As a CIO, you want to sit down with your CEO to discuss her new plan to implement cloud-based software. You’re concerned about security risks. But after some back and forth with her office, it’s clear she isn’t looking forward to meeting with you. You normally have a good rapport with her, and haven’t had any issues lately, so what’s the problem? The problem could be how each of you views the risks and potential rewards of the new software.
CEOs and business executives are often natural risk-takers who seek out growth opportunities. CIOs and CISOs, on the other hand, are hard-wired to find ways to minimize losses that will erode value. On the surface, these goals are polar opposites. That’s not to say CEOs don’t care about risk management. In fact, CEOs are now more concerned about risk management as it relates to their strategic digital business initiatives. A recent Gartner CEO survey showed that 65% think their organization is falling behind in risk management investment and discipline maturity, and 77% are concerned about new risks associated with digital business initiatives.
Organizations can improve their risk management programs and outcomes by addressing strategic risks within the context of value, desired business outcomes and their risk appetite. CIOs must be prepared to support the CEO’s initiatives, while making well-informed decisions regarding strategic bets.
The Dawn of a New Era in Integrated Risk Management
The dawn of a new era in integrated risk management (IRM) is now centered on the evolving digital business transformation initiatives that are taking hold in many companies around the globe. Gartner defines this new IRM market segment as digital risk management (DRM). Simply put, DRM is the integrated management of risks associated with digital business components such as cloud, mobile, social, big data, third-party technology providers, operational technology (OT) and the Internet of Things (IoT).
Establish a risk mentality of good risk vs. bad
Often, the challenge when discussing risk management with CEOs is that the CIO’s goal is to reduce risk by avoiding high-risk business activities. This is counterintuitive thinking to CEOs, who are looking at potentially risky options that could add value to the company.
The way to frame the conversation is to think in terms of good risk versus bad risk rather than high risk versus low risk. A high-risk option might actually be a good risk when evaluated against the value created and the company’s appetite for risk. In fact, good risks are often at the
heart of innovation.
It’s key that CIOs and CISOs don’t get caught up in judging risk based on legal or compliance risk. A recent Harvard Business Review study found that over the past decade, 86% of losses in a company’s market value were related to strategic risks and 9% were related to operating risks. Only 3% of the losses were related to legal and compliance risks.
Determine what makes a good risk
Once a good versus bad risk mentality is established, CIOs must be able to evaluate the value in the business outcome as opposed to the risk appetite associated with achieving the goal. This creates a more business-outcome-oriented focus over simply categorizing actions as high
or low risk. It can be difficult to separate good risk from bad. While the value of a given digital business initiative is typically the focus, it is often more difficult to articulate the risk appetite. However, without a clear understanding of risk appetite among the board of directors and senior executive team, it is nearly impossible to identify the good risk.
Once identified, this new view of risk can be used to perform the following activities and get your CEO to embrace DRM:
- Prioritize the pursuit of digital business opportunities.
- Make risk treatment decisions:
○ Invest in controls to optimize risk.
○ Invest in insurance to transfer risk.
○ Choose to accept risk.
○ Isolate and avoid risk.
- Raise visibility of risks to influence decision making across a project.
- Improve governance through greater risk transparency and accountability.
Digital Risk Management Hub
Visit the Gartner Digital Risk Management Hub for complimentary research and webinars.
Gartner clients can read the full report titled How to Get Your CEO to Embrace Digital Risk Management.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.