Sep 07

Crisis and the Blame Game – Stories from the Cauldron

Over my career, like many of you, I’ve had to manage crisis situations.  The “Customer” database goes down and the company cannot process a single transaction involving any customer – online, on the phone, in person…  An earthquake destroys the data center…  Everyone’s had their moment in that critical spotlight.  I thought I would take a moment and illustrate some of the approaches I’ve learned over the years.  I do not hold myself out as a shining example of a crisis manager, but these tools have served me well.

Manage Your Stress

A crisis is by definition stressful, and some people handle stress better than others.  A friend of mine long ago told me a story that I re-play in my mind whenever I feel the stress getting too high.  I also use this story to mentor others on managing their own reactions to stress.

My friend was a part-owner in a software company in South America (that he referred to as a Banana Republic).  They had made the mistake of bidding on, then winning, the job to process the election results for President of the country.  It’s election night, the polls are closing, and the software is not working.  In walks the current President, with his machine-gun toting entourage, saying “I need to know if I’m going to be President tomorrow.”  Then he points out the window, saying “You see all those people in the street with their Molotov Cocktails?  They’re pretty interested in the answer too.”

Now I embellished the language a little bit to make it more “pithy”, but the situation was quite real. The potential for a civil war, people will die, if your software doesn’t start working REAL soon.  THAT is stress.  The fact that your company is losing a million dollars a day because the website can’t take customers is, by comparison, NOT.  It also keeps me thinking that I’ll make better, more rational decisions, if I don’t become overwhelmed.  That will resolve the situation sooner as well.

Oh, and my friend?  He “managed” his stress well enough to get the software working so that they had a result 2 hours after the polls closed.  He never did tell me who won. (smiley).

The Blame Game

It is a common reaction (I won’t use the word “normal” for this situation) to begin a circular firing squad in a crisis.  It’s not MY fault, it’s YOURS.  This accomplishes nothing except delaying getting to the solution – even if you have found the right person to blame.  I was on a disaster conference call with that “Customer Database Down” situation where the company was losing about a hundred thousand dollars an hour.  The round-robin blame game started.  When, after two minutes, it was clear that it showed no signs of stopping, I raised my voice on the conference bridge.  “Enough.  It’s all my fault.  I caused this.  Blame me.  Now let’s start figuring out how to fix it.”  15 seconds of dead silence was followed by “well, has anyone thought of this idea?”

Blame has no place in crisis resolution.  Save it for the Lessons Learned session after normal operations have been restored.  Even then, blame the process that allowed the mistake to occur rather than the employee who made it.

Creating Order from Chaos

A crisis easily devolves into chaos unless the team is well practiced in dealing with crises.  If they are, then crises likely happen way too often.  Beyond solving the immediate problem, preventing its recurrence is a secondary priority – but one that is often lost in the chaos.  Attempting to instill order or process during the crisis is often as counter-productive as the blame game; the wide-ranging creativity that results from an unusual pressure situation is needed.  During the fire-drill, however, the critical gaps and flaws in normal processes that allowed the crisis to occur can be glimpsed – and missed if not noted contemporaneously.  These are the best possible fodder for the “Lessons Learned” meeting afterwards.  Don’t ignore them; scribble them down somewhere for later thought.  One or two might turn into a rabbit hole later, but there will be gems in there.

Common wisdom has it wrong – Focus on the problem, not the solution

It is common for a theory of the problem to emerge and most everyone gets focused on solving for that theory.  Some percentage of the time, that theory will be true and the problem solved quickly.  Some percentage of the time, that theory will be wrong and all the time spent on the “solution” will be wasted.  When a team is working on implementing a “solution”, make sure that there are others on the overall team who work on the assumption that the “solution” is false and more investigation is needed.  Look everywhere EXCEPT where the solution team will be looking.  Have no pre-conceived notions.  Assume this is the first-ever occurrence of whatever caused the crisis and that it is something no one on the team has ever dealt with before.


There are many other good tools useful in crisis situations, but I’ve written more than enough for today.  No one wants to go to a blog and read an entire book.  I am also sure that readers of this article will have dealt with other types of crises with other types of tools – or even run into situations where my tools would be worse than no tools at all.  I hope you will share those experiences, I’d love to learn from you.

Dec 27

Following your Bliss…

Recently, a colleague of mine presented me with a problem.  I’ll anonymize him and the company so as to avoid embarrassment of either.  Joe is a clear expert in a specific technology that is becoming critical to the way the company will develop its software going forward, and was hired specifically based on this expertise.  Walking in the door, he was one of the top three experts in the company on the technology that everyone will end up needing to learn.

