Risk Management and Governance

Governance is important. Governance can be an enabler for change and growth. The key is how the governance rules are defined. They cannot be dictated from on high, but instead must be developed through careful consideration with end users and stakeholders, not just the audit and risk committee.

At the operational level, a keen understanding of who does what and how different teams interact is vital for the organisation to locate areas where there is a risk of weakness.

Demonstrable governance processes build the trust of the executive team and the Board, so long as the governance is not so restrictive that end users ignore it.

Our Capability:

  • Reviewing current governance arrangements and advising on ways to make them reflect the needs of digital technology, whilst still ensuring compliance with audit and risk committees.
  • Developing the technology leadership into a well performing team, fully equipped to handle all the challenges of a multi-faceted organisation.
  • Advising on the factors to consider when deciding who needs to be involved in given projects.
  • Identifying a governance framework that enables change with the right controls to mitigate risk, but with the right freedom to stimulate innovation.
  • Assessing the board's risk appetite and tolerances and assisting the IT team to relate them to the risk inherent in IT activities, projects and programmes.

Points of View

CIO Connect publishes regular ‘Point of View’ documents. Here are links to a selection of recent documents related to risk and governance:

At its simplest, governance is about how you take a decision. Governance rules need to be formalised in a governance framework that is created in isolation from any particular decision. The framework determines which structures are created with the authority to opine on governance and take decisions.

Governance is critical to the success of any organisation. Without it there would be chaos. Freedom is critical to innovation. The CIO in their role as orchestrator of the newly emerging digital world has a special responsibility to ensure that IT governance is sufficient to conform to necessary organisational controls yet provides the freedom to allow testing and execution of innovative ideas.

IT risk is viewed in different ways by the board and the IT team. The IT team usually sees risk in terms of a danger that something won’t work (i.e. an operational risk). The board sees risk from a much wider business perspective, and IT needs to align with that broader view. How can CIOs understand risk and ensure their approach is in line with the broader business perspective?