Cross-functional Partnership for Effective Risk Management

The partnership between a CIO and CRO (Chief Risk Officer) begins with each having a deep understanding of what the other is trying to accomplish for the company and how together they can achieve their objectives. This means sharing business plans and presentations, supporting cross collaboration between their teams and spending one-on-one time developing each other’s knowledge of their respective subject matter. This “rubber meets the road time” is critical to aligning messaging for board and officer communications, and it helps the risk manager be able to ask good questions while efficiently probing for the identification of threats and vulnerabilities which could harm the organization.

To partner effectively , each must recognize the gap in their own abilities and knowledge and allow the other to help facilitate improvement. The CIO may teach why IT resources are vulnerable to attack or misuse and the risk manager may teach how to prioritize threats and discover the impact to the business if specific threats arise.

Once the partnership is established, they can turn to leading the organization through the challenge at hand— managing the threats organizations face from “being online” so that they continue to extract value from information technology and win in their marketplace. No binder on a shelf ever survives first contact with an incident, but people who have the competence to lead and manage in a crisis can help organizations to navigate a serious situation with a greater likelihood of mitigating damage.

Urgency is added when we remember that about 80 percent of decision making in a company is done in middle management layers whose risk awareness and risk competence likely needs more attention. These are the very people whose linear, step-by-step, management abilities have promoted them in the first place. Is time best spent writing plans that become stale the moment the binder holes are punched, or is time better spent coaching, training, and exercising our middle managers competency to lead and manage through various unknown incidents? Let’s build their fundamental risk management abilities.

Teaching the competencies of incident management, business continuity, and disaster recovery by having a simple risk management conversation about what is critical to the business, how critical items are vulnerable and what threats may exploit vulnerabilities is the right place to focus. In a non-linear environment where anything is possible, we need flexible - minded managers who can stay calm and organize incident response based upon the facts coming in at the moment.

As foreign governments, hacker mafias, and rogue individuals continue to exploit an open internet and flaws in hardware and software to attack companies who continue to put themselves at risk to gain the benefits of being online, the logical response is to engineer flexibility and competence into our people—risk management competence is fundamental to a high performing culture. The binder on the shelf won’t just hurt you by falling on your head; it will hurt you most by diverting your focus from the reality of the moment that new technologies and threats are making.

New technologies will keep coming. New threats will keep evolving. Our best protection is a diverse internal partnership and becoming as expert as possible in the fundamentals of risk management. The business reward for this type of approach is to live and grow another day in the marketplace of your choice.