Monday, September 12, 2011

ERM-BC-COOP

Management as risk


The other day in a closing remark I wrote management may be the biggest threat of all.

The remark was meant to be a little flip, but in retrospect, management may actually be a major risk.

I have worked several projects where management ignored the practitioner's recommendations.

Some of the projects were as in-house staff; some were as an external consultant.

Case in point

I was a staff employee reporting to the VP/MIS at one organization.

The company had hired a colorful Big Name company at its overseas headquarters to do "business continuity" for its worldwide operations.

As far as the colorful Big Name company was - and still is - concerned, "business continuity" equates to little more than disaster recovery.

But at least the Big Name company got the headquarters thinking about true business continuity.

My boss told me the company wanted a plan for its North American headquarters; I was to meet with him and the CFO to discuss what needed to be done.

To the VP/MIS, a "business continuity" plan should be done "at 20,000 feet."

Fortunately, the CFO understood that to be successful, business continuity must be done at the process - ground - level.

I created the plan and made a number of recommendations, among them being that the organization needed to increase its backup power supply output.

Generators were in place to keep the VP/MIS' servers working, but there was no power for

  • Special call center phones

  • Air conditioning - the building was "environmentally sound"

  • Desktop computers and monitors

  • Copiers and printers

  • Lighting

  • Other essential workplace equipment

A hurricane brushed by the facility and electricity was off for about 5 days.

The generator kept the servers serving, and the fuel vendor kept the tanks topped off.

But the building remained empty except for one hot and lonely guy in the data center who monitored the servers.

Why?

Because the VP/MIS chose to ignore my recommendations and somehow managed to convince the CFO to do the same.

I don't know how much it cost the company, but the VP/MIS was relocated to a less desirable location.

In this case, management was very much the risk.

In another instance, I was part of a consulting team.

We completed, despite less than enthusiastic support from Top Management, the first phase of a project for a state government department.

Unfortunately, the second phase - the response and awareness sections - was considered too expensive, so the plan died on the vine. A management decision.

Added September 19, 2011

Finally there was the retail chain that needed to document what was required to move its IT operation from Point A to alternate site Point B and then back to Point A again.

Management would call meetings and everyone would be present and accounted for - except management.

Nothing could be accomplished.

Finally, after three meetings sans critical management, I resigned from the engagement.

And then there are the good guys

On the other hand, some management takes risk management seriously.

One international company for which I created a plan thought it was fairly well situated. In truth it had done a number of "right" things.

But as I started asking questions I uncovered a number of "got'chas" that no one had considered. Fortunately for me, my two bosses, the CIO and his second in command, were "risk management aware." They understood my concerns, even though most of the concerns were not IT related, and worked to see them mitigated.

Another client listened when I suggested it ought to ask its vendors for their (vendor) business continuity plans.

Heavily dependent on its vendors, it considered and acted upon my suggestion.

Each of its critical vendors complied. I critiqued each vendor plan and provided feedback to my client which then passed along the information to the vendor who submitted the plan.

It was a win-win-win situation: my client knew which vendors had a viable plan, the vendor got a free plan critique, and I gained knowledge by reading others' plans.

But apparently not many

As an in-house planner for a very large company, once an industry leader, I suggested to corporate management that someone should consider an enterprise risk management plan.

For my concern I nearly was terminated.

In my lowly division position I did manage to involve Facilities and Purchasing in the business continuity plans, a first, and I "discovered" that an agreement my division thought it had with another division to back up our operation "in the event of" was worth less than the paper it wasn't printed on - a handshake between two managers who had moved on. My management showed interest - for about 5 minutes and then dismissed the problem.

There ARE "risk management aware" managers and practitioners treasure these people. But too often the people who determine what will be done with a practitioner's information - no matter how much it cost the organization to develop - really only pay lip service to our recommendations.

I am reminded of the expression "A little knowledge of first aid is a dangerous thing."

Creating, but failing to implement, a plan may seem "good enough" to many managers, but in truth, such a plan provides a false sense of security.

In cases like that, management is the biggest threat of all.
