When discussing disaster recovery planning (DRP), I mentioned about its being a part of the larger and extensive practice called the ‘business continuity plan’. So let’s discuss this subject in a little more detail.
Business continuity planning (BCP) is ‘planning which identifies the organization’s exposure to internal and external threats and provides effective prevention and recovery for its business, whilst maintaining the competitive advantage and the value system integrity. The intended effect of BCP is to ensure business continuity, the ongoing state in which the organization’s business is conducted.
In plain language, BCP is working out how to stay in business in the event of disaster. Typical incidents include local events like building fires, regional incidents like earthquakes or floods, and may include any event that could potentially cause loss to business.
It may also include any event that results in damage to the aspects that business is dependent on, such as loss of source of supply, loss of critical infrastructure (a major piece of machinery or computing/ network resource), or theft or vandalism. As such, risk management must be incorporated as part of BCP.
DRP versus BCP
These terms are often used interchangeably and though they address the same issue, their coverage is different. DRP refers to a process by which you are able to restore your work environment, i.e. data and the computing infrastructure, affected by any disaster.
BCP, on the other hand, suggests a more comprehensive approach to making sure you can keep making money and run business efficiently in the face of problems involving illness or departure of key staffers, supply chain partner problems or other challenges that businesses face from time to time. BCP, therefore, addresses the larger concern of business and ensure continuity of company’s business even when faced with grave situations.
Role of the CIO
It is here that a CIO can show the business orientation and lay emphasis on BCP rather than limiting himself to DRP. When talking of disaster recovery our focus is on ensuring recovery of data and the computing infrastructure so that the business can function. We forget that various business processes that have been affected may need their own time to recover the lost work and get back to normal functioning.
Many a time when there is a disruption and the IT department helps in rolling forward the database to the last position, business struggles for a couple of days more before getting back to normalcy. The business executives sit with the IT staff to reconcile transactions lost during the disruption phase, to cover of the backlog of transactions that might have taken place during this period but not entered (in the systems), or to restart with the right voucher/ document number.
In many cases, the users are not aware how to run their processes when any such disruption occurs. Some organizations have alternate systems which permit simple invoicing, issue of material, or recording production, etc. so that the immediate work does not suffer and then help transfer this data to the main application when the system is recovered.
Focus on the nitty-gritty
There are a few other factors that need clarity, for example, how to assess a failure and when to declare a disaster, how should the business function during the period of disruption, who would lead and manage the scene during this period and how to recover and regroup to get back to a steady state once the failure has been addressed?
BCP policy should clearly define when to inform the management, when to communicate to the working staff and also the standard operating procedure for the people / areas affected. This, of course, should be preceded by a business impact analysis and measures to ensure that the loss to the business is minimal. Post any disaster, the CIO should help assess the loss if any that the business might have suffered due to the disruption.
BCP, therefore, has a significant business element. It takes a holistic view of business to ensure that the company continues to function and stays competitive and rises quickly with minimal damage from any unforeseen and grave event that threatens to ground the organization.
In my previous post, I wrote about disaster recovery measures necessary to protect the organization from the after-effects of any possible disaster. Once the need is felt and understood, the next step would be to plan and execute these measures.
The question is, how do we go about doing it? Many CIOs that I know take considerable time to take necessary steps because a large portion of their available time is often consumed by their day-to-day tasks and by attending to emergencies. The organization then runs the risk of badly losing out in case there is any mishap.
What is disaster recovery planning (DRP)?
Disaster recovery planning (DRP) is the process of developing in advance, the facilities, plans, and procedures, that enable an organization to respond to a disaster by being able to resume critical business functions within a defined time frame, to minimize loss, and to restore affected areas of business. DRP is a part of the larger, more extensive practice called business continuity planning (BCP).
The primary objective of a business resumption plan is to enable an organization to survive a disaster and to re-establish normal business operations. In order to survive, an organization must ensure that critical operations can resume within a reasonable time frame.
Therefore, the goals of a business resumption plan should be to identify weaknesses to implement a disaster prevention program, to minimize the duration of a serious disruption to business operations, to facilitate effective co-ordination of recovery tasks, and most importantly, to reduce the complexity of the recovery effort.
