By Nichols, Vickrey & Sydow  |  Posted 02-08-2012

CIOs at Risk: Four Areas to Watch

David Nichols is CIO Services Leader, Geoff Vickrey is Enabling Technologies Leader, and Bob Sydow is Area Center of Excellence Leader for Ernst & Young LLP

Virtualization and cloud computing, social media, mobile and other disruptive technologies are converging to create something like the perfect storm for CIOs. The velocity of change, the pace at which technology is evolving, is so fast that uncharted risks make navigating today's IT environment more challenging than ever.

As the CIO's role evolves from providing tactical support for the business to becoming a strategic partner, the need to align IT's priorities to those of the business is of paramount importance. You also need to provide sage counsel, turning information into insights when the business is seeking to implement new technology solutions to achieve competitive advantage. The need to be fast to market might encourage organizations to procure and implement new technologies without understanding the full range of risks those new technologies present, and as CIO you must be ready with answers and solutions.

What's the issue?

The velocity of change in technology has forced many IT functions to adopt a new approach to sourcing and managing technology vendors and service providers as part of an overall IT infrastructure strategy. The current landscape of disruptive technologies presents numerous opportunities for IT functions to provide a more cost-effective, flexible and scalable infrastructure that better meets evolving business needs. This change is largely driven by advances in broadband, which now allows mobile devices to take full advantage of the cloud technologies that have been developing over the last decade. These advances are providing improved business functionality for organizations that have previously operated with a smaller internal IT footprint. But this change comes at a cost, creating a new set of risks that CIOs must effectively manage to be successful.

Why now?

The rapid introduction of disruptive technology is fundamentally changing how organizations go to market with products and services, interact with their customers, innovate and achieve competitive advantage. It is also creating a host of new risks that CIOs need to address.

How does it affect you?

In the past, IT functions had to create elaborate frameworks to deliver services that were primarily administered in-house. Infrastructure was developed and purchased under a peak-usage scenario, and any outsourcing involved long-term contracts with large vendors and often involved the transfer of physical infrastructure and resources. Going forward, infrastructure will be purchased on a pay-as-you-go or consumption-based model. Organizations are contracting with smaller, more nimble vendors with new contractual terms that are reviewed more frequently. Yet even as the physical IT footprint shrinks, the business expects CIOs to improve service delivery.

The other change that CIOs will have to contend with is a loss of control in the selection of technology platforms. Those decisions are increasingly being driven by consumers. IT's only option will be to react and respond.

This new hybrid infrastructure model creates a number of inherent risks for CIOs, including:

Strategic and financial risks. The number of vendors is growing, but the required size is shrinking, which can raise questions about their long-term viability. There could also be business-continuity risks if these smaller providers fail to meet service-level agreements. For instance, what plans need to be in place if a vendor's data center goes down? What losses could result?

Geographic risks. Geopolitical risks, from natural disasters and political unrest to persistent terrorism threats, particularly in emerging outsourcing markets, present significant risks of disruption to outsourced IT services.

Capacity risks. Smaller vendors might be able to offer greater flexibility, but their size could end up working against them, and you. Ultimately, they may not have enough capacity to support a growing customer base.

Control risks. An increase in outsourcing results in less control over your data. This presents the potential for data breaches and other security exposures.

Contract risks. IT functions will need to implement a rigorous vetting process to ensure that contracted vendors offer the right services in stable locations with sufficient capacity to support the business now and in the future. New vendors will also need to prove ongoing solvency and robust security.

What's the fix?


There are four steps CIOs can take to help mitigate the risks in today's rapidly evolving technology environment:

  1. Understand the risks. As the pace of technology change accelerates, a new set of risks emerges. In addition to external threats, IT functions face evolving internal threats and potential misuse as they attempt to blend the use of new technologies within the current IT infrastructure.
  2. Identify the risks. The complex factors that drive uncertainty and risk need to be effectively adapted to the design and implementation of governance, processes, controls and tools. As the degree of IT project complexity increases, the risk of failure, or, at the very least, of not meeting the IT project objectives also increases.
  3. Mitigate the risks. A comprehensive program risk-management strategy is key to mitigating risks. Once the risk factors have been identified, they can be managed throughout all stages of the evolution. The probability and impact of each risk need to be evaluated, highlighting the highest risks, as well as sequencing the remediation. It is important to note that not all of the risk-management strategies will be technical in nature. Some will involve policy changes and increases in awareness training. IT functions can plan for 90 percent of the risks, understanding that 10 percent will be in constant flux.
  4. Evolve risk management and controls processes.

Additional lines of defense are also key to ensuring IT program success. Elements include:

  • Appointing experienced and dedicated risk managers
  • Creating a risk committee that is tasked with managing and monitoring the end-to-end risk program
  • Enhancing the role of internal audit
  • Leveraging external risk experts to complement or extend knowledge beyond the experience within your organization

What's the bottom line?

The pace at which technology is changing will not slow; it will only accelerate. To be successful, CIOs need to establish a robust set of processes and controls to effectively manage the new risks that new technologies bring.

This will require the CIO to gain an immediate understanding of the changing demands from the business, the technologies that are likely to make the greatest impact there, and the ever-evolving vendor landscape within their organization.

The CIO doesn't necessarily need to react to every aspect of this rapidly changing environment, but he or she will need to thoroughly understand the change drivers and the impact to the organization.


The views expressed herein are those of the authors and do not reflect the views of Ernst & Young LLP or any other member firm of Ernst & Young Global Limited