STEP 2: DEFINE YOUR MESSAGE
CIOs who have become ERM leaders in their companies say defining your message for why ERM is necessary is one of the most important steps to raising awareness about it - and it is arguably the most difficult. Because ERM spans the enterprise, you must understand the intricacies of the operations in each line of business. It also requires you to think about events or consequences that you may have either ignored or preferred not to consider, especially if the culture of the corporation views thinking about risks as pessimistic.
"You must find a way to describe the risk," says David Weymouth, former CIO with Barclays Bank, who now heads the bank's business ethics strategy. "If you can't find a way to describe it, then you'll never get anywhere."
That may require you to devise a new way of talking about IT with your executive colleagues and staff alike. A definitive ERM message includes facts that can be used to sway doubters, says Weymouth. He instituted a monitoring system to collect data on Barclays' operational systems, such as the number of times the bank intercepted a fraudulent payment or blocked a denial-of-service attempt. By capturing how often the IT shop has reduced the number of incidents that could have disrupted bank business - which, for Weymouth, are equivalent to risks - he is able to calculate savings. He is also able to use the data to show that Barclays must continue to invest in IT to mitigate those risks.
STEP 3: BE FLEXIBLE
Not everyone understands risk, and people view risks differently. That means you have to be patient and give your audience time to understand what you are talking about. Flexibility is the key here so that you may adapt your message for the different attitudes toward risk you encounter.
George Westerman, a research scientist at MIT's Sloan School of Management who is studying ERM in relation to IT, illustrates the point with a story about his four-year-old daughter, who enjoys climbing on a jungle gym. When she reaches about halfway up, she says: "Daddy, look at me."
"My impulse is to say: 'Great. Go all the way to the top', hoping to avoid the risk of overprotecting her," Westerman explains. "Her mother's inclination is to say: 'Get down now', hoping to avoid the risk that our daughter may fall and hurt herself. We both have different ideas of risk, yet we both have our daughter's welfare first. It turns out that an appropriate response is to stand beside her and let her climb as high as she wants and be there in case she falls." The message, Westerman says, is that his daughter can take a bigger risk, given the appropriate safeguards.
Sometimes delivering your ERM message requires you to not talk about risks at all. When Sharon was CIO at the advertising agency McCann WorldGroup, he sometimes avoided the topic altogether. During one project for the agency's global accounts group, he knew account managers wouldn't understand what he meant about managing risks. The group, which was responsible for more than 100 markets, was having trouble keeping track of its e-mail and faxes from the company's various lines of business. These communications were frequently lost or took a long time to locate, increasing the risk that the group could not respond quickly enough to clients.
Instead of discussing risks, Sharon talked about how an intranet could improve the group's service to customers. He told them he understood how hard they were working, and offered to help them with logistics so that they could focus on serving clients better. Once the Web site was deployed, he recalls, the group started making business decisions in real time, reducing the risk that dissatisfied clients would take their business elsewhere.
Other times, the straightforward approach works best. Westerman relates the story of a CIO at a Fortune 100 company who needed to sell his board of directors on taking what seemed to be a bigger than usual risk on a large corporate-wide IT project. The company's IT department had never missed a deadline or run over budget. The reason was that the IT department had always doubled its estimates of the amount of time and money needed to complete its projects.
The CIO decided this management approach was too risky for the company because it didn't give the board accurate information with which to make business decisions. It also gave the IT department an incentive to spend too much money. The CIO decided that this time he would give the board the most accurate cost estimate and time line for the project, and explain that he might have to come back for more money and time.
Westerman says that before the meeting, the CIO, typically a steady individual, was "shaking in his boots". The CIO assumed the board would think his approach lacked proper analysis and increased the risk of project failure. But the board approved the project and did not condemn the CIO's judgment when he came back a few months later to say that the project would be two months late and would cost more. The CIO had prepared them by outlining the risks.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.