5 Things I've Learned

Five Things Tom Ridge Has Learned About Risk

Tom Ridge, former Department of Homeland Security chief, on the importance of disaster preparedness and battling complacency

Leave a comment

By Katherine Walsh

October 29, 2007 — CIO — Tom Ridge is the two-term governor of Pennsylvania and first U.S. secretary of homeland security. He recently launched Ridge Global, an advisory firm based in Washington, D.C. Ridge believes another terrorist attack is likely.

Complacency is what keeps me awake at night. It's predictable in human terms, but unacceptable as well. We just don't seem to have that same sense of urgency that we did in the first years after 9/11. The professionals have it: the police, firefighters, emergency service personnel and the military. But in the corporate world, and even to a certain extent, the political world, there isn't that same sense of urgency.

We can't secure the country from inside Washington, D.C. We should look to the private sector for best practices to respond to disaster. That will take a major upheaval, but I strongly believe in it. We've got the talent and interest and commitment in the private sector. There are so many things the private sector could help us do more effectively. At the end of the day, collaboration is critically important. The federal government, as big as it is, needs to work with the private sector.

You can't prepare for everything. So you have to be prepared for the unpredictable. There is a certain element of surprise associated with every crisis and challenge you face. I served in Vietnam; most people in the military will tell you that you reduce losses and enhance odds for success by having the right equipment, training and the right people. And it applies to the corporate world, too. Have you empowered your CIO or CSO to look critically at your entire infrastructure and make specific requests? Do you have a business continuity plan and do you exercise it? Have you tried it out? There are basic lessons in regard to planning and training that are helpful because sometimes you don't have time to think; you just have time to react. But if you've trained a certain way and planned a certain way, chances are pretty good you will react the right way.

I have a lot of empathy for CIOs and the CSOs. When they would like to beef up their IT systems and embed preparedness and recovery plans into their networks, they have to go to the CFO and CEO and say "I need X number of dollars to do this." And the first response they get is, "What's the risk? That's a big expense. Where's the ROI?" But I think in a more globally competitive and interdependent marketplace, a post-9/11 Sarbanes-Oxley world, there are far greater vulnerabilities to a commercial enterprise today than ever before. It's not just about profitability. It's about the intangible asset—your brand—that's at risk. I would hope CFOs and CEOs and boards of directors pay more attention to the risk assessment rendered by security officers or information officers when parceling out annual budgets. You have to manage the risks, and there are certain ones that need to be managed, regardless of ROI.