For a country prone to disasters, from natural and man-made to technology-based, a surprising number of companies have unacceptable plans in place to deal with them, according to experts at this week’s World Conference on Disaster Management in Toronto. And, while IT is only a portion of the solution, it can play an important role in mitigating risk.
“Constraints and restraints keep us at the lower part of the organization,” said Neil Simon, president of Southfield, Mich.-based Incident Mitigation LLC. “We are technical experts, not salespeople.”
Even though there is a “lack of upper administrative support” for change, a lot of it is due to “fear of incompetence or obsolescence…(and a) ‘what’s in it for me'” attitude, Simon said. IT has to take some initiative to learn to sell disaster planning to management, he added.
Bob Plaseski, a senior director at ZANTAZ Canada in Ottawa, said one way to get management’s ear is to point to legislation such as Sarbanes-Oxley and U.S. Securities and Exchange Commission (SEC) requirement 34-49537, effective July 2004, which states that businesses on the stock exchange must have a business continuity plan.
Unfortunately, Simon said the strategy of pointing to what the competition is doing often doesn’t work since “organizational transplants don’t work.” Instead, “you need to capture individual perceptions of key organizational membership,” Simon said.
But getting top management’s ear is not always easy. One attendee, from a New York City-based company, said “there are certain individuals I’d like to see here…the ones who think it is all too easy… (and) you’d think that the companies in New York City would be very interested.”
Simon said the key is to identify which executives are friend, foe or on the fence and understand your stakeholder target. But to do this IT must understand the organization’s direction, business functions and political structure. “You’ve got to work within the system,” he said.
This is often achieved by actually setting up time to talk to executives about disaster planning, and though you won’t always get as high as the CEO, “you can get close enough,” he said. “Often times they’ll talk to you about these things but never talk to each other,” he said.
One specific area often overlooked — which can be used as leverage for internal talks — is e-mail. About 50 per cent of companies don’t have an e-mail retention and retrieval policy, Plaseski said. Back-up tapes are no longer acceptable, he added.
And though companies which are not on the New York Stock Exchange or are not affected by American laws such as Sarbanes-Oxley don’t have to worry yet, the Toronto Stock Exchange is looking into implementing similar requirements, Plaseski said. Not to mention the fear of lawsuits and $800-an-hour lawyers ineffectively searching your subpoenaed e-mail. “All it takes is one lawsuit…(and) most major firms will face litigation at some point.”
Though an “online all the time, non-tamperable” system is not cheap, Plaseski admitted, “the risks far outweigh the costs.”
But Rex Pattison, director, business continuity with Scotiabank in Toronto, had some words of advice about understanding the need to implement and activate expensive technology. “Who is going to want to be the guy who wasted $6 million on a power generator and the power comes up five minutes later?” he said.
Luckily, all the experts agreed, compliance with laws may remove some of the trepidation from the decision-making process.
In March, the Bank of America was fined US$10 million for violations of the SEC’s record keeping and access requirements. Plaseski said a Canadian company, which he wouldn’t name, was fined $40 million for similar infringements.