Where Do We Go From Here?

CIOs need to provide timely, accurate reports on volatile business situations and do so with limited resources. For global and multinational businesses, this can be complicated

Plan for People, Not Just Systems

John McCarthy--Senior manager in information risk-management practice, KPMG (US).

One of the great lessons of this tragedy, and others in the last decade, has been helping company leaders to see the people in their organisation as part of the risk-management equation. Most companies have a business plan for technology failure - things like someone putting bad software on the system or dealing with a security or hacker threat. Now what we're seeing post-September 11 is the recognition by leadership that there's an even greater need to understand people processes in the context of risk management and disaster recovery.

Companies need to think about how they will take care of their employees, account for the missing and deal with the families in the event of a fire, a flood or an explosion in the building. How will you take the services and processes handled by those people and transfer that responsibility to another part of the organisation so the business can continue while you're dealing with a disaster? You can't let a major disaster draw the attention of the entire organisation and stop it from doing anything else - you have to look at how you can separate the tragedy from the necessity to keep delivering services. You have to know what the critical functions are and how to continue them in the face of disaster. How will you communicate internally and externally? You must figure out how you will talk to industry peers and associations, and how you will deal with state, local and federal authorities. Also, think about how you will communicate with customers. How will you talk to them about the status of your business and your employees, particularly if the business - say, a financial institution - has a piece of the customer's money?

A big lesson for CIOs and other leadership is that continuity management is not a line function. It's a core function that must be managed from the top of the organisation. CIOs are familiar with this, as they have long argued that technology also cuts across the business and needs attention from the executive team. After September 11, CIOs will have a lot more credibility when making arguments for replicating critical systems. The case has been made graphically for CEOs that the kinds of discussions that have gone on at the CIO and CFO level in terms of risk management aren't way out there - they need to be addressed ahead of time.

The watchword coming out of this is going to be enterprise risk management - no more point solutions. If you want to survive something this extreme, an enterprise approach is what will make the difference between making the business go or not.