Elements of DRP
The main elements of DRP are given below.
Policy statement: Defining the goal for the plan and a business impact analysis. This is where, I feel, many people slip; I have often found people talking of a DR site and on-line replication without even assessing the tolerance of business to a few hours of shutdown.
Preventive steps: It is important to make a list of all the possible failures and examine steps that can be taken to ensure that such failures could be prevented. This may even include measures like a dual power line to the data center, redundant servers, data back-ups (at remote sites), storage replication, two data centers in the same campus but apart with equipment distributed etc. Larger important measures need to be planned well.
Recovery strategies: This deals with the question ‘what and by when to recover’. Here we talk of Recovery Point Objective (RPO) and Recovery Time Objective (RTO).
RPO refers to the age of the data you want the ability to restore to in event of a disaster. For example, if the RPO is eight hours, systems should be restored in the state they were in no longer than eight hours ago. This helps in defining the back-up or data replication strategies. RTO is the number of hours or days that management has put on resuming a business process or a system; in short this describes the time needed to get back to normal work.
Plan development: All the measures and steps including the infrastructure, back-up devices, processes and recovery steps need to be planned and documented so that the process is uniformly understood by all. Plans would then be run and tested.
Plan buy-in and testing: DR plans would not be effective if people are not aware of what is to be done in the event of a disaster. So awareness and training sessions are of utmost importance. It is a good practice to carry out drills so that the real recovery process is enacted and is a real world exposure.
Maintenance: It is not end of the story if we install a DR solution ― it has to be maintained on an ongoing basis. As the business grows there would be changes to our technical landscape, additions to capacities and realignment of business priorities, thus necessitating a review of our plans. Therefore, plans need to be examined and changed to reflect the current business realities.
DRP, hence, is a well thought of exercise and assumes the significance of a strategic plan designed to protect companies operations from disasters.
Organizations worldwide face various threats and mishaps that disrupt their operations and cause loss to business. Reference is to disruptions caused due to the failure of the computing infrastructure. And yet, disaster recovery has been ignored by many organizations citing prohibitive costs or due to pure apathy. Some feel that if nothing untoward has happened so far, nothing is likely to happen in future too. The approach is: ‘let’s cross the river when it comes’.
Disaster recovery explained
Disaster recovery (DR) is the process, policies and procedures related to preparing for recovery or continuation of technology infrastructure critical to an organization after a natural or human-induced disaster. Disaster recovery is a subset of business continuity. While business continuity involves planning for keeping all aspects of a business functioning in the midst of disruptive events, disaster recovery focuses on the IT or technology systems that support business functions.
Why DR planning is important
Disaster recovery, as a concept, got developed long time ago when organizations became more and more dependent on the computer systems and related technologies.
Many a time, when problems occur, companies take long to recover, leading to disruption in work, and often causing loss to business. For instance, interruptions in manufacturing, delay in dispatch of goods, or invoicing may lead to delay in reaching of goods to the market, drop in sales, or loss of customers. Nowadays, organizations are more worried about the dent that disasters may cause to their reputation. Another driving force for ‘DR’ is increasing government regulations mandating business continuity and disaster recovery plans for organizations in various sectors of the economy.
Worldwide, it is estimated that the most large companies spend between 2% and 4% of their IT budgets on disaster recovery planning. By spending on DRP, they aim at avoiding larger losses to business that the damage to IT infrastructure and data can lead to. Of companies that have had a major loss of business data, many never reopened, many closed business within two years, and others survived in the long-term. Today, DR planning is important even to small and medium companies; at times, it is mandated by the principals to whom they supply goods or services.
A CIO’s task
We, as CIOs, have our bounden duty to protect the organization from the fall-out of any such disaster and take measures to both, avoid any such an interruption and to recover soon if any such unforeseen event happens. Such measures, however, cannot be taken in a jiffy; they require detailed study of the computing environment, listing of possible faults, appropriate mitigation measures, and a good amount of planning.
