Yesterday was a fascinating day full of presentations on risk in the morning from a bunch of old CROs (Chief Risk Officers), followed by a lunch with a crock of CIOs (Chief Information Officers). In fact, there was even one CIO who became a CRO … and that’s something that might happen more often on the basis of what was discussed.
For example, Juan Yanes, Deputy Group Chief Risk Officer at Grupo Santander, kicked off discussions with a presentation entitled "Risk Management and Value Creation: Challenges for the Risk Function".
Now, you may already be losing interest at this point, having seen such an exciting opening line, but DON’T!!! Juan’s presentation was really interesting, and that’s saying something for a Deputy Group Chief Risk Officer. After all, you know when you’ve met an extrovert Risk Officer in a cocktail bar … he’s the one looking at someone else’s feet.
So, back to Juan’s presentation.
Halfway through his slide deck, he had a slide that looked at the relationship between risk management and the business functions. His conclusion was that there needs to be more of a business orientation of the risk function, and more of a risk orientation of the business.
In other words, risk management is not a function but a culture.
Funnily enough, I then went into a separate lunchtime conversation with CIOs focused on information vulnerability, business continuity, phishing attacks and so forth; all of which are Group Risk issues.
The CIOs lamented the fact that many people in the business did not understand the risk of data loss.
The fact that taking a laptop home could be a serious data breach, as that laptop might hold customer data.
The fact that the CEO does not implement a standardised policy across the board and that he/she can apply the policy favourably for some and not for others.
The fact that branch staff cannot take information home but Head Office line managers can.
The fact that the CEO needs to take a single data risk policy across the business and apply that policy to every person in the same way.
In other words, information is a core Risk in the business and needs the CEO and the enterprise to understand and manage these risks.
This brought us back to Juan’s message.
His message is a business orientation of the risk function, and a risk orientation of the business. The CIOs’ message is a business understanding of information, and an information understanding of risk.
The CIOs’ message is a difficult one though: ask any senior representative about the data risks of their BlackBerry or laptop and you get a pretty offensive response.
My walk-away is that there needs to be a major cultural shift to get to a world where Risk and Information become synonymous. In fact, the only way we’ll get there is if the CROs and CIOs work together to make it happen.
IT and Business alignment … Risk and Business alignment … one and the same.