The new dialogue with risk and the CIO office - 2013 Issue of the Year

Last week I held what I think was the first webinar of its kind for IDC and the Insights Team - a Predictions webinar, or maybe it was more of a dialogue with the research team here, on the topic of risk management and CIO, and what we see as an evolving dialog between these enterprise functions, some the business environment and 3rd platform innovations that underpin this maturing relationship, and what we see as key initiatives at the CIO strategy, business IT and operational IT layers across 6 vertical markets.

I was joined by IDC Insights vertical industry leaders to share our collective predictions, opinions, and guidance on the topic of risk, IT advancement, and CIO office in 2013.   

From the almost immediate feedback we received, the perspective produced by combining our IT research and vertical industry expertise to address this somewhat vertically unique role of the Chief Risk Officer, and some of the challenges and opportunities facing this role as this new platform of technologies get a footing to deliver business productivity improvement in 2013 was both differentiating and well received. We appreciate that feedback.

If you were not able to attend, here are a few of the highlights, organised as business imperatives, then a set of risk/CIO predictions from IDC's 6 vertical insights groups, and then impact and guidance statements.

Business Imperatives

  • All business models and arrangements are beset with a range of risks (e.g., credit, market, and operations, shifting competitive landscapes, geopolitical, talent and technology). 

    Enterprises internalise these risks in different ways. Investments necessary to risks continue to be viewed as a critical survival component across industry sectors, including financial services, healthcare, energy, retail, manufacturing, and the public sector.

  • While the role of the human element, policy, and business processes for managing risk can never be overlooked, information technology (IT) and related decisions are becoming increasingly important to CRO in improving risk-based decisions and enterprise risk capabilities.

  • While our studies find increased attention to risk management and related investments, the return on these investments frequently comes into question for many reasons.

There's a lot to these statements, but 3 important takeaways.  First, when talking about risk and technology, particularly the 3rd platform IT, most talk about the risks these technologies create.  For example, SLA risk with cloud, or data privacy and governance risks with big data, or mobile security.  

The better view in my opinion is to envision how these technologies improve the management of risk.  For example, offloading analytic workloads to the cloud to improve financial performance forecasting, or incorporating streaming data to enhance fraud analytics, or using mobile and social behaviors to more effectively authenticate customer transactions.  

Second, the maturity and the form in which risk management is organised are not consistent across vertical markets.  At one end of the spectrum are industries like financial services which are highly regulated, with formal enterprise structures, multi-discipline and talent requirements, policies and processes, and dedicated IT.  

At the other end, you have industries like retail, where risk is managed through line of business initiatives without a formal CRO but instead a CFO scorekeeper and a security officer.    

And third, it's important to understand that risks in one industry most often have downstream and upstream effects in others. The impact of payment fraud in retail for example has a direct impact on bank risk models and fees.

Risk and the CIO Agenda

 IDC - CRO 2013 blog 8.jpg

So our premise is that change in the IT landscape, the enabling capabilities of mobile, social, cloud and big data and analytics, and general market pressures on the need to optimise all decision making bring the risk and IT closer together than it's even been, or needed to be.  

We've been writing and speaking a lot at IDC about the advent of the intelligent economy, built on the pilings of social, big data, cloud, and mobile, and how we've moved to into an era of enabling business productivity with IT - technology that is truly disruptive and destructive, and enabling at the same time.  

In the webinar, we stated that IT acceleration creates 3 types of general risks - one, the risk of doing nothing, being left behind with mounting legacy IT costs - two, the risk associated with IT change - and three, the risk associated with the promise of the technology itself.  The greatest risk, in my opinion, is the risk of doing nothing.

At each of the three tiers of the CIO agenda, the risk manager has important strategic and tactical opportunities.  For example, at the CIO Strategic Issue layer, establishing an engagement model and establishing metrics for performance of risk and CIO activities is a top priority. 

At the business Driven IT layer there's clearly a full plate of opportunities - from governance initiatives to optimise the use of models and analytics, to new e-identity opportunities enabled by big "behavioural" data.  And finally, at the operational layer, use of open standards/open source to protect against rising integration costs, cyber security, what we call critical enterprise infrastructure, are areas where the risk function must add value.

 VersaceBlogSlide2.jpg

Here's a snap shot of the vertical priorities for 2013 - see the webinar presentation for details.  It's interesting to note the commonality and market opportunity that exists in risk when you look across these verticals.  For end-user, I think there's tremendous opportunity to learn from cross-industry peers on common topics such organizational structure, engagement models, governance policy for big data applications, cyber security, and others.  For vendors, risk is a growing market. 

 VersaceBlogSlide3.jpg

Right - a lot to cover in 60 minutes.  We're interested in your feedback as we incorporate these perspectives in our vertical insights research agendas and CIO/IT advisory strategies.

We closed this session with five essential guidance statements and identifying the "Issue of the Year" as "how well business and technology risks are understood, communicated, and planned for across risk and CIO functions as industries and the public sectors advance toward 3rd platform products, services, and operations."

Posted by Michael Versace, Research Director, Global Risk, IDC Financial Insights