The DR plan (DRP) is a set of defined policies and processes that detail steps that need to be taken to recover access to software, data, network, and hardware in case of any disaster either caused by human negligence or due to natural causes. DRP is complex process and requires a good amount of thinking and application. The plan should take into account all business critical activities and their impact on business and the cost of counter-measures to take care of such disruptions.
A DR plan (a.k.a. DR strategy) is important as it defines objectives clearly and identifies the measures to be taken when a disaster strikes. Execution of the plans, however, is equally important and in my opinion, it is here that many of us are found wanting. Sometimes we take too long for planning, especially when the issues are complex or when business leaders do not show the required urgency. Sometimes a grand plan could be halted due to the CIO not being able to justify the costs involved. During these periods of delay, the risks persist and may even get more acute with time and if a disaster occurs, the CIO may be left groping for answers.
In such cases, the CIO can start implementing some smaller measures that are simple and lend more protection to the environment. The set-up becomes more secure than earlier and we get free form those small but recurring problems that cause headache often. The larger measures can always follow in due time but we would have some protection in the meanwhile.
We, as CIOs, deal with systems and data that are valuable to the organization. In other words we are custodians of all the information assets of the organization and therefore assume the responsibility of securing and protecting them.
I have spoken to a lot of information systems practitioners and the moment there is a mention of security, the talk immediately shifts to firewalls, perimeter security, UTM, and the like. It seems as if people have been conditioned to think of tools as the only means for addressing the issue. A formal approach to the subject would, however, reveal other issues that need to be attended to so that we develop a holistic view on matters of security.
There are two aspects to security. One is to preserve and protect data so that it is always available for access and the second is to keep it secure so that it is inaccessible to people who are not authorized to do so. A simple and a clear thinking would reveal three aspects that need to be addressed, such as, people, process, and technology. Let’s discuss each of them separately.
People: You may have all the technology and tools but it ultimately will depend on the people who run them. The first thing is to make them aware of the necessity of keeping data and information secure so that the data is available as and when they want.
Many organizations hold awareness and training sessions for employees so that they understand their respective responsibilities and also the dos and don’ts of dealing with organization’s data. They are also apprised of the security policies framed, their roles and also consequences of breach.
People often tend to ignore these advisories, and therefore, many companies regularly send e-mail blasts to all employees so that they sit up and notice, while others install wallpapers and screen savers on the user desktops so that they are constantly reminded of their roles and responsibilities.
Process: When data is to be kept secure, one would need to have a set of rules and processes which act as a guide for execution of the steps necessary to ensure safe keeping of data. All good organizations compile documents listing the standard operating procedures for back-up of data and for ensuring security from unauthorized access.
Companies call these as a ‘back-up policy’ or a ‘security policy’ document. This is circulated amongst employees or posted on their intranet pages for ready access for people who may want to refer to it. If these procedures are communicated, employees cannot feign ignorance for non-compliance. It is, however, not enough to just inform and sit back; adherence to process must be monitored regularly either through a process of internal audit or by audits conducted by an external party.
Documentation of all complaints, incidents, rectifications need to be preserved for study for any serious breach in security.
Technology: In a complex computing environment of today, where we are connected within and outside the organization, it may be difficult to ensure safety and security without the use of automated tools.
Organizations should evaluate and assess technologies that are appropriate and relevant for the needs of the organization. Choosing of the right technology elements should be based on the computing environment and the organization risk assessment based on the criticality of various business opportunities and risks.
It is here that we talk of firewalls, perimeter security, intrusion prevention, antivirus/ spam, identity management, UTM boxes, automated back-up tools, storage technologies, disaster recovery solutions, etc. In my opinion, this forms the third aspect of our preparedness and tools only go on the serve the larger business purpose.
The whole talk of security is incomplete if we do not talk of all aspects of security and safety. Only a reference to technology and tools leaves us woefully short of our task to provide the organization the right environment where the business can function with ease without being unduly bothered about the safety and security of their information assets.
In the last piece I spoke about the importance of quick decision making and that just mulling over a decision and taking time leads us nowhere. Afraid of making a mistake, we sometimes try and avoid the situation. If, however, we take decisions and they turn out to be good ones, we would get going and not look back. Now, how does one become good in the decision making process?
