OC CIO Roundtable Minutes 6-12-08

Southern California/Orange County CIO Breakfast Round Table
June 12, 2008 meeting

Present: Larry Godec, Jeff Reid, William Zauner, Tak Fujii, Randy Farner, Rich Hoffman, Jim Sutter, Jennifer Curlee, Joe Cracchiolo, Subbu Murthy, Sean Brown, Jeff Hecht, David Mann, John Pringle, Dave Phillips

The minutes of this and prior breakfasts are available online at the Peer Consulting Group’s website, www.peergroup.net, with links to the host’s presentation material, when available. Please provide us with the “url” of your presentation materials.

Topic: Business Continuity Program

When Larry Godec, First American, worked at Nissan, he put together a BCP for them following 9/11. When he joined First American, he built on those ideas to put together an Emergency Response (ER), Disaster Recovery (DR) and Business Continuity (BC) program, in response to the Florida hurricanes, which wiped some of their offices in FL off the map. The ER ensures the safety of employees and the security of facilities. The DR restores the technology infrastructure following an event. The BC ensures the preservation of revenue through continuity of operations following an event. They have about 1400 offices in the US, and they have organized the program by region. Each region (now 10) has a business line continuity officer (BLCO), whose function includes documentation of BP flows, identifying recovery teams, each with fully defined tasks, recording all critical contact data, posts all material on the unit’s Sharepoint page, and facilitates annual review of plans and tabletop testing. The corporate office role (in Corporate Security) is to integrated plans, train BLCOs, perform periodic assessments and report to executive management. Read Larry’s handout to get a more complete feel for the four phases involved in the planning process. An event is defined as 40% workforce shortage, technology and facility unavailable, and critical vendor failure. The plan requires that you define objectives and the command process, identity recovery teams and detailed tasks, define the communications strategy and complete documentation. Larry’s handout shows samples, templates and storage. They use LDRPS, a system by Strohl, to manage the plan.

We asked the members to describe their BC plan, if any, and to highlight the most important problem they had in dealing with this issue.

Jeff Reid, Toyota Material Handling, said that they do not yet have a BC plan. Their problem is a lack of organizational maturity. Formed in 2003 and built for speed, they have too many other things to fix first, such as developing an IT governance approach, and a DR approach. At Western Digital they had both a DR and BC plan. At Conexant they had developed a BC plan, but when Jazz was spun off, it changed everything. That highlights the major challenge – trying to stay current with all the business changes.

William Zauner, JAMS, said that they do have a DR and BC plan and had a building in downtown NY, which was affected by the 9/11 attacks. However, they have found that the small problems cause most of the BC events. Recently on the same day, they had a bomb scare which shut down their DC office, and a fire, which affected their backup office in Boston. What they have found to be critical are the people, judges and phone systems, not the computer systems and infrastructure.

Tak Fujii, Olson Company, they are a small company but do have a BC and DR plan in place as the owner put a lot of emphasis on them. However, only the DR system is kept up-to-date. The BC has not been tested for 4 years, people have changed and contact data is out of date. Thus the IT department becomes the BC resource, by default.

Randy Farner, Vitreous Solutions, agreed with Tak that the IT group used to be the default group – no one in the business seemed to care. Things changed at the Auto Club after the Houston hurricane. They developed an emergency response team, with joint ownership by the business, HR and IT.

Rich Hoffman, ex-HISNA, said that plans are great but in the end, it’s the people who are the most important element. He mentioned a talk given by the CIO of the city of New Orleans, who said that when Katrina hit all their plans were rendered ineffective. It soon became survival first, food and water second, and everything else a distant third. At Yamaha, they did some planning but never put it into the job description, and so no one was made responsible. At Hyundai, when the roof fell in, they had to keep people out, and didn’t have an 800 # for employees to call to find out the latest status.

Jim Sutter, Peer Consulting Group, agreed with my opening comments that BC seems to be a great opportunity for the CIO to show business acumen and executive potential. He mentioned how Dave Kepler at Dow Chemical is now Chief of Business Sustainability, responsible for not only IT but for all Dow’s Green activities and raw material availability. At Rockwell’s auto parts company, which was contracted to provide sunroofs to VW in 35 seconds after receiving the order, BC has a totally different meaning. In IT they had a back-up data center in Dallas until changes in the world political climate (when the Berlin Wall came down) caused a major business reduction. They eventually phased out the back-up center and went with Sunguard.

Jennifer Curlee, Surefire, said that BC has all sorts of implications for a manufacturing company. They have started on a BC project, headed by a retired business executive. IT is working on a DR plan first. They store all documents on Iron Mountain. Their defined event is a 7.9 earthquake.

Joe Cracchiolo, FluidMaster, said that they built a BC/DR plan 5 years ago. It has become an IT responsibility. Their event envisions that most of the current staff will be engaged in saving their own family unit. Their major problem was how to build a plan for someone from the outside to execute. Another fact is that the technology has changed significantly since they first built a plan, and through the years, the IT challenge is not as significant. Being out of action for 12 hours is not a real problem, but it can affect customer confidence.

Jeff Hecht, Word & Brown, said that they do have DR (plan and tested), using Sunguard as a last resort. They don’t have a BC plan. They have tried to think through 3 scenarios – HQ gone, Data Center gone, and both gone. There is a difference between some availability, and a complete disaster. In the end, it’s the people who will make the difference.

Subbu Murthy, USourceIT, said that 90% of disasters need a DR plan, not a BC plan. The changes in technology allow for shared services, and building a DR will be much cheaper. A lot of it is common sense, and paying attention to the potential problem goes a long way to solving it. It should be a regular agenda item, not an annual event. He favors using scenario planning.

Sean Brown, RJTCompuquest, agreed with the CIO from New Orleans. When real disaster hits, it’s survival first, then food and water. A massive event is unlikely, so plan to recover from smaller events that will happen.

John Pringle, RCMT, said that they do have a BC plan, which was as a result of becoming SOC compliant. They are a regional office, and rely on corporate for back up. Their major need is to have an ability to print checks. They back up their Oracle clients with Sunguard. They devised a 3-tiered approach for each client and all their clients opted for level 1!

This was a great topic, and a lively discussion. Thank you, Larry, for a great introduction and handout.