How should a CIO make a business case for their CFOs to invest in redundant IT systems? Do you have an example?

The more a CIO can tie redundancy to the regular business, the more chance he or she will get money for it. You’ll need to go through what could happen if you go down in the same way you justify paying an insurance premium. You’ll also want to look at it as an ongoing process of evaluating the risks you’re facing. By building flexibility into any operation, you can respond better to market changes. The best way to do this is to build in redundancy that can help the business even before disaster strikes. For example, when you buy desktop computers, don’t throw the old ones out—keep them as excess capacity. CIOs have to think about how to help the main vision of the business, which is to be profitable and increase the stock price. Having this redundancy on the IT side not only gives us insurance but also the flexibility to handle surges in demand when necessary.

OK, but what happens if you’re really trying to cut costs in IT?

This is the big problem. Let’s say you get prepared, and in the best of all worlds, nothing happens. The CEO asks, ’why are we wasting this money?’ You’ve got to try to prove your point through benchmarking. It’s hard to do because people don’t get promoted based on cost avoidance. It doesn’t show anywhere in the books. All managers, not just CIOs, face this. You can benchmark against leaders in the industry and present the consequences of not doing this. At the end, it’s a management decision.

Are some people investing too much in redundancy?

No, because the pressure to cut costs is so intense that you don’t see companies overdoing it. Individuals may overinsure and buy unnecessary warranties. But most corporations tend not to do it.

What’s the best way to figure out the main risks for your company?

You want to have a brainstorm of all things that could go wrong and then plot them on a probability versus severity axis. Some events are very likely but don’t threaten the survival of the company. For example, demand for a product is lower or higher than we thought or a truck has an accident. Some other potential disasters require more central planning, but aren’t likely to happen, such as 9/11, Katrina or the Exxon Valdez oil spill, a strike, or a failure of the information system. All these things require the company to develop redundancy even if the probability is low. You’ll have to plan for what you’ll do because you’ll also have fear among employees and customers, and the government may overreact. Even after 9/11, most of the economic damage came from the closing of our borders, not the actual attacks. Ford lost 13 percent of its fourth quarter production in 2001. They had convoys of trucks with parts coming from Canada and Mexico that couldn’t get into the country. When foot and mouth disease hit in England, the government closed farms and culled livestock. To show they were in control, they also closed the countryside to tourists. Damage was 2.5 times larger to the tourism industry than to the agriculture industry.