Every organization has a distinct personality and way of doing business.  The company in question allows teams great latitude in how they will accomplish the goals they are given.  While this new technology is pivotal to the way the company will operate in the future, it has a very weak mandate.  Adoption, in accordance with company personality, is based on “convincing” the team that the approach is the correct one, not mandating adoption.  If the technology is truly right, we should have no trouble convincing people.  If we can’t convince people, maybe it is not the right choice.

Joe expressed his frustration at not being recognized for his expertise and the fact that the project team to which he was assigned was actively ignoring his input.  In this assessment, he is absolutely correct.  His evaluation of his personal worth is based on his technical ability and the respect he was shown.  This culminated in his statement that he is finding it challenging to motivate himself to come to work every day.

Joe comes from a different organizational culture where his position carried with it the authority of powerful sponsors.  He has not had the need to earn his way to respect, it was handed to him with the positions he had over the years.  Hence the frustration.  His ideas are right.  The team should adopt them.  But they are allowed to say no, and they are doing so. 

I recognize that the organization needs to adopt this strategy, but that politics dictates a more subtle approach.  I am keenly aware that we, as an organization, need both the enthusiasm and the expertise of this individual.  However, if things continue the way they are going, both of those needs are in jeopardy.  The more the solution is pushed, the more reverse psychology will ensure that the new style is not adopted.  The stronger this individual pushes for his ideas, the more he threatens his own position.

So, I took it upon myself to counsel Joe.  I explained that I had been in his situation where I had strong authority, and where I had none.  I pointed out that his problem with motivation stems from tying his identity and worth to the technical solution he was proposing rather than his personal skills as an architect and leader.  If you come to work every day not with the goal of accomplishing a given task, but instead with the goal of improving your personal worth using the technical challenge as a vehicle, life becomes exciting.  You never know what’s coming around the corner, and you have the constant interesting challenge of how to adapt yourself to whatever life throws your way.  If you do your (redefined) job right, all the right things begin to happen of “their own accord” and you have all the success metrics you need to prove your value.   On top of that, you no longer need to prove your value, it becomes obvious to all those around you.  And even better than that – you are following your bliss every day by finding more reward in everything you do as you craft a better you.

My efforts with Joe are still a work-in-progress, and I will share what works and what does not here in this forum as we journey through this together.  I would love to hear your thoughts and suggestions that might help my colleague and me through this discovery process.

Oct 25

Creative Geekdom

In an interview a few years ago, the interviewer asked me to list some traits by which my colleagues would describe me.  I mentioned “creative” as one of them.  As you would expect, the immediate follow-up question was to provide an example.  I stumbled and fumbled, I drew a complete blank.  The interviewer certainly thought I was simply blowing smoke, that I wanted him to think I was creative when I wasn’t.  The honest truth was that my colleagues did (and still do) call me creative, but I never looked around to see why.

So, I spent some time thinking about it – was I really creative?  I’m not sure, but at least I can think of an example or two of something creative that I’ve done.  You decide.

Flashback: Katrina had just pummeled New Orleans.  I was working as a Solution Architect for EarthLink at the time.  The project was Metro Wi-Fi (a Wi-Fi equivalent of Clear’s service model focused only in high-density urban centers), and I had just finished two large Voice over IP rollout projects.

We were all stunned by the scope of the devastation, and wondering how we could make a difference from Atlanta.  Emails started to fly around with all kinds of ideas.  Mine was thus: There were no cellular or landline communications in the deepest areas of destruction and people could not find out if their loved ones were alive.  We were attempting to sell Wi-Fi phones in the cellular market, and we were wiring urban areas with Wi-Fi access points. We had a bus equipped with a satellite dish for broadband unwired backhaul.  Let’s put all that together and drive into the flooded zones and start handing out phones.  I was working side-by-side at the time with the product VP for voice, and we very nearly pulled the trigger until we found that the bus was a thousand miles away and he could not get it redirected for another week.

Had it worked, we would have helped hundreds or thousands of people to put their family’s worries to rest.  EarthLink’s PR department probably would have made sure the company got some credit for it, though that was a very small consideration given the human situation on the ground.

We ended up going with the second option which was essentially a web-based registry of people and where they could be found.  We helped, but not as much as we had hoped.  Do you have a story of creativity?

