What's the fix?
There are four steps CIOs can take to help mitigate the risks in today's rapidly evolving technology environment:
- Understand the risks. As the pace of technology changes accelerates, a new set of risks emerge. In addition to external threats, IT functions face evolving internal threats and potential misuse it attempts to blend the use of new technologies within the current IT infrastructure.
- Identify the risks. The complex factors that drive uncertainty and risk need to be effectively adapted to the design and implementation of governance, processes, controls and tools. As the degree of IT project complexity increases, the risk of failure, or, at the very least, of not meeting the IT project objectives also increases.
- Mitigate the risks. A comprehensive program risk-management strategy is key to mitigating risks. Once the risk factors have been identified, they can be managed throughout all stages of the evolution. The probability and impact of each risk needs to be evaluated, highlighting the highest risks, as well as sequencing the remediation. It is important to note that not all of the risk-management strategies will be technical in nature. Some will involve policy changes and increases in awareness training. IT functions can plan for 90 percent of the risks, understanding that 10 percent will be in constant flux.
- Evolve risk management and controls processes.
Additional lines of defense are also key to ensuring IT program success. Elements include:
- Appointing experienced and dedicated risk managers
- Creating a risk committee that is tasked with managing and monitoring the end-to-end risk program
- Enhancing the role of internal audit
- Leveraging external risk experts to complement or extend knowledge beyond the experience within your organization
What's the bottom line?
The pace at which technology is changing will not slow-it will only accelerate. To be successful, CIOs need to establish a robust set of processes and controls to effectively manage the new risks that new technologies bring.
This will require the CIO to gain an immediate understanding of the changing demands from the business, the technologies that are likely to make the greatest impact there, and the ever-evolving vendor landscape within their organization.
The CIO doesn't necessarily need to react to every aspect of this rapidly changing environment,but he or she will need to thoroughly understand the change drivers and the impact to the organization.
About the Authors
David Nichols is CIO Services Leader, Geoff Vickrey is Enabling Technologies Leader, and Bob Sydow is Area Center of Excellence Leader for Ernst & Young LLP
The views expressed herein are those of the authors and do not reflect the views of Ernst & Young LLP or any other member firm of Ernst & Young Global Limited