Process of decision making
Let us look into what is involved in decision making. Decision is all about taking a stand on a particular issue and choosing ‘to do’ or ‘not to do’ a certain thing. At other times, it may have to do with a set of choices and for us to select one from them to go on with. In doing so we consider the best fit solution and also mull the consequences of selecting any of the other choices. But a selection we have to make, sooner than later, and if we don’t someone else will walk away with the cake leaving us high and dry.
Modes of decision making
There are various ways of taking decisions. The best way in many a cases is one which is based on facts and data. We collect all details and classify them into those which are in favor or against a particular choice. These work very well in cases where facts and figures are clearly available and more the data you have, the better the judgment would be.
There are cases, however, where data may not be available and therefore we may have to make choices on various other factors such as our principles, ethics, and so on. We sometimes take a particular step based on our intuition or based on our strong likes/ dislikes even though it may not sound logical. It is, therefore, important for us to understand where we are coming from, when taking decisions.
Elements of good decision making
Quality of our decisions rests a lot in the way we arrive at our conclusions. Let us look at a few factors that are ingredients of good decisions.
Well considered: When we study a certain issue with all seriousness and consider various aspects that speak in favor or otherwise and we apply our judgment based on the facts we have with us. It is not a choice made casually but one with a sense of responsibility.
Balanced and fair: We act as a judge and try to deliver a judgment which is fair and not biased either way. Here, we are true to ourselves and retain our sense of balance considering the right or wrong in making our choice.
Free from emotion: Decisions made with a level head where the heart doesn’t rule the head (except for cases involving human issues). Emotions often mar our judgment and we ignore logic and facts when arriving at a decision.
Ethical: It is important that we do things in a manner that is right and acceptable. So when exercising our choices, we keep ethics and good conduct as a part of our decision making process. We should connect to ourselves and not do anything that hurts our conscience or values we cherish.
Consider both from long term and short term: Depending on the situation and need, we need to take decisions based on the needs that are immediate or sacrifice the short terms needs in favor of long term goals.
We may sometimes make mistakes when taking decisions and on hindsight blame ourselves for being inadequate or incompetent. This may not be the right thing to do. Many years ago I was in a state of remorse after facing consequence of a decision that went wrong. It was my superior then who drew me aside and gave me valuable advice. He explained to me that we all take decisions that we think are right in the circumstances and which are based on the understanding that we have at those points of time.
So we should not wrong ourselves but take a lesson from the error and move on. This is where people often lose heart, shed their boldness and then start withdrawing from decision making or pass it on to the others. They vacate the center stage. We surely can do better and hold our head above water.
Related post: The importance of decision making
We all are involved in the decision making process in our day-to-day life, whether in office or at home or elsewhere. We say good about those who can take quick decisions; we call them efficient and effective. One may feel it is futile to discuss about this topic stating that this trait is an innate part of our character and nothing much is possible to be done. But people are trainable, aren’t they?
We see some people taking decisions and moving forward while some others stay put with the current situation due to indecision. Some make bold decisions, take risks and jump far ahead and out of reach of others while some exercise extreme caution and make little progress. Is this a quality that is inherent in a person or is it one that a person develops over time. We can perhaps leave this matter to be debated by philosophers and psychologists, and move ahead and discuss the consequences of poor decision making.
Taking a stand
In our day to day professional life we are confronted with various situations where we are required to take a stand. Our decisions may relate to choosing of a technology solution or a partner, fixing up something that has gone wrong in the datacenter, resolving unreasonable user demands and many such things, but these decision points are critical and essential part of our work. If we keep taking decisions, work moves on and we embark on the next important matter. However, if we are stuck with indecision, matters come to a standstill and it affects our productivity and efficiency.
I am in no way hinting at hurried decision making or taking matters casually. Decisions need to be taken with utmost care; and these need to be well considered and sound. The process may take longer in some cases which require analysis and research but it is important to take a call after a reasonable time has elapsed.