Sep 20

Managing Chaos

Managers mostly come in two flavors: the fireman and the accountant.  The fireman is a crisis manager.  This is the one you run to when the data center melts down or your product blows up in the face of a child star on television.  They excel at stopping the bleeding by applying tourniquets and enough emergency care to get the patient out of the hospital.  A crisis manager keeps a cool head during all the shouting, ensures everyone is focused on the most important problem, and bulldozes any road blocks that come up.  They are not good, however, at what I call steady-state management.  They get bored, they are addicted to adrenaline.  If there’s no crisis, they spend a little time getting better prepared for the next crisis, then they go to sleep.

The steady-state accountant manager, on the other hand, is keeping things moving day-by-day, and slowly improving the processes to produce more and prevent future crises.  They manage people and processes, not situations.  The accountant ideally thinks proactively, compared with the reactive crisis manager.  The better they do their job, the less you realize their value – or even their existence.  In a crisis, however, they are lost.  They look for what went wrong, where their systems failed them, rather than the main goal of getting back in operation as quickly as possible.  They can often add to the panic rather than push through it.

So where do I fit in?  I’d love to say I’m the ideal mix between the two, but that would just be self-serving and inaccurate.  I do fit in the intersection, however.  I would describe my approach as building order from chaos.  I do manage to keep everyone focused on solving the crisis if one appears, but I don’t make the intuitive leaps that a natural crisis manager can.  When the crisis is over, my first task is to gather Lessons Learned and divide them into two categories: How to prevent the next crisis, and How to respond faster next time it happens.  But unlike the crisis manager, my next step is building the processes to prevent future occurrences along with the plans and tools to respond more quickly to any similar event.  In between crises, my aim is to build robust processes within my group to proactively address future needs and more efficiently produce current results – similar to a steady-state manager.  I will admit that focusing on the detailed minutiae of minor incremental improvements, where the accountant shines, is where I begin to lose some interest.

Where is your sweet-spot in this spectrum?

Jun 18

IT Management, Herding the Cats

You know?  There are a lot of management theories and guidebooks out there.  Theory X, Maslow’s Hierarchy of needs.  The five levels (good book, by the way).  I don’t subscribe to any of the more-than-dozen I’ve studied.  As with most things, they have enough truth to be valuable, but not enough to be reliable.  There are some basic ideas which I use when leading people.

First, even when I owned the business and employed several consultants, I have always relied on influence rather than authority to move the people with whom I work.  I get far more results per effort-hour from motivated (and especially from inspired) employees than I would from two people working because they fear for their position.  I begin by building a one-on-one relationship with each one where I understand the levers which motivate them.  In other words, I find out what they want, then explain to them how what I need from them will move them toward what they want.  Then I deliver.  This generates respect and trust.

This goes hand in hand with my practice to pass along kudos – they’re for my people, not for me – and intercept any blame.  The only person allowed to blame my people for anything is me.  In a crisis situation, while on a bridge call to restore a critical service, I heard people saying, in essence, “No, that wasn’t my fault, it was the other guy’s fault.”  I immediately stopped the conversation by saying “No, it is my fault.  Blame me.  Now solve the problem.”  I knew exactly who had caused the problem, and we had a conversation the next day when the service had been restored.  He never made such a mistake again.

On the other hand, I had two people loaned to my team to help out on a difficult project.  They went above-and-beyond, really helping me get the job done.  I made sure that their boss, his boss, and her boss all knew what those two had done for me.  From that day on, I always received instant attention to anything I needed from their group.  This is one of the ways I lead by influence rather than authority.

This same thinking applies to global groups, including outsourcing.  Many seem to think that if the work is being done by an outsource company, the paycheck they receive is sufficient.  I know that treating each one as an individual, and filtering their motivation through a cultural lens based on their culture not mine, makes them perform better.  My projects with outsourced resources do not fail because of communication or lack of domain knowledge issues.

There are a couple of rules I try to never forget, stemming from my time running my consulting company.  First, I always remember that I have some measure of responsibility for the food on their table and the roof over their head – which makes me accountable to them.  I must treat them fairly and make sure they know where they stand so they can make sound decisions about their own future and wellbeing (for good or ill).  Second, helping them to develop into the best they can be only enhances my productivity and chances of success.  In my case back then, it literally affected the amount of food on my table.

There are many other guidelines I use, such as ways to foster collaboration, consensus, and creativity, but I’ve already spouted enough platitudes for one article.  Help me out and tell everyone here how you encourage creativity in your group.

