During an IS audit, I had the opportunity to observe a financial organization’s disaster recovery drill. They had planned to run the business from an alternate site for 1 full day. Since the audit was in progress, my team and I had an opportunity to witness the drill being completed successfully, including moving back to the original work site and continuing business as usual (BAU) operations the following day. Stakeholders organizationwide were elated at the result because drills are required for regulatory compliance and successful drills reflect a positive organizational image.
After the disaster recovery drill, our team’s audit continued for another week and completed with an exit meeting to discuss audit findings. The sense of euphoria derived from the successful disaster recovery drill still prevailed at the organization at the start of our exit meeting. When the chief executive officer (CEO) asked me for my opinion about the organization’s business continuity planning (BCP), I paused, as this question was not part of the agenda. The CEO insisted that he needed my informal opinion since I had witnessed the drill. I finally gave in and remarked, “In my opinion, your BCP preparedness score is a 3 out of 5.” The CEO was shocked. I had just deflated his euphoria. So he challenged me, “But my team feels it is 4.75 out of 5.” I replied, “I shall be glad to give you that score if you will allow me to pull the main fuse and then observe how smoothly operations continue.” This seemed to resonate with the CEO. He responded, “Now I understand what you mean. Can you suggest how we should proceed?” I suggested he identify a risk manager or chief risk officer (CRO).
I recounted this experience because this situation happens in organizations all the time. Even I have felt this way after the successful completion of a task. Unfortunately in this situation, I had to play devil’s advocate. It is normal to be happy when you achieve a goal—personal or organizational—but it is dangerous to become complacent. Being complacent can lure organizations into a false sense of security.
The answer to this issue is to be proactive. This means you must have a risk professional such as a risk manager or CRO in place to oversee risk management. A risk professional must be familiar with the environment and internal and external risk factors. An organization’s risk culture is one element risk managers cannot ignore. In the example given earlier, we could describe the risk culture as optimistic and unwelcoming to negative or apocryphal thoughts. But a risk manager is required to think pessimistically and act optimistically to balance the positive and the negative and bring clarity to facts. Facts supported with data can help identify the gaps that might have been missed while acting optimistically. In short, one should always stay grounded while celebrating achievements.
Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP, is a consultant and trainer in IT governance and information security.