After 15 years in different businesses across Europe and having come across hundreds of IT leadership role descriptions, I believe two of the most relevant yet underestimated are Performance Management and Operational Risk Mitigation.
Having covered performance management last month, I will now present some advice on operational risk mitigation, which I regard one of the most important areas to measure and control as CIO. My ambition is to give an introduction and to present examples of why I believe it is vitally important that we know how to manage this discipline.
One of the first things I do as incoming CIO, interim or permanent, is to quickly assess the situation regarding operational risks, especially in IT, however also in other relevant parts of the organisation. Based on that high-level assessment I know significantly more about inherent risks, awareness (or risk appetite) and can prioritise my work going forward.
What is Operational Risk?
Operational risk is defined (after Basel II) as the risk of monetary losses as a result of faults and errors in process, technology or skills or due to external factors, operational risk may also include other risks such as fraud, legal, physical, and environmental risks.
A Practical Approach
There are ways to quickly introduce or improve risk mitigation and thus increase quality, which in turn can lead to cost reductions and improved control over both IT and operational risk. I recommend that Executive management, including the CIO and the IT function, work together to identify, prioritise and reduce operational risks over time.
There are various ways to apply operational risk management; more formal models and frameworks, including establishing a risk audit and control function, which might be preferable in large companies and in the financial sector. However, many organisations benefit from a more pragmatic and hands-on methodology, which include;
- Identification of risks and risk areas.
- Analysis, compilation and assessment of current risks.
- Assessment of risk levels - if possible including financial implications.
- Decisions about actions (activity plans and budgets).
- Decisions and introduction of risk management model, tools and governance.
- On-going risk mitigation as part of daily operations.
By identifying, documenting, analysing and assessing operational risks across the board we can quickly get an understanding of current risk level and what needs to be done.
The next step is to prioritise and mitigate risks on a tactical level by reducing the most acute risks and make a plan for future risk reduction. In some areas, such as IT security, major programmes and vendor management, it might be wise to consult an independent specialist.
Finally, the organisation should introduce a governance model and tools such as a risk log and a dashboard for risk mitigation reporting. A risk committee, especially if there are several major risks, might be worthwhile. The CFO or CIO can, together with other executives, lead the strategic work to reduce risks over time. The risk committee can report to the management team, or even to the Board, once or twice per year.
The level of complexity depends on the type of business, number of functions, processes, and maturity level and so forth, and each business has a unique set of operational risks. In my opinion however, there are a couple of key categories to always look into early on:
- Risks with regard to major transformations or the total project portfolio (I refer to this as Change Management).
- Management and control of the IT function and IT delivery internally and externally, if services are outsourced.
I focus on these areas first since, according to my experience, they represent if not the most common risks, certainly the risks which are likely to cause significant economic damage compared to most other operational risks in general.
It is a fact that major transformations that are not properly planned, managed or governed might in fact jeopardise an entire business – I am referring to "Black Swans". One single IT programme that exceed budget by two or three times, or a project portfolio out of control, may inflict significant financial damage and even risk the company's existence. There are several recent examples in Banking, Life Science and in the Public sector where large programmes spun out of control, causing multi-million pound losses. As seasoned CIOs we are aware of these risks, however, if you have less experience as transformation director you may want to consider bringing in an external advisor to help in the risk assessment and with programme governance.
IT Delivery and Reliability
This is another well-known area for CIOs. But still, don't underestimate the risks! I have experienced an international company with a non-redundant core business system, one listed company where the communication network had a single point of failure just outside the head office and one company that had outsourced its WAN to a vendor that did not provide a back-up solution causing 24 hours total downtime for that business.
Almost daily, we read headlines about major IT disturbances in Banks, Food and Retail, Transportation (even airports), the Public sector and others including some of the largest and most successful IT companies.
What can CIOs do in order to avoid major business disruptions due to IT glitches? Properly introduced ITIL, ISO certifications and so forth are helpful. Bottom line though, it is about investigating all relevant areas from server rooms, hardware, networks, power supply, Business Disaster Recovery planning, configuration and change management and so forth. It can be helpful to look at the history of IT disturbances and to understand, not only frequency and severity, but what the organisation has done to make sure the root cause was resolved. This is nothing but hard and continuous work and work that should be prioritised.
Other areas to analyse?
I have listed a handful of categories to consider as well as some relevant questions that should give an indication of the current risk situation. Depending on your line of business you may want to expand that list with areas like SW development and testing, operations, manufacturing, logistics and so forth.
It is vital that the IT function regularly document processes, code changes, configurations and so forth. Unfortunately, it is also common that "fire fighting" daily issues interfere with proper standards and procedures, documentation, training and BDR planning and rehearsals. When was the last full scale BDR exercise held? What does the change management documentation look like? Are all processes and procedures documented? Is ITIL implemented? Are job and role descriptions in place? As an example, I was in close contact with a large business that had invested in process development throughout the Group, except for the IT function and its project management processes.
