At a conference session on risk management and compliance, CIO Carolyn Damon let it be known that it is not uncommon for CIOs to spend 40% of their time conferring with legal counsel. And, no, she was not talking about CIOs at law firms, but CIOs in regulated industries.
Damon is CIO of GE Capital Americas-Capital Financial Inc. — and proof that in the risk-riddled Great Recession, the office of the CIO is extending far beyond the four walls of the data center.
Yesterday, at the Gartner conference on risk and compliance in Chicago, Damon was play-acting the role of the CIO at the fictitious WinterNuke Co., an energy conglomerate under fire from environmentalists, regulators, shareholders, ordinary citizens, you name it. The constellation of mismanaged risks behind all the bad publicity included a failed SOX audit related to a botched acquisition; plans to build a nuclear plant in a seaside resort area; and a fired overseas employee claiming the speculative trades he made that lost millions were in fact sanctioned by upper management. (The fake scenario is a compilation of problems experienced by Gartner clients this year.) As keeper of the corporate data, the make-believe CIO was at the center of the legal maelstrom. The truth is that many real-life CIOs are there, too, or soon will be, she said.
“It is an interesting fact of where we are going from an IT perspective. Understanding the regulations that are out there, understanding business language, as well as understanding technology and then marrying the three, is fast becoming the role of the IT leader in organizations out there,” Damon said.
In those fake CNN reports on WinterNuke, there was no mention of IT per se, “and yet technology touches every one of the areas” under fire, Damon said.
A critical component of the real CIO’s job is to know exactly what the IT controls are for those areas and to “feather them against the regulations” that affect those areas, she said. The other part of the job is communicating the business benefits of that model to your counterparts in the legal as well as financial departments. “The more you can communicate with your legal partner what that method does and how it manages the risks they are concerned about, the more you have a partner,” she said, adding that the same goes for the CFO, with the added data point of how many dollars can be saved by implementing the IT model. “It’s about one executive at a time.”
By the way, among the many wrinkles in the fictitious case under review is the location of the rogue trader in Europe, where the data privacy laws might stymie the company’s investigation. That would not have been a problem at GE because her company “has been proactive” and gotten preconsent from overseas employees. Knowing the countries that you’re doing business in is critical. Spend time with the attorneys, Damon said, and if they don’t know the data privacy laws, the record retention requirements or the data movement protocol in the various geographies, the CIO should be able to lay it out.
That said, it is not the CIO who owns the risk management program for the company, Damon stressed. “Somebody has to have the overall plan.”