Not all decisions we take may be correct and perfect; we may make mistakes at times and that is human―a corollary would be to say that we would not make a mistake if we do not get into decision making. I am reminded of one of our Prime Ministers, who had adopted a unique approach of postponing decisions hoping that circumstances will take care of the problem on it’s own. To quote Paul Newman, “A man who waits to do something so perfect that nobody would find fault it, he would do nothing.”
Effects of indecision
Consequences of indecision or delayed decision are enormous. First, you lose on time; things that needs to be done today will be done tomorrow or the day after. Any work getting stretched over days leads to inefficiency and higher costs. If work does not proceed as scheduled, there is a sheer waste of resources put on the job. Both our assistants and also the end users, so affected, develop a wrong impression and lose confidence in us. By not acting on time we may lose out an opportunity to make use of a situation or lose out on making a difference to the environment when it was most essential.
On occasions when we stretch the time for making a decision, the situation changes and the decision loses its relevance. Delay in decision could also alter your position from a winner to a loser. I would like to share the example of my son who is a brilliant amateur chess player. He makes well considered moves and often surprises opponents ranked higher than him, but loses a few games due to time constraints. He considers all possibilities to choose the correct move and hence consumes more time. The lesson he has to learn is that if he develops the habit of faster decision making, he could win many more games and the championship. Rather than looking for the perfect move, he can move with faster with quicker decisions and not mind if there is a rare move that is incorrect.
Decisions are taken easily taken by people who have courage; as they proceed ahead, their confidence grows. If they make mistakes they consider these as opportunities to learn and move on.
When it comes to training and development we think of ourselves, but perhaps it is as important to think of development of the rest of IT staff who work for us.
Coming from the era of ‘command and control’, we often commandeer the staff and lead them as we move along. We pass instructions and we expect them to obey. We think it is our role to think and strategize and it is duty of the staff to execute and carry out instructions given to them. This may sound demeaning but we do act that way many a time.
This approach obviously has negatives. We are pressured and where the staff does not perform as desired, we are left to face the user and even though we may make all those excuses and shift blame, the user is unhappy. There are times when staff and managers do not begin work in your absence and wait for you to come and give instructions. Staff does not participate or add value – they merely do what they are told.
Not a very happy situation, or is it? What if in my absence my manager takes an initiative, solves a problem and saves the situation? We come back and discover that someone has filled up for us. Won’t we like to encourage people who are knowledgeable, competent and who take initiative?
To ensure that IT staff stands up to perform on various occasions, I have to ensure that they have the right knowledge and competence to tackle various problems. Developing them can be in various forms. One is to send them for technical training courses or even certification courses. They learn new skills and develop greater insights into the requisite technical area that they are supposed to deal with in office.
Another way could be encouraging them to attend various vendor events / product launches and other seminars. This opens them up to new developments and also gives them a chance to network with people from other organizations.
It is also a great idea to introduce the concept of periodic departmental meetings where the IT head first shares the IT strategy drawn up, plan/ budget for the year and also reviews the progress of various projects. This way the staff can understand the overall direction of the function and can also get to know of going-ons in the department.
One great learning was the concept of creating a ‘teaching and learning community’ as taught to me by an HR colleague many years ago. Here, each person is encouraged to read thoroughly about a subject of his choice and then take a session to tell others what he learnt. This encourages learning and creates a certain enthusiasm in the function.
Technical skills by themselves are not adequate to equip IT staff to deal with any situation. Some soft skills are also critical for their success. There are many skills that can make them grow up in confidence. I have seen people blossom after they had gone for courses like communication skills, leadership programs, negotiation skills, team building exercises, creativity and innovation programs, etc.
Impact of education
It must be said that as people move towards developing their wholesome personalities, they turn out to be real assets for the department. There have been times when I would deliberately move out of a situation so that the next in line learns to handle a difficult situation on his own. There have been times when my managers would ask me to relax when on leave, saying that they would handle things in my absence and wanting me back, fresh after a good vacation.
Many of the managers who had worked with me in the past are now full-fledged CIOs on their own and are making news. Little did I understand that they were professionals of great potential and once encouraged they could go on to achieve great heights.
