Should CIOs have a Foreign Policy?

In July 2005, a series of suicide bomb attacks in London's transit system killed 56 people and threw the city into a state of confusion. The U.S.-based CEO of a multinational financial company with offices in London posed what to him seemed a simple and essential question: "Are all our people OK?"

In July 2005, a series of suicide bomb attacks in London's transit system killed 56 people and threw the city into a state of confusion. The U.S.-based CEO of a multinational financial company with offices in London posed what to him seemed a simple and essential question: "Are all our people OK?"

Getting an answer proved challenging. First, there was no single staff directory that covered the entire company and was kept up to date with ongoing staff changes. Nor was there a single directory of every person's location and contact information. Second, even if it existed, such a directory would not have included contractors, who nonetheless fit within the CEO's definition of "our people."

Third, there was no central record of which London employees were on vacation, on leave or traveling that day, or -- more worrisome -- which employees from other locations might be visiting London. And finally, even for those employees who were known to be in London and for whom the company had addresses and phone numbers, it was hard to make contact.

"Transportation was disrupted, cellphone service was down, SMS was down, and it was very unclear for most of the day just what had happened," recalls Andrew Marshall, director of Consultifi, which helps companies understand business risks.

The company's HR and IT departments weren't able to provide a timely answer to the CEO's questions, he says. "It turned into a conversation that involved philosophy and technology as well as HR," Marshall notes.

There are several lessons any IT leader can draw from this tale. First, there's no such thing as a safe location: Disruptions can happen anywhere. Second, it's important to have a plan that spells out what everyone's responsibilities will be and includes all the information you'll need. And finally, you need redundant communications systems, because "normal" methods of communication will likely fail -- especially mobile, which is quickly overwhelmed by the spike in local demand that takes place during any crisis.

Concerns About Crisis Events Grow

It would be impossible to think about events of the past 12 months without having at least a few qualms over systems, data and employees, especially those outside the U.S., and the possible effect of local unrest, epidemics, earthquakes or other hazards. Indeed, in a 2010 survey of the 100 largest technology companies, 55% of executives reported worrying about "natural disasters, war, conflicts and terrorist attacks." When the same executives were again asked that question in 2011, that percentage rose to 81%.

In this increasingly global and interconnected world, it's easy to see why they're concerned. Power outages, weather events, political unrest or even something as mundane as a ship dragging its anchor over a fiber-optic cable can disrupt your operations in unexpected ways. Data centers could go offline. Data stored in remote locations could become unavailable, as could your supply chain. You could lose contact with offshore service providers due to interrupted communications. Software-as-a-service applications could go offline. And although cloud-based infrastructure is mostly hosted in the U.S. now, that's expected to change in the next few years, posing even greater risks.

Be Prepared

What's in Your Crisis Suitcase?

When a crisis strikes at an International SOS location, local employees pull out the field deployment pack. That's a suitcase full of technology items that are especially useful when normal power and/or communications are down. It's a good idea to have a similar bag of tricks stored in a closet at each of your company's locations.

Here are the contents of an International SOS field deployment pack:

* Several laptops

* Satellite phones

* A satellite Wi-Fi hotspot

* A mobile printer

The printer is more important than you might think, explains Jonathan Bar, general manager of global infrastructure. You may need to print travel papers or other documents, or photos of people you're searching for.

Recently, the company has begun including iPads in its field deployment packs. With their high-quality image display capability, long battery life and robust mapping technology, they can be very handy.

-- Minda Zetlin

In fact, a significantly global operation is likely to be affected by local disruptions -- somewhere -- on a very regular basis.

"There are events happening almost constantly at any time in different parts of the world, whether a bombing in Jakarta or an uprising in Egypt or an earthquake in Japan," says Michael Shea, executive vice president for IT at International SOS, a company that provides medical and security services to travelers and has operations in 70 countries. With so many locations -- many of them in emerging markets and other politically or economically unstable areas -- operating through a crisis is business as usual. "We have to activate one of our business continuity plans about every three to four weeks," Shea says.

Even if you have few operations in unstable areas, it's wise to consider what events could disrupt your overseas operations, affect your overseas data or threaten your overseas employees. A well-thought-out foreign policy should be part of every CIO's toolkit. But how can you effectively prepare for whatever disasters the world might throw at you? Here are some ideas that might help.

Don't Plan for Everything Everywhere

In omnia paratus --"Ready for anything!" This might seem like a good approach to protecting your IT operations from all perils overseas. And indeed, some IT leaders take the position that, since there's no way to predict what might happen next in any geographic location, the best strategy is to be ready to meet absolutely any threat anywhere it may arise.

There's only one problem with this approach: It's impossible to do. "Trying to prepare for everything everywhere leads you down one of two paths, neither of which is good," says Dan Blum, an analyst at Gartner. "One path is saying that whatever you're doing will have to be good enough, since you can't know everything. The other is the path of being too paranoid and exhausting yourself chasing phantoms, and no organization can do that for very long. CIOs or chief information security officers who attempt to create and maintain the same very high level of preparedness everywhere will find their credibility eroding and their influence declining over time."

