January 17, 2017
CIO Meeting Recap: Are You a Risk Manager?
There are many hats IT leaders need to wear, and risk manager is just one. Although risk management differs from company to company, it is critical for all IT leaders to be aware of the risks their organization may face. Andy Bingenheimer, Group Development Manager at U.S. Bank, brought the topic "Are You a Risk Manager?" to life at Friday’s CIO roundtable meeting, where members shared many personal experiences.
How do you manage IT risk within your organization?
Risks are everyone’s responsibility and IT leaders shouldn’t be the only ones held accountable for them. It is important for everyone in the organization to think about the risks in the context of their job. In order to close this gap and help the entire business understand and be aware, IT leaders need to train and educate their organization. Risk is not a bad thing as long as the organization is knowledgeable.
IT leaders must be aligned with business leaders to make sure they understand the emerging risks and how they can affect the organization as a whole. One way to put risks into a business perspective is to quantify each risk and assign a capital value to it. By looking at what the company would lose if the risk actually occurred, the organization can better understand the importance of the risk and how to prevent it from occurring.
How would you describe the risk appetite of your organization? Is it formally documented or part of the unwritten culture? How do you enforce risk appetite within your organization? Is it effective?
Risk appetite is the amount and type of risk an organization is willing to accept in pursuit of its business objectives. Every organization is unique in the way it approaches risk; for some, it is unspoken and more of a cultural understanding, while for others it may be well documented with many protocols in place. Whether informal or formal, risk appetite must be communicated and enforced via one or more of the following methods:
- Authority/spending authorization levels
- Value statements
- Incentive compensation at different levels of the organization
- Monitoring reviews
One interesting piece that a member left with the group was that no matter how your organization approaches risk, at the end of the day the way you approach risks comes down to your judgement, intuition, and what feels right in your gut. This is an important thing to remember as risk is something we deal with every day.
Would you consider yourself a risk manager?