We get busy, don’t we? Every day chores, problems, trouble shooting, projects, et al. So much to do every day, leaving very little time for us to breathe. We visualize the CIO as an overworked individual struggling to keep everyone happy and getting more of brickbats than bouquets. With so much to attend to, he gets very little time to look around himself and or to spend time on his professional development.
Extracting time for oneself
Now if a CIO devotes so much of his time in keeping the ‘lights on’, he would be neglecting his need to grow and develop. Rather than portraying himself as a victim, he should extract some time for himself.
There are many ways that he could accomplish that. He can develop a clear plan and schedule all his major activities in conjunction with the organizational priorities and user-requirements. Once the plans are agreed upon with the management, he could concentrate on major projects and refuse to take up ad-hoc work that is often thrust upon him. That could release a lot of time otherwise spent on many of these miscellaneous activities.
The CIO can delegate work by developing his managers and takes care of planning and monitoring. He should, in fact, outsource some of the routine activities and follow-up so that these tasks do not take time of his managers and himself. These and other measures could release time that he can use on himself.
Balance between ‘P’ and ‘PC’
Stephen Covey, in his book ‘7 Habits of Highly Effective People’, speaks of the balance between ‘P’ (production) and ‘PC’ (productive capacity). If an individual keeps delivering or producing, he would get accolades; but there would come a time when he is asked to deliver more, he runs out of ideas. A more accomplished person in this situation would apply innovation or new methods or technology to come out an appropriate solution. Now, where will the conventional manager stand if he falls short of what is expected of him?
Importance of self improvement
It is therefore very important that while we take care of our day-to-day performance, we also take out time to develop and equip ourselves for the future. The question often asked is ‘how much time should I allocate to development’ – the answer would depend on every individual and to each situation. Whether we practice 80:20 or 70:30, it is important that we consciously keep working on our development and make ourselves relevant for the future for otherwise we may lose out in the world of new order.
There are various ways that we can recharge ourselves. What we have studied in our engineering, science or other disciplines in our college gets outdated over a period of time and may be not as relevant in changed times.
We have therefore to learn new technologies, new management methods, new ideas and new solutions. One way is to enroll ourselves in academic courses – I have seen people joining management courses, either by leaving their jobs to do full time courses or obtaining degrees by attending up evening classes or through correspondence courses. The added qualification and confidence help them in going up higher.
I have seen a few others attending events and professional seminars where they keep themselves abreast of the new developments and get in synchronization with contemporary methods. Some enroll in short executive development courses of management institutions and become more knowledgeable. Some others join certification courses and learn to use the technologies better.
Such an individual, therefore, is constantly working upon himself to get better and develops additional capability to take him up to higher levels and the makes him eligible for taking up higher responsibilities. Learning never stops in life and the higher that he goes, the more he will have to learn.
IT plans and budgets often look progressive and impressive. The bigger the organization, the larger would be the budget and speaks of the power that the CIO commands. But the real power is derived from implementing them and making the solutions work. The status of the CIO and of the IT group goes up a notch every time they make a success of any project.
As we make plans for the coming year and start working on them, it is the year-end review which lets us know if we were good enough in meeting our commitments. A good report card strengthens the position of the CIO in the management group. While this requires hard work and dedication on his part through the year, the approach direction he takes has a great significance. Let us take a look at various measures that he can take towards this end.
- Setting priorities: It is important that clear priorities are set and that execution plans give clear precedence to matters that stand high on the list. We have to ensure that these are business priorities that are in line with the strategic plan of the organization. The real success of IT lies in enabling business in meeting market expectations and in achieving growth. If the right attention is not given to such projects, all sundry matters occupy the space thus crowding out resources from important projects leaving them incomplete. When such projects of importance like supply chain automation, CRM, sales force automation, ERP etc, lie unfinished, they give a poor impression of the IT program, even though the IT staff we may have done a great job in storage deployment, Network implementation etc.
- Projects should be well-conceived: We have to avoid situations where we move three steps forward and two steps backwards. I often find people starting off a project under pressure from the user but later finding various gaps in understanding and scope definition. Such stoppages and getting back to review details puts back the IT plans by several weeks and are often difficult to make up. It is therefore crucial to put that extra effort to manage user expectations and to fix up the scope and coverage before kick-off.
