To successfully compete, executives should ensure that effective reference models for IT risk, value and control are in place and are actually being used.
A recent Institute for Supply Management (ISM) Report on Business, which provides cross-industry data in the U.S., includes several interesting findings, including low manufacturer inventories, even lower inventories by customers of manufacturers and then an increase in new orders. These and other data, even at this high level, illustrate the success of manufacturers' supply chain and demand management methods to reduce the risk of carrying too much or too little inventory. More broadly, quality and cost structure (including plant design) methods have been helping manufacturers to more easily change variables such as scale and product mix. These changes have their roots in the early 1980s recession in the U.S. as well as similar economic struggles in Asia and Europe in the mid 1990s.
In learning these lessons about managing the risk of changing business conditions, manufacturing executives have addressed this issue from several perspectives:
- Operations seeking improved quality, less risk and improved productivity
- Finance seeking a cost structure better aligned with business strategy and improved liquidity
- Sales seeking greater customer responsiveness
- Human Resources evaluating training
- Design seeking new components
- Procurement seeking better timing/leaner operations
Information technology leaders have been involved as well. While some CIOs have been highly proactive in engaging IT in the business strategy discussions, others have been hampered for at least two reasons. First, IT is often viewed as just another "shop" within the plant, instead of as a team that can help reshape the overall business risk and cost structure. Second, CIOs often lack techniques and methods tailored to reducing technology-related business risk. There are many other reasons as well, such as insufficient early involvement by IT in merger, acquisition and consolidation plans.
Even CIOs who are making progress still struggle with the need to better manage risk on three fronts at the same time. First, they must reduce risk in business-IT investment decisions. Common pitfalls that are responsible for the staggering waste reported by some IT analyst firms include placing bets in the wrong places; not fully aligning with the business strategy; or not fully appreciating competitor, partner or customer changes. Nearly every CIO and CFO can easily recount painful lessons learned. As the CFO of a sporting goods manufacturer lamented, "We have been feeling the consequences of our ERP decision for years."
Second, they must handle risk in program and project management as they execute new business-IT projects. ISACA, a nonprofit association representing 86,000 practitioners in 160 countries, recently conducted a survey with approximately 500 respondents from around the world. Results showed that approximately 40% of business-IT projects are cancelled before they are completed, and that the cancellations resulted from several causes, often from requirements that change (or are painfully "discovered") mid-project.
Third, they must handle risk related to providing stable, available, protected and recoverable business operations. In the increasingly lean and time-sensitive manufacturing environments reflected in the ISM data, being "down" can be very costly. As an IT executive in one manufacturing organization commented, even a "little 'disaster' wakes people up to the extent of dependencies on IT."
In the past, manufacturing leaders in IT, risk, quality control and finance who wanted to reduce business risk associated with technology had to take up the task on their own. Those who did so still faced more challenges: synchronizing terminology and metrics with suppliers, partners and customers; keeping their work fresh and updated; and updating training for a proprietary approach.
To address this need, a group of IT leaders from several countries and industries, almost all of them experts in risk management, volunteered thousands of hours by taking up the challenge of making life easier for manufacturers that are seeking more return with less risk from their IT investments and operations. Under the auspices of ISACA they developed the comprehensive Risk IT framework (available as a free download from www.isaca.org).
Extending the widely used COBIT framework, which is used internationally to enhance governance and control of IT, Risk IT provides guidance to help executives ask the key questions of management, make better risk-adjusted decisions and guide their enterprises so risk is managed more effectively. It offers the broad view that has been missing from the industry and from practitioners' knowledge bases, and provides an umbrella for addressing enterprise risk across other more focused and detailed frameworks and process models. Risk IT has two components: The Risk IT Framework (which helps convey the risk landscape and prioritize activities) and The Risk IT Practitioner Guide (which provides practical guidance on carrying out programs to improve the management of risk).
To grow, an enterprise must take risks. Risk IT helps executives understand their pain points, achieve business objectives and increase return with a comfortable level of risk. It also provides high-level guidance so they can take on and manage more risk in pursuit of growth, e.g., to make an acquisition, sign a contract, expand geographically, form new partnerships or introduce a new product.
Executives increasingly need to provide tangible business benefits, including fewer operational surprises and failures, increased information quality, greater stakeholder confidence, reduced regulatory concerns, and more innovation to support business initiatives. They also need to compare their assessment of business needs with their current practices and identify both their appetite for risk and the ways they can achieve immediate benefits.
Risk IT provides a way to manage risks in a holistic manner to not only drive performance, but also enable consistent compliance reporting. It helps executives integrate and address IT risks in the context of business activities that depend on IT to increase value, generate revenue and service customers (see below).
Most enterprises don't do a good job of this. According to a nine-country survey of 1,217 IT professionals conducted by ISACA, enterprises worldwide believe they are realizing value from their IT investments; yet they cannot be sure, as fewer than half have a shared understanding of value across the enterprise, and two-thirds fail to fully measure it.
To successfully compete in the continually evolving interconnected business environment, corporate boards and executives should ensure that effective reference models for IT risk, value and control are in place and are actually being used.
Brian Barnier, CGEIT, serves on the program committees for the IT Governance, Risk and Compliance Conference and North America CACS Conference, and the Professional Influence and Advocacy Committee. Barnier is a principal at ValueBridge Advisors, an advisory firm focused on the intersection of business effectiveness, technology economics and decision-making. Urs Fischer, CISA, CIA, CPA Swiss, is vice president and head of IT governance and risk management within the Swiss Life Group. He is currently chair of ISACA's Audit Committee and its CRISC Task Force, and is a member of ISACA's Credentialing Board. www.isaca.org/riskit