CIO: Chief Water Bailer
IBM Global Technology Services just released a report written by the Economist Intelligence Unit summarizing the findings of a survey that investigates how organizations are developing their business resiliency strategies. “Key trends driving global business resilience and risk” is on the IBM web site and free for anyone to download.
Businesses of all sizes from North America, Europe, and Asia-Pacific were surveyed. They were asked to name their top risk management concerns and the top three answers aren't too surprising:
But when the survey respondents were asked to name the components of a business resilience strategy, it looks like IT security issues are top of mind:
Arguably, “infrastructure security” can encompass non-IT issues and there are non-IT components to data protection. But looking at this list, it seems that IT issues continue to remain top of mind when people talk about actually creating a business resiliency plan. This is borne out by some of the other questions of the survey.
When asked who is most involved in risk and resilience strategies, organizations clearly favored their IT leaders:
So like it or not, IT leaders are being asked to show leadership in the top business resiliency areas, even though business resiliency goes far beyond IT and includes disaster recovery and regulatory compliance.
Given that disaster recovery has so much to do with physical locations of the business and the jurisdictions that the company does business in, it's surprising to me that the lines of business owners aren't more prominently involved. I suppose they might be covered in “Other C-Level Execs,” but it's unclear.
If a line of business owner is responsible for the business case for an opportunity and marshaling the company's resources to go after that opportunity, wouldn't that same line of business owner need to own the resiliency of his plan in order to make the numbers? In any case, it's not my job to argue with the survey respondents. They put IT leaders at the top of the list. That's the reality.
The good news is that the attitudes are slowly changing. One of the most interesting survey questions to me was the change in roles involved in business resiliency that are expected in the next three years.
Over time, organizations see non-IT roles becoming more involved. The rise in importance of business partners is notable. I suspect that's because more and more organizations are seeing IT not as a centralized internal organization but a supply chain of service organizations that supply IT services. “Employees” involvement is also expected to increase quite a bit, even more than the higher-level roles mentioned in the question. This would suggest to me that resilience expertise comes “from the trenches” even if the creation of resiliency plans is directed from the “top down.”
But IT leaders will continue to be on the forefront of responsibility for business resiliency, including not just IT security, but disaster recovery and regulatory compliance. So when the floods come, it will be the IT organization that is expected to bail the water.