ORGANISATIONAL RESILIENCE NEEDS STRONG IT SUPPORT


BUILDING AN EFFECTIVE CORPORATE RESILIENCE FRAMEWORK DEMANDS BUY-IN FROM EVERY PART OF THE BUSINESS
Survey conducted by IDG Connect on behalf of Sungard Availability Services


Summary of Research

Resilience policies. Almost three quarters of UK organisations currently maintain corporate resilience policies or strategies, but fewer appoint dedicated resilience champions or write requirements into mission statements. (Maintains a corporate resilience policy/strategy: 72%. Resilience included in the mission/vision statement: 45%. Board-level resilience champion appointed: 44%.)

Approaches to expected/unexpected challenges. Organisations currently employ different approaches to anticipated and unanticipated challenges, with the emphasis shifting from preparation and prevention to reaction and laissez-faire. (Anticipated challenges: proactive 52%, preventative 19%, reactive 23%, defeatist 6%. Unanticipated challenges: proactive 28%, preventative 15%, reactive 44%, defeatist 13%.)

Resilience indicators rated very mature. Some work has been put into the development of mature organisational resilience indicators, but there remains room for improvement in most cases. (Rated very mature: unity of purpose 41%, leadership 40%, proactive posture 33%, innovation and creativity 32%, situational awareness 29%, internal resources 28%.)

Priority of approach. Equal importance is attributed to planning, knowledge, decision making, partnerships and staff engagement. (Rated most or very important: planning strategies 86%, leveraging knowledge 85%, decision making 84%, establishing effective partnerships 83%, staff engagement 83%, stress testing plans 72%, breaking departmental silos 66%.)

1. Introduction

Risk is a perpetual force in every business environment, but the form it takes is constantly evolving, and change can come from any number of environmental, political, commercial and technological sources. How each individual organisation deals with this risk (the extent to which it is able to foresee its future, adapt positively to change and quickly bounce back from any crisis or period of adversity) goes a long way to defining its long-term success or failure.

Reacting to incidents as and when they occur remains a common approach to establishing organisational resilience, one that putting preventative measures in place to minimise the effects of disruption, or even stop it from happening, can supplement to a certain extent. But nobody can predict the future or prepare against the unknown. In some cases it may be better to concede daily disruption as a normal state of affairs and, rather than seek to maintain business processes, focus on delivering the adaptive capacity to change those business processes as appropriate.

Effective resilience involves, for example, supporting a decision-making strategy which transcends individual business divisions and job roles to gather information from, and promote collaboration between, every part of the organisation. It also means making sure that for any one possible scenario a number of different options (not just plans A and B, but also C, D and E) are available to help mitigate against any unfavourable outcome, and that alternative strategies are regularly tested to validate their effectiveness. Leadership and innovation can also play a pivotal role when it comes to the spread of new ideas and positive thinking across the organisation.

IDG Connect interviewed 100 IT decision makers working for large organisations in the UK to analyse how individual job roles see resilience from different perspectives and to assess the extent to which resilience is being hampered by any lack of support from the IT department. The majority of those polled (69%) worked for organisations employing 1,000 people or more. Respondents worked in a broad range of verticals, with software and computer services (12%), finance (11%) and retail (9%) all well represented. An even split of IT managers and directors (40%) and C-level executives (43%) took part, with vice presidents, senior vice presidents and executive vice presidents making up the remainder.

Almost three quarters of UK organisations currently maintain corporate resilience policies or strategies

Most UK organisations currently maintain corporate resilience policies and strategies, but they are not always backed up by broader organisational initiatives. A large majority (72%) of those polled by IDG Connect reported that their organisation currently maintains some form of corporate resilience policy or strategy, indicating that most work for companies which have already adopted a formal approach to making sure their organisation can adapt positively to change. But fewer appear to have qualified that approach by either including any commitment to prosper despite adversity in their mission statement (45%) or appointing a champion or dedicated staff role to manage and drive that resilience policy at board level (44%).

As with many aspects of corporate resilience (a pattern which we see repeated throughout the survey), those working in the IT department tend to have different opinions compared to C-level executives and vice presidents. This suggests that in some cases IT managers and IT directors may have had less involvement in defining or implementing corporate resilience procedures, practices or management policies to date. The proportion of IT department staff who reported that their organisation maintains a corporate resilience policy or strategy is only 30%, for example, compared to 53% of CIOs, CTOs and CSOs and 50% of vice presidents, executive vice presidents and senior vice presidents (the VP group).

