Governance, risk, and compliance, or ‘GRC’, is an increasingly recognized term these days and is widely discussed at various forums. GRC reflects a new way in which organizations are adopting an integrated approach to these important aspects of their business.
GRC is the umbrella term covering an organization’s approach across these three areas. Being closely related concerns, governance, risk, and compliance activities are increasingly being integrated and aligned, at least to some extent, to avoid conflicts, wasteful overlaps, and gaps. Companies are expected to follow certain norms of governance, to have the right processes to recognize business risks and mitigate them, and to conform to the laws of the land.
As management tries to address these issues, the CIO has a fiduciary responsibility to assist it in its efforts. Let us understand each of the elements of GRC.
Governance describes the overall management approach through which senior executives direct and control the entire organization, using a combination of management control structures and the right management practices. One requirement of governance is that critical management information reaches the executive team in a form that is adequate, accurate, and timely enough to enable appropriate decision making. It also involves providing the control mechanisms to ensure that strategies, directions, and instructions from management are carried out systematically and effectively.
So the CIO has his role cut out; he has to proactively provide the required support to management through robust information and control systems. IT systems should also maintain documentation of transactions, approvals, and records of critical business discussions and decisions, with audit trails that show who did what and when.
Risk management is the set of processes through which management identifies, analyzes, and where necessary, responds appropriately to risks that might adversely affect realization of the organization’s business objectives.
The first need, therefore, is a risk assessment that identifies the risks to which the company is exposed. The next step is to analyze those risks and determine their likelihood, their criticality, and their possible impact on the organization.
Once the risks are analyzed, the company has to define the measures it can take to contain any adverse fallout. The response to a risk depends on its assessed likelihood and impact, and involves controlling (mitigating), avoiding, accepting, or transferring it to a third party, for example through insurance or outsourcing. Accepted risks should be recorded along with the name of the person who accepted them, so that the decision can be revisited later.
It then becomes the duty of the CIO to introduce the policies and technologies that cover and mitigate these risks. He protects against attacks by outsiders, institutes measures for user authentication and access control, ensures the safety of data through regular and tested back-ups, implements disaster recovery and business continuity plans, conducts user education sessions, and so on.
Compliance means conforming to the stated requirements. At an organizational level, it is achieved through management processes which identify the applicable requirements (defined, for example, in laws, regulations, contracts, strategies, and policies), assess the state of compliance, and weigh the risks and potential costs of non-compliance against the projected cost of achieving compliance. It also involves defining management processes that can prioritize, fund, and initiate any corrective actions deemed necessary.
Here, the CIO has to be in touch with the company secretary, the legal head, or the concerned departments to make a list of the statutory requirements the company must comply with. He needs to help create a facility to record the requirements, remind people of due dates, monitor compliance, and report on its status.
Various software packages are available that help meet these requirements, including those from leading ERP vendors, software majors, and many smaller firms that create such specialized tools.
A 360-degree approach
GRC, therefore, is a holistic view of the issues that company managements are obliged to address. In my opinion, a CIO can play a significant role in helping his organization meet its obligations. Since most documents and processes reside on IT systems, it becomes incumbent on the CIO to ensure that all requirements are taken care of. Here, therefore, is an opportunity for the CIO to fill this space and rise to be an executive of significance.
We have enough experience of dealing with the staff who work with us. The staff always put in effort to achieve the goals that we define, and they are one of the reasons behind our success. We know how to encourage and motivate them, at times with a pat on the back, by getting them awards, or by providing incentives, so that they continue to help us attain our short-term goals. As a part of development activities, we send them to training programs, seminars, or workshops.
A pertinent issue
But in all this, we fail to address one situation which I have often experienced and which may be true in many other organizations.
I am talking of the situation when a staff member acquires an additional qualification, either through an executive education program, a correspondence course, or a certification program. He undertakes this study with the objective of advancing his professional career. It is natural, therefore, that upon completion of such a program he would expect some consideration from the employer in the form of an expanded role or a promotion. But to his disappointment, many a time the employee doesn’t get any such consideration.
Apart from cases where the boss acts as the spoilsport, it can also be the HR department that puts a spoke in the wheel. Their bureaucratic ways come to the fore as they cite outdated policies to deny any such consideration. They may even point out that the college or university does not figure in their approved list of institutions (a list drawn up in the past).
The poor fellow then loses out. Think again. Isn’t it the company that proves to be the loser? Let’s take a closer look at the situation.
The candidate, disappointed, starts looking for an alternative and sooner rather than later finds an employer who is ready to respect his qualification and work experience and gives him the position he deserves. He decides to leave and cares little for loyalty or any such terms thrown at him.
It’s only now that the boss or the company gets into the act. Suddenly, the candidate is showered with attention and is persuaded to stay on. He is termed the rising star of the team and is given assurances, including of a promotion (in the next year), and so on. Ironically, none of these promises are made in writing. The candidate, having been slighted earlier, usually turns down such overtures and makes an exit.
Now what does the company do? Obviously, it starts the candidate search afresh to fill the vacancy. It is surely the boss and the company that lose out, as they have to deal with:
Loss of a good and experienced hand: The ongoing project suffers; deadlines are missed. The manager is hard-pressed to get the work done by his other colleagues, who swear and complain. The corporate brand suffers as the company loses face with its internal and external customers.
Fresh recruitment efforts and costs: An unnecessary situation thrust upon the company by faulty handling of the departing colleague. This process takes time and effort, with the attendant costs.
Cost of change-over: The new candidate joins only after a certain gap. He requires time to get used to the new environment. The pace of work slows down. There is the cost of spoilt work, which is only natural for a new recruit. He becomes valuable only over a period of time.
Clearly companies pay dearly for their inability to address such a situation. It is sometimes the ego of the boss, unresponsive HR department, or the organizational culture that discourages the new and emerging talent. There are lessons to be learnt from such experiences and the earlier we learn the better.
For several years we processed our transactions sitting at fixed desktops and then moved on to laptops. Security considerations restricted usage from remote centers, and access was given to only a select few. Times, however, have changed. The availability of mobile devices that allow us to transact from anywhere, and the severe competition in business, have forced companies to sit up and examine solutions that let people carry out their business dealings from anywhere.
Mobility solutions have been around for quite some time now, but it has taken time for these technologies to mature and for applications to become better and more robust in their applicability to various industries. Devices and networks used to be slow, and it was a challenge to connect and run applications; but technology companies have made significant contributions during the last few years to make this possible. Pioneering work by a few software and service companies has resulted in solutions that are easily deployable.
Importance of mobile applications
Use of mobile applications is quite common now and companies are realizing the importance of exploiting this medium to gain advantage over their competitors. I would classify the usage into the following types:
Messaging: Exchange of mail between employees and with the outside world is a critical activity in any organization. We are expected to stay in touch, and therefore, not being in the office or being in a meeting is no longer an excuse that is tolerated. In fact, during off-hours, when we are at home or when on leave, we are still expected to respond to critical situations. Blackberry mobiles and the others have made our lives even more difficult by pushing/ pulling messages to/ from our handsets.
Field sales automation: These applications are widespread and have been implemented across industry segments including FMCG, automotive, insurance, banking, travel & tourism, real estate, etc. Applications ranging from sales order booking, making deliveries, generating invoices, and recording collections to planning travel itineraries and conducting field surveys have become common. Many organizations have demonstrated significant benefits from using these applications.
Procurement staff: This is also a field application and used by officers who make procurements, to strike deals with approved rates/ schemes and also to seek required approvals for special cases. Various industries including engineering, automotive, commodities, financial sectors, etc., have been using this facility and have gained from it.
Managers on the move: Automation of business processes has spelt trouble for managers. With companies trying to speed up business dealings, tolerance for delays in approvals due to the absence of a manager from his seat is fairly low. So you would find managers fiddling with their mobiles, trying to access and approve various transactions, whether inside or outside the company premises.
Flexi-offices: This trend, which began with the IT companies and consulting organizations, has now spread to other sectors as well. People working on special tasks or those making project reports, often work from home or from some remote centers, and therefore, prefer to be mobile.
Mobility solutions, therefore, are here to stay, and are an important medium for CIOs to leverage. Though many have adopted this new way of doing business, many are still considering it and watching from the sidelines. In my opinion, it is important for CIOs to analyze the business opportunities in their organizations, make use of this technology wherever appropriate (putting in place the device management and access controls that transacting from anywhere requires), and act proactively before functional heads realize the need and press for such solutions.
We have an association of CIOs residing in the NCR region and we meet regularly to discuss matters of common interest. These meetings are in the form of seminars or group discussions, either amongst us or those involving external speakers who are technology or management experts.
Relevance of ERP
As a part of the series, we held an internal meet of CIOs a few days ago for a discussion on ERP implementation and its effectiveness in our respective organizations. About 50 CIOs attended the event. Since the subject was vast, it was important to decide the format of the meeting so that the desired objectives were met. Instead of presentations by a few members, we thought it would be better to place a few salient points for discussion by members.
These points encompassed all elements of the ERP journey, like establishing the need for ERP in the organization, formal definition of project objectives, evaluation/ selection of ERP package and implementation partner, project manager and the team, business transformation, etc. We thought of capturing best practices adopted by the member organizations.
The meet was conducted in a panel discussion format, while allowing enough opportunities for all participants to join in with their views. I was asked to moderate the session.
Establishing the need for ERP
The discussion kick-started with the point of whether the need for ERP had been clearly established in the organizations right at the beginning. Answers varied; some described their plan of taking ERP as the core application, accumulating data from all other legacy systems for consolidation. For one, it was the company CEO who, having seen it running at some other organization, opted for ERP. Some were clear that their companies needed financial reports and that this led to the introduction of ERP. Some said it was due to peer pressure and the fact that other companies in their industries had ERP, while others said the objective was just to replace their old and creaking legacy systems.
I tried to elicit the CIOs’ views on the business value of ERP and the role it can play in furthering the business of the organization, but did not find adequate appreciation from the audience of this being a genuine requirement, nor an admission that this aspect had been left out of their scheme of things.
Laying out project objectives
The second discussion point was about the need for an organization to formally lay down the project objectives or their expectations from the ERP implementation. It was explained that without a clear definition of objectives, it is very difficult to assess the degree of success for any project. There are elements like business drivers, KPIs, or some measures that define goals for the enterprise.
The responses from participants ranged from a broad definition to a few small and insignificant measures. For example, one CIO stated that the objectives were set on the basis of broad expectations spelt out by the CEO or some functional head during the kick-off meet. Some said the expectation was to reduce manual entries, or to prepare final accounts from the system. Some said that meeting the demands of IFRS compliance was the need, and some said that generating MIS was the need expressed.
Getting IT right
It was only towards the end that one of the CIOs got up to explain that his organization had hired a consultant to lay down KPIs for the CEO, and further down for each functional head, and that this served as the document driving the design of the ERP system. That was a significant statement; I thought it adequately explained this point and made a fitting finale for the meet.
Discussions during the entire meet were intense and we thought it better to discuss a few issues in depth rather than running through many. To me, the meeting revealed one significant point: there is a need for the CIOs to understand the business value of ERP and IT in general. They need to focus on business outcomes and not limit their focus to operational matters. CIOs still have some distance to travel in spite of their assertions that they have already ‘arrived’.
There is a joke doing the rounds. When we meet a CIO friend we ask for his business card, and when he looks surprised we enquire whether he is still with the same company he was with when we met him last. The joke is not limited to CIOs alone, as we are often surprised to meet the same sales representative who now comes representing another company, sometimes a competitor.
A cyclical problem
The IT sector has been in the news for its high growth trajectory and also for its lay-offs during times of recession. Bad times bring some stability, while at other times a shortage of skill-sets creates opportunities for good candidates to move around. Attrition has been a cyclical problem that the industry and corporates have had to battle.
When recruiting, I have often been confronted with cases where candidates who look good otherwise are let down by a track record that shows frequent movement. There are others, however, who have not moved for too long a period of time. Each case has to be examined in detail to ascertain suitability for the requirement.
Now let us take a look at some reasons for people preferring to change jobs. Some may have genuine reasons while others may be undone because of their unreasonable expectations or hurried reaction to unexpected events. Some reasons that I have come across are:
Change for better prospects: Everyone has ambition and a desire to grow. A person may be stagnating in an organization, and the moment he sees an opportunity to perch on a higher branch, he would take that jump. For example, he may be offered a manager’s position from his current position as a staffer, or may get to be a CIO if he is just a manager in the present company. Such a move, in my opinion, is justified.
Change for higher compensation: This is certainly an inducement and sometimes enticing. At times, the offer could be the right market price for his skills, and he may seek to correct the low compensation paid by his current employer. This is a reasonable expectation; but at other times people just jump at any higher price, or use the offer letter to bargain with their current employer for higher compensation. People also have to realize their responsibility for completing the tasks assigned to them and the trust placed in them by the management. In one instance during my career, I had to turn down an attractive offer just because the Board of Directors had only then approved my plans and cleared the allocation of a huge sum for the purpose.
Being unhappy in present position: Life is not always smooth and we face turbulence at various moments in our professional life. We may sometimes be unhappy with the treatment meted out to us or when the company and the management do not understand or do not want to understand IT. It may be logical for us to think of moving elsewhere where we may be of better use.
These are real situations, and such a move could be justified. However, moving just because the situation looks difficult may smack of defeatism. It is these difficult situations that bring the best out of us, and they are a challenge that sharpens our management skills. Our credibility goes up severalfold if we come out of those seemingly impossible positions to chart a success. Just quitting the battlefield doesn’t help, as we may end up jumping out of the frying pan into the fire. So my suggestion is: quit only after you have tried your best to retrieve the situation.
For personal reasons: There are some cases when people have to move from one city to another or from one type of job to another because of some personal or family compulsions. The candidates here have to weigh their personal commitments against their career aspirations and take a call that is in their best interest.
In the end, I would say that people have to be balanced in their approach towards changing jobs and should maintain high professional standards during their entire career spans. Needless to say, our reputations are our greatest strengths and our history speaks for us and for our doings.
I have seen a good number of seminars being held these days in our towns, with at least two of them happening every week. These are breakfast meetings, evening sessions, or half-day events, usually packed with CIOs/ CXOs who are obliged to visit because of the intense follow-up on the invites sent by the organizers. Most of the participants are familiar faces, and we keep meeting them more often than we would desire. These seminars used to be held during the busy months of winter and spring but are now organized throughout the year, just like cricket matches.
These events are arranged by vendors of hardware/ software/ services or by media companies, and are sponsored by vendors. They all target CIOs, who usually sit on huge budgets to be spent on IT goods and services. So there are three parties involved here: the vendor company that sponsors such events, the media company that organizes the meets and extends invitations (with vendors tagged along), and the CIOs who serve as the target audience. Let us take a look at these three groups as they engage with each other.
The vendor: He gets an opportunity to display his wares and to put on an elaborate presentation describing the hardware, software, or the bouquet of services he provides. He tries his best to convince the CIOs that his offerings are second to none and that they score over the competition on every front. He knows that this effect is reversible and can change as soon as the CIO attends the next event organized by a competitor, but he strives to build mind share and hence sees potential for better business. He has his sales force as well, who spread among the guests and strike up conversations with the CIOs during the coffee and lunch breaks in an effort to win them over. The vendor execs have pre-approved budgets, and not spending those budgets may not go down well with their top managers.
The media company: The media company convinces the vendors that it has great influence over CIOs and can therefore ensure high CIO participation. It also proclaims itself better equipped to manage events. Media companies use the occasion to widen their sphere of influence and to obtain news and content for their next issues. They brand these programs and call them their ‘properties’. This enables them to generate larger revenues for themselves. Usually, they laugh all the way to the bank.
The poor CIO: Without doubt, these seminars would not survive if CIOs chose not to attend them. CIOs are spoilt and pampered by the vendors and are profusely thanked every time they attend such an event. A CIO is tied to the event and has to sit through the entire session, whether he likes it or not, often yawning and eagerly waiting for the break and for the cocktails to flow. He comes all the way for the event to fulfil his obligation to the vendor and/ or the media company, who do a wonderful job of befriending him. It also serves as a welcome break for the CIO from his drab routine and gives him an opportunity to network with fellow sufferers from other companies.
So friends, this is a win-win-win situation, making each of the constituents happy in one way or another. Each one benefits, or thinks so, and returns home with a sense of accomplishment. The cycle thus continues, and the CIOs gather again to be part of another spectacle. To prevent burn-out, organizers announce a grand event once a year where the honored CIO is taken on a jaunt to an exotic location, either within the country or at some wonderful location abroad. But there too, he is made to sit in the seminar hall and is then shown a place or two as consolation. All stay happy, however, and the story goes on. These are happy times for everyone.
We often hear talks or read articles on the green datacenter, and we also see awards being constituted for those who implement such measures. I have also read about cases wherein people have claimed a good return on the investment made in green technologies. Some of these, as you know, are business moves made by vendors who peddle such solutions.
I am neither challenging the efficacy of these technologies nor the intent of the vendors, but merely expressing my opinion that the propaganda borders on hype. Rather than being pressured by such moves, the CIO should think independently and act in a way that is in the best interest of the organization he works for, and of the environment and society at large.
The CIO is a respectable professional and a responsible citizen. He therefore has to ensure that all the resources he uses are properly utilized and nothing is wasted. By doing so he does well by the organization he works for, as he optimizes the use of assets and resources like power. He serves society by putting less pressure on scarce resources. He also does great work in protecting the environment from wasteful use of energy. Instead of just trying to show that he has implemented green technologies, CIOs should look at the larger picture of the optimal and best use of technology resources, which will automatically take care of the issues that green technology promotes.
This objective can be met by adopting the following actions:
- Judicious upgrade of technology: Very often we find ourselves burdened with equipment that is old and comparatively low on performance. Besides frequent breakdowns and the increasing cost of repairs, this equipment also consumes more power, needs more cooling, and turns out to be an energy guzzler. However, it is not so easy to throw out old and expensive stuff, and the CIO needs to put together sufficient justification to propose a change or replacement of equipment.
There comes a time when the old machines have to be retired and the CIO needs to recognize the fact and act accordingly. There is no point in holding on to old machines and flog them till they are dead. Newer technologies not only give more speed and capacity for the same buck but also consume less power and occupy less space.
- Using the right technology: At the time of technology selection, the CIO has to scout for new product introductions and choose the one most appropriate for his requirements. There are several solutions in the market, in the form of server virtualization, enterprise storage, precision air-conditioning, sleep mode for idle machines, etc. But CIOs have been slow to adopt these new technologies, often preferring to stay with the familiar. Most of these solutions help optimize the use of resources, cost less per unit of data or processing power, and carry a smaller footprint than the old solutions. Delay in adoption is therefore undesirable and should be addressed by the CIO.
- Optimal utilization: The use of technology resources needs care; we have to ensure that all servers, storage, desktops, etc., are utilized optimally. Unutilized or under-utilized equipment is a waste. Along with the overhead of maintaining it, it costs the organization and society dearly. There has to be proper distribution of load, proper evaluation and sizing before procurement, and frequent monitoring of utilization thereafter. Before rushing to add further capacity, it is advisable to examine whether optimizing usage can free up more capacity.
- Product end-of-life programs: Replacement of old equipment has become inevitable today due to accelerated changes in technology. Equipment like desktops, laptops, and printers, and media like CDs, DVDs, tapes, etc., often have to be disposed of as they become unusable. Simple disposal is an environmental hazard, and we, as enlightened citizens, should avoid such a step.
Desktops, laptops, etc., are often given back to the vendor under a buy-back arrangement, and vendors have their own channels for putting them to alternate use. In other cases, corporates give away the old machines to rural schools so that they are put to further use. Specialized agencies exist today that undertake the dismantling of equipment and media to extract useful elements and to scrap the rest in an environment-friendly manner. CIOs should get in touch with such agencies and do their bit to protect the environment. Whichever route is taken, hard disks and media must be securely wiped or physically destroyed before they leave the company’s hands, since a discarded machine that still carries company data is a security problem as well as an environmental one.
These small but significant steps can go a long way in ensuring a better environment for our children.
As CIOs, we hold important positions in our organizations, and usually have large budgets for our activities. We go about our jobs with due diligence, and earn a name for ourselves in the companies we work in and also in the professional circles. But it is also important to retain the reputation in the long term. A reputation can take several years to build, but may suffer a dent even with a small mistake.
A four-step formula
Let us consider a few ways by which we can ensure that our personal integrity stays at a high level. This has to be a sustained effort and a part of our work ethic. We can do so by following four easy steps.
Being honest: That is, doing what we say and, conversely, saying what we do. There is then no dichotomy in our behavior.
For example, if we learn the art of delivering systems by the promised date, and do so more than once, then we build a reputation. If we are unable to meet a deadline for some unavoidable reason, it is better to approach the user/ management in advance and seek more time. That way, people begin to trust us. Justifying ourselves with a list of reasons after failing to meet the deadline does not take us far, as people start losing confidence in us.
Working in the company’s interest: We work for a company and its management. The management reposes confidence in us, and therefore, it is incumbent on us to live up to the management’s expectations. We have to ensure that every rupee spent on IT assets is properly utilized. When we choose various technology components, the main consideration should be their relevance to the company’s goals and objectives. Technology components should not be chosen just to impress the seniors or to show off amongst our peers in the industry.
I know of cases wherein CIOs boldly put in solutions like ERP, CRM, VoIP phones, unified communications, etc., but the projects couldn’t take off or got grounded soon after deployment. Embarrassed, some of these CIOs even quit their jobs and joined other firms. But such mistakes can damage their reputations as CIOs; their track records follow them and may harm their career prospects in future.
Procurement ethics: A CIO is involved in various capacities when selecting a technology, software, or a service provider. His role could be that of a recommender, the final authority on selection, or a negotiator. All these roles demand responsibility, transparency, and fairness in judgment. I know of a few unfortunate instances wherein CIOs have been accused of seeking personal favors from vendors for choosing their products/ services. Such actions, although they may not leave behind any evidence, can still inflict sufficient damage on the reputation of the CIO in question, both within and outside the company.
People development: We need to remember that we are not bigger than the companies that we work for. The company must run well even if we depart. To ensure this, we must do two things while in the job. First, we should prepare a succession plan, and second, train our staff members well so that they can manage their work themselves. We should guide people and make them work on their own so that they get confident. We shouldn’t corner all glory to ourselves but share it with our colleagues.
These measures can go a long way in defining our character and building our reputations. The power that these actions bring us can be tremendous. In fact, many a time our reputations reach a place even before we arrive there. It is on account of our reputations that we are respected and invited to various forums, and thus experience a feeling of invincibility.
To be a good and an effective CIO has always been a challenge. I have been in various organizations and what I could achieve depended a lot on the organization’s understanding and approach to IT. I would group these organizations into the following types:
1. Organizations which are forward looking, where the CEO is dynamic and articulate enough to spell out his vision of making the business win with the help of IT.
2. Organizations where the CEO wants IT to be effective but leaves it to the CIO to define his own role.
3. Organizations that are indifferent and don’t care much.
Changing business expectations
All high-performance organizations display one of the first two characteristics. They demand more out of IT and are supportive of various IT initiatives that address business needs. Here, the CEO encourages his managers to be self-starters and to take initiatives that make the organization effective in winning against its competition. With the markets changing faster than before, CEOs want their managers to rise up and act; in short, they want their managers to be intrapreneurs.
Who is an intrapreneur?
An intrapreneur is a person who has an entrepreneurial skill set but works within an organisation, enterprise, or venture. An intrapreneur thinks like an entrepreneur, seeking out opportunities that benefit the corporation. It is a new way of thinking that makes companies more productive and profitable.
It is no surprise that with increased competition, the CEO wants his managers to be innovative and to add that extra muscle with which the company can score over others. In such circumstances, therefore, the CIO has a great opportunity to stand up and be counted. In my opinion, it is crucial for the CIO to boldly take that step forward and come out of his comfort zone. He will no doubt face challenges, but he has to learn to overcome them. However, to come out on top, he will have to imbibe the following qualities.
Initiative: He will have to step forward on his own and not wait for someone to call him over. He has to look around, sense the requirement and move in to address the issue. He has to seize opportunities to add value.
Business understanding: He has to develop a close understanding of the business by engaging with managers from other functions and visiting areas of work like the shop floor, warehouses, sales offices, vendors, dealer sites, customers, etc. That would give him the right perspective and context for various business operations. His appreciation of the issues will lead him towards better solutions.
Innovation: Standard solutions are passé. Companies today need new solutions and breakthrough ideas to take a leap in the markets. Apart from new technology solutions to address business issues, he could suggest new ideas to cover areas that have hitherto been unaddressed.
Thinking big: Gone are the days of incremental changes and improvements. At a time when organisations are looking for fast growth, a CIO can’t think of playing safe and moving cautiously. Whether it is about using a new technology, revamping our systems, re-architecting the IT setup, or taking up large projects, he has to act fast and decisively after doing proper due diligence. His risk-taking ability will come to the fore, and he should be ready to put his neck on the block. As they say, the greater the risk, the greater the profit.
Run his role as a business: The thinking has to move from being purely a service organization to being a critical part of the business. It is not just about delivering some user needs but about helping the organization to win and grow rapidly. He has to be conscious of the benefits derived and the expenses incurred.
In my opinion, there has never been a better time for the CIO to assert himself. We have, for long, been talking about the CIO playing second fiddle in organizations; but ‘here and now’ is the time for him to make that quantum jump and get into the next orbit.
When discussing disaster recovery planning (DRP), I mentioned that it is part of the larger and more extensive practice called the ‘business continuity plan’. So let’s discuss this subject in a little more detail.
Business continuity planning (BCP) is ‘planning which identifies the organization’s exposure to internal and external threats and provides effective prevention and recovery for its business, whilst maintaining the competitive advantage and the value system integrity.’ The intended effect of BCP is to ensure business continuity, the ongoing state in which the organization’s business is conducted.
In plain language, BCP is working out how to stay in business in the event of a disaster. Typical incidents include local events like building fires, regional incidents like earthquakes or floods, and any other event that could potentially cause loss to the business.
It may also include any event that damages something the business depends on, such as loss of a source of supply, loss of critical infrastructure (a major piece of machinery or a computing/network resource), or theft or vandalism. As such, risk management must be incorporated as part of BCP.
DRP versus BCP
These terms are often used interchangeably, and though they address the same issue, their coverage is different. DRP refers to the process by which you restore your work environment, i.e. the data and the computing infrastructure, affected by a disaster.
BCP, on the other hand, suggests a more comprehensive approach to making sure you can keep making money and run the business efficiently in the face of problems such as the illness or departure of key staffers, supply chain partner problems, or other challenges that businesses face from time to time. BCP, therefore, addresses the larger concern of the business and ensures continuity of the company’s business even when faced with grave situations.
Role of the CIO
It is here that a CIO can show business orientation and lay emphasis on BCP rather than limiting himself to DRP. When talking of disaster recovery, our focus is on ensuring recovery of the data and the computing infrastructure so that the business can function. We forget that the various business processes that have been affected may need their own time to recover the lost work and get back to normal functioning.
Many a time, when there is a disruption and the IT department helps in rolling the database forward to its last consistent position, the business struggles for a couple of days more before getting back to normalcy. The business executives sit with the IT staff to reconcile transactions lost during the disruption, to cover the backlog of transactions that took place during this period but were not entered in the systems, or to restart with the right voucher/document number.
In many cases, the users are not aware of how to run their processes when such a disruption occurs. Some organizations have alternate systems which permit simple invoicing, issue of material, recording of production, etc., so that the immediate work does not suffer, and which then help transfer this data to the main application once the system is recovered.
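The reconciliation described above (matching what the business actually issued during the gap against what the rolled-forward database holds, flagging reused document numbers, and picking the next safe voucher number) can be made systematic. The following is an added example, not from the original article; the record fields, the single voucher series and the sample vouchers are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, NamedTuple


# Hypothetical record shape; field names are assumptions for this example.
@dataclass(frozen=True)
class Document:
    voucher: int    # voucher/document number printed on the issued paper
    ref: str        # business reference (customer order, material request, ...)
    amount: float


class ReconcileReport(NamedTuple):
    to_reenter: List[Document]   # issued during the gap but absent after roll-forward
    collisions: List[Document]   # voucher number already used for a different ref
    next_voucher: int            # first number safe to issue when the main system is back


def reconcile(restored: List[Document], issued_during_gap: List[Document]) -> ReconcileReport:
    """Compare what the business actually issued with what the restored database holds."""
    by_ref: Dict[str, Document] = {d.ref: d for d in restored}
    by_voucher: Dict[int, Document] = {d.voucher: d for d in restored}
    to_reenter: List[Document] = []
    collisions: List[Document] = []
    for doc in issued_during_gap:
        if doc.ref in by_ref:
            continue  # survived the roll-forward, nothing to do
        clash = by_voucher.get(doc.voucher)
        if clash is not None and clash.ref != doc.ref:
            collisions.append(doc)   # must be renumbered before re-entry
        else:
            to_reenter.append(doc)
    highest = max((d.voucher for d in restored + issued_during_gap), default=0)
    return ReconcileReport(to_reenter, collisions, highest + 1)


# Constructed sample: the roll-forward brought back vouchers 1001-1003 only.
RESTORED = [
    Document(1001, "PO-551", 250.0),
    Document(1002, "PO-552", 80.0),
    Document(1003, "PO-553", 120.0),
]
# Constructed sample: documents actually handed out, gathered from paper copies
# and from the alternate invoicing system used while the main system was down.
ISSUED_DURING_GAP = [
    Document(1003, "PO-553", 120.0),   # also restored, already covered
    Document(1004, "PO-554", 60.0),    # entered after the last backup, so lost
    Document(1003, "PO-560", 45.0),    # alternate system restarted at 1003: clash
    Document(1005, "PO-561", 300.0),   # captured offline during the outage
]


def run_reconciliation() -> ReconcileReport:
    return reconcile(RESTORED, ISSUED_DURING_GAP)
```

With the sample data, PO-554 and PO-561 must be re-entered, PO-560 must be renumbered because 1003 already belongs to PO-553, and the next voucher to issue is 1006.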
Focus on the nitty-gritty
There are a few other factors that need clarity, for example: how to assess a failure and when to declare a disaster; how the business should function during the period of disruption; who would lead and manage the scene during this period; and how to recover and regroup to get back to a steady state once the failure has been addressed.
The BCP policy should clearly define when to inform the management, when to communicate with the working staff, and the standard operating procedure for the people and areas affected. This, of course, should be preceded by a business impact analysis and by measures to ensure that the loss to the business is minimal. After any disaster, the CIO should help assess the loss, if any, that the business has suffered due to the disruption.
BCP, therefore, has a significant business element. It takes a holistic view of the business to ensure that the company continues to function, stays competitive, and recovers quickly with minimal damage from any unforeseen and grave event that threatens to ground the organization.