Robert N. Charette
Robert N. Charette is a Fellow with Cutter's Business Technology Strategies practice. He is also President of ITABHI Corporation, a business and technology risk management consultancy. With 35 years’ experience in a wide variety of international technology and management positions, Dr. Charette is recognized as an international authority and pioneer regarding IS, IT, and telecommunications risk management.
Dr. Charette serves as a senior risk advisor to Global 100 CEOs, CFOs, and program and project managers. He is a trusted risk advisor to senior-level defense, civil, and local government officials worldwide on the effectiveness, impacts, rewards, and risks of their high-tech programs and policies. Dr. Charette acts as chief risk consultant to financial organizations and companies when investments, mergers, or takeovers are considered. His experience in both government and business provides a unique perspective on addressing the risk management issues confronting today’s public sector. He can be reached at email@example.com.
In this interview, Robert N. Charette addresses the role of the CIO and the corporate IT organization amid an atmosphere of increased corporate emphasis on risk management.
Q: In your latest Executive Report, "The Rise of Enterprise Risk Management and Governance," you cite the increased level of risk management in corporations, and the need to govern it across the enterprise. Why is the CIO's role so critical here?
The CIO is critical for a couple of reasons. First, IT is central to the effective and efficient operations of almost every modern organization. If a corporation's IT doesn't work well, the operations of the corporation suffer as a result. For instance, operational risks -- those risks that are created by a company's dependence on its internal systems, processes, and staff -- have caused measurable losses of shareholder value in several public corporations when they were not actively managed. Oxford Health Plans, as an example, lost close to 70% of its market value after its billing system failed a few years ago. In privately held or governmental organizations, operational risks are sources of higher operating costs. Therefore, how well the CIO, and by extension, his or her IT organization, manages the risks that reside therein can well determine the future viability of the corporation.
Second, the recent US Public Company Accounting Reform and Investor Protection Act of 2002 (also known as the Sarbanes-Oxley Act) tightens the rules of public corporate financial reporting and, among other things, requires the CEO and CFO to personally certify the accuracy of financial statements. As an incentive to comply, Sarbanes-Oxley imposes a maximum penalty of 20 years in jail and a $5 million fine for making false statements in corporate financial certifications. This means that financial information must be both valid and verifiable. This increased accountability has, in turn, pushed the CIO into the hot seat concerning many corporate governance issues. For example, it's the CIO's job to ensure that risks -- for example, the possibility of fraudulently altering a financial transaction -- to any IT system used to produce, gather, store, or transmit financial-related data are not only being managed but that the processes to manage that type of risk are effective.
To give you a third reason, consider the UK, where the government is considering a "corporate killing" law, which would hold senior managers criminally responsible for accidental deaths resulting from actions taken by the company -- say, from the operation of a corporation's IT systems. How would you like to be the CIO of a company that makes software that is used directly or indirectly in transportation or communications systems, or in a power plant or hospital system?
What you are seeing now is that IT risks are becoming de facto enterprise-level risks, and it is the CIO and his or her team that is responsible for ensuring that the risks are managed effectively.
Q: What circumstances have caused this increased emphasis on risk management?
Several events have combined to increase the desire for better enterprise risk management and governance. We have had 9/11, which showed how unprepared corporations and their systems were for terrorist attacks. It also showed that many of the lessons learned about IT system vulnerability to extreme events from the Y2K experience were not put into regular practice.
There have been the Enron, WorldCom, Global Crossing, and several other corporate financial scandals that severely eroded the public's trust in corporate financial reporting, as well as in their ability to behave as good corporate citizens.
There has been a surge in IT security and data privacy problems (for example, identity theft) in the last several years that has made managing these types of risks a high corporate priority.
Ever-increasing global competition has spurred IT outsourcing across the world, which brings along all sorts of new types of corporate operational and strategic risks to be managed, many of them political in nature. It will be interesting to see what corporations that outsourced to India are going to do given the recent election of a new government there that campaigned on the idea that all the high-tech work being outsourced there wasn't necessarily beneficial to the country as a whole.
These and several other events, I think, have driven home the point to corporations that they live in an increasingly uncertain world, which requires a much better understanding of the opportunities they pursue and the risks they take on.
Q: What can the CIO do from an enterprise risk management and governance standpoint that goes beyond the purview of the typical CIO role?
Well, I am not sure what is a "typical" CIO role, but I think CIOs need to be -- if they aren't already -- extremely involved in the aggressive management of IT risks. Risk management can't be seen within the IT organization as some pro forma process that CIOs only give lip service to. CIOs need to continuously ask themselves and their project managers for the risks that the IT organization and its systems create for the corporation, and how they can best be managed.
