The CIO’s Role in Business Continuity Planning

Ensuring continuous business operation is essential. When operations are interrupted, revenue is lost, and profit is reduced. It can also lead to customer unhappiness and possible defection to competitors. Consequently, it is critical for any company to have a Business Continuity Plan (BCP) in place.  Since most businesses rely on IT in order to operate, IT infrastructure should be included in any BCP, and it is the Chief Information Officer’s (CIO) role to ensure that a solid BCP for IT is in place.

IT within a business continuity plan

A BCP is essentially a set of procedures and strategies a business executes in the event of a business or industrial disruption. Business disruption can be caused by a multitude of reasons or scenarios. It can be due to common problems like network unreliability, power outages, or equipment failure. It can also be caused by more severe problems like cyber-attacks, terrorist attacks, or so-called acts of god (fire, earthquakes, hurricanes, etc.). It can also be triggered by a global pandemic, like the current outbreak of COVID-19. 

The United States Department of Homeland Security itemized the four critical steps needed to create a sound BCP:

1. Immediately recognize and take note of  critical business or time-sensitive functions and processes as well as their support systems and resources 
2. Document these critical business functions and then create plans to recover them in case of disruption, loss, or damage
3. Form a BCP  team who will draw up a BCP plan  to manage the disruption
4. Implement ongoing training for the BCP  team to evaluate, strengthen, and improve recovery strategies and the plan

IT infrastructure, and its many components like PCs (desktops and laptops), networks, data centers, software applications, etc. are integral to most critical business functions, and should be considered in a BCP. Information Technology related steps or procedures in a BCP should: 

• Ensure the availability of necessary equipment; 
• Keep the business data safe and accessible;
• Provide reliable IT security;

This is where the CIO comes in. The CIO is responsible for making the business decisions directly related to the IT infrastructure requirements of a BCP.

Availability of necessary equipment

Let us take a hypothetical situation wherein the office building of a business is heavily damaged by a fire or an earthquake, leaving most of the IT equipment in it damaged beyond repair. When this kind of disruption to business operations occurs, the workforce may be unable to operate since their current equipment is suddenly unavailable. It is the CIO who makes executive decisions regarding the procurement of IT equipment for a business.  They have the role of planning contingencies for sudden equipment unavailability in scenarios like this. Things like having a surplus of PCs stored in a different location can be considered in the BCP.

Safe and accessible data 

Business and customer data should be backed up consistently and recovered reliably. Access to the data should also not be disrupted. Going back to the example of a business whose building has been heavily damaged, it would be a major problem if the data center, which stores the data that employees need to do their jobs, is destroyed. It would be much worse if the data destroyed was customer data. The CIO has oversight on what IT Infrastructure is used to store data, where that infrastructure is located, and the methodology on how to store it. Their role in planning for business continuity is to ensure that their decisions on these things consider any potential disruption. They should ensure that a robust methodology to back up data consistently and recover data reliably is in place. The plan should also allow uninterrupted access to the data by the necessary users.

Reliable security

Part of the purview of the CIO is to map out the IT policy of a company, educate the employees about it, and ensure that the business, as a whole, accepts and practices it. An IT policy covers a wide range of things like:

• the type of VPN service to use
• the anti-virus software to use
• How user password rules and guidelines are implemented

The IT policy is a company’s defense against cyber-attacks, computer viruses, and malware. The CIO is responsible for its consideration in coming up with a BCP.

BCP and the global pandemic

The coronavirus is not going away anytime soon. The World Economic Forum states that a vaccine for the virus is likely still almost two years away from completion. Businesses will have to weather the storm. BCPs will be severely tested, especially the processes and methodologies that implement remote work for employees. In an interview with CMSWire, Yousuf Khan, CIO of Automation Anywhere states:  

“For me as a CIO, this means ensuring that remote work can be as seamless as possible to provide the highest level of support to our customers and partners…”

In order to provide a “seamless as possible” remote work experience for employees, a CIO needs to monitor and improve, if necessary, certain aspects of the BCP related to IT:

• Employees must be provided with the necessary equipment that they can set up and use in their homes;
• Employees must have quick and reliable access to the data they need to do their job; and 
• There must be a secure way to access the data remotely to protect company data from malicious attacks

Continuously looking at these aspects of the BCP will greatly aid an organization to survive well after the pandemic. The CIO is the most vital leader right now to guard the ramparts.