Computers & Security, Vol. 7, No. 3 (1988) 245-247
Special Feature
Managing an Information System Crisis
Dr. Jack Bologna

© 1988, Jack Bologna
0167-4048/88/$3.50 © 1988, Elsevier Science Publishers Ltd.

Managers are not all of one mind or body. They vary in terms of personality, values, interests, motivations, needs, and attitudes. Managers even vary by management style and philosophy. Some manage by force and pressure, some by persuasion, some by manipulation. A few manage by objectives and more than a few manage by crisis. But managers who deliberately manage by crisis are not necessarily good crisis managers.

Crisis management is not so much action oriented or crisis oriented as it is prevention and avoidance oriented. It is anticipatory, not reactive. The immediate and long-term horizons are continuously scanned for evidence of threats and risks. And the threats and risks that are monitored include not only disaster events that involve the safety and security of customers, employees, etc., but also threatening changes in the business environment that may hurt the company in terms of lost revenues, greater costs, or damage to corporate image. So the underlying purpose of crisis management is to ensure corporate survival.

Survival, however, does not mean growth. The kind of anticipatory planning that must be done for growth is called "strategic" and is long range in nature. However, if you don't survive today, there will be no tomorrow. So crisis management (i.e. planning for survival) comes first. Once survival can be reasonably ensured, planning can be extended to the near-term future and later on to the long-term future.

An effective crisis manager therefore anticipates threats and risks of an immediate nature and develops action plans that spell out in detail what resources will be needed and what responses shall be made, by whom, when, where, and how. Lines of command and communication are also established in the plan. The plan is then periodically tested and updated.

This idea of crisis management sounds a lot like disaster recovery planning in the field of computer security, and indeed they are closely related. A computer disaster is but one type of crisis that might be addressed within the context of crisis management. The usual events portrayed in the media as corporate crises include unfriendly takeovers, chemical spills, industrial accidents, fire, safety and climatic disasters, product safety and product tampering incidents, terrorist acts, impending financial failures, and attacks by political, economic and social pressure groups. As often as not, the immediate cash loss from these crises is not the most serious problem since they are likely to be covered by insurance. The real loss is long-term damage to the company's reputation, credibility, and image and the loss of customer loyalty, employee loyalty, and stockholder faith in the enterprise.

If this kind of planning is intended to guarantee corporate survival, it must be a common practice in industry, right? Wrong! Crisis management is practiced about as commonly as disaster recovery planning is practiced in computer centers, that is, about as often as not.
Crisis Management Survey

In conducting the research for his book, Crisis Management: Planning for the Inevitable (Amacom Books, New York, NY, 1986), Steven Fink found the following anomalies among Fortune 500 companies.
(1) 89% of the respondents agreed that a "crisis in business today is as inevitable as death and taxes."
(2) However, 50% of the respondents agreed they had made no crisis management plans.
(3) Of those companies that had experienced a recent crisis, 42% still did not have a crisis management plan.
(4) However, 97% were "confident" they could respond well to a crisis.
(5) 74% of the responding firms admitted having experienced a serious crisis.

The good news is that the firms that did have crisis management plans experienced shorter periods of crisis acuteness. Those without such plans suffered acute phases that lasted two and a half times longer.

It may be better to light one candle than to curse the darkness, as the Christophers say. But if you are an MIS director and the lights go out at night, a candle won't help much. (On the other hand, cursing the darkness won't help either.) Many computer centers I visited over the many years of my practice had neither candles, curses, nor flashlights to ward off a power shortage, much less emergency lighting or an uninterruptible power source. The only reason I could charitably imagine for such a phenomenon was that the management people in those MIS shops worked during the day, so they never thought about the need for lighting at night. In their world, "contingency planning" was an oxymoron (i.e. you can't plan for a contingency until it happens), so contingency planning must be a contradiction in terms.
The Current Scene

I am pleased to report I see much less of the above behavior today. Indeed, just about everyone in MIS and EDP is now scurrying about trying to develop and implement a disaster recovery plan. Models of such plans abound, as do audit and assessment tools. I suppose I should be pleased that corporate top managers and IS managers have begun to show more interest in the protection and preservation of their information resources. But I fear the current effort is too little and perhaps too late, because the value of information and information processing resources is far greater than ever before. Indeed, information resources are no longer mere number crunchers or accounting aids. They are today the very lifeline of private and public sector organizations. Computers give these organizations a lot of their brain power, i.e. they provide a major mechanism for thinking, reasoning, and making decisions. Computers have become strategic resources in the competitive battle for survival and growth. So the nature of the risk of a computer or information system failure has changed greatly over the past 25 years. We aren't running just payroll anymore. We are running everything the company needs to make wise choices, everything the company needs to make better products, and everything the company needs to keep customers, shareholders, and government agencies satisfied.

How did I come to this conclusion? Well, in thinking about a crisis management methodology one day, i.e. a worst case scenario, I asked myself a fundamental question about business (i.e. what's the very worst thing that can happen to any business?). The obvious answer was bankruptcy. In carrying my analysis a step further, I asked myself how a business goes bankrupt. Are there any early warning signs? There were, in my mind, certain conditions, events, or trends that signalled serious disorder. Such conditions, events or trends include the following.
(1) Declines in profit, sales, market share, cash flow, customer acceptance of products, and intensifying competition in the industry.
(2) Increases in labor, material, information, and technology costs.
(3) Obsolescence of products.
(4) Price wars.
(5) Loss of key personnel.
(6) Loss of proprietary information to competitors.
(7) Loss of assets due to disasters not fully compensable by insurance.
(8) Loss of assets due to tort claims and criminal charges against the company, not fully compensable by insurance.
(9) Loss of assets of any kind due to mismanagement (weakness or absence of controls).
(10) Loss of assets of any kind due to employee fraud, theft, embezzlement or sabotage.

But, while all of the above conditions, events and trends indicate a fair measure of risk, the total loss of information processing capabilities for more than a day or two at a fair-sized company could quickly take it to the brink of bankruptcy. If that's true, then loss of IS capabilities is a more serious crisis than declines in profit and market share.
Dr. G.J. (Jack) Bologna holds degrees in accounting and law and has undertaken graduate study in business administration. Through his consulting firm, Computer Protection Systems Inc., founded in 1980, he publishes two monthly newsletters: Computer Security Digest and Forensic Accounting Review. His career spans a period of 30 years and includes employment in banking, public accounting, federal law enforcement, industrial security, management training, college teaching and consulting. He is a prolific writer with more than 40 technical articles on a variety of business and management topics. He is the author of Computer Crime: Wave of the Future; Strategic Planning for Corporate Directors of Security and Risk Management; Corporate Fraud: The Basics of Detection and Prevention; Guidelines of Forensic Accounting; The Fine Art of Fraud Auditing. Currently, he is Assistant Professor of Management at Siena Heights College, Adrian, MI. He is on the editorial board of several professional journals.