Risk management: Be afraid

CIOs should use marketing-style 'fear, uncertainty and doubt' (FUD) tactics to pressurise boards and senior management into properly resourcing and prioritising operational risk management, a veteran CIO claims.

Martin Laing, CIO of Societe Generale's Australian business and a 24-year IT veteran, told delegates at an Alphawest leaders' forum last week that CIOs should "employ the tactics of the sales force of our suppliers" to drive home the threat of failures in day-to-day business processes.

Laing said such operational failures could be highly damaging: "Think of the effect of not making [payments via the Society for Worldwide Interbank Financial Telecommunication messaging and interface system] for a few hours, or a senior executive being caught viewing undesirable internet sites and having that splashed across tomorrow's tabloids."

He said the finance sector's requirement of instantaneous performance and high levels of interfacing between complex systems, combined with rapid change, demanded CIOs be "creative" in maintaining control over operational risk.

"We must create an internal FUD factor that will demonstrate what we are protecting ourselves against," Laing said.

"We need to create the [FUD] and report on the risks and vulnerabilities that exist, and present to our board that direct action is required."

He cited Gartner's recommendation that 3.5 per cent of the IT budget in financial services should be dedicated to security alone - excluding disaster recovery and business continuity planning. Yet he questioned how many financial services providers actually allocated that proportion.

"We must continually show [management] that cutting corners is no longer acceptable behaviour," he said.

IT executives must convey to management that issues such as disaster recovery and business continuity are not just be the province of the IT department, said Laing. Final responsibility should lie with company management.

"[It's] very important that the management responsibility for your DR/BCP [disaster recovery/business continuity process] is held outside the IT department.

"Yes, IT will be part of the management team, and should be. But IT, like every other department of your bank, [must be] seen as a contributor in addition to a participant."

Steven Deare writes for ZDNet Australia