To many respects, COVID has changed everything. I like to say it put us all on a new space/time continuum because we will never get back to "normal." Instead, we will eventually get to a "new normal" with regular waves of COVID like the seasonal flu.
As many of my neighbors are fighting COVID-19 at this very moment — some for the second time — I believe we will continue from here a bit more careful and cautious. For example, I went to my third conference recently and tried to keep a mask on for most of the conference. Clearly, I couldn’t do this completely. With this said, how should organizations consider risk after the crisis?
I asked CIOs.
Creating Better Readiness for an Ever-Changing Future
CIOs had many thoughts about what we all had just gone through and about managing the risks that remain on the horizon. Miami University CIO David Seidl captured most people’s reactions when he said, “the risks we thought we were facing — a few weeks of remote, etc. — turned into a multi-year shift, huge impacts to our businesses, changes in society plus culture, long term health issues for many, mental health concerns that we will see for year."
In terms of how organizations managed themselves during the crisis, the answered is it depends. Some CIOs are candid to say there wasn’t as much planning during the pandemic. For the less mature and less agile, there was much more reacting. For this reason, it is critical that these CIOs provision now for flexibility and redundancy at scale in the future.
Related Article: How Can CIOs Manage Strategy Through Uncertainty?
Risk Needs to Consider People
CIOs are clear that corporate risk approaches cannot be just about technology being up or down. CIOs believe people should have always been part of equation and should now receive even more attention in risk planning. Process is critical, but so is how people manage risk and processes. Many CIOs are clear people are the answer. For this reason, we have to do a better job at risk planning.
Additionally, CIOs claim dynamic risks require greater empowerment of employees. This includes the ability to make faster, short-term decisions. As well, the crisis brought front and center the currency of employee skills. Without question, the organizations that did the best kept their employees learning.
Risk Is Complex, and Change Is Inevitable
CIOs assert that risk planning needs to consider many factors, not just one. As well, CIOs and business leaders need to take a more objective approach to risk management. Part of this is that organizations shouldn’t think they know what type of a risk event could happen.
Additionally, CIOs believe the crisis showed how tech debt and complexity can impact risk. They believe, in fact, that complexity multiplies the impact of risk for an organization. For this reason, it is important to focus now on simplifying what you can. This includes creating business flexibility.
At the same time, change is inevitable and remains the only constant. Today, CIOs claim the speed of change is increasing. At the same time, they stress there is no such thing as being totally ready. For this reason, CIOs believe business leaders need to embrace the ambiguity. They need to make certain they are comfortable with the unknowns including the unforeseeable. CIOs suggest as well business leaders be on first-name basis with the monsters in the closet and own their demons.
CIOs, also, said something unexpected. They said that crises happen all the time in IT. CIOs every day have to deal with micro-crises such as a technical issue with a business service and evolving macro-crises including digital transformation and pandemic. For this reason, CIOs say they need to operate for the micro crisis and plan-invest-execute for coming macro crisis.
Related Article: CIOs: Time to Sense Transformational Needs, Create Agility
Learning From Mistakes Made
CIOs say it is important that their organizations determine what worked and what didn’t work during the crisis. At the same time, it is time to move the organization — especially IT — out of heroism mode. This may have helped in the early days of the crisis, but it is no longer healthy.
In terms of taking stock, CIOs say it is important to create a safe place to talk about and learn from the mistakes made. The starting place for this can be finding people who are willing to publicly talk about their own mistakes. To make this work, it is important to build a process to get to the root cause of the mistakes without placing blame. With this, it is critical to fix stuff and reward those who do this. CIOs need to be patient in this process. CIOs suggest as well that for experiments or projects, it is important to fail early because failing later has higher costs and consequences.
Planning for Risk Needs More than IT
It has become abundantly clear during the crisis that IT isn’t an island onto itself and that the risks associated with a crisis require more than IT. Risk planning today has to be more comprehensive than "call IT."
One CIO suggested that one of the big corporate pathologies of the last 20 years is just to give things that nobody wants or are hard to think about to IT just because it touches, could touch, or might touch technology. As we all learned during the crisis, without a process for effectively accommodating and protecting humans, you set your business up to fail.
Related Article: Clearing the Path for Future CIOs
Dealing With the People Risk
While a short or simple outage may only require a note to the team saying this application is down for the next few hours, COVID-19 brought to the forefront what few were willing to verbalize. People matter during any crisis.
I remember a few years ago an insurance executive telling me about the impact of a network outage for the claims department. The network being down meant the claims application was down and that meant after a few hours they sent the claims department home. To be clear, the technology issue shut down the claims process because there are no longer paper workarounds. And even worse, they had to have the department come in over the weekend to make up the work that wasn’t done. Clearly, COVID was much worse and multiplied the human impacts significantly.
At the same time, for the IT teams that kept everything running during the crisis, it is important to keep these people safe and give them the ability to relax from the increased stress levels required to respond to the crisis. For this to work, CIOs and other business leaders need to provide and model self-care. And provide opportunities for this to occur. At the same time, it is important to train people proactively and continuously.
Disaster Prep Pays Off
As CIOs look back, their efforts at disaster preparation paid off. Disaster prep, for them, was like insurance. It is better to have it and not need it than not have it and need it. Organizations who had invested in and regularly conducted disaster recovery and business continuity planning, testing, exercises were better prepared. CIOs suggest that pre-COVID existence of quality disaster recovery/business continuity planning was linked to better business results. CIOs believe that these firms, even if non-pandemic scenarios, were much better equipped to handle the crisis.
With this said, CIOs claim that it is more important to prepare for the unexpected. This includes knowing that 100-year events can happen. At the same time, CIOs say that it is important to have flexible plans for different types of events.
Parting Thoughts: Agile Organizations, Leaders Will Win
It seems clear now that those that handled COVID-19 were better prepared. They consider the risk as a part of their business strategy. They were more change-ready by having dealt with their complexity.
And finally, they actively consider disaster recovery and business continuity as part of their business planning. The agile clearly will inherit the earth. As well as those that consider people in their planning and protect them now for the new normal is front of them.