- User involvement / ownership: Projects that start without a clear user involvement and those where the stake holder has not assumed full ownership are bound to falter. Many a time CIOs give this a pass and proceed as they try to complete their task as defined in their KRAs. In most such cases they get into trouble as they struggle with scope creep, and lack of user co-operation in defining specifications and subsequent testing. It is advisable to hold on to the project till the users get on board.
- Project management: This is an essential skill that the CIO has to possess and apply. Projects are always prone to delays and it is here that he has to apply his skills in undertaking regular reviews, use Gantt charts, and other project management techniques to intervene where necessary and on time. Delays have to be addressed immediately so that they don’t grow bigger needing escalation.
- Vendor management: Vendors are important constituents to the projects, whether they are hardware, software, network vendors or system integrators. Their knowledge and experience can easily be leveraged upon to fix problems at various stages of the project. It is important to build relationship with them and keep them engaged in the project. A good practice employed by many organizations is to have the vendor partner as a member of the Steering Committee. They can bring specific expertise at crucial junctures and get the project going.
A good handling of activities can see us achieve the objectives set at the beginning of the year. Even though all milestones may not have been crossed a good success rate draws appreciation of the organization since some of the projects get delayed because of various organization constraints. A plan capped with a sound execution signifies excellence.
We struggle with our IT budgets every year. As the year draws to a close, we try to estimate all that is in store for the next year and go about jotting it down. The problem is that the ‘budget’ not only carries what we want to do, but also carries the demands that users and user departments make. The challenge is two-fold—one is to arrive at a realistic estimate of expenses, and another is to get them approved by the management. Now how does one go about these tasks?
The act of making a wholesome budget and getting it cleared by the management is an art. It consists of a series of steps—right from carrying forward unfinished tasks from the previous year, to undertaking new and fresh programs in the New Year. The budget also covers routine tasks and maintenance of the current systems, aka keeping the ‘lights on’. A tricky job, this.
I suggest the following steps to make sure that we are right in our budget making:
1. Requisitions from functional departments: Ask departments to list out their requirements of IT support, along with their business plans which trigger these requirements. Try not to accept simple requests for the PCs, printers and software without them specifying the accompanying business need. This needs careful handling, as mere collation of requirements run contrary to our stated objective of being effective CIOs. We have to ensure that IT serves the business’ purpose. Unless the assets are put to right use, you cannot obtain benefits.
2. Bring out the Information Systems plan: Prepare a plan document that states the main business issues that IT plans to address. For example, these may include process automation in the plant, supply chain efficiency, ERP, work flow in specific areas, or sales force automation. This is the language that business understands, and the management is also clear about the addressed business challenges. In such cases, budget approvals are not very difficult to obtain. Routine expenses including maintenance and AMCs are usually not discussed on such occasions.
3. Translate in to an IT plan: Once the main direction for IT receives approval, we need to translate this in to a list of necessary equipment and software to be bought (or hired). This has to be executed carefully, taking into account new technologies and solutions offered in the market. It is advisable to review the current status of hardware and software—suggest upgrade or replacement where necessary.
4. Estimation of prices: This is often a challenge. I have been in both spots—situations when prices used to go up every year as well as the latter environment when prices saw a drop every year. In either case, it is best to apply our best judgment by obtaining prices from vendors—either formal or informal. You can formally ask vendors to submit their budgetary prices and then apply your judgment. This way, we come to a financial figure which may not vary widely with time—unless of course there are unforeseen changes.
5. Presenting to the management: On this front, you can put up a presentation to explain IT’s efforts to enhance business capability or efficiency, or send a note that clearly explains the direction being pursued and considered assumptions.
During my career, I have taken this approach and seen it work. I admit that getting a budget approved is not always easy—all the more so at times of low growth and recession, but proper persuasion would help avoid drastic cuts to the IT budget. The IT budget is often the first victim when cuts are imposed on spending, but if put across as a business initiative, spends may look justified. Lastly, it is important to work on the approved plans during the year and come out successfully–let us remember that we again have to approach the Board next year for approval of our budgets.