Around the table
Steven Cooper, IT operations manager, GPT Group
Joseph Earl, general manager application support, Star Track Express
Andrew Fry, business unit executive - business resiliency and continuity services, IBM
Kirsten Garwood, business unit executive - internet security systems, IBM
Chris Johnson, chief information officer, Parsons Brinckerhoff
David Kennedy, chief information officer, Office of State Revenue, NSW Treasury
Ross Lennox, chief information officer, Oil Search
Rob Livingstone, chief information officer, Ricoh Australia
Carlos Loureiro, manager information system, Marrickville Council
Greg Naimo, manager information services, City of Sydney
Bruce Nicholas, network manager information systems, Ten Network Holdings
Peter Wardrop, manager information systems, City of Ryde
Bryan Whitefield, NSW chapter president, Risk Management Institution of Australasia
Brian Corrigan, editor, MIS magazine
It was an incredible visual spectacle that dominated the morning's conversation across town, but the dust storm that swept through Sydney on a Wednesday in September quickly became a business continuity threat for Parsons Brinckerhoff's chief information officer, Chris Johnson.
Two hundred of the company's engineers decided to work from home rather than make the eerie trip into the CBD office. The SSL VPN link copped a battering but, thankfully for Johnson, effectively dealt with the unusually heavy workload. While Johnson says the company prides itself on being an employer of choice with very flexible working arrangements, the dust storm served as a timely reminder of how events well beyond their control can present CIOs with nasty surprises.
Risk and the GFC
Like the dust storm, the global financial crisis of the past 18 months caught everybody by surprise and severely reduced business visibility. Ricoh Australia CIO Rob Livingstone says the GFC has helped organisations focus on what their real risks are.
"You've got to be very careful you don't invest too much money in risk mitigation at the expense of actually staying in business," he says. "It's a question of having that balance and really focusing on those risks that you can do something about, because you can't mitigate against all risks. It's not going to happen."
The financial crisis prompted the City of Ryde to defer a number of major projects, including business continuity planning, as the manager of information systems, Peter Wardrop, says the city doesn't have the budget to implement them.
But the GFC had exactly the opposite effect at NSW Treasury's Office of State Revenue, where CIO David Kennedy has been charged with driving innovation through technologies like business intelligence, which can help to increase compliance and drive greater revenue.
Disaster and continuity
Ricoh is moving to a new disaster recovery model where the DR site is treated as a second production data centre and will run the company's public website, which Livingstone says provides a huge amount of flexibility to manage risk, as opposed to going into a cold site with a box of tapes.
NSW Treasury is also taking that next step, Kennedy says, and turning a DR site into production, so that it has dual capability. "We'll outsource the housing of it and then upgrade it to a full production site," he says.
Parsons Brinckerhoff has conducted four DR tests in the past two years, Johnson says, and had its systems up and running within about six hours. While he is confident of making the switch if needed, the bit that scares him is how long it would take to fall back to existing production systems, and how the business would react to managing that scenario.
"We've built our DR on a guideline of 60 per cent capacity, so we could run it for a period of time, but it's not scalable," he says. "We are highly sensitive to billable hours as a consulting organisation and there are three extra public holidays in Australia during this financial year, which immediately has a 2 to 3 per cent impact on our bottom line. The pressure is on me, as the CIO, to minimise any downtime due to the data centre or telecoms."
IBM Australia's business unit executive, Andrew Fry, says he has known organisations that took a 20 per cent revenue hit for the year because they didn't handle the first four hours of a crisis situation well. While most organisations do have business continuity planning, Fry says they rarely address the communications issue.
Making sure the business understands that IT has to take some stances on security is a constant issue, says City of Sydney's manager of information services, Greg Naimo. "That puts some restrictions on business but that's part of our responsibility in managing the risk profile," he says. "The business wants to be out there doing innovative things and it can be a real conflict of interest."
During tough economic times, data loss can be a major concern. So, in terms of compliance and government controls around privacy and confidentiality, how do CIOs build the business case for guarding against data loss? GPT Group's IT operations manager, Steven Cooper, says sensitivity to data loss is related to the business cycle.
"If we have a major data loss just as we are about to put results out then it has an astronomical effect compared with other times of the year," he says.
"We haven't been able to put a figure on the actual cost of data loss at any particular time, but our disaster recovery plan pitches somewhere in the middle in terms of our capability to recover."
Ricoh's Livingstone says one of the things his organisation has struggled with is the loss of information through USB keys or printouts under the arm. "It's really, really difficult to mitigate against human behaviour. In our business, we are very sensitive in the lead-up to major bids because you don't want that information out there," he says.
"You could obviously put other pieces of information, like the price list, on a bus stop and we wouldn't care. We have tried to segment information according to its importance at any given time. Once a contract has been awarded, that bidding information is no longer important."
No matter how good your risk management strategies are, the behaviour of staff is always a huge variable. Ten Network Holdings manager of information systems Bruce Nicholas admits it is one aspect of the job that keeps him awake at night. He also regrets that, when operations have been running smoothly, it is harder to raise the profile of what could go wrong in conversations with business executives.
Bryan Whitefield, from the Risk Management Institution of Australasia, says business executives are more concerned about whether the CIO can help them deliver on their sales budgets than organisational risk. "They want to know if a system will be delivered on time, within budget and work properly," he says. "But their belief that everything is going to be OK if anything goes wrong is often not well-founded."
Managing expectations about complex projects has also been a problem for Ricoh's Livingstone. "An executive might have a 17-year-old son who can build a website in three hours and wants to know why it will take six months for the company's new site to go live," he says.
"You need to make the commercial side of the business aware of the potential knock-on effect if you try to rush a project through. Disclosing that information means they have some visibility and ownership of the consequences associated with that decision."
It is not just people on the inside who have difficulty. City of Sydney's Naimo says the organisation has just been through an external audit and found it was very difficult for the auditors to understand how the council ran its DR site. "It was a real disconnect," he says. "But they've still got a very high level of credibility with the board, so you have to work with them to make sure what they say is sensible."
Joseph Earl, the general manager of application support at Star Track Express, says his company recently had a similar problem with a security audit. "We were told 'best practice says you must do this', but we're a transport company so we don't need to go to that level," he says.
GPT Group's Cooper says having a chief risk officer within the business has been a big help. A CRO provides a consistent approach to risk management and promotes a greater level of awareness, while also guaranteeing senior executive buy-in.
Taking a slightly different approach, Oil Search CIO Ross Lennox says his organisation has a framework available that is well received across the business.
"We're fortunate that we can dovetail into that. In some areas there's a bit of conflict if you take a purist approach to ITIL [information technology infrastructure library] but we make it fit," he says.
"Every area of enterprise risk has to be owned by a director and risk sits within corporate strategy."
Ten Network's Nicholas says each head of function at the broadcaster is a member of the risk committee, which meets regularly to discuss whether the risk profile has changed and review any major incidents. "We do a workshop each year where each function head builds their risk profile from scratch to see how it has changed during the year," he says.
"That focuses us on managing risk across the business, whether it's related to the brand, supply or our IT systems."
One of the biggest problems of doing business today, and managing the risks associated with it, is the ever-increasing complexity. "We have a very large system that runs most of our company and recently we put in a content management system," Nicholas says. "The challenges we will face are modifications and the rigorous testing we have to do. It's not an isolated system, so it's quite a challenge."
That's a sentiment echoed by Star Track Express's Earl, who says "we exchange information with about 5000 customers every day, so we worry about that connection for that entire supply chain. When you throw your security on top of that it becomes very, very complex".
MIS Australia