Company size does not appear to make much difference here. Those which maintain a resilience policy and employ a dedicated member of staff to co-ordinate activity are roughly equal regardless of overall headcount. Fewer people working for smaller companies (those employing fewer than 1,000 people) record any commitment to resilience in their organisation's mission statement (35%), but this is probably a result of formal mission or vision statements not being defined by their employers.

Wide variation in approach towards expected and unexpected challenges

A slight majority (52%) of respondents described their organisation's current approach to dealing with anticipated challenges as proactive. Another 19% judged it to be preventive, indicating that pre-emptive measures had been taken to mitigate or limit the fallout of expected challenges before they actually happened. But others reported that they are more likely to take a reactive stance (23%) that focuses efforts on dealing with the consequences after the event, and a further 6% described current attitudes as defeatist: while the organisation knows and expects that challenges will arise, in some cases it feels there is nothing it can do to adequately prepare itself to meet them.

The extent of their preparedness changes for unanticipated challenges, however. Smaller numbers see their organisation as either proactive (28%) or preventive (15%), and more see themselves as either reactive (44%) or defeatist (13%). Clearly, respondents are more confident that their employers are willing and able to prepare themselves for the expected as opposed to the unexpected.

There are also some interesting differences of opinion amongst IT department staff, C-level executives and vice presidents. This suggests that attitudes to, and appreciation of, current organisational resilience strategies vary according to each individual manager's place in the chain of responsibility and their visibility into the overall resilience management framework. C-level executives (35%) and vice presidents (25%) are far more likely to judge their organisation's approach to anticipated challenges as reactive compared to IT managers and IT directors (10%), for example. Conversely, those in the IT department think their organisation has a more proactive approach (75%) compared to 42% for C-level executives and 31% for VPs.

Whilst the number of defeatists amongst IT managers is identical for both anticipated and unanticipated challenges, the figure jumps from 5% to 16% for C-level execs and from 13% to 25% for VPs. This suggests that those in senior management see less benefit in spending time and resources preparing for unknown and unexpected outcomes which they don't believe they can properly prepare to meet in the first place. This may stem from a greater confidence on their part in the organisational resilience policies and strategies in place, a confidence which is not shared by those in the IT department, who fall back on detailed plans and processes as a result.

Failure to integrate standalone elements risks undermining overall resilience

Organisations exhibit different levels of adoption when it comes to the key elements which underpin resilience frameworks. But while some individual processes have already been implemented, in many cases this has been done on a point-by-point basis with little or no strategic or tactical integration with broader organisation-wide policies. This is particularly true for physical security, adopted by 67% of UK organisations but integrated strategically by only 36% and tactically by 39%, a clear indication that physical security is often treated in isolation and not included within resilience policies by up to a third of those polled. A similar disparity emerges for IT disaster recovery, but other elements see a closer correlation between adoption and integration. Risk management and business continuity appear far more likely to be integrated into wider organisational resilience frameworks from their inception, for example. Indeed, amongst larger companies employing 5,000 or more people, the adoption and strategic integration of risk management and business continuity are identical.

And while information security shows a low level of strategic integration, tactical integration is much higher. This is probably down to a UK regulatory framework with the power to levy large fines for data security breaches, forcing organisations to apply a reactive approach that deals with incidents as and when they are discovered rather than when they actually occur. Marginally more of those in senior IT department roles (usually tasked with greater responsibility for ensuring data security) feel that information security processes and functions have been adopted, but significantly fewer judge them to have been deployed tactically compared to those in the C-level group. So whilst on a purely practical level measures have been put in place, IT managers and directors do not necessarily feel that these have been implemented with any firm resilience goal in mind.

High engagement in horizon scanning, flexible working and relationship/risk management

There are generally high levels of IT involvement in facilitating horizon scanning, flexible working, relationship management and risk management functions amongst UK organisations, with only around a third of respondents reporting little or no contribution from the IT department in each case. The outlook is mixed when considering whether those functions are enabled by standard IT tools, however, with only around half believing this to be true for all four functions. The same pattern emerges for advances in IT driving risk management and flexible working, with a roughly equal number of respondents again judging this to be the case. But marginal splits do appear for relationship management and horizon scanning. Only 42% indicated that new technology is leading relationship management activity, for example, and 45% horizon scanning, findings which suggest that these two functions at least are perceived to be driven by other determining factors to a greater degree.

Smaller companies employing 1,000 people or fewer appear to rely more heavily on IT support for all four functions, where perhaps the lack of in-house staff forces a greater dependence on technology platforms to support specific initiatives. It is the bigger companies (45%) which are more likely to see no or limited involvement from IT for horizon scanning in particular, indicating that the effort involved in daily management and maintenance of larger-scale IT infrastructure ("keeping the lights on") means few have the time to predict or prepare for challenges.