On the other hand, it can be very hard to see even a short distance into the future. Consider Orange Business Services, the business communication arm of one of Europe's largest mobile providers. The company has four major support centers in Egypt. One day last winter, Paul Joyce, senior vice president of international customer service and operations, paid a routine site visit to the company's facility near Cairo. With protests sweeping through nearby Tunisia, Joyce asked the company's local staffers whether they anticipated civil unrest in Egypt as well.

World View

How to Create a Valid Threat Matrix

In South Africa, phone lines often fail because people desperate for money pull them apart to sell the copper wire. In the Philippines, electrical fires are a frequent problem. There's no doubt that knowing the likelihood of a particular threat in a particular location is key to business continuity planning. But is there a useful way to take all the various factors into account?

International SOS, which provides medical and security services to travelers in 70 countries, comes as close as humanly possible by creating a specific risk matrix for every one of its locations. "We look at about 50 different categories of events, and for each we rate the possibility of it happening from 1 to 5," explains Jonathan Bar, general manager of global infrastructure.

IT executives obtain this information by working directly with local employees. They're asked how many times a given event has taken place in their location during the previous year, five years, 10 years and 100 years. Once you take such a long view, some recent startling events become slightly less surprising. "You'd have to go back to the 1970s and the presidency of Anwar Sadat, but there was rioting in Egypt then," Bar says. "That was only about 30 years ago, so it could happen again."

Once you have a threat matrix established for a particular location, it's easier to plan for the likeliest disruptions. In Thailand, for instance, depending on how you count, there have been 20 attempted or successful coups in the past 100 years. During the most recent attempt, the local International SOS office was surrounded by tanks.

"So we adjust our planning for Thailand with the view that the odds of civil unrest are very high," Bar says. "When it comes to tornadoes there, we're not overly concerned."

-- Minda Zetlin

"They joked that the worst trouble would arise from [ousted president] Ben Ali flying by overhead on his way to Paris," Joyce says. "They were sure it would never happen there." Only a week later, they were proved wrong.

You can't be ready for everything everywhere, but at the same time, specific events in specific places can be nearly impossible to foresee. So how do you prepare?

"My recommendation is a balancing act," Blum says. "You want to raise your baseline capability to cope with any crisis. You raise that as high as you reasonably can, given the costs and potential benefits. But then you look at worst-case scenarios that would be catastrophic to the business in terms of what's most likely to happen, and that will vary by location."

Should you watch the news with special attention to potential disasters brewing where your data, operations or outsourcing partners are located? "Anyone with access to the Internet and a news service should have a basic idea of what's going on," Marshall says. But, he adds, you shouldn't try to go it alone. "Every organization needs to monitor external events. You may have a risk management team within your company, or there are commercial organizations that will keep you updated about potential risks."

One of your best sources of information is whatever staff you have on the ground in a potentially troubled location. Depend on them for insight, and make sure they have a plan for where to get their own news if a local event causes disruptions.

Sometimes it's possible to see a problem coming well in advance. Although the earthquake and damaged nuclear reactor in Fukushima, Japan, are no longer making daily headlines, Orange is helping a client located nearby consolidate and relocate operations to Indonesia as soon as possible. Why? "The biggest challenge for many there was power continuity," Joyce says. "Coming into the peak of the summer, there will still be a serious aftereffect of that disaster. We're anticipating rolling blackouts."

Ask 'What if?'

Once you've considered what types of disruptions are most likely at your various locations, sit down with key staffers and talk through each of those scenarios.

"It's worth running through a catalog that might include civil unrest, power supply problems, interruption of Internet service and a terrorist attack, although trying to imagine and foresee everything will take you down some blind alleys," Marshall says.

It's an important opportunity to learn just what top management will expect of IT in a crisis. "See if everyone's assumptions are the same," Marshall suggests. "Ninety percent of the time, someone will say, 'I thought you guys would be up and running for that!'"

People tend to assume that working systems stay that way, he notes. "Anyone who's worked in a company with centralized data storage knows there are all kinds of misconceptions about what you will and won't be able to access, and the assumptions you make in IT won't be the same ones that Finance or other departments make." Key areas to cover for each scenario: Will the Internet be available? What about phone service? If data needs to be restored from a backup, how long will it take? "People tend to assume that, since we have backups, the data will be instantaneously available," Marshall says.

Another reason for this exercise is for you to learn which systems are most essential to keeping the company running -- and they may not be the most complex or challenging ones from IT's point of view. "Generally, anything around your revenue stream is highly critical," says Terry Assink, group vice president for Brand Velocity, which consults on business project implementations, and former CIO of Kimberly-Clark. "You need to be able to take in money, and you need to be able to pay your employees."

"Your finance department may be very needed during a crisis," adds Shea. "If you're in Egypt during the unrest, and you need to charter airplanes so you can get people out of there safely, you will need finance people and financial resources to make that happen."

Asking "What if?" made a huge difference for Allied Telesis, which supplies communications for the U.S. Air Force base in Yokota, Japan, about 190 miles from Fukushima, where much of the local infrastructure was destroyed. Despite massive problems and power outages, the Yokota base never lost communications.

Related:
1 2 Page 1
Page 1 of 2
7 secrets of successful remote IT teams