Anyone who has kids knows that their aging is a constant reminder of how fast time goes by. My son is about to turn seven years old -- hard to believe, I have to admit! Time flies when you are having fun -- but also when you are really busy. It has already been a year since I was on the campus of the Harvard Business School as an invited academic to the Delivering Information Services (DIS) program. There I had the luxury to become a student again for a week and to see some of the great ones -- like Warren McFarlan and Lynda Applegate -- work their magic. I had forgotten how nice it is not to run the show but rather to be a part of it from the other side of the podium. The DIS program is designed and managed by a person many of you know very well: Cutter Fellow and HBS Professor Rob Austin. On top of organizing the program, Rob also taught some sessions and demonstrated that the new guard can hold its own with the legends!
One of the most interesting sessions during the week-long program centered on iPremier -- a fictitious case describing the experience of a CIO of an online financial services company during and after a denial-of-service attack that shut down the firm's Web site. Rob wrote and taught the case. It starts with a middle-of-the-night phone call that wakes the protagonist and requires him to quickly "switch on" and make decisions.
Amongst the many interesting insights, one of the main points of the case was to realize how difficult it is to make decisions under duress in the midst of a crisis. The other critical insight of the iPremier case is that preplanning for a crisis opens options that are otherwise unavailable to the organization once the emergency begins. In many cases, simple precautions taken at the appropriate time create a wealth of opportunities for reacting to and managing a crisis were it to indeed happen. Forgoing these precautions boxes the firm into substandard responses and sometimes spells outright doom.
While the iPremier case is about a security breach, it could be about any type of crisis. And in any crisis, what you do before and what you do during the emergency is what really matters. In this issue of CBR, we focus on this very same question under the broad topic of emergency preparedness and disaster recovery planning. Our goal is to help you build a resilient organization -- one that will be in the best position possible to "weather the storm." That storm could come in the form of a literal storm, as was the case with Hurricane Katrina in the US or the tsunami that hit Southeast Asia, or it could come in the form of a terrorist attack of major proportions or a security breach of the firm's infrastructure. But, as our contributors remind us, it doesn't have to be a major large-scale event. It could be a localized flood, a protracted power outage, a fire in your building, or, a perennial favorite in my hometown of Ithaca, New York: an ice storm that cripples the town's infrastructure.
Your organization needs to be able to respond to any one of these episodes. In an effort to provide some guidance as to the best way to plan for and respond to emergencies, this issue of CBR draws insight from two academic contributors: Tom Horan and Ben Schooley. Tom is an Associate Professor and Executive Director of the Claremont Information and Technology Institute (CITI) at Claremont Graduate University, where Ben is earning his doctorate. Tom and Ben's research interests center on the development and deployment of advanced information technologies and policies -- including emergency planning and management. Our practitioner view is offered by Rebecca Herold. Rebecca is a Senior Consultant with Cutter's Enterprise Risk Management & Governance practice; an information privacy, security, and compliance consultant, author, instructor; and adjunct professor for the Norwich University Master of Science in Information Assurance (MSIA) program.
Keeping with our standard model, Tom and Ben start us off with a general framework grounded in academic research and the notion that disaster recovery is much more than getting the computers back up and running when something bad happens. They identify four levels of analysis when planning for potential emergencies: the emergency response and recovery process; interorganizational linkages; end-to-end performance of response and recovery; and contextual variables and implications. They then discuss selected survey responses and draw some conclusions and tangible guidelines for emergency planning and crisis management.
Rebecca takes an in-depth look at the survey results starting with a stratified analysis of the respondents. As is often the case with our practicing contributors, Rebecca's piece is sprinkled with tips, reminders, and tangible suggestions that are worth the price of the issue. I always find these seemingly simple reminders and apparently obvious suggestions to be extremely useful since they are all too often overlooked or forgotten by busy professionals. For this reason, I particularly draw to your attention her section on the importance of communications and her step-by-step suggestions for how to be effective at it. I also draw your attention to Rebecca's closing section on lessons learned and guidelines.
It is interesting, as Rebecca points out, that an event often becomes an emergency and escalates to a crisis because the affected individuals or organizations were unprepared. In other words, there is no such thing as an outright crisis -- the same event can be effectively managed by one organization, yet cripple another.
I hope that you will find this issue of CBR instrumental in helping you build a resilient organization and fall consistently in the first category.
-- Gabriele Piccoli, Editor, Cutter Benchmark Review
In this issue of CBR, we focus on this very same question under the broad topic of emergency preparedness and disaster recovery planning. Our goal is to help you build a resilient organization -- one that will be in the best position possible to "weather the storm." That storm could come in the form of a literal storm, as was the case with Hurricane Katrina in the US or the tsunami that hit Southeast Asia, or it could come in the form of a terrorist attack of major proportions or a security breach of the firm’s infrastructure. But, as our contributors remind us, it doesn’t have to be a major large-scale event. It could be a localized flood, a protracted power outage, a fire in your building, or, a perennial favorite in my hometown of Ithaca, New York: an ice storm that cripples the town’s infrastructure.