For a country prone to disasters, from natural and man-made to technology-based, surprisingly few companies have plans in place to deal with them, according to experts at last month’s World Conference on Disaster Management in Toronto.
And while IT is only a portion of the solution, it can play an important role in mitigating risk.
“Constraints and restraints keep us at the lower part of the organization,” said Neil Simon, president of Southfield, Mich.-based Incident Mitigation LLC. “We are technical experts, not salespeople.”
Even though there is a “lack of upper administrative support” for change, a lot of it due to “fear of incompetence or obsolescence…(and a) ‘what’s in it for me’” attitude, Simon said IT has to take some initiative to learn to sell disaster planning to management.
Bob Plaseski, a senior director at ZANTAZ Canada in Ottawa, said one way to get management’s ear is to point to legislation such as Sarbanes-Oxley and U.S. Securities and Exchange Commission (SEC) requirement 34-49537, which states that businesses listed on the New York Stock Exchange (NYSE) must have a business continuity plan.
Unfortunately, Simon said the strategy of pointing to what the competition is doing often doesn’t work since “organizational transplants don’t work.”
Instead, “you need to capture individual perceptions of key organizational membership.”
But getting top management’s ear is not always easy. One attendee, from a New York City-based company, said “there are certain individuals I’d like to see here…the ones who think it is all too easy…(and) you’d think that the companies in New York City would be very interested.”
Simon said the key is to identify which executives are friend, foe or on the fence.
“What you really have to do is understand your (stakeholder) target,” Simon said. But to do this IT must understand the organization’s direction, business functions and political structure. “You’ve got to work within the system,” he said.
This is often achieved by actually setting up time to talk to executives, and though you won’t always get as high as the CEO, “you can get close enough,” he said. “Oftentimes they’ll talk to you about these things (disaster planning) but never talk to each other,” he said.
One specific area often overlooked, which can be used as leverage for internal talks, is e-mail. About 50 per cent of companies don’t have an e-mail retention and retrieval policy, Plaseski said. Backup tapes are no longer acceptable, he added. And although companies not on the NYSE or unaffected by U.S. laws such as Sarbanes don’t have to worry yet, the Toronto Stock Exchange is looking into implementing similar requirements, Plaseski said. Not to mention the fear of lawsuits and $800-an-hour lawyers ineffectively searching your subpoenaed e-mail. “All it takes is one lawsuit…(and) most major firms will face litigation at some point.”
Though an “online all the time, non-tamperable” system is not cheap, Plaseski admitted, “the risks far outweigh the costs.”
But Rex Pattison, director, business continuity with Scotiabank in Toronto, had some words of advice about understanding the need to implement and activate expensive technology. “Who is going to want to be the guy who wasted $6 million on a power generator and the power comes up five minutes later?” he said. Luckily, all the experts agreed, compliance with laws may remove some of the trepidation from the decision-making process.
In March, the Bank of America was fined US$10 million for violations of the SEC’s record keeping and access requirements. Plaseski said a Canadian company, which he wouldn’t name, was fined $40 million for similar infringements.