Appraisals of IT support for horizon scanning also vary significantly by job role, with only 38% of IT managers and directors considering this function to be enabled by standard IT tools compared to 63% of C-level executives. This may suggest that IT departments do not consider this to be part of their remit, and/or that senior management believes available technology to be far more useful than it actually is. When it comes to IT involvement, those actually working closely with the IT department also feel they have more input into all four functions than do the executives.

Effective leadership, compliance and IT infrastructure present the biggest tests

Those taking part in the survey see the three most significant challenges to achieving organisational resilience as effective leadership (78%), compliance with external national or industry regulation and internal governance rules (77%), and IT infrastructure (76%). A slightly smaller number (71%) rate staff education, motivation and preparedness as a challenge, which again indicates many may be unhappy with current resilience attitudes and knowledge amongst their employees. Support from external business partners is thought less of an impediment by comparison but is still considered a significant challenge by over half of those polled.

It is the largest companies (5,000+) which see IT infrastructure as the most significant challenge, indicating that current technology platforms may be holding them back in some cases. This category inevitably attributes more significance to compliance too. This is perhaps no surprise given that the scale of their operations and revenue makes them most likely to be governed by national regulation and/or internal guidelines around data security, business continuity and financial management to which they are expected to adhere. There are additional industry-specific rules and regulations that outline compliance requirements for companies operating in the financial services, insurance, healthcare and internet service provider sectors, which collectively make up 29% of the survey base.

It is also the C-level executives (a group which includes chief information officers and chief security officers, who are more likely to be given responsibility for implementing appropriate policies) who attach slightly more significance to compliance than IT managers and IT directors. They are also more likely to consider effective leadership as something that needs to be addressed, possibly because they attach more importance to that leadership and/or are in a better position to see where improvements could be made.

Many organisations are confident they are making good use of IT to support corporate resilience requirements

Respondents indicated that overall they were very confident that their organisations are making the best use of the IT systems, infrastructure and processes under their control to meet corporate resilience requirements. When asked to score that utilisation on a scale of one to a hundred, the mean score was 73, though the headline statistic masks a wide variation of responses beneath it: 21% rated IT utilisation in support of resilience at 90 or over, and a small minority (7%) awarded no points whatsoever (zero). The feeling was very positive across the board, though, and there was little significant variation according to job role: the scores are almost identical for IT staff and C-level execs at 73 and 71 respectively and dip only slightly for the vice president category (63). The only significant difference of opinion comes from a slight disparity between larger companies (those employing 5,000+ people) and mid-size organisations. Whereas the former rate their utilisation at 78, the latter gave a score of 69, indicating that the size of the IT estate does make a difference to how well it can be harnessed in support of corporate resilience requirements.

Those working in the IT department may be in a good position to judge the extent to which technology is supporting those requirements, but it is possible that they are erring on the side of complacency and/or have a tendency to overstate the case to maximise the importance of their own role in supporting broader corporate resilience requirements. The question of just how much visibility and understanding of the underlying platforms other respondents have should also be considered, especially given that responses elsewhere in the survey indicated that little more than half of those polled believe certain functions are either enabled, or driven by, advances in IT. In some cases, however, the IT department may have only just begun to contribute to organisational resilience in any meaningful way. Whilst IT departments are thinking harder about how best to use technology to support resilience, gaps in their understanding are still to be bridged.

Leadership and unity of purpose well developed but still room for improvement

None of those taking part in the survey rated a range of key resilience indicators as very immature, suggesting that at least some effort has been put into establishing appropriate organisational resilience frameworks, though the precise extent of progress varies. Most organisations do not appear to believe that their current resilience frameworks are as efficient or advanced as they could be. Less than half rated leadership (40%) as very mature, for example, perhaps not surprising when we remember that 39% identified effective leadership as their single most significant challenge. A similar number (41%) rated unity of purpose as very mature, suggesting that there is still work to be done in making sure organisational resilience policies are consistently understood, appreciated and applied uniformly by all staff and business divisions. Those ratings slip further for an established proactive posture (33%), innovation and creativity initiatives (32%), situational awareness (29%) and availability of internal resources (28%), indicating that two thirds or more feel these indicators also exhibit room for improvement.

A marginally higher number of smaller organisations (employing 1,000 people and under) consider leadership (48%), a proactive posture (45%) and internal resources (39%) to be at a very mature stage of their development, indicating they are slightly ahead of the curve in this respect. But the number of larger companies (5,000+) that believe they have established a very mature proactive posture for organisational resilience dips to just 16%.

