Risk management: A CIO's strategic role

An interview with Michael Cusumano

Your new book is about managing strategy in turbulent times. What factors must a CIO, in particular, balance when responding to a crisis?

Cusumano: In different kinds of crises (product, economic, political), one common thread is the information available to executives.

In the Toyota recalls, we now know there were a number of cases of poor quality going back to the mid-1990s. Frame corrosion in trucks in North America. Pedal problems first in Europe. Software problems with braking in the United States and Japan. None of that information was aggregated, analyzed and presented to senior executives.

CIOs can make sure that the information systems are available for aggregating reports from the field or news media. But it's not just a technology problem. People have to respond to the data. It has to be put into a form that senior executives can absorb quickly on a regular basis.

CIOs need to champion not only that the IT systems are there. They have to try to make sure the processes are in place to use the information.

You have lots of indications that the whole credit market was put in a very high-risk situation. CIOs are in a unique position, because of the data and systems they see, to give special advice to their CEO and colleagues. Managers chose to ignore the risk elements. CIOs can make sure information is collected, but it's what people do with the data that's critical.

What have CIOs learned about business risk recently?

They can't just offload responsibility for risk, or for interpreting events, or for making sense of the data we're collecting. It has to be a collective activity among senior executives and people with deep knowledge of a company's and industry's processes.

Since the CIO is in a critical cross-functional position, maybe CIOs should take on more of a role regarding how people are thinking about what information means. IT enables almost everything a modern organization can do, so it does put a special pressure on the CIO.

When a crisis hits, how should internal information be handled?

You have to bring people together who can make change happen. Frequent physical or virtual meetings are important.

The CIO, CTO and head of software development should all be there to answer questions about what it's possible to do with IT, as well as to keep on top of how executives are looking at information and what they want to see. Any CIO worth his salt is guided by the principle that information is only meaningful if people use it. That's the foundation for what drives a modern CIO.

Why do you love meetings?

Just sending an e-mail to 300 people won't get anything done. People ignore it. There's no substitute for looking someone in the eyes and saying, "Did you do this? Are you going to do this? What do you think about this?"

Meetings don't have to be long. One of the things we've learned from agile development is that a daily meeting is productive. It's a stand-up meeting where no one gets comfortable. You tell everyone what you plan to do that day. You're synchronizing what you're doing with what other people are doing. You're helping each other respond practically in real time.

That approach sounds useful in everyday operations.

Yes. Different industries have different paces of change. For industries where the pace of change and what customers and competitors do is fast or where risks are high, you need to have an information-sharing structure so people can respond quickly to urgent situations that come up all the time.

Michael Cusumano is a professor of management and engineering systems at MIT's Sloan School of Management and author of Staying Power: Six Enduring Principles for Managing Strategy and Innovation in an Uncertain World.


Tags: leadership, risk management, risk assessment


Stories by Kim S. Nash