Risks that may materially affect the corporation's finances, strategic position, competitive capabilities, reputation, intellectual property, etc., need to be conveyed upwards to the CxOs and corporate board so that they may understand what is being placed at risk, and what the consequences are if these risks turn into problems. This is especially true of what I call "grey space" IT risks -- IT issues that don't start out as governance-related issues but can quickly turn into them. For example, if an IT project looks as if it will incur a major financial overrun that will materially affect, say, the corporation's profitability, then the project becomes a governance issue. These types of risks need to be communicated as early as possible to senior managers. At the very least, CIOs need to ensure that IT creates no surprises for senior decision makers.
Risk Management Comes of Age
An interview with Bob Charette, Senior Consultant, Cutter Consortium
What trends are you seeing in risk management?
The main trend is that a lot more companies are doing risk management. A decade ago, if you said risk management, people would say, "risk what?" Today, people are understanding the basic premise of risk management and how it's supposed to be applied. It's been one of those unexplored areas. People knew they should be doing it, but there were all these other things -- like quality management and process improvement -- that were perceived to be of higher value. Risk management has now matured to the point where people recognize it as something they need to do.
Not only are more people doing it, but more people are getting benefits from it. There are now many projects in which risk management is a key factor of success. In the defense realm, there's the Peace Shield defense system project, whose team attributes a tremendous amount of their success to the fact that they did very aggressive risk management throughout the life of the program. The project was seen as extremely risky, yet they were able to deliver early and under budget. In industry, you have companies like Rockwell Collins, which has a very aggressive risk management program -- in fact, a whole culture of risk management. They started with a process improvement program, of which risk management was a piece. It was championed internally by a few people, and now risk management is considered a competitive advantage. They're rated so high in this area that they often win contracts based on their ability to do risk management.
Is there often strong internal resistance to a risk management program?
One of the difficulties with risk management is that, like quality programs, the thinking is that it will cost you money. With quality, it took a while for people to realize you could become more profitable by improving quality -- you could reduce rework and change processes to build quality in from the beginning. In some quarters, that type of thinking still doesn't exist.
Risk management is similar, but even harder -- you're trying to show that by spending money, something won't happen. The quantification of benefits is very difficult because you're trying to prove a negative. But I rarely find that the question today is whether or not we should do risk management -- it's how much risk management should we do. The field is still very immature; you find lots of people doing risk identification, a smaller group doing risk analysis, and very few who are really doing risk management (determining the options, looking at the risk of each option, and understanding the full implications of the process).
Similarly, there are only a handful of companies who are looking at opportunity management. There are tremendous benefits here. As the field matures, people will start to understand that risk management should come before planning, rather than after. Most people create a plan and then do risk management on it -- that's okay, but in many ways, it's too late in the process.
Do you have to have an entrenched risk management program before you can do opportunity management?
No, you just need people with an open mind. For example, Rockwell Collins is a very hard-nosed, conservative, Midwestern engineering company. They looked at risk management and said, "This makes sense. This is the way we want to do business."
When you're pursuing opportunities, it's both an offensive and a defensive strategy. My major interest these days is not in the day-to-day risk management of projects, it's in risk leadership and risk entrepreneurship. How do you turn risks into opportunities? What does it mean for individuals to do that? How do you teach that skill?
Companies need someone in the role of risk manager -- that's one of the things the dot-coms have found out. They were not just poor risk managers, they were phenomenally poor risk leaders. There are certain companies, like Amazon or AOL, that can see opportunities where other people don't; they take the lead and move the idea forward. There are a lot of others that see opportunities that don't exist or see opportunities and don't have the wherewithal to follow through.
What should companies watch for when setting up a risk management program?
One problem with risk management becoming so popular is that it's being done very superficially in some companies. Companies should be wary of people who claim they can come in and analyze a $10 million program in a day. Even if you could identify the risks that quickly, you could never understand all the implications of your recommendations in less than several weeks.
Look for someone who has done risk management on programs for some length of time. The process itself is not very difficult to understand, but the practice is extremely difficult. It's as much art as it is science. It's also a multidisciplinary field. If you're looking at someone to do risk management, you need to know both their experience in risk management and their background -- have they had a wide variety of business experiences? Unfortunately, I find companies deciding to have someone do risk management and then choosing their new hire for the position. This is exactly the wrong person for the role. The risk analyst has to be father confessor, the honest broker, and Mother Teresa all rolled into one.
For example, a risk analyst may need to go in and kill a project; that takes away people's livelihood. Risk analysts also need the guts to say that the company is not funding a project to an appropriate level. I see many projects that are technically feasible but not schedule or cost feasible. The executives put so many constraints on a viable program that it ends up being killed for overrunning.
There are projects that should never see the light of day, but I also see a lot of projects where there's so much fuzzy thinking about the benefits of the project that it is hard to determine the risks. Even if you don't do a risk analysis, you should make sure you clearly understand the objectives (why am I trying to do this), the assumptions, and the constraints. These fundamentals are overlooked time and again.
Up Close with Robert N. Charette
"...hope is not a method, nor is optimism a substitute for a feasible strategy."
— Robert N. Charette
"No More Gorilla Dust: Autopsy of GM"