Thursday | 20 November, 2008
CSO
Play at Your Own Risk
As the level of risk management conducted in corporations increases, in keeping with recognition that risk must be governed across the enterprise, the CIO's role is becoming ever more important in enterprise risk management.
Sue Bushell (CIO) 05/04/2005 09:32:35

SIDEBAR: What Is Enterprise Risk Management?

ERM is a management approach focused on maximizing shareholder value or ensuring business continuity by creating a single view of all risks (internal and external) and an executive-level strategy to deal with those risks. As applied to IT, it is the identification and management of the risks that all IT systems, policies and procedures pose to the financial and operational health of the business. ERM connects the dots between a risk created in one department and an outcome in another, and offers a process to mitigate those risks. ERM can help organizations make better decisions about which business investments to make and which ones to avoid. To learn more about what ERM is and why it is important, see "Risk's Rewards", CIO December 04/January 05.

SIDEBAR: Getting a Handle

What should a CIO's main focus be in relation to enterprise risk management and governance? Cutter Consortium senior consultant Robert Charette outlines three priorities in the Cutter Consortium report titled "The Rise of Enterprise Risk Management and Governance".

• Become familiar with the intricacies of corporate governance, since many risks and problems of implementing it travel directly through the IT organization. Especially important are the "grey-space risks": the IT issues that do not begin as governance problems but end up becoming them.

• Determine how the IT organization can become a zero-trauma organization. "No surprises" should be the watchwords, with operational excellence as the objective.

• Develop and implement a strong risk management culture to evaluate operational IT risks. Culture will be increasingly important as many of the emerging risks that corporations and CIOs will have to deal with will be caused by societal changes in risk awareness.
