Intercompany communication on a global scale also has challenges. There are cultural issues as well as practical ones like time-zone differences. Using technology to communicate instead of face-to-face contact has implications for network support, usage policies and firewalls. The good news: For multinationals, connection to the Internet isn’t much of an issue, nor is reliability. The Internet was designed for a nuclear attack.

The cost of business travel will now be spent on technology. CIOs will now be responsible for a large redeployment of resources. As communication technologies replace travel, the technology itself becomes more important, which means that managing the technology is more important.

RISK MANAGEMENT

Plan for People, Not Just Systems

JOHN MCCARTHY
Senior manager in information risk-management practice, KPMG, Washington, D.C.

One of the great lessons of this tragedy, and others in the last decade, has been helping company leaders see the people in their organization as part of the risk-

management equation. Most companies have a business plan for technology failure?things like someone putting bad software on the system or dealing with a security or hacker threat. Now what we’re seeing post-Sept. 11 is the recognition by leadership that there’s an even greater need to understand people processes in the context of risk management and disaster recovery.

Companies need to think about how they will take care of their employees, account for the missing and deal with the families in the event of a fire, a flood or an explosion in the building. How will you take the services and processes handled by those people and transfer that responsibility to another part of the organization so the business can continue dealing with a disaster? You can’t let a major disaster stop the entire organization from doing anything else?you have to look at how you can separate the tragedy from the necessity to keep delivering services. You have to know what the critical functions are and how to continue them in the face of disaster. How will you communicate internally and externally? You must figure out how you will talk to industry peers and associations, and how you will deal with state, local and federal authorities.

Also, think about how you will communicate with customers. How will you talk to them about the status of your business and your employees, particularly if the business?say, a financial institution?has a piece of the customer’s money?

A big lesson for CIOs and other leadership is that continuity management is not a line function. It’s a core function that must be managed from the top of the organization. CIOs are familiar with this, as they have long argued that technology also cuts across the business and needs attention from the executive team. After Sept. 11, CIOs will have a lot more credibility when making arguments for replicating critical systems. The case has been made graphically for CEOs that the kind of discussion that has gone on at the CIO and CFO level in terms of risk management aren’t way out there?they need to be addressed ahead of time. The watchword coming out of this is going to be enterprise risk management?no more point solutions. If you want to survive something this extreme, an enterprise approach is what will make the difference between making the business go or not.