Sunday, January 30, 2011

The Seven Signs of Complacency

By Bob Lewis
December 29, 2004

Spotting a dysfunctional IT organization is pretty simple. End-users talk about the "helpless desk" and the "local area not-work." Managers gripe that simple requests disappear into the prioritization black hole. Executives tell horror stories about multi-million dollar project fiascos. And inside IT you find a shell-shocked inability to do anything more than flail away at things without accomplishing anything useful.

A complacent IT organization -- one that's "good enough" -- is harder to recognize. So hard that some in IT may assert that "raising the bar" is just more executive abuse -- an insistence that if IT was a car, it should accelerate instantaneously, stop on a dime, corner as if it ran on rails, deliver a hundred miles per gallon, never need an oil change, and cost $25 plus tax.

Yes, some executives are unreasonable and yes, they do use the phrase "raise the bar" to justify back-breaking workloads. So what?

It doesn't make all IT organizations equally effective, and it doesn't justify complacency. It certainly doesn't mean the nagging feeling that information technology shouldn't cost so much, take so long, and be so overall hard to accomplish -- that it could be much, much better -- isn't sometimes justified.

You're the CIO, caught in the middle. You need criteria, not complaints, defensiveness, or vague feelings. To help you out, here are the seven warning signs of a complacent IT organization ... or at least, seven of the warning signs:


It's a ghost town at 5pm. IT staff members should feel a sense of urgency about problems that crop up, an intensity about finishing tasks by their deadlines, and personal pride in the quality of the work they deliver. If, no matter what's going on, everyone feels comfortable that it will wait until tomorrow, you're running a complacent organization.

That doesn't mean you should hope for the opposite. If everyone works late hours and six or seven day weeks all the time, it suggests a very different problem: Desperation. It comes from strong motivation (usually fear) coupled with severe ineffectiveness. Complacency is a matter of attitude and culture; ineffectiveness is a matter of process and training.


"'They' don't use the software the way they're supposed to." Complacent IT's job is finished when projects deliver software that meets specifications and end-users receive training in how to operate it. Being beyond blame is the goal.

In an effective IT organization the job isn't finished until the business has changed as planned. That means understanding the context behind the specifications. And it means training end-users in how to do their jobs with the new software -- quite different from learning how, where, and when to move the mouse pointer and click the buttons.


Fixing the same problems, over and over again. It's an unmistakable sign: If your e-mail server (or what have you) crashes so often that your department has achieved excellence in restoring it quickly, it's time to shake things up.


More allegiance to the profession than to the business. Allegiance to a profession is a worthy dimension in any corporate culture. It establishes high standards and a shared set of ethical guidelines. When the IT staff has more allegiance to their profession than their employer, though, they've lost their sense of what defines value -- a context-free set of abstract criteria replaces business horse-sense as the measure.


Metrics. No, you won't be able to spot complacency in the graphs that show how well IT meets or exceeds service levels. If those don't show that everything is just fine, it means the IT staff is so inept or demoralized that nobody bothers to game the system.

Complacency is hidden in how metrics are defined in the first place, or in their absence. It's in the agreement as to what constitutes a reasonable set of targets: Reasonable, of course, means easily achieved.


"That's how we do things around here." This, and the closely related, "We're different," tells you nobody is looking for a better way of doing things. They've become complacent.


"We're working our tails off and nobody appreciates our efforts." If there's one constant in the universe of business, it's that the employees who complain the loudest about how hard they're working are the ones who show up late, leave early, and produce the least while they're there.

"Better," said Voltaire, "is the enemy of good." That's a healthy attitude. Complacent organizations get it backward: Good enough is the enemy of better.


Bob Lewis is president of IT Catalysts, an independent consultancy specializing in IT effectiveness and strategic alignment and author of "The Toughest Job in the World: Leading IT." This column, the second in a three-part series, appears courtesy of IT Catalysts' subsidiary IS Survivor Publishing. Lewis can be contacted at rdlewis@issurvivor.com.

The #1 Leadership Problem

Willful Blindness is the phenomenon according to which we see what we want to see and manage to ignore whatever makes us uncomfortable or challenges our most cherished beliefs. We're willfully blind when we think we can text and drive. The Catholic Church has been willfully blind to the criminal behavior of its priests; banks were willfully blind to the grotesque risks they took with other people's money. The book, Willful Blindness, will be published in the UK in February (http://tinyurl.com/36er9f5), in the US (http://www.amazon.com/dp/0802719988) and Australia in March and in Canada in April.

By Margaret Heffernan | January 27, 2011

Serial CEO

When I meet with CEOs, I like to find out what keeps them awake at night, what intractable issues or opportunities disturb their sense of confidence. Of course, each one has industry-specific or company-specific challenges and they’re fascinating.

But there’s one problem common to each one of them. They all know it. Only a brave few will talk about it openly: Ignorance.

It doesn’t matter whether the company is large or small, old or young, high tech or blue collar manufacturing. The reality is that no leader is fully informed of what is happening on his or her watch.

Ignorance Isn’t Bliss

Of course in theory, this shouldn’t happen. The chain of command should ensure that information reaches the top. Daily reports should flag critical issues. Balance sheets should indicate significant trends. And they all do - up to a point. The problem is that none of them works quite well enough.

That’s why BP can run unsafe plants and still be taken by surprise when they blow up.

It’s why music labels could be blind-sided by the rise of digital downloads.

It’s why soft drink companies were surprised by the popularity of vitamin drinks.

It’s why Lehman Brothers and Enron and Citibank and Merrill Lynch had no idea actually how much money they had.

It’s why companies are so anxious about what Wikileaks will publish next.

It Can Happen to You

The most tempting thing in the world is to look at that string of business disasters and argue: that was them, not me. It couldn’t happen here. They were just bad leaders, a few bad apples. But the minute you say you don’t have this problem is the minute you know you do.

The problem is willful blindness: the human propensity to ignore the obvious. It isn’t just a business problem, of course. We do it in our private lives when we leave those credit card bills unopened or take on a mortgage we can’t afford or insist that tanning salons really won’t cause us any harm.

There are numerous social, structural, organizational and neurological reasons for willful blindness and I'll be blogging about them over the next few weeks. But in the meantime I'd like to hear from you: in your company or department or industry, where are your blindspots?



Complacency!

Too often we would rather sit down and doze instead of getting up to face challenges or make the necessary change!

There was something amiss about the company I visited recently. From the exterior one would not know. It looked like any modern building, with all the trappings of sophisticated facilities: intelligent lifts, high-speed computer systems, elegant offices furnished with the latest furniture, and walls decorated with a clear corporate vision and goals. Even the employees were smartly dressed. What was obvious, however, was the tremendous sense of complacency within the company, which was what my client had commissioned me to address.

What is complacency? Complacency is a sense of excessive satisfaction which prevents people from addressing the real issues that require change. The signs of complacency are very telling. Here are some of them:

- People skirt around the real issues and address only the convenient ones

- They preach about change but do not see it through until it yields the desired results

- Leaders let people get away with poor performance

- Staff are not motivated to achieve more or take on more responsibilities

- There is no consistent follow-up; many progress reviews are ad hoc and crisis-driven

The greatest waste of human resources is staff complacency. Too often companies spend millions of dollars to educate, train and equip people with all the knowledge, skills and resources they need to perform. Too much effort and time has been focused on making people more competent. The irony is that many staff know what to do but do not do what they know. Yet little is done to eliminate complacency, which is a productivity damper in organizations.

During these turbulent times, beset by a global financial crisis, companies cannot afford a complacent workforce. Productivity is the key to staying cost-effective and competitive. Many companies like to believe that their people are their greatest asset. This can only be true if leaders find ways to eliminate complacency in their workforce and make it productive. The following are some ways to help eliminate complacency in organizations.

Ascertain the Root Causes Of Problems

In a downturn, when sales start to plummet and profits head south, it is crucial to make sure people face the real problem rather than escape from it. Many will be lured by the temptation of escapism and look for an easy way out: they will address the symptoms and recommend quick fixes. For example, when demand goes down, competition becomes keener and customers gain bargaining power, and it is all too easy to succumb to cutting the prices of products and services. It is more important to address how the company can fundamentally help its customers overcome the tough times, finding out what is truly ailing them and providing what they value most. For example, in the aftermath of the collapse of Lehman Brothers, financial services companies have had to do more with less and cut costs wherever they can. Microsoft has developed cost-effective solutions to help the "customer's customers". Lloyds TSB Group, one of the United Kingdom's largest financial institutions, has made it quicker and easier for business decision makers to gain customer insight from data using a solution based on Microsoft business intelligence (BI) tools, at a cost approximately 80 percent less than that of competing solutions.

Cutting prices alone breeds complacency. It removes the need to improve: people no longer explore ways to differentiate the products or services they provide on anything other than price. That leads to deteriorating profits and hastens the company toward failure.

Engage Staff In Resolving The Real Issues

The role of the leader is not to provide all the solutions to their staff. Enough damage has been done in schools where teachers think for their students and feed them all the right answers. The more leaders get their people to think for themselves and come up with their own solutions, the less complacent they will become. This makes perfect sense, as it is not possible for a leader to be aware of every operational detail. By engaging employees to participate and help the company address the real issues, leaders also build commitment and a sense of belonging, which are intrinsically motivating. Such motivation is more meaningful and sustainable than mere monetary rewards.

Set High Standards

Nothing breeds complacency faster than low goals and expectations. Such low standards are often too well justified for a company's own good. All too often leaders rationalize that the company is not doing too badly compared to many others. Others rationalize that they have done relatively well considering how far they have come. For some it is all too convenient to argue that, given the tough challenges in the industry and the economy, the company is doing pretty well.

Michelangelo, the multi-talented Italian painter, architect, sculptor and poet, said it best: "The greater danger for most of us lies not in setting our aim too high and falling short; but in setting our aim too low, and achieving our mark". Achieving a low mark will only make us complacent.

Measure And Monitor Progress Regularly

James, a supervisor at a manufacturing firm, learnt the hard way. To build a "more trusting environment", he decided to get rid of the weekly output progress meeting and let each individual monitor their own progress. After two months, production output had fallen by 20%. Monitoring progress is not about distrusting others. In fact, done the right way, it has a positive psychological effect on people.

Without clear measurements and frequent monitoring of progress, complacency will begin to set in. People feel that what they do matters little, since no one is paying attention, and there is no motivation. Soon most people will just do the bare minimum. According to Peter Drucker, the father of modern management, "What gets measured gets done". The tendency of human behavior is to do what is inspected, not what is expected.

Hold People Accountable For The Results

There is a magic in holding people accountable for results. It conveys two very important messages: belief in the person's ability, and the importance of the responsibility the person carries. To be effective, this must be communicated in a positive, encouraging and confident manner. It is not about telling people to do whatever they can and "try your best". It is about communicating to people that their results are an important piece of a big "jigsaw puzzle". The success of the company depends on each one delivering the results they are accountable for. Only when everyone contributes their piece can the whole "picture" be complete.

Discipline And Penalize Non-Performers

As a consultant who has worked with many companies, I have noticed that most Asian managers are poor disciplinarians. They are better at playing the good guy and delivering the good news. Discipline does not mean shouting at and threatening people, although some managers seem to believe that is the case. I once asked a manager why he screamed at one of his staff. His justification was most telling: "Well, some people have to be shouted at, otherwise they just don't move". I explained to him that this was not only a dinosaur approach but also unprofessional and unacceptable in the modern workplace. There is a better way.

One simply has to be firm and fair in disciplining and penalizing non-performers. Firm, in that one is unwavering and does not give in to sob stories. Fair, in the sense that they are provided the training, resources, help and ample notice about their lack of performance. In most cases, people are penalized not because they do not know how to do something but because they do not want to do it, or deliberately do the wrong thing.

Reward And Recognise  Based On Performance

Human beings are all too predictable, if one understands the psychology of people. People have needs to be met, and not just the basic needs of food, clothing and shelter. Yes, man does not live on bread alone. People have other needs, to be nourished emotionally, psychologically and intellectually. People want to feel important. They want to be recognized for what they have done. They want to belong. They are driven by ego and a need to achieve. Ultimately, they want a sense of fairness in the recognition and reward they receive for the effort they have put in. If humans are so predictable, how is it that leaders find it so hard to motivate and inspire people to perform? The truth is that the issue of motivating people has been complicated by company politics, human flaws such as favoritism, conflicts of interest, self-driven agendas and other motivation-dampening behaviors in organizations. To motivate people to continue to perform, leaders simply have to reward and recognize them fairly, based on performance.

Dr Victor SL Tan is the CEO and principal consultant of KL Strategic Change Consulting Group. For more information, please call 03-90741129 or email to: victorsltan@klscc.com.

news from: koreanpress

Wednesday, January 26, 2011

Doctor's orders: An IT audit for good reason

By Christopher Hock, Assistant Manager, IT Audit Department, Mazars, China | Aug 23, 2010


With so much of our financial activity computerized these days, healthy IT systems are without doubt crucial not only to the speed of an audit but also to its efficiency and accuracy.

Christopher Hock is the IT specialist at the audit and accounting firm Mazars. He is tasked with the critical pre-audit task of assessing the integrity of each client's IT system.  It's a process that helps both the client and financial audit team, as an IT driven, hiccup-free and time-efficient audit benefits all parties.

"My work begins and ends before any of the year-end audit procedures commence. It's called an IT Audit for good reason as it's a detailed assessment of controls within the IT infrastructure as well as within the software systems clients use to execute their business processes," says Christopher Hock, Assistant Manager, heading the IT Audit Department of Mazars in China.


It's like Triage - a quick expert assessment
An IT Auditor works hand-in-hand with both the financial auditors, to understand their requirements - and the client, to understand their business processes.  So a thorough understanding of the Audit process, the client's business processes as well as an in-depth knowledge of IT systems engineering and software is needed.

The IT Audit is usually done quickly, depending on the size of the business and complexity of its IT systems. For medium-sized companies, the process is usually complete within 2-3 days. For large enterprises with advanced and integrated systems, 5-7 days or more may be needed, depending on the task.

An IT Audit can uncover and resolve issues and risks across the board for a business and gives advice for improving systems and processes. After finishing the on-site work, the client and the Audit team receive an IT Audit Report revealing findings and recommendations.


The value of an IT Audit
For the client, identifying risks within the IT environment, as well as ways to increase the reliability and integrity of IT operations represent tangible value.  Ideas to improve the efficiency of actual business processes can also surface.

For the financial audit team, knowing that all data comes from an effectively controlled IT environment means they can rely on the controls in place. This reduces the manual audit work required and accelerates the efficiency of a financial audit.

Hock recalls an example: "There are clients who process up to 100,000 invoices per day, each for a small amount. For these, manual audit procedures cannot provide the viability or assurance that a financial audit requires. The IT Audit gives a valuable systems review through the business, thereby giving the financial auditors the assurance they need to carry out their task of reviewing all financial data."
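As an added worked example (not code from the Mazars article or its author), here is the kind of automated control test an IT auditor might run over an accounts-payable export when the volume rules out manual sampling. It re-performs four application controls over the whole population: unbroken invoice numbering (completeness), no reused invoice numbers (uniqueness), no repeated vendor/amount/date postings (possible double payment), and segregation between the person who entered an invoice and the person who approved it. The column layout and every record below are constructed for illustration and are not a client's data; the segregation-of-duties check goes slightly beyond the controls the article names.

```python
"""Automated re-performance of invoice-processing controls.

Added worked example, not code from the Mazars article. The export layout
and every record below are constructed for illustration.
"""
import csv
from collections import Counter, defaultdict
from decimal import Decimal
from io import StringIO

# Constructed sample extract from an assumed accounts-payable system.
# Deliberately seeded with one missing number, one reused number, one
# repeated vendor/amount/date posting and one self-approved invoice.
SAMPLE_EXPORT = """\
invoice_no,vendor,amount,posted,entered_by,approved_by
10001,Acme Ltd,1200.00,2010-06-01,jlee,mchen
10002,Bolt Supplies,89.50,2010-06-01,jlee,mchen
10004,Acme Ltd,1200.00,2010-06-01,jlee,mchen
10005,Crown Paper,410.00,2010-06-02,rpatel,rpatel
10005,Delta Freight,2200.00,2010-06-02,jlee,mchen
10006,Crown Paper,415.00,2010-06-03,rpatel,mchen
"""


def load_invoices(text):
    """Parse the CSV extract; numbers become int, amounts exact Decimal."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["invoice_no"] = int(row["invoice_no"])
        row["amount"] = Decimal(row["amount"])
    return rows


def sequence_gaps(invoices):
    """Completeness: (first, last) ranges of invoice numbers never used."""
    numbers = sorted({r["invoice_no"] for r in invoices})
    return [(a + 1, b - 1) for a, b in zip(numbers, numbers[1:]) if b - a > 1]


def duplicate_numbers(invoices):
    """Uniqueness: invoice numbers that appear on more than one record."""
    counts = Counter(r["invoice_no"] for r in invoices)
    return sorted(n for n, c in counts.items() if c > 1)


def possible_double_postings(invoices):
    """Same vendor, amount and posting date recorded under several numbers."""
    groups = defaultdict(list)
    for r in invoices:
        groups[(r["vendor"], r["amount"], r["posted"])].append(r["invoice_no"])
    return {key: nums for key, nums in groups.items() if len(nums) > 1}


def segregation_of_duties_breaches(invoices):
    """Authorisation: records where the person who entered also approved."""
    return sorted(r["invoice_no"] for r in invoices
                  if r["entered_by"] == r["approved_by"])


def run_control_tests(text):
    """Run every test over the whole population and return the exceptions."""
    invoices = load_invoices(text)
    return {
        "records_tested": len(invoices),
        "sequence_gaps": sequence_gaps(invoices),
        "duplicate_numbers": duplicate_numbers(invoices),
        "possible_double_postings": possible_double_postings(invoices),
        "sod_breaches": segregation_of_duties_breaches(invoices),
    }


if __name__ == "__main__":
    for name, result in run_control_tests(SAMPLE_EXPORT).items():
        print(f"{name}: {result}")
```

Because every record is tested rather than a sample, the exceptions list is the finding: each item is a specific invoice the financial auditors can follow up, which is the assurance the interview describes.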


Qualities of the IT Audit profession
Previously based in Munich, Germany, Christopher Hock is now located in China with Mazars and has a background that blends both IT and Auditing, equipping him well for the go-between role he plays. 

"I'm a mix of both professions. I majored in Information Systems for business administration and have gained experience and certification as a Java software developer.  But I started in the audit business, and have participated in financial audits large and small, so I know the process well."

Christopher Hock is also a Certified Information Systems Auditor (CISA), a qualification acquired only through the international body of IT Auditors (ISACA) by formal examination and a proven track record.

The IT Audit profession remains a specialist arena but has virtually become a standard procedure for every major audit assignment. Consideration of the client's IT is now mandatory for audits of major companies, according to the International Standards on Auditing (ISA) and national audit standards in all major countries.


For Christopher Hock and Mazars, it's a crucial first step that both clients and financial audit teams have come to rely on.


In addition to IT Audits as part of the financial audit assignment, Mazars' IT Audit department also offers advice in the fields of IT security, controls and processes, system implementation reviews, software selection support and consulting services to assist businesses in fulfilling global regulatory and contractual requirements such as SOX and SAS 70.


For Christopher Hock and Mazars, reliability in IT equates to reliability throughout a financial audit.

----------------

The author, Christopher Hock is Assistant Manager, heading the IT Audit Department of Mazars China.


Business Continuity and Disaster Recovery Planning: The Basics


Good business continuity plans will keep your company up and running through interruptions of any kind: power failures, IT system crashes, natural disasters, supply chain problems and more.


Disaster recovery and business continuity planning are processes that help organizations prepare for disruptive events, whether the event is a hurricane or simply a power outage caused by a backhoe in the parking lot. The CSO's involvement in this process can range from overseeing the plan, to providing input and support, to putting the plan into action during an emergency. This primer (compiled from articles on CSOonline) explains the basic concepts of business continuity planning and also directs you to more resources on the topic. Last update: 7/1/2010.

Q: "Disaster recovery" seems pretty self-explanatory. Is there any difference between that and "business continuity planning"?

A: Disaster recovery is the process by which you resume business after a disruptive event. The event might be something huge, like an earthquake or the terrorist attacks on the World Trade Center, or something small, like malfunctioning software caused by a computer virus.

Given the human tendency to look on the bright side, many business executives are prone to ignoring "disaster recovery" because disaster seems an unlikely event. "Business continuity planning" suggests a more comprehensive approach to making sure you can keep making money, not only after a natural calamity but also in the event of smaller disruptions including illness or departure of key staffers, supply chain partner problems or other challenges that businesses face from time to time.

Despite these distinctions, the two terms are often married under the acronym BC/DR because of their many common considerations.

Useful Books on Business Continuity and Disaster Recovery

By Kelley Okolita (CRC Press 2009)
Includes numerous checklists and test scenarios

by Julia Graham et al (Rothstein Associates 2006)
Case studies with a business focus

What do these plans include?

All BC/DR plans need to encompass how employees will communicate, where they will go and how they will keep doing their jobs. The details can vary greatly, depending on the size and scope of a company and the way it does business. For some businesses, issues such as supply chain logistics are most crucial and are the focus of the plan. For others, information technology may play a more pivotal role, and the BC/DR plan may have more of a focus on systems recovery. For example, the plan at one global manufacturing company would restore critical mainframes with vital data at a backup site within four to six days of a disruptive event, obtain a mobile PBX unit with 3,000 telephones within two days, recover the company's 1,000-plus LANs in order of business need, and set up a temporary call center for 100 agents at a nearby training facility.

But the critical point is that neither element can be ignored, and physical, IT and human resources plans cannot be developed in isolation from each other. (In this regard, BC/DR has much in common with security convergence.) At its heart, BC/DR is about constant communication.



Business, security and IT leaders should work together to determine what kind of plan is necessary and which systems and business units are most crucial to the company. Together, they should decide which people are responsible for declaring a disruptive event and mitigating its effects. Most importantly, the plan should establish a process for locating and communicating with employees after such an event. In a catastrophic event (Hurricane Katrina being a relatively recent example), the plan will also need to take into account that many of those employees will have more pressing concerns than getting back to work.

Business continuity requires forethought and planning

Where do I start?

A good first step is a business impact analysis (BIA). This will identify the business's most crucial systems and processes and the effect an outage would have on the business. The greater the potential impact, the more money a company should spend to restore a system or process quickly. For instance, a stock trading company may decide to pay for completely redundant IT systems that would allow it to immediately start processing trades at another location. On the other hand, a manufacturing company may decide that it can wait 24 hours to resume shipping. A BIA will help companies set a restoration sequence to determine which parts of the business should be restored first.
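As an added worked example (not from the CSOonline primer), here is one way to turn BIA results into a restoration sequence. Each component carries the RTO, the estimated loss per hour of outage and the restore time from the analysis, plus the components it depends on. The sequencer lays them out in dependency order so a component only appears after everything it needs, orders each wave by tightest RTO and then highest loss, and flags components whose RTO cannot be met because of the restore times of the things they depend on. The inventory, hours and dollar figures are constructed assumptions, and the model assumes the components of one wave are restored in parallel by separate teams; the trading platform with a hot standby is included to show that a redundant system alone does not meet its RTO if the network it rides on takes two hours to come back.

```python
"""Dependency-aware restoration sequencing from a business impact analysis.

Added worked example, not from the CSOonline primer. The component
inventory, RTOs, loss rates and restore times below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    rto_hours: float          # recovery time objective agreed in the BIA
    loss_per_hour: float      # estimated cost of every hour of outage
    restore_hours: float      # time to bring this back once its dependencies are up
    depends_on: tuple = ()    # names of components that must be up first


def restoration_sequence(inventory):
    """Lay components out in dependency order and check RTOs.

    Returns (waves, recovered_at, violations):
      waves        - lists of component names; wave k only needs waves < k
      recovered_at - hours after the event at which each component is back,
                     assuming one wave's components are restored in parallel
      violations   - components whose recovered_at exceeds their RTO
    Raises ValueError on an unknown dependency or a dependency cycle.
    """
    by_name = {c.name: c for c in inventory}
    dependents = defaultdict(list)
    indegree = {}
    for c in inventory:
        indegree[c.name] = len(c.depends_on)
        for dep in c.depends_on:
            if dep not in by_name:
                raise ValueError(f"{c.name} depends on unknown component {dep!r}")
            dependents[dep].append(c.name)

    def priority(name):
        c = by_name[name]
        return (c.rto_hours, -c.loss_per_hour)   # tightest RTO, then biggest loss

    # Layered topological sort (Kahn's algorithm), one layer per wave.
    ready = [n for n, k in indegree.items() if k == 0]
    waves, recovered_at = [], {}
    while ready:
        wave = sorted(ready, key=priority)
        waves.append(wave)
        ready = []
        for name in wave:
            c = by_name[name]
            start = max((recovered_at[d] for d in c.depends_on), default=0.0)
            recovered_at[name] = start + c.restore_hours
            for dependent in dependents[name]:
                indegree[dependent] -= 1
                if indegree[dependent] == 0:
                    ready.append(dependent)

    if len(recovered_at) != len(inventory):
        stuck = sorted(n for n in indegree if n not in recovered_at)
        raise ValueError(f"dependency cycle among {stuck}")

    violations = {n: t for n, t in recovered_at.items()
                  if t > by_name[n].rto_hours}
    return waves, recovered_at, violations


# Constructed inventory (assumption, not figures from the article). The
# trading platform has a hot standby, so its own restore time is only the
# failover, yet it still has to wait for the network it runs over.
INVENTORY = [
    Component("corporate_network", 4, 50_000, 2.0),
    Component("directory_auth", 4, 40_000, 1.0, ("corporate_network",)),
    Component("storage", 4, 30_000, 1.5, ("corporate_network",)),
    Component("trading_platform", 1, 200_000, 0.25, ("corporate_network",)),
    Component("email", 8, 8_000, 2.0, ("directory_auth",)),
    Component("erp", 24, 10_000, 8.0, ("directory_auth", "storage")),
    Component("shipping", 24, 5_000, 4.0, ("erp",)),
]


if __name__ == "__main__":
    waves, recovered_at, violations = restoration_sequence(INVENTORY)
    for k, wave in enumerate(waves):
        print(f"wave {k}: " + ", ".join(f"{n} (up at +{recovered_at[n]}h)" for n in wave))
    rto = {c.name: c.rto_hours for c in INVENTORY}
    for name, hours in violations.items():
        print(f"RTO missed: {name} back at +{hours}h against an RTO of {rto[name]}h")
```

The violations list is the useful output for the planning meeting: a missed RTO here means either the RTO was set without looking at the dependency chain, or money has to be spent shortening the restore time of something upstream, which is exactly the spend-versus-impact trade-off the BIA is meant to drive.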

Here are the absolute basics your plan should cover:

  1. Develop and practice a contingency plan that includes a succession plan for your CEO.
  2. Train backup employees to perform emergency tasks. The employees you count on to lead in an emergency will not always be available.
  3. Determine offsite crisis meeting places and crisis communication plans for top executives. Practice crisis communication with employees, customers and the outside world.
  4. Invest in an alternate means of communication in case the phone networks go down.
  5. Make sure that all employees, as well as executives, are involved in the exercises so that they get practice in responding to an emergency.
  6. Make business continuity exercises realistic enough to tap into employees' emotions so that you can see how they'll react when the situation gets stressful.
  7. Form partnerships with local emergency response groups (firefighters, police and EMTs) to establish a good working relationship. Let them become familiar with your company and site.
  8. Evaluate your company's performance during each test, and work toward constant improvement. Continuity exercises should reveal weaknesses.
  9. Test your continuity plan regularly to reveal and accommodate changes. Technology, personnel and facilities are in a constant state of flux at any company.

Hold it. Actual live-action tests would, themselves, be the "disruptive events." If I get enough people involved in writing and examining our plans, won't that be sufficient?

Let us give you an example of a company that thinks tabletops and paper simulations aren't enough. And why their experience suggests they're right.

When [former] CIO Steve Yates joined USAA, a financial services company, business continuity exercises existed only on paper. Every year or so, top-level staffers would gather in a conference room to role-play; they would spend a day examining different scenarios and talking them out, discussing how they thought the procedures should be defined and how they thought people would respond to them.

Live exercises were confined to the company's technology assets. USAA would conduct periodic data recovery tests of different business units, like taking a piece of the life insurance department and recovering it from backup data.

Yates wondered if such passive exercises reflected reality. He also wondered if USAA's employees would really know how to follow such a plan in a real emergency. When Sept. 11 came along, Yates realized that the company had to do more. "Sept. 11 forced us to raise the bar on ourselves," said Yates.

Yates engaged outside consultants who suggested that the company build a second data center in the area as a backup. After weighing the costs and benefits of such a project, USAA initially concluded that it would be more efficient to rent space on the East Coast. But after the attack on the World Trade Center and Pentagon, when air traffic came to a halt, Yates knew it was foolhardy to have a data center so far away. Ironically, USAA was set to sign the lease contract the week of Sept. 11.

Instead, USAA built a center in Texas, only 200 miles away from its offices, close enough to drive to but far enough away to pull power from a different grid and water from a different source. The company has also made plans to deploy critical employees to other office locations around the country.

Yates made site visits to companies such as FedEx, First Union, Merrill Lynch and Wachovia to hear about their approach to contingency planning. USAA also consulted with PR firm Fleishman-Hillard about how USAA, in a crisis situation, could communicate most effectively with its customers and employees.

Finally, Yates put together a series of large-scale business continuity exercises designed to test the performance of individual business units and the company at large in the event of wide-scale business disruption. When the company simulated a loss of the primary data center for its federal savings bank unit, Yates found that it was able to recover the systems, applications and all 19 of the third-party vendor connections. USAA also ran similar exercises with other business units.

For the main event, however, Yates wanted to test more than the company's technology procedures; he wanted to incorporate the most unpredictable element in any contingency planning exercise: the people.

USAA ultimately found that employees who walked through the simulation were in a position to observe flaws in the plans and offer suggestions. Furthermore, those who practice for emergency situations are less likely to panic and more likely to remember the plan.

Read "Disaster drill: practice makes perfect" for more details of the USAA exercise.

Disaster recovery testing uncovers weaknesses

Can you give me some examples of things companies have discovered through testing?

Some companies have discovered that while they back up their servers or data centers, they've overlooked backup plans for laptops. Many businesses fail to realize the importance of data stored locally on laptops. Because of their mobile nature, laptops can easily be lost or damaged. It doesn't take a catastrophic event to disrupt business if employees are carting critical or irreplaceable data around on laptops.

One company reports that it is looking into buying MREs (meals ready-to-eat) from the company that sells them to the military. MREs have a long shelf life, and they don't take up much space. If employees are stuck at your facility for a long time, this could prove a worthwhile investment.

Mike Hager, former head of information security and disaster recovery for OppenheimerFunds, said 9/11 brought issues like these to light. Many companies, he said, were able to recover data, but had no plans for alternative work places. The World Trade Center had provided more than 20 million square feet of office space, and after Sept. 11th there was only 10 million square feet of office space available in Manhattan. The issue of where employees go immediately after a disaster and where they will be housed during recovery should be addressed before something happens, not after.

USAA discovered that while it had designated a nearby relocation area, the setup process for computers and phones took nearly two hours. During that time, employees were left standing outside in the hot Texas sun. Seeing the plan in action raised several questions that hadn't been fully addressed before: Was there a safer place to put those employees in the interim? How should USAA determine if or when employees could be allowed back in the building? How would thousands of people access their vehicle if their car keys were still sitting on their desk? And was there an alternate transportation plan if the company needed to send employees home?

What are the top mistakes that companies make in disaster recovery?

Hager and other experts have noted the following pitfalls:

  1. Inadequate planning: Have you identified all critical systems, and do you have detailed plans to recover them to their current state? Everybody thinks they know what they have on their networks, but most people don't really know how many servers they have, how they're configured, or what applications reside on them: what services were running, and what versions of software and operating systems they were using. Asset management tools claim to do the trick here, but they often fail to capture important details such as software revisions.
  2. Failure to bring the business into the planning and testing of your recovery efforts.
  3. Failure to gain support from senior-level managers. The largest problems here are:
    1. Not demonstrating the level of effort required for full recovery.
    2. Not conducting a business impact analysis and addressing all gaps in your recovery model.
    3. Not building adequate recovery plans that set out your recovery time objective, critical systems and applications, the vital documents the business needs, and the business functions and operational activities that must continue after a disaster.
    4. Not securing funding for a minimum of semiannual testing.
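The first pitfall, not knowing what actually runs on the servers you intend to recover, is easy to check mechanically once the plan records a software inventory and that record is compared with the live host before every test. The following Python script is an added example, not from the article or from any vendor's asset management product: it parses a package list in the tab-separated shape that `dpkg-query -W -f='${Package}\t${Version}\n'` (or `rpm -qa --qf '%{NAME}\t%{VERSION}-%{RELEASE}\n'`) produces and compares it with the inventory recorded in the DR plan. The host name, OS releases and package versions are constructed sample data, and the plan's baseline format is an assumption made for the example.

```python
"""Added example (not from the article): detect drift between the software
inventory recorded in a DR plan and what is actually installed on a host."""
import json
from typing import Dict

# Constructed sample: what the DR plan says host "app01" ran when the plan
# was last updated. The format of this baseline is an assumption.
PLAN_BASELINE = {
    "host": "app01",
    "os_release": "Ubuntu 20.04",
    "packages": {
        "nginx": "1.18.0-0ubuntu1",
        "openssl": "1.1.1f-1ubuntu2",
        "postgresql-12": "12.9-0ubuntu0.20.04.1",
        "redis-server": "5:5.0.7-2",
    },
}

# Constructed sample of what the host reports today, in the format produced by
#   dpkg-query -W -f='${Package}\t${Version}\n'
# (rpm -qa --qf '%{NAME}\t%{VERSION}-%{RELEASE}\n' yields the same shape).
CURRENT_PACKAGE_LIST = """\
nginx\t1.18.0-0ubuntu1.4
openssl\t1.1.1f-1ubuntu2.16
postgresql-14\t14.5-0ubuntu0.22.04.1
libpq5\t14.5-0ubuntu0.22.04.1
"""
CURRENT_OS_RELEASE = "Ubuntu 22.04"   # constructed, e.g. from /etc/os-release


def parse_package_list(text: str) -> Dict[str, str]:
    """Parse 'name<TAB>version' lines; blank and malformed lines are skipped."""
    packages: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.strip().split("\t")
        if len(parts) == 2 and parts[0]:
            packages[parts[0]] = parts[1]
    return packages


def inventory_drift(plan: dict, os_release: str, installed: Dict[str, str]) -> dict:
    """Compare the plan's recorded inventory with the live one.

    Reports an OS release change, packages whose version moved, packages the
    plan expects but the host no longer has (the recovery runbook would
    reinstall software nobody uses), and packages the host has that the plan
    never recorded (the runbook would silently omit them)."""
    planned = plan["packages"]
    return {
        "os_changed": plan["os_release"] != os_release,
        "version_drift": {
            name: (planned[name], installed[name])
            for name in planned
            if name in installed and planned[name] != installed[name]
        },
        "missing_from_host": sorted(n for n in planned if n not in installed),
        "missing_from_plan": sorted(n for n in installed if n not in planned),
    }


def plan_is_current(drift: dict) -> bool:
    """True only when nothing at all has drifted since the plan was written."""
    return not (drift["os_changed"] or drift["version_drift"]
                or drift["missing_from_host"] or drift["missing_from_plan"])


if __name__ == "__main__":
    report = inventory_drift(PLAN_BASELINE, CURRENT_OS_RELEASE,
                             parse_package_list(CURRENT_PACKAGE_LIST))
    print(json.dumps(report, indent=2))
    print("plan current:", plan_is_current(report))
```

Run against the sample, the report shows the OS release changed, nginx and openssl moved to patched builds, the database was migrated from postgresql-12 to postgresql-14 without the plan being told, and redis-server was retired. Any one of those would have turned a recovery test into an improvisation; feeding the live package list into the comparison before each exercise keeps the plan honest.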

I still have a binder with our Y2K contingency plan. Will that work?

Absolutely not, unless your computers, employees and business priorities are exactly the same as they were in 1999 (in which case you have other problems). Moreover, most Y2K plans cover only computer system failures. Physical calamities such as blackouts, natural disasters or terrorist events bring additional issues to the table.

Can we outsource our contingency measures?

Disaster recovery services (offsite data storage, mobile phone units, remote workstations and the like) are often outsourced, simply because it makes more sense than purchasing extra equipment or space that may never be used. In the days after the Sept. 11 attacks, disaster recovery vendors restored systems and provided temporary office space, complete with telephones and Internet access, for dozens of displaced companies.

What advice would you give to security executives who need to convince their CEO or board of the need for disaster recovery plans and capabilities? What arguments are most effective with an executive audience?

Hager advised chief security officers to make the case for disaster recovery through analysis and documentation of the potential financial losses. Work with your legal and financial departments to document the total losses per day that your company would face if you were not capable of quick recovery. By thoroughly reviewing your business continuance and disaster recovery plans, you can identify the gaps that would prevent a successful recovery. Remember: disaster recovery and business continuance are nothing more than risk avoidance, and senior managers understand the need more clearly when you can demonstrate how much risk they are taking.

Hager also says that smaller companies have more (and cheaper) options for disaster recovery than bigger ones. For example, the backup media can be taken home at night. That's certainly a low-cost way to do offsite backup, provided the media is encrypted and its custody is tracked; an unencrypted backup that leaves the building is a data breach waiting to happen.

Some of this sounds like overkill for my company. Isn't it a bit much?

The elaborate machinations that USAA went through in developing and testing its contingency plans might strike the average CSO (or CEO, anyway) as being over the top. And for some businesses, that's absolutely true. After all, HazMat training and an evacuation plan for 20,000 employees are not necessities for every company.

Like many security issues, continuity planning comes down to basic risk management: How much risk can your company tolerate, and how much is it willing to spend to mitigate various risks?

In planning for the unexpected, companies have to weigh the risk versus the cost of creating such a contingency plan. That's a trade-off that Pete Hugdahl, USAA's assistant vice president of security, frequently confronts. "It gets really difficult when the cost factor comes into play," he said. "Are we going to spend $100,000 to fence in the property? How do we know if it's worth it?"

And—make no mistake—there is no absolute answer. Whether you spend the money or accept the risk is an executive decision, and it should be an informed decision. Half-hearted disaster recovery planning (in light of the BP oil spill of 2010, the 2005 hurricane season, 9/11, the Northeast blackout of 2003, and so on) is a failure to perform due diligence.

This document was compiled from articles published in CSO and CIO magazines. Contributing writers include Joan Goodchild, Bill Brenner, Scott Berinato, Kathleen Carr, Daintry Duffy, Michael Goldberg, and Sarah Scalet.

Last updated 10/28/2009

Further Reading

More in-depth coverage of disaster recovery and business continuity planning:

How to perform a disaster recovery business impact analysis
Includes a sample BIA worksheet

BCDR event planning, detection and response
Tom Olzak lays out a checklist of key considerations

A Pandemic Planner
Advice for businesses from security and continuity advisory services.

Write People into the Plot
Business continuity plans only work if they take employee needs into account.

Interview: The Optimistic Pessimist
Mike Hager escaped from the World Trade Center and got OppenheimerFunds up and running again in less than five hours. Now he faces another challenge: keeping America interested in business continuity planning.

Lessons from a Disaster
Short and sweet, 10 things one practitioner learned after downtime caused by Nimda.

Disaster Recovery: Practice Makes Perfect (from CSO Magazine)
As one of the nation's largest insurance companies, USAA is in the business of managing risk. So it makes sense that, when faced with a disaster, the company knows how to respond.

CareGroup: All Systems Down (from CIO)
Lessons learned from a major information systems outage.


A guide to business continuity planning

This publication provides a summary and general guidelines for business continuity planning (BCP).

While governments, not-for-profit institutions, and non-governmental organizations also deliver critical services, private organizations must continuously deliver products and services to satisfy shareholders and to survive. Although they differ in goals and functions, BCP can be applied by all organizations.

Changes in the world of business continuity planning

Business continuity planning versus business resumption planning and disaster recovery planning

A Business Resumption Plan describes how to resume business after a disruption. A Disaster Recovery Plan deals with recovering Information Technology (IT) assets after a disastrous interruption. Both imply a stoppage in critical operations and are reactive.

Recognizing that some services or products must be continuously delivered without interruption, there has been a shift from Business Resumption Planning to Business Continuity Planning.

A business continuity plan enables critical services or products to be continually delivered to clients. Instead of focusing on resuming a business after critical operations have ceased, or recovering after a disaster, a business continuity plan endeavors to ensure that critical operations continue to be available.

The effects of September 11, 2001

September 11, 2001 demonstrated that although high impact, low probability events could occur, recovery is possible. Even though buildings were destroyed and blocks of Manhattan were affected, businesses and institutions with good continuity plans survived.

The lessons learned include:

  • plans must be updated and tested frequently;
  • all types of threats must be considered;
  • dependencies and interdependencies should be carefully analyzed;
  • key personnel may be unavailable;
  • telecommunications are essential;
  • alternate sites for IT backup should not be situated close to the primary site;
  • employee support (counselling) is important;
  • copies of plans should be stored at a secure off-site location;
  • sizable security perimeters may surround the scene of incidents involving national security or law enforcement, and can impede personnel from returning to buildings;
  • despite shortcomings, Business Continuity Plans in place pre September 11 were indispensable to the continuity effort; and
  • increased uncertainty (following a high impact disruption such as terrorism) may lengthen time until operations are normalized.

Emerging issues

Continuous Service Delivery Assurance (CSDA) is a commitment to the continuous delivery of critical services that avoids immediate severe disruption to an organization. A BCP therefore includes both risk evaluation, management and control, and effective plans, measures and arrangements for business continuity.

Continuous risk management lowers the risk of disruption and assesses the potential impacts of disruptions when they occur. An example would be the business impact analysis component of a BCP program.

What is business continuity planning?

Critical services or products are those that must be delivered to ensure survival, avoid causing injury, and meet legal or other obligations of an organization. Business Continuity Planning is a proactive planning process that ensures critical services or products are delivered during a disruption.

A Business Continuity Plan includes:

  • Plans, measures and arrangements to ensure the continuous delivery of critical services and products, which permits the organization to recover its facility, data and assets.

  • Identification of necessary resources to support business continuity, including personnel, information, equipment, financial allocations, legal counsel, infrastructure protection and accommodations.

Having a BCP enhances an organization's image with employees, shareholders and customers by demonstrating a proactive attitude. Additional benefits include improvement in overall organizational efficiency and identifying the relationship of assets and human and financial resources to critical services and deliverables.

Why is business continuity planning important

Every organization is at risk from potential disasters that include:

  • Natural disasters such as tornadoes, floods, blizzards, earthquakes and fire
  • Accidents
  • Sabotage
  • Power and energy disruptions
  • Communications, transportation, safety and service sector failure
  • Environmental disasters such as pollution and hazardous materials spills
  • Cyber attacks and hacker activity.

Creating and maintaining a BCP helps ensure that an institution has the resources and information needed to deal with these emergencies.

Creating a business continuity plan

A BCP typically includes five sections:

  1. BCP Governance
  2. Business Impact Analysis (BIA)
  3. Plans, measures, and arrangements for business continuity
  4. Readiness procedures
  5. Quality assurance techniques (exercises, maintenance and auditing)

Establish control

A BCP contains a governance structure often in the form of a committee that will ensure senior management commitments and define senior management roles and responsibilities.

The BCP senior management committee is responsible for the oversight, initiation, planning, approval, testing and audit of the BCP. It also implements the BCP, coordinates activities, approves the BIA survey, oversees the creation of continuity plans and reviews the results of quality assurance activities.

Senior managers or a BCP Committee would normally:

  • approve the governance structure;
  • clarify their roles, and those of participants in the program;
  • oversee the creation of a list of appropriate committees, working groups and teams to develop and execute the plan;
  • provide strategic direction and communicate essential messages;
  • approve the results of the BIA;
  • review the critical services and products that have been identified;
  • approve the continuity plans and arrangement;
  • monitor quality assurance activities; and
  • resolve conflicting interests and priorities.

This BCP committee is normally comprised of the following members:

  • Executive sponsor has overall responsibility for the BCP committee; elicits senior management's support and direction; and ensures that adequate funding is available for the BCP program.
  • BCP Coordinator secures senior management's support; estimates funding requirements; develops BCP policy; coordinates and oversees the BIA process; ensures effective participant input; coordinates and oversees the development of plans and arrangements for business continuity; establishes working groups and teams and defines their responsibilities; coordinates appropriate training; and provides for regular review, testing and audit of the BCP.
  • Security Officer works with the coordinator to ensure that all aspects of the BCP meet the security requirements of the organization.
  • Chief Information Officer (CIO) cooperates closely with the BCP coordinator and IT specialists to plan for effective and harmonized continuity.
  • Business unit representatives provide input, and assist in performing and analyzing the results of the business impact analysis.

The BCP committee is commonly co-chaired by the executive sponsor and the coordinator.

Business impact analysis

The purpose of the BIA is to identify the organization's mandate and critical services or products; rank the order of priority of services or products for continuous delivery or rapid recovery; and identify internal and external impacts of disruptions.

Identify the mandate and critical aspects of an organization

This step determines what goods or services must be delivered. Information can be obtained from the mission statement of the organization, and from legal requirements for delivering specific services and products.

Prioritize critical services or products

Once the critical services or products are identified, they must be prioritized based on minimum acceptable delivery levels and the maximum period of time the service can be down before severe damage to the organization results. To determine the ranking of critical services, information is required to determine impact of a disruption to service delivery, loss of revenue, additional expenses and intangible losses.

Identify impacts of disruptions

The impact of a disruption to a critical service or business product determines how long the organization could function without the service or product, and how long clients would accept its unavailability. It will be necessary to determine the time period that a service or product could be unavailable before severe impact is felt.

Identify areas of potential revenue loss

To determine the loss of revenue, it is necessary to determine which processes and functions that support service or product delivery are involved with the creation of revenue. If these processes and functions are not performed, is revenue lost? How much? If services or goods cannot be provided, would the organization lose revenue? If so, how much revenue, and for what length of time? If clients cannot access certain services or products, would they then go to another provider, resulting in further loss of revenue?

Identify additional expenses

If a business function or process is inoperable, how long would it take before additional expenses would start to add up? How long could the function be unavailable before extra personnel would have to be hired? Would fines or penalties from breaches of legal responsibilities, agreements, or governmental regulations be an issue, and if so, what are the penalties?

Identify intangible losses

Estimates are required to determine the approximate cost of the loss of consumer and investor confidence, damage to reputation, loss of competitiveness, reduced market share, and violation of laws and regulations. Loss of image or reputation is especially important for public institutions as they are often perceived as having higher standards.

Insurance requirements

Since few organizations can afford to pay the full costs of a recovery, having insurance ensures that recovery is fully or partially financed.

When considering insurance options, decide which threats to cover. Use the BIA to help decide both what needs insurance coverage and the corresponding level of coverage; otherwise some aspects of an operation may be overinsured or underinsured. Work through the scenarios systematically so that none is overlooked and coverage exists for all eventualities.

Document the level of coverage of your institutional policy, and examine the policy for uninsured areas and non specified levels of coverage. Property insurance may not cover all perils (steam explosion, water damage, and damage from excessive ice and snow not removed by the owner). Coverage for such eventualities is available as an extension in the policy.

When submitting a claim, or talking to an adjustor, clear communication and understanding is important. Ensure that the adjustor understands the expected full recovery time when documenting losses. The burden of proof when making claims lies with the policyholder and requires valid and accurate documentation.

Include an expert or an insurance team when developing the response plan.

Ranking

Once all relevant information has been collected and assembled, rankings for the critical business services or products can be produced. Ranking is based on the potential loss of revenue, time of recovery and severity of impact a disruption would cause. Minimum service levels and maximum allowable downtimes are then determined.

Identify dependencies

It is important to identify the internal and external dependencies of critical services or products, since service delivery relies on those dependencies.

Internal dependencies include employee availability, corporate assets such as equipment, facilities, computer applications, data, tools, vehicles, and support services such as finance, human resources, security and information technology support.

External dependencies include suppliers, any external corporate assets such as equipment, facilities, computer applications, data, tools, vehicles, and any external support services such as facility management, utilities, communications, transportation, finance institutions, insurance providers, government services, legal services, and health and safety service.
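The ranking and the dependency analysis above fit together: a service's own recovery time is meaningless if something it depends on takes longer. The following Python script is an added worked example, not part of the guide. The services, downtimes, revenue figures and dependencies are a constructed sample; the ranking criteria (shortest maximum tolerable downtime first, then highest revenue loss, then highest intangible score) and the assumption that dependencies are recovered in parallel rather than one after another are choices made for the example and should be replaced by the organization's own BIA policy.

```python
"""Added example (not from the guide): rank critical services from BIA data
and find services whose dependencies make their recovery objective unreachable."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Service:
    """One critical service or product from the BIA."""
    name: str
    mtd_hours: float               # maximum tolerable downtime agreed with the business
    rto_hours: float               # recovery time the current arrangements can deliver
    revenue_loss_per_hour: float   # direct revenue loss while the service is down
    intangible_score: int          # 0 (none) to 5 (severe): reputation, legal, regulatory
    depends_on: List[str] = field(default_factory=list)  # internal or external dependencies


# Constructed sample BIA for a hypothetical organization.
SERVICES: Dict[str, Service] = {
    "online_banking": Service("online_banking", 4, 2, 50000, 5, ["core_ledger", "auth", "dns"]),
    "core_ledger":    Service("core_ledger", 8, 12, 20000, 4, ["san_storage"]),
    "auth":           Service("auth", 2, 1, 0, 4, ["dns"]),
    "dns":            Service("dns", 1, 0.5, 0, 3, []),
    "san_storage":    Service("san_storage", 8, 6, 0, 2, []),
    "payroll":        Service("payroll", 72, 48, 500, 2, ["core_ledger"]),
}


def rank_services(services: Dict[str, Service]) -> List[str]:
    """Recovery priority: shortest tolerable downtime first, then highest
    revenue loss, then highest intangible impact. The order of these criteria
    is a policy choice made for this example."""
    return sorted(
        services,
        key=lambda n: (services[n].mtd_hours,
                       -services[n].revenue_loss_per_hour,
                       -services[n].intangible_score),
    )


def effective_rto(name: str, services: Dict[str, Service],
                  memo: Dict[str, Tuple[float, str]],
                  stack: Optional[List[str]] = None) -> Tuple[float, str]:
    """Hours until `name` is actually usable: its own RTO or, if slower, the
    slowest dependency (recursively). Assumes dependencies are recovered in
    parallel. Returns (hours, name of the service that is the bottleneck).
    Circular dependencies are reported as an error rather than looping."""
    stack = stack or []
    if name in stack:
        raise ValueError("circular dependency: " + " -> ".join(stack + [name]))
    if name in memo:
        return memo[name]
    svc = services[name]
    worst_hours, bottleneck = svc.rto_hours, name
    for dep in svc.depends_on:
        if dep not in services:
            raise KeyError(f"{name} depends on {dep}, which has no BIA entry")
        hours, cause = effective_rto(dep, services, memo, stack + [name])
        if hours > worst_hours:
            worst_hours, bottleneck = hours, cause
    memo[name] = (worst_hours, bottleneck)
    return memo[name]


def dependency_gaps(services: Dict[str, Service]) -> Dict[str, Tuple[float, float, str]]:
    """Services whose effective recovery time exceeds their MTD, mapped to
    (effective hours, MTD hours, bottleneck service)."""
    memo: Dict[str, Tuple[float, str]] = {}
    gaps: Dict[str, Tuple[float, float, str]] = {}
    for name, svc in services.items():
        hours, cause = effective_rto(name, services, memo)
        if hours > svc.mtd_hours:
            gaps[name] = (hours, svc.mtd_hours, cause)
    return gaps


if __name__ == "__main__":
    print("recovery priority:", ", ".join(rank_services(SERVICES)))
    for name, (hours, mtd, cause) in dependency_gaps(SERVICES).items():
        print(f"GAP {name}: usable after {hours}h, MTD {mtd}h, bottleneck {cause}")
```

Against the sample data the script reports two gaps. core_ledger misses its own eight-hour MTD because the current plan needs twelve hours, and online_banking misses its four-hour MTD purely because it depends on core_ledger, even though its own recovery takes two hours. That second finding is what the dependency analysis exists to surface: the fix belongs with the bottleneck, not with the service whose customers notice.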

Plans for business continuity

This step consists of the preparation of detailed response/recovery plans and arrangements to ensure continuity. These plans and arrangements detail the ways and means to ensure critical services and products are delivered at minimum service levels within tolerable down times. Continuity plans should be made for each critical service or product.

Mitigating threats and risks

Threats and risks are identified in the BIA or in a full threat and risk assessment. Moderating risk is an ongoing process, and should be performed even when the BCP is not activated. For example, if an organization requires electricity for production, the risk of a short term power outage can be mitigated by installing stand-by generators.

Another example would be an organization that relies on internal and external telecommunications to function effectively. Communications failures can be minimized by using alternate communications networks, or installing redundant systems.

Analyze current recovery capabilities

Consider recovery arrangements the organization already has in place, and their continued applicability. Include them in the BCP if they are relevant.

Create continuity plans

Plans for the continuity of services and products are based on the results of the BIA. Ensure that plans are made for increasing levels of severity of impact from a disruption. For example, if limited flooding occurs beside an organization's building, sand bagging may be used in response. If water rises to the first floor, work could be moved to another company building or higher in the same building. If the flooding is severe, the relocation of critical parts of the business to another area until flooding subsides may be the best option.

Another example would be a company that uses paper forms to keep track of inventory until computers or servers are repaired, or electrical service is restored. For other institutions, such as large financial firms, any computer disruptions may be unacceptable, and an alternate site and data replication technology must be used.

The risks and benefits of each possible option for the plan should be considered, keeping cost, flexibility and probable disruption scenarios in mind. For each critical service or product, choose the most realistic and effective options when creating the overall plan.

Response preparation

Proper response to a crisis for the organization requires teams to lead and support recovery and response operations. Team members should be selected from trained and experienced personnel who are knowledgeable about their responsibilities.

The number and scope of teams will vary depending on organization's size, function and structure, and can include:

  • Command and Control Teams that include a Crisis Management Team, and a Response, Continuation or Recovery Management Team.
  • Task Oriented Teams that include an Alternate Site Coordination Team, Contracting and Procurement Team, Damage Assessment and Salvage Team, Finance and Accounting Team, Hazardous Materials Team, Insurance Team, Legal Issues Team, Telecommunications/Alternate Communications Team, Mechanical Equipment Team, Mainframe/Midrange Team, Notification Team, Personal Computer/Local Area Network Team, Public and Media Relations Team, Transport Coordination Team and Vital Records Management Team.

The duties and responsibilities for each team must be defined, and include identifying the team members and authority structure, identifying the specific team tasks, member's roles and responsibilities, creation of contact lists and identifying possible alternate members.

For the teams to function in spite of personnel loss or unavailability, it may be necessary to multitask teams and provide cross-team training.

Alternate facilities

If an organization's main facility or Information Technology assets, networks and applications are lost, an alternate facility should be available. There are three types of alternate facility:

  1. Cold site is an alternate facility that is not furnished and equipped for operation. Proper equipment and furnishings must be installed before operations can begin, and a substantial time and effort is required to make a cold site fully operational. Cold sites are the least expensive option.
  2. Warm site is an alternate facility that is electronically prepared and almost completely equipped and furnished for operation. It can be fully operational within several hours. Warm sites are more expensive than cold sites.
  3. Hot site is fully equipped, furnished, and often even fully staffed. Hot sites can be activated within minutes or seconds. Hot sites are the most expensive option.

When considering the type of alternate facility, consider all factors, including threats and risks, maximum allowable downtime and cost.

For security reasons, some organizations employ hardened alternate sites. Hardened sites contain security features that minimize disruptions. Hardened sites may have alternate power supplies; back-up generation capability; high levels of physical security; and protection from electronic surveillance or intrusion.

Readiness procedures

Training

Business continuity plans can be smoothly and effectively implemented by:

  • Having all employees and staff briefed on the contents of the BCP and aware of their individual responsibilities
  • Having employees with direct responsibilities trained for tasks they will be required to perform, and be aware of other teams' functions

Exercises

After training, exercises should be developed and scheduled in order to achieve and maintain high levels of competence and readiness. While exercises are time and resource consuming, they are the best method for validating a plan. The following items should be incorporated when planning an exercise:

Goal
The part of the BCP to be tested.
Objectives
The anticipated results. Objectives should be challenging, specific, measurable, achievable, realistic and timely.
Scope
Identifies the departments or organizations involved, the geographical area, and the test conditions and presentation.
Artificial aspects and assumptions
Defines which exercise aspects are artificial or assumed, such as background information, procedures to be followed, and equipment availability.
Participant Instructions
Explains that the exercise provides an opportunity to test procedures before an actual disaster.
Exercise Narrative
Gives participants the necessary background information, sets the environment and prepares participants for action. It is important to include factors such as time, location, method of discovery and sequence of events, whether events are finished or still in progress, initial damage reports and any external conditions.
Communications for Participants
Enhanced realism can be achieved by giving participants access to emergency contact personnel who share in the exercise. Messages can also be passed to participants during an exercise to alter or create new conditions.
Testing and Post-Exercise Evaluation
The exercise should be monitored impartially to determine whether objectives were achieved. Participants' performance, including attitude, decisiveness, command, coordination, communication, and control should be assessed. Debriefing should be short, yet comprehensive, explaining what did and did not work, emphasizing successes and opportunities for improvement. Participant feedback should also be incorporated in the exercise evaluation.

The depth of an exercise can also be increased by focusing it on one part of the BCP instead of involving the entire organization.

Quality assurance techniques

Review of the BCP should assess the plan's accuracy, relevance and effectiveness. It should also uncover which aspects of a BCP need improvement. Continuous appraisal of the BCP is essential to maintaining its effectiveness. The appraisal can be performed by an internal review, or by an external audit.

Internal review

It is recommended that organizations review their BCP:

  • on a scheduled basis (annually or semiannually);
  • when changes to the threat environment occur;
  • when substantive changes to the organization take place; and
  • after an exercise to incorporate findings.

External audit

When auditing the BCP, external consultants typically verify:

  • Procedures used to determine critical services and processes
  • Methodology, accuracy, and comprehensiveness of continuity plans

What to do when a disruption occurs

Disruptions are handled in three steps:

  1. Response
  2. Continuation of critical services
  3. Recovery and restoration

Response

Incident response involves the deployment of teams, plans, measures and arrangements. The following tasks are accomplished during the response phase:

  • Incident management
  • Communications management
  • Operations management

Incident management

Incident management includes the following measures:

  • notifying management, employees, and other stakeholders;
  • assuming control of the situation;
  • identifying the range and scope of damage;
  • implementing plans;
  • identifying infrastructure outages; and
  • coordinating support from internal and external sources.

Communications management

Communications management is essential to control rumors, maintain contact with the media, emergency services and vendors, and assure employees, the public and other affected stakeholders. Communications management requirements may necessitate building redundancies into communications systems and creating a communications plan to adequately address all requirements.

Operations management

An Emergency Operations Center (EOC) can be used to manage operations in the event of a disruption. Having a centralized EOC where information and resources can be coordinated, managed and documented helps ensure effective and efficient response.

Continuation

Ensure that all time-sensitive critical services or products are continuously delivered or not disrupted for longer than is permissible.

Recovery and restoration

The goal of recovery and restoration operations is to recover the facility or operation and maintain critical service or product delivery. Recovery and restoration includes:

  • Re-deploying personnel
  • Deciding whether to repair the facility, relocate to an alternate site or build a new facility
  • Acquiring the additional resources necessary for restoring business operations
  • Re-establishing normal operations
  • Resuming operations at pre-disruption levels

Conclusion

When critical services and products cannot be delivered, consequences can be severe. All organizations are at risk and face potential disaster if unprepared. A Business Continuity Plan is a tool that allows institutions to not only to moderate risk, but also continuously deliver products and services despite disruption.

ISBN 0-662-33765-4
Catalogue No. D82-37/2003E-IN
Minister of Public Works and Government Services

Date Modified: 2010-11-23

Tuesday, January 25, 2011

Getting Speed - Blue Coat WAN Optimization



WAN Optimization - Solution Overview

Accelerate business applications, improve user productivity and reduce bandwidth costs

How can you accelerate critical business applications without constantly adding expensive bandwidth upgrades? Two words: WAN Optimization.

Blue Coat WAN Optimization technologies enable you to accelerate the delivery of internal, external and latency-sensitive real-time applications to distributed users across the extended enterprise – resulting in faster decision making and enhanced competitiveness. The Blue Coat Application Delivery Network (ADN) infrastructure provides the comprehensive application and user control required to contain network bandwidth costs and enhance business productivity, while providing the flexibility to align network investments with changing business requirements.

Accelerate internal, external and real-time applications

The Blue Coat WAN Optimization solutions accelerate your critical applications by optimizing traffic, conserving bandwidth and metering or blocking recreational applications. External applications specifically benefit from industry-leading HTTP protocol optimizations and caching, along with the industry's most advanced SSL/TLS acceleration. Note that any appliance that accelerates SSL/TLS traffic must decrypt it first, which means it either holds the server's private key or acts as an intercepting proxy whose certificate the clients trust; key custody on the appliance and the list of destinations exempted from interception are therefore part of the deployment design, not an afterthought.

With Blue Coat WAN Optimization technologies, you can identify and control unauthorized network traffic such as online ads, inappropriate web surfing, Web-borne malware and customer-designated applications. As a result, our WAN Optimization solutions help you:

  • Provide LAN-like application performance to remote users and branch offices
  • Deliver outstanding performance for streaming audio, video and other rich media applications
  • Reduce recurring network bandwidth costs with multiple levels of compression and content caching
  • Accelerate live and on-demand rich media, as well as SSL-encrypted traffic

What CFOs want from IT

Here's what finance officers would like you to know before you come knocking.

Mary K. Pratt
January 24, 2011 (Computerworld)

You can't run a company without technology, but you can't invest in technology without the blessings of the finance department. And thanks to the stagnant economy, the pendulum of power between Finance and IT is swinging decidedly toward the chief financial officer's door these days.

"The power dynamic in the C-suite really does change when the economic times are difficult," says Bob Martins, a CFO partner at Tatum LLC, an executive services firm headquartered in Atlanta. "And right now, any kind of spending decision requires much more scrutiny."

All of this means that now is an excellent time for you, as an IT manager, to hear what Finance has to say. Computerworld asked several CFOs what message they'd most like to get through to their top technologists.

Say Goodbye to Bells and Whistles

During better economic times, Don MacKenzie, CFO and chief operating officer at Accounting Management Solutions Inc., could be persuaded to buy a more expensive system if it offered nice-to-have usability options or extra functionality.

But these days, the age-old battle between cost and functionality is being won by cost. So when the Waltham, Mass.-based professional services firm needed new customer relationship management software, MacKenzie told his CIO at the outset, "Maybe we don't need the Cadillac. Our problem might be better solved using a Chevy solution."

MacKenzie expected the CIO to deliver an analysis that looked at several systems -- something he has always done, in good times and bad -- detailing how much each one cost, the features offered and what type of ROI each one could be expected to deliver. But MacKenzie admits that given the financial pressure, the weight was almost all on the cost side of the equation.

"I'm not suggesting that there wouldn't have been a financial analysis [in the past]," MacKenzie continues, "but the focus then would have been more on functionality and on [the software's] tie-in to other applications. That might have overridden the financial considerations."

These days, that's not the case. One of the options the CIO presented was "a 300-pound gorilla with all the bells," MacKenzie says, "but we went with one that was a lot cheaper."

Play With the Toys You Already Have

Tibco Software Inc. in Palo Alto, Calif., has made significant investments in IT in the past, including the acquisition of an ERP system. So before Executive Vice President and CFO Sydney Carey opens the coffers to buy more hardware or software, she wants to make sure that the company is making full use of its current resources.

"The recession has focused us more on the fact that we've made investments," she says, "so we need to ask, 'Are we really getting all we can from them?'"

Tips

Hint: CFOs Like Cloud Computing

Perhaps you've already discovered this, but cloud computing (including software as a service) is a CFO-friendly topic.

CFOs like the pay-as-you-go economics of cloud computing because it keeps cash in the bank longer, notes a Forrester Research report.

"To a CFO, IT capacity or an application purchased from a cloud service provider is an operating expense that can be scaled up to meet a rising business need -- or turned off when the need evaporates. The same system hosted in the corporate data center is a sunk cost that includes a capital expenditure that must be carried on the balance sheet as an asset that loses value as it depreciates," the report explains.

Forrester says that because of the difference between capital expenditures and operating expenditures, cloud computing yields the kind of financial benefits that CFOs value:

  • Better cash flow. The company avoids taking on debt and writing a big check upfront. Instead, checks are written monthly or quarterly.
  • Lower financial risk. With a cloud-based system, you pay only for what you use, and you can terminate the contract. An on-premises system means spending money upfront for benefits that may or may not materialize.
  • Greater financial visibility. A cloud services provider can tell you how much it will cost to add a user or process an additional transaction. Many IT shops would be hard-pressed to do the same for an on-premises system.
  • Healthier return on assets. Cloud costs are incurred in the same time period that the value is delivered, so the balance sheet doesn't carry an ever-depreciating capital asset of hardware and software, which lowers the increasingly important financial metric of return on assets.

In a recent survey of 481 CFOs in the U.S., about half said they already have some IT activities occurring in the cloud. The survey by Duke University and CFO magazine found that 83% of the CFOs expect their companies to rely on cloud-based services in the next three to five years.

Mitch Betts

Specifically, Carey explains, "we needed to leverage our systems, automating or integrating or getting the right information to the right people at the right time to make decisions" -- but without making any more big investments in infrastructure.

That meant working with the CIO and the IT staff to get more value from the ERP system. Carey had the IT staff add business process management software and other programs to the ERP front end to make the company's order fulfillment system run more efficiently.

Although the software additions did require some in-house development, they represented a quicker and cheaper investment than buying and rolling out an entirely new system. Yet the results were significant: Carey says the department that handles orders has been able to increase accuracy and double the number of transactions handled each quarter without adding staff.

Know What the Business Needs Now

Being aware of the company's business strategy is always a priority for IT managers, but in tough times, it's imperative for IT to be up to date and ready to help with corporate changes on an almost daily basis, CFOs say.

For example, Teknor Apex Co., a custom compounder of advanced polymers in Pawtucket, R.I., recently completed a major acquisition, and CFO Jim Morrison says he had to make sure IT understood the challenges the merger presented.

His message to IT: Bringing the new acquisition into the fold is your No. 1 priority for the foreseeable future. For six to nine months, IT will be "pretty much consumed" with the acquisition -- indeed, "the whole company will be," says Morrison. The acquisition illustrates the need for the IT department to help drive forward the company's strategy and be able to rapidly adjust priorities as the strategy evolves. To be sure, Morrison supports his CIO's road map of long-term strategic initiatives intended to increase efficiencies and save money, but he also needs IT to be able to shift resources as corporate events warrant.

Tatum's Martins agrees. He says a CIO needs to understand his company's short-term financial situation, its near-term tech requirements, and its current risk-tolerance level -- as well as its future vision. Understanding all that, he says, will help a CIO better identify and prioritize the projects that mesh with the company's immediate needs.

Show Me an ROI That I Can Trust

Martins advises CIOs to look beyond price tags and projected savings when they're making a case for a tech investment. He says those figures aren't really enough to calculate the true return an IT investment will generate. "I see ROIs all the time that can have a wide range of values depending on how you work your assumptions," he says.

Tips

How to Sell IT Projects to the CFO

Most CFOs still see IT as a black box -- they have limited visibility into the value that IT creates for their organizations, says Gregg Rosenberg, managing director of the IT practice at The Corporate Executive Board, a research and advisory services company.

So it's no wonder that IT managers have a tough time persuading their CFOs to spend money on new technology today, Rosenberg says.

By making changes in their pitches, IT managers can overcome that roadblock and get the CFO's stamp of approval for more projects, Rosenberg and other consultants say. Those changes should include reframing proposals and spending requests to highlight the business value that technology creates.

In a white paper, Rosenberg suggests that CIOs should take the following steps to get their economic houses in order and make it easier for CFOs to see the value of the services that IT provides to the business:

  • Find out the business objectives of the stakeholders.
  • Allocate all IT costs to a set of services that the business wants.
  • Hold IT service managers accountable for controlling the costs of the services they provide.
  • Define units of service in terms that the business understands, and show how changes in IT service consumption affect costs.
  • Reward IT staffers for lowering the total cost of service.
  • Set the prices for IT services to support overall business objectives, such as cost predictability.
  • Invest in IT asset management for making resource allocation decisions (not for reacting to audits).

Most of all, CIOs should communicate using the business metrics -- like "decrease unit costs" -- that really matter to the company's leaders, says Saby Mitra, an associate professor in the College of Management at the Georgia Institute of Technology.

Mary K. Pratt

Martins, who works in the Washington, D.C., area as interim CFO for a government contractor and as a financial adviser to two other companies, says CIOs need to include more details in the ROI figures they present. For example, he says, if a $500,000 investment helps generate $2 million in revenue, the ROI needs to account for the revenue that would have been earned anyway.

And IT managers also need to identify the risk associated with each investment.

"If there's a $500,000 expenditure, you have to consider the magnitude of success, the probability of success, and the risk if you don't succeed," Martins explains. "Because if you properly discount the probability of return but don't factor in the cost of risk, then you're not really presenting an accurate ROI."

He cites a case he has knowledge of but didn't work on directly, where an IT department implemented a $2 million CRM system that was approved without calculating the whole range of costs associated with it or how much it would generate in returns.

The company ended up with a system that did half of what it was expected to do but cost twice as much as anticipated -- all just as the economy tanked and the company's market shrank.

"It's been a significant drag on that company's performance," Martins says. Further, it limited the company's ability to generate new business at a crucial time. With more-accurate pre-investment projections, the company might be in a better place today -- or at least it would be using a less expensive CRM system.

Emphasize Short-term Benefits...

Breslin Longstreth wants his CIO to seek out projects that deliver benefits quickly.

"It's all about the short-term and medium-term returns," says Longstreth, senior vice president of finance at A Place for Mom Inc., a Seattle-based service that helps people find care options for elderly parents.

Case in point was the company's decision to revamp all software licenses, standardize equipment, and upgrade and integrate phone and computer services. Longstreth says the company was looking at a six-figure investment to get the project done -- he declined to disclose the actual price tag -- but found that the ROI would likely be realized within a year.

"We move quickly if we think there's a strong, quick ROI. If it's not obvious, we're probably not going to do it," says Longstreth.

He says A Place for Mom, a private, $50 million operation, is growing so quickly that it's hard to predict what it will require from IT beyond the next few years. That's one reason he encourages his top IT person, the vice president of development, to think about projects with quick returns.

By the Numbers

What CFOs Worry About

Is there something IT can do to ease your CFO's mind?

CFOs' top macroeconomic concerns:

  1. Weak consumer demand
  2. The federal government's agenda
  3. Intense price competition
  4. Credit markets/interest rates

CFOs' top internal concerns at their own companies:

  1. Maintaining profit margins
  2. Cost of healthcare
  3. Difficulty forecasting results
  4. Attracting and retaining qualified employees

Base: 481 chief financial officers in the U.S.; multiple responses allowed.

Source: Duke University and CFO magazine, December 2010


Top risks in the next five years:

  1. Financial exposure
  2. Supply-chain/logistics disruption
  3. Legal liability, reputational harm
  4. Technology failure
  5. Security breach

Base: 168 senior finance executives; multiple responses allowed.

Source: CFO Research Services and Liberty Mutual Insurance Co., June 2010

The economy is another reason, Longstreth says. Although the company is financially healthy, he says he doesn't want to risk leaving it cash-strapped by investing in technology that has a long-term ROI.

"Making a bet on something with a return three to five years out has too much risk right now," he says.

...But Don't Abandon Long-term Investments

Even with the economy in the dumps, Teknor Apex's Morrison wants his CIO to continue proposing projects that will help the company reach its long-term goals.

"If there's a project needed for our strategic well-being, I don't necessarily [want IT to] put it on a back burner because the economy has taken a downturn," Morrison says.

As a private company that's not driven by quarterly performance, Teknor Apex has the luxury of being able to focus more on long-term results, Morrison acknowledges. But that doesn't mean he can fund IT projects that don't support the corporate agenda -- especially in today's economy.

"Outside of upgrades of hardware, everything we do from an IT perspective is put forth as either being strategic in nature or increasing our efficiencies," Morrison explains.

When the market went south in 2007, Morrison says, the company reduced its head count by 5% to 10%, but at about the same time he OK'd spending $150,000 for software for the credit department. "It was probably one of the best projects we ever did," he says, explaining that it allowed the company to reduce staff in the credit department while improving performance. As a result, the new system paid for itself within two years.

Morrison says those are the kinds of technology investments he'd like to see IT managers bring forward.

"We look at IT as an enabler of a lean company. I don't think there's a function that doesn't feel that the IT systems are absolutely essential to their performance," he says. "So we give them what's needed. They just have to show there's a good return."


Pratt is a Computerworld contributing writer in Waltham, Mass. Contact her at marykpratt@verizon.net.

This version of this story was originally published in Computerworld's print edition. It was adapted from an article that appeared earlier on Computerworld.com.