Jun 11

Strategic IT Resource Allocation

So, now that I have pontificated for about 6 weeks on IT organizational structure, I can finally answer the Professor’s question: how do you strategically allocate people to keep normal operations flowing yet still advance strategic IT capabilities that extend the business’ competitive advantage?  If you put all your attention on keeping current things from falling apart, the competition will pass you by.  If you focus only on the future, the floor will rot out from under you – that was the essence of the conundrum he presented (rephrased in my own words).  So: where do you put your best people in order to keep both progressing?

The obvious and over-simplified answer is to balance it out so that they’re spread across the organization.  But I contend that beyond being trite, it is also wrong.  First, the two areas require different talents, meaning it is not an either-or situation.  Second, there are different levels (individual contributors, first-level management, executive direction) that provide more levers to push.  I think that the U.S. Navy has long had the general answer to this question.

A ship is run 24 hours a day, separated into watches.  Let’s divorce theory from reality for this discussion and say that there are 3 watches, one led by the CO (Captain), one by the XO (first officer), and one by the CDO (command duty officer, which is a rotating role, not a person).  Who is on the bridge with the captain?  The weakest, newest officers being evaluated or trained into the positions.  Who is on with the weakest of the three commanding officers?  The best officers for each position – specifically to cover the weakness of the officer commanding the watch.  We’ll ignore the mix characteristics for the XO for the time being.

This same model can act as a guide in strategic personnel assignment.  In the maintenance role, you want a tactical leader who is a great crisis manager.  This role needs little strategic thinking, other than planning for the next crisis.  The people they lead need dogged troubleshooting skills and deep knowledge of how things work, but they do not need to be the “best and the brightest.”  The senior leadership of this group performs mostly an administrative role.  Of the three levels (IC, mid-management, executive), the maintenance/operations group needs the mid-management to be its strongest link.

The development organization, on the other hand, is the exact opposite.  The individual contributors need to be independent and creative, the best and the brightest.  Mid-managers in development often only need resource-management or administrative skills – if the individual contributors are as strong as they should be.  The executive level needs strong vision and inspiration ability.  In this case, the stronger people are in the Individual contributor and Executive positions, while mid-management can be weaker.

Those who show strong management potential might be promoted into mid-management of the maintenance organization where they gain knowledge of how the business works, how important it is that things keep operating, and how to deal with high-stress situations.  Managers from the maintenance side of the house can make good candidates for the executive core of the development organization because they now understand more of how the whole business works and what they need to work better.

As with any organization, there is no one cookie-cutter approach that works all the time.  What I describe here works when the IT organization is structured as I described in the past several articles.  The same kind of thinking (why you need strength at different levels) applied to IT Organizations with different structures and strengths will lead to an optimal layering of talent for that specific organization.

Tell us all how your organization focuses its technical talent to achieve organizational objectives.  Have you seen models that work better?

Jun 07

IT’s Batman and Robin

So we have two TLAs (Three Letter Acronyms) that look alike and sound alike.  What is the difference between a Chief Information Officer (CIO) and a Chief Technology Officer (CTO)?  I will give you a different answer and perspective than you will see by Googling the terms.  The difference is very simple: Whatever the two of them decide it should be.

Sure there are standard definitions, but they should only serve as guidelines.  An organization is unlikely to find two people that fit the textbook roles and they should not try.  The two need many overlapping talents – vision for the future, ability to truly see the present, a deep understanding of the business and industry, and the ability to lead and inspire their people.

I have seen many pairings in different shapes and flavors.  One organization had the CTO as a peer of the CIO, where the CTO (with no direct reports) reported to the CEO and the CIO reported to the COO.  In some, the CTO is little more than the “idea man” for the development organization.  Most common is the CTO who manages the Enterprise Architecture group.  The textbook-ideal has the CIO doing hands-on management of the Operations organization, and managing the Development organization through his proxy, the CTO.

The structure does not really matter as long as it supports the natural division of talents between the CIO and the CTO.  They are partners in helping the business drive for success.  For example, while the CIO would typically be responsible for the supply chain, if the CTO has a very strong LEAN background, they may swap that role.  The two should split up the responsibilities for the department based on which one can best do each major task.

Speaking in generalities, however, the basic distinction is that the CIO focuses more on current operations and efficiencies, while the CTO focuses more on growing the catalog of business capabilities.  Within that very high level division of interest, the two of them operate as a team filling in all the holes and driving excellence into the business.