HR and the IT organisation
What has the HR function to do with operational risk? It is about securing that the right competencies are in place within IT and don't represent single point of failures. Do you have succession plans and relevant documentation in place allowing a quick replacement, should key staff suddenly leave? Many years ago an entire IT operations team resigned the very same day in an international company that was planning to outsource IT operations – the company had no choice but to re-hire the entire team as contractors, at a significantly higher cost.
IT strategy and governance
Do you have a documented, approved and communicated IT strategy? Are there technical and system road maps and an architectural target picture in place? Are there performance management controls to effectively monitor and control the IT function's delivery? Is IT represented on C-level or does IT report into CFO or COO with financial savings as the number one responsibility? Global companies that failed to align IT strategies with market opportunities such as digital innovation include a well-known photo technology provider and one of the oldest music industries in the world.
CSR including environment has rapidly grown in importance. Are there processes and technology in place that minimise energy consumption by IT and in premises? Do you measure the reduction of paper consumption and air travel? Is there an environmental policy communicated throughout the organisation? Does the organisation have control of subcontractors (child labour, environmental issues)? Are management in control over how international business is carried out across the globe? The effects of not having CSR controls in place can be severe, like a leading Nordic Telecom provider is a recently experienced.
There are a number of operational risks that relate to finance. Examples of materialised risks might relate to lack of or incorrect reconciliation in Accounts Payable and Receivables, incorrect VAT or interest rates, interest fees on late payments. Keywords include transaction intensity, automated reconciliation and any previous history of incorrect or late payments (where lack of errors might be an indicator as such).
Other processes include "Record to Report", "Order to Cash", management reporting and business intelligence. For example, it is crucial that customer bonuses are calculated on actual booked sales, not estimated sales and that BI development is properly tested like any other system development project.
I have personally seen a case where managers did not book larger received invoices during end-of-quarter, seemingly to "improve" the business unit's result and hence bonuses, which, if actually the case, is defined as fraud or fraudulent behaviour. Publicly known fraud cases include several global companies in Banking and Financial Services.
Finally, it is important to ensure that IT is stand-by to support Finance and payroll system during end-of-month and salary processing as a delay might cause significant losses.
Obviously this is one of the most complex, complicated and important risk mitigation areas and one that most companies are in good control of. Many organisations have a CSO working full time on IT security. There are other types of security risks that we want to control including information security and physical security (access to premises). Sometimes it is hard to separate Security from IT delivery – disaster recovery planning, for example. However, as long as CIO manages both the business should be in good hands.
Personally, because of my technology skills, I have always relied partly on subject matter experts dealing with IT security risks. Examples of questions to ask as part of an assessment include; history of security breaches, attempts and frequency, and results of external penetration tests and security audits? Are documented and tested fall-back procedures relating to relevant IT and telephony in place? When did IT and senior management perform the last disaster recovery exercise? Is there a communicated information security policy in place and is it understood? Addressing IT security, it is important to investigate any outsourced IT, which leads us to the final risk area.
I recently wrote an article for another journal (CFO World) where I stated: ''I will now reveal a hidden truth; most 'leading' IT vendors have little or no control over their operational risks!''. If we take that into account we can, and should, assess operational risks outside our organisation the same way as we do internally. The major difference is about getting access to information and about understanding the contractual agreements and legal implications if an IT vendor cause, directly or indirectly, significant disturbances and financial losses to your business? An SLA 'guaranteeing' 99.99% availability is nice to have, but what if the penalty clause only offer a fraction of the losses occurred in our business during a prolonged period of down time? It is difficult to assess all the legal documentation in retrospect, especially if a former employee was responsible for the outsourcing deal. My advice is to at least look into the most important agreements, and to do this together with an expert IT lawyer.
Finally, management of software licences and fixed assets (computers, tablets, cell phones) that are improperly handled can mean significant additional costs including penalties or even lawsuits. Do you have functioning process and properly maintained AD and a Fixed Assets directory in place? Do all employees sign off for hardware, mobile devices and are you in control of all the software that is used, and not used?
When to consider making an Operational Risk Analysis?
Companies with operational risk as a regular agenda item on Board of Director and Executive Team level, where operational risk management are a clearly defined C-level responsibility, as well as organisations performing internal IT audits on a regular basis are likely to be in better control. Regardless, I would recommend an operational risk assessment to be made:
- Prior to strategic decisions about major development or ERP projects, transformations, outsourcing or other strategic ventures; here an independent risk review is recommended.
- As newly appointed and externally recruited Chairman, CEO, CFO or CIO.
- Should the Board have doubts about management's ability to control the operational risks.
I recently spoke about operational risks with a NED in a listed company who told me; "There are some boxes in this company that we do not wish to open". Pretty scary stuff!
The bottom-line; as CIOs it is our responsibility to mitigate and minimise operational IT risks in the businesses we work for. Doing this correctly and effectively will save money even if it may not make us into headline news. However, the better we mitigate operational IT risks the smaller the 'chance' that we become headline news for all the wrong reason.
Bjorn Ovar Johansson is a Manchester-based interim CIO with a background in Senior IT Leadership roles across Europe