How Will Your IT Strategy Reduce Business Risk?

 

In my first two blogs, I talked about the need to communicate how implementing an IT strategy will accelerate value delivery and deliver new capabilities. CIOs have a fiduciary responsibility to reduce technology risk. This type of thinking is often second nature to IT professionals. However, business executives may be unaware of technology risks and the benefits of reducing those risks. They might also lack an appreciation of the efforts required to address said risks.

CIOs should reinforce messages concerning technology risks in strategy and budget discussions. The challenge is to do so in a proactive way. The best way to go about it is to answer the following question as part of the strategy discussion: How does the IT strategy reduce business risk?

Identifying Risks

Security risks due to intrusions and ransomware are often in the news. CIOs can easily reference these risks and have the organization understand them. Referencing and targeting these risks is necessary to build awareness and secure funding for new security measures.

Business executives often downplay legacy technology risks. CIOs have a fiduciary responsibility to raise these issues and pursue funding for system upgrades and legacy technology requirements. They must also identify the potential for business disruption due to dependence on legacy technologies. Identifying the business risk of falling behind (from a product and underwriting perspective) due to dependence on legacy platforms is an appropriate way to build a business case for necessary upgrades and replacements.

Service-oriented architectures and cloud deployments introduce complexity and new risks. One of the benefits of cloud implementations is access to the cloud providers’ security services and capabilities. However, communicating cloud security benefits may mislead oversight committees and undermine proposals for monitoring software or other solutions that provide problem-solving and analytics capabilities across a complex network and deployment of services. CIOs need to identify this complexity as a new but manageable source of risk.

Heat maps are an effective tool to link business processes to associated risks and enable objective prioritization of related investments necessary to reduce these inherent risks. Presenting all risks in this summarized format helps to focus discussion on the highest priority risks.

Reducing Current Risks

Talent risk is very real. The risk has increased recently due to a rise in remote workers, the aging population of legacy technology support personnel, and the rapid pace of technology innovation. System and technology retirements are only part of the solution. IT strategies should explicitly indicate how they will access alternative talent pools, complete cross-training, and manage talent during IT transformations.

Vendors face some of the same risks and challenges that insurers face. Vendor management programs should score vendors on financial, technology, and talent risks, as well as service delivery capabilities. Vendor management programs should evaluate financial risks from insurer and vendor perspectives. Vendor management organizations, IT, and legal departments should review contract terms for duration, price escalation caps, and escape clauses. IT and finance should also review and monitor the vendor’s financial status. A best practice is establishing risk mitigation plans for vendor risk before trouble occurs and setting objective criteria for when those plans should go into effect.

Many startups fail to expand beyond their initial clients. They can lack the capital to continue investing at the rate necessary to develop their offerings further. Insurers need to assess the potential for additional cash infusions or the impact of termination of services. Novarica also recommends risk mitigation plans for InsureTech startup engagements to prevent teams from becoming too deeply entangled with failing companies.

Insurers can establish targets for risk mitigation by developing future-state heat maps for several periods. Doing so can be a challenge: High-priority risks may be addressed in the next year, but moderate risks may develop into larger risks in the same period. Novarica recommends an iterative process to identify optimal risk reduction plans where varying investment levels are forecasted.

Project and program governance can also play a vital role in managing risks. Governance or IT Steering Committees should assess active and approved projects for the next planning cycle for risk against established criteria. The PMO or whoever is presenting the plan to the governance committee should explicitly present the overall risk profile of the entire project portfolio.

Multiple large programs or multiple introductions of new technologies in a given period increase the risk of all projects during that period. Communicate and evaluate risk mitigation strategies against the portfolio assessment. The governance committee should also assess any new requests and categorize them against the same risk criteria.

Managing Future Risks

Security risks are a moving target. Proactive measures for testing, monitoring, and staying ahead of emerging security risks are necessary. Any plans should highlight these measures.

Emerging technologies also present a future risk that insurers must address. Organizations often justify research programs and pilots based on the possibility of gaining competitive advantages. Insurers should also assess the risk of being a late adopter (e.g., losing competitive advantage, falling behind the market) and use this information to justify research efforts, attendance at industry conferences, and advisory subscription services.

Once value delivery improvements, new capabilities, and risks have been explicitly defined, alignment to the business strategy should be reinforced. That is the topic of my next strategy blog.