I have seen a new definition pop up lately, the Chief Science Officer (and every time I hear it, I think of Spock – smile).  Has anyone ever seen such a role in their organization?  How did it compare to CTO and CIO, and did it make an operational difference to the organization?  Please comment here and let us all know.

May 29

Understanding what the business needs

The last installment in my series about IT Organization will discuss the PMO. What does that stand for? Most often, Project Management Office, but some call it Program, others Portfolio, and though the words have different meanings which affect the focus, they all boil down to one thing: Understanding what the business needs, prioritizing it, and getting the organization’s resources behind getting it done.

The PMO’s first task is to understand what the business needs. Portfolio management is the best starting point. The portfolio managers are linked to lines of business and understand their roadmaps. This can be done by pairing portfolio managers with product managers in the business units, if they have them. Since the business units have more work than can be done at once, the portfolio manager also provides prioritization of strategic portfolio work as well as projects and maintenance work (where the line of business has reported bugs or requested minor enhancements not sufficient to group into a project). The portfolio manager must understand all work streams for their line of business and organize the work streams to fit the amount of time IT management allocates to that line of business.

Program managers are typically assigned one-to-a-program where the scope of work is strategic and large – to the point that the program manager may have a project manager or two working for them. Project managers will typically work on more than one project at a time, providing project management shared services to the enterprise. Project and Program managers should be certified by the Project Management Institute (PMI). Of all the certifications I have taken or seen, this is the most meaningful. It requires the candidate not only to be able to recite their taxonomy, but also to demonstrate several years of experience actually doing the job.

The second segment of the PMO is the Systems Analysts and Business Analysts. This group is the font of knowledge of what capabilities the business has. These analysts elicit requirements from the business users and translate them into specifications for the developers. They become the experts on the details of what must be done, and work in conjunction with the subject matter experts and architects to figure out the ‘how.’ The strength of the analysis group allows the development group to become centers of excellence for their technologies rather than silos aligned to the business units.

The head of the PMO is the natural leader for the Project Governance group, but a key characteristic that must be sought in this position is the balance between delivering when needed and following the process. It is too easy for the leader to get caught up in making the process king and becoming a bottleneck in achieving the business’ strategic goals.

I watched an organization struggle trying to make their PMO fit this vision, but left before it was implemented. The difficulty they had was getting sufficient knowledge of the business in their Business/Systems analysts, when starting from the ground up. Does anyone have any suggestions for how to accomplish this?

May 22

Do Enterprise Architects Architect the Enterprise?

In a word, unlikely. 

Today, I continue the series on IT organizational structure.  So far, I’ve talked about Operations (with three sub-areas: Infrastructure, Production Operations, and Risk Management) and Development.  Today’s topic is Enterprise Architecture, and it will be natural along the way to discuss the Enterprise Architecture Oversight Committee (from the article on Governance).  The final article in the series will be Portfolio Management and two related Governance committees: Project Governance and Strategic Planning.

So: Why don’t Enterprise Architects Architect the Enterprise?  Because almost always, the Enterprise is already built (smile).  At best, they’re blueprinting the remodeling effort.  Unfortunately, in too many cases, they’re re-arranging the knick-knacks on the shelves.  The challenge for the leader is to keep the organization relevant by solving business problems without resorting to ivory tower ideology.

Today, everyone calls themselves an architect.  Apparently, development and analysis titles are too boring or do not pay enough.  Anyone who can string three programs together is an architect.  For the purposes of the Enterprise Architecture group, I plan to focus on four types of architects: Application (domain expert), Solution (cross-application focus on single business problem), Infrastructure (hardware), and Enterprise – along with their boss, the Chief Technology Officer.

An Application Architect focuses on a single (or a few related) application domains (Provisioning or Fulfillment are examples).  This role is a subject matter expert in the business domain.  The individual has knowledge of all the technology used to solve the problem space – applications, servers, databases, middleware, hardware and business processes.  Application Architecture strongly overlaps with the Portfolio Management Systems Analysts for that business area so that you can use the strengths in one to manage the weaknesses of the other.  This area also includes the architect responsible for the middleware layer (e.g. Enterprise Service Bus, Business Process Modeling, etc. – sometimes referred to as a Technical Architect).

A Solutions Architect takes a single business problem from idea to reality across all applications and infrastructure.  Solution Architects often overlap with Project Managers.  They lead cross-functional teams and do joint design sessions, integration walkthroughs, etc.  The Solution Architect is a guided missile who is aimed at the target of the strategic business problem to be solved and who brings every resource necessary to bear on the problem until it is solved.