Again, however, the starkest contrast comes from comparing the responses of IT managers/directors and C-level executives. Significantly fewer of those working in IT management rate situational awareness (13%), innovation and creativity and internal resources (15%), unity of purpose (20%), and proactive posture and leadership (25%) as very mature. Furthermore, IT managers and IT directors are far more likely than their colleagues to see almost all of these indicators as immature.

Equal importance attributed to planning, knowledge, decision making, partnerships and staff engagement

On aggregate an equal amount of importance is attached to a range of approaches deemed helpful to establishing effective resilience, including planning strategies (cited as most or very important by 86% of those polled), leveraging knowledge (85%), decision making (84%), staff engagement (83%) and establishing appropriate partnerships (83%), whether with external business partners or internal staff. The focus on stress testing plans is less pronounced, indicating that some organisations may be leaving themselves less adaptable to change by failing to implement adequate training programmes. Nor does the breaking of departmental silos attract the same level of priority, possibly because some organisations take a more centralised approach to business administration which sees fewer divisions or business units in operation in the first place.

Again, those working in IT management are particularly ambivalent when it comes to breaking departmental silos compared to their C-level and VP colleagues, with 23% rating their organisation's approach as the least important. They are also less likely to perceive any significant emphasis on every other type of approach listed, with the single exception of planning strategies, once more highlighting the gulf in understanding and appreciation between IT managers/directors and C-level executives in particular.

Alternatively, it may be that departmental silos, if managed correctly from a strategic perspective, do not present any great impediment. Certainly, it is the largest companies employing 5,000 people or more (arguably those more likely to have separate business divisions by virtue of scale) which attach the least amount of importance to this approach. This suggests either that they have already implemented cross-departmental strategies and are confident that nothing more needs to be done, or simply that they do not feel it would be helpful to break those silos in the first place. By contrast, smaller firms appear to place more significance on establishing effective partnerships and stress testing, another indication that they do not have the resources to co-ordinate resilience alone and place more emphasis on preparation and prevention rather than cure.

Conclusion

The research findings indicate that IT managers and directors in particular are often out of step with their C-level and vice president colleagues when it comes to judging current standards of corporate resilience within their organisation. Technology can play a key role in supporting resilience objectives but is not always doing so, and the implementation and maintenance of a suitable underlying IT infrastructure is seen as one of the biggest challenges to achieving organisational resilience. While IT is heavily involved in understanding and managing risk, relationship management, flexible working and horizon scanning, for example, these functions are only enabled by standard IT tools or driven by technology advances in roughly one out of two cases. Equally, where measures to address physical security, IT disaster recovery, information security, crisis and risk management, and business continuity have been widely adopted, they often operate in isolation and see little integration.

Most organisations give their current use of IT in support of resilience objectives a high rating, but this does not mean they believe their current resilience frameworks are as efficient or advanced as they could be. Other areas with room for improvement include establishing an effective leadership team, meeting compliance requirements, and training and motivating internal staff to be better prepared to meet challenges. Around three quarters of those taking part in the survey considered that they took a proactive or preventive approach to dealing with anticipated challenges by preparing themselves to meet them in advance. Yet others react to incidents only when they happen, or do nothing in the expectation that any action they take will be ineffective. And any confidence in taking pre-emptive measures to meet anticipated challenges plummets when it comes to dealing with unanticipated incidents which they cannot see coming. Nor is the focus on stress testing plans as concentrated as it could be, and some organisations may be leaving themselves vulnerable to failure by not building adequate verification procedures into their resilience policies.

Establishing and maintaining effective corporate resilience strategies across large organisations is never going to be easy, not least because of the countless sources of potential disruption and risk which could affect a company's survival at any one time. But the key to success may depend on extending policies beyond the realm of IT and uniting physical security, risk/crisis management and business continuity under a single framework. Above all, it is about making sure that everybody involved, regardless of the job they do, knows what the business is trying to achieve and is happy to work together in implementing a standard, uniform approach.

Sungard Availability Services provides managed IT services, information availability consulting services, business continuity management software and disaster recovery services. To learn more visit

Global Head Office: 680 E. Swedesford Road, Wayne, PA
EMEA Head Office: Unit B Heathrow Corporate Park, Green Lane, Hounslow, Middlesex TW4 6ER +44 (0)

Trademark Information: Sungard Availability Services is a trademark of SunGard Data Systems Inc. or its affiliate used under license. The Sungard Availability Services logo by itself is a trademark or registered trademark of Sungard Availability Services Capital, Inc. or its affiliate. All other trade names or trademarks used herein are the property of their respective owners. Sungard Availability Services, all rights reserved.