
Risk and Compliance

An Organic, Pervasive, Integrated Approach to Risk Management

By Chuck Adams, Internet Business Solutions Group, Cisco

We live in a world of dangers: natural disasters, terrorist attacks, infrastructure calamities such as collapsed bridges, and the possibility of a global pandemic. At the same time, business is becoming more global and interconnected. For companies, that means that the risk of business disruptions is significant and growing.

Most companies take a completely reactive approach to security threats. But to protect critical resources, a company needs to be proactive. That means:

  • Changing many business processes
  • Decentralizing the business
  • Creating a virtual organization

A proactive approach needs to be organic, pervasive, and integrated. It also depends on technology, and CIOs have a vital role to play in enabling it.

Obstacles to Proactive Risk Management

In most organizations, risk management isn't much different from the carnival game Whac-A-Mole, in which a mole randomly pops into sight and the player tries to hit it on the head whenever it appears. This kind of endless guessing game is an ineffective approach to security.

While many CIOs have responsibilities for risk management and business continuity, few have the authority to make the kind of organizational changes needed to implement strategies to meet their goals.

An even greater obstacle for CIOs is that the field of risk management is still in its infancy. The topic is just now being introduced into most mainstream educational programs, and industry guidelines and standards for risk management remain in flux.

Business Resiliency: Elements of a Proactive Risk Management Strategy

Proactive risk management is sometimes called "business resiliency" because it covers everything that can be an obstacle to a business. It involves two main steps. First, assess your business processes and identify at-risk, centralized processes. Second, integrate advanced technologies into a strategy that addresses these risks. Be prepared for the strategy to bring about changes that transform your company's business model.

Some of this work is outside a CIO's purview, but CIOs can make essential contributions. Not least is that a proactive risk management strategy depends on a robust, agile IT infrastructure.

Here are some elements of a proactive risk management strategy.

  • Security for enterprise applications: Inside your company, infuse the IT department with strong discipline around risk management for your enterprise applications. Consider security up front.
  • Protection of your company's human network: Focus beyond the technological components of risk management. The true source of intellectual property is the tribal knowledge in an organization's human network. By decentralizing its business model and using technology to transfer critical human knowledge, your company can reduce the need for physical contact among people and dependence on centralized locations.
  • Management of outside risks: Step outside the realm of technology to understand threats facing your company from outside. Look beyond your infrastructure and consider the potential effects of public sector disruptions on your operations. If a disaster occurred, what kind of response could be expected from local and national authorities? For example, in the case of a pandemic, quarantines could last many weeks in multiple waves. How will you keep your plant running if you can't get people in or out during that period? To ensure that work continues, have plans in place to provide basic living necessities.

At Cisco, we had firsthand experience with business resiliency during the severe acute respiratory syndrome (SARS) outbreak in China in 2002-03. Cisco has huge operations in Asia, but because our corporate culture supports virtual work, we were able to weather the quarantine period with little disruption. Our sales offices were closed in quarantined regions for weeks at a time, but our robust network allowed us to work with customers and present the value of our products and services in an online environment. In the end, Cisco actually realized sales gains during that period.
