As a CIO, you want to sit down with your CEO to discuss her new plan to implement cloud-based software. You’re concerned about security risks. But after some back and forth with her office, it’s clear she isn’t looking forward to meeting with you. You normally have a good rapport with her, and haven’t had any issues lately, so what’s the problem?
The problem could be how each of you views the risks and potential rewards of the new software.
CEOs and business executives are often natural risk-takers who seek out growth opportunities. CIOs and CISOs, on the other hand, are hard-wired to find ways to minimize losses that will erode value. On the surface, these goals are polar opposites.
That’s not to say CEOs don’t care about risk management. In fact, CEOs are now more concerned about risk management as it relates to their strategic digital business initiatives. A recent Gartner CEO survey showed that 65% think their organization is falling behind in risk management investment and discipline maturity, and 77% are concerned about new risks associated with digital business initiatives.
77% of CEOs are concerned about new risks associated with digital business initiatives
“Organizations can improve their risk management programs and outcomes by addressing strategic risks within the context of value, desired business outcomes and their risk appetite,” says John A. Wheeler, research director at Gartner. CIOs must be prepared to support the CEO’s initiatives, while making well-informed decisions regarding strategic bets.
A challenging discussion
The dawn of a new era in digital risk management (DRM) is now centered on the evolving digital business transformation initiatives that are taking hold in many companies around the globe. Gartner defines DRM as the integrated management of risks associated with digital business components such as cloud, mobile, social, big data, third-party technology providers, operational technology (OT) and the Internet of Things (IoT).
Often, the challenge when discussing risk management with CEOs is that the CIO’s goal is to reduce risk by avoiding high-risk business activities. This is counterintuitive thinking to CEOs, who are looking at potentially risky options that could add value to the company.
The way to frame the conversation is to think in terms of good risk versus bad risk rather than high risk versus low risk. A high-risk option might actually be a good risk when evaluated against the value created and the company’s appetite for risk. In fact, good risks are often at the heart of innovation.
It’s key that CIOs and CISOs don’t get caught up in judging risk based on legal or compliance risk. A recent Harvard Business Review study found that over the past decade, 86% of losses in a company's market value were related to strategic risks and 9% were related to operating risks. Only 3% of the losses were related to legal and compliance risks.
Determine what makes a good risk
Once a good versus bad risk mentality is established, CIOs must be able to evaluate the value in the business outcome as opposed to the risk appetite associated with achieving the goal. This creates a more business-outcome-oriented focus over simply categorizing actions as high or low risk.
It can be difficult to separate good risk from bad. While the value of a given digital business initiative is typically the focus, it is often more difficult to articulate the risk appetite. However, without a clear understanding of risk appetite among the board of directors and senior executive team, it is nearly impossible to identify the good risk.
Once identified, this new view of risk can be used to perform the following activities and get your CEO to embrace DRM:
- Prioritize the pursuit of digital business opportunities.
- Make risk treatment decisions: Invest in controls to optimize risk, invest in insurance to transfer risk, choose to accept risk or isolate and avoid risk.
- Raise visibility of risks to influence decision making across a project.
- Improve governance through greater risk transparency and accountability.