CIOs and Risk Management: It's OK to Act Like a Baby

Ann All

Risk management is a lot like gambling. It essentially comes down to knowing when to hold 'em and when to fold 'em.


Business seems to instinctively "get" this; IT not so much. That's what Michael Harris, owner and president of David Consulting Group and one of three authors of "The Business Value of IT: Managing Risks, Optimizing Performance and Measuring Results" told me when I interviewed him earlier this year. (Read an excerpt of The Business Value of IT in IT Business Edge's Knowledge Network.) As Harris described it:

Management comes into the engineering office and says, "I need X by Y date." And the first reaction is, "We can't possibly do that." It's like when you take your car into the garage. You get the same kind of a reaction. Yet at the same time, software is always 90 percent complete. I think at the core of it, IT hasn't been trained to do risk management. To some extent, the risks with software development in particular, but with IT in general, are extremely complex.

IT and business must come to terms on what constitutes an acceptable risk, Harris added:

You can pay $15 million to totally secure a piece of hardware from potential security threats, or you can accept the fact that some (threats) are so unlikely we don't need to worry about them. I think the key thing is to have a risk management strategy in IT, not necessarily a complex one, and to have it informed by techniques like risk mitigation, probability against impact, those sorts of things.

Most important, risk management needs to become a standard part of IT governance, with IT and the business discussing it on a regular basis, not just when the business pushes it, Harris advised.


I looked up Harris' remarks after reading a blog post titled "The Betting CIO" by Linda Cureton, CIO of NASA/Goddard Space Flight Center. Like Harris, Cureton contends risk taking is a key part of IT leadership. Her key takeaways:


  • Know the difference between luck and sound research and risk analysis. She writes: "If you haven't applied sound risk-based security management practices and nothing bad happened, that's luck, not good management."
  • You must have some tolerance for risk. (This is hard wired into some folks' DNA; others need to cultivate an ability to take chances.) Cureton writes: "A system with absolutely no security risks is one that is turned off or unusable. Without risk, there is no fear; and without fear, there is no need for courage; and without courage, there can be no innovation."

And my personal favorite: Learn from babies, who mostly strike the right risk-taking balance. As Cureton notes, they observe an object, put it in their mouths and taste it, then finally try to see what they can do with it. She advises CIOs to use a similar approach:

The Betting CIO should be observant, try some things and set up safe sandboxes; but should not be reckless, scared or paralyzed.


Aug 25, 2009 11:33 AM, PSI says:

As Harris advises, most important, risk management needs to become a standard part of IT governance, with IT and the business discussing it on a regular basis, not just when the business pushes it.

We should handle risk management (it's OK to act like a baby) like a baby handles risks. Nice website about risk management.

www.ermsummit.com
www.gsmiweb.com