The infrastructure architect is busily trying to figure out which configuration of hardware elements will most effectively support all the needs of the enterprise. Many organizations place this responsibility in the Infrastructure Operations organization, but it truly belongs in EA.  This role is responsible for everything from the composition of the data center, integrating cloud processes (internal and external), to what type of equipment goes into the networking closets at all the remote offices.

The Chief Technology Officer is the leader of this organization, whether tasked with management responsibilities or not.  In some cases, the CTO has incredible talent to solve massive strategic business problems between breaths, but would drive all the design talent screaming out of the organization.  While this is regrettable, sometimes the talent is too strong to give up and must be supplemented by a manager to take day to day supervision tasks off that person’s shoulders.  But even in that case, the CTO sets the direction for the EA group by defining the right problems to solve and the principles to which the group will aspire in solving them (principles-based architecture).  It is best if the CTO directly leads the group, but even if that is not feasible, the CTO is the spiritual leader of the team.

Shortly, I plan to discuss the differences between the CIO and the CTO.  The two are like a matched pair complementing each other’s weaknesses with their strengths. The compatibility of the CIO and the CTO is far more important than the actual job definitions for each, as they can fluctuate to take advantage of each one’s superior skill set.  But I will talk about what the roles should be in theory.

The CTO is the chair of the Enterprise Architecture Oversight Committee (EAOC) in the governance role.  Does that mean that the CTO is dictating architectural decisions to the rest of the organization?  If so, that person should not be the CTO.  The EAOC decides issues by consensus, and the CTO is the chief salesman within the group, advocating for the vision.  If the CTO cannot convince the operating majority of the group, it is likely that the idea is not good enough or the CTO lacks persuasive ability, which is a key component of the job description.  As described earlier, the EAOC is charged with maintaining the list of approved technologies and ensuring that any newly proposed technology or major architectural component has been fully vetted before being acquired.

One organization used the EAOC to enforce its technological will on the development directors (because the leader was dominated by the “bright shiny object” syndrome – adopting technology simply because it is “cool”) or as a constraining leash on the architecture group (because it was led by the risk-averse Operations group).  Properly run, it is balanced and focused only on what is healthy for the whole enterprise.

Please share your stories of how EA helped or hindered your organization in the quest for strategic growth.

May 18

Information Risk Management

The article below is part of the overall discussion of the IT organization and was written by an Executive Summary contributor, Rodrigo Ruiz.  Rodrigo was the VP of Risk Management for ING Latin America and one of the broadest thinkers I’ve run across on the subject of Risk Management.  I hope you enjoy his article and comment liberally.

I would like to share my thoughts around what is the best fit for the Information Risk Management (IRM) function reporting line within an Organization and, hopefully, get feedback from this audience.

Of course, there is no unique (magic) recipe. In my opinion, it will depend on the size, complexity, risk profile, and regulatory environment that apply to the business that the Company supports. In smaller and less complex Companies, I have seen the IRM function either non-existing or built within the IT Organization, or in some cases mixed with Information Security Operations function. While in large and complex Companies the IRM function is separated from IT and reports to the Chief Risk Officer (CRO) or to the Chief Financial Officer (CFO).

In Companies that have a matured Risk Management practice, IRM fits within a larger Risk Organization that combines IT Risk with all other Operational Risk functions (like fraud risk, personal and physical security risk, control risk, processing risk, compliance risk, etc) on a more integrated approach.

Usually known as Enterprise Risk Management (ERM), this framework will integrate all Risk Management functions. The Enterprise Risk Management COSO framework (shown below) emphasizes the importance of identifying and managing risks across the enterprise. The COSO framework consists of eight components:

[Figure: Enterprise Risk Management Model]

1. Internal control environment
2. Objective setting
3. Event identification
4. Risk assessment
5. Risk response
6. Control activities
7. Information and communication
8. Monitoring.

 

Based on my experience, when a Company moves the IRM Function out of IT, it gains transparency on risk identification and reporting; therefore, making the risk more visible to the Business. IRM, in conjunction with IT, helps the Business Leaders to better understand the business risks associated with specific IT related vulnerabilities, threats, control effectiveness issues, etc., so that business decisions can be made regarding risk acceptance, mitigation, transfer or avoidance.

Please feel free to provide comments or open discussion points.

Rodrigo Ruiz