Overseeing BCP: Just One More Reason to Consider CIOs as Directors
By Jory J. Marino and Michael C. Nieset
To meet this complex new responsibility, boards should consider a relatively new kind of board member—a current or former CIO
While spectacular corporate meltdowns were leading to Sarbanes-Oxley, a series of other cataclysms dramatically emphasized the risk of business disruption—and put business continuity planning on the front burner for boards. Y2K, though it proved to be less than met the eye, first sounded the alarm, followed shortly by 9/11, which highlighted the vulnerability not only of computer networks but also of phone, power and transportation systems. A literal meltdown with the power outage of August 2003 renewed fears about the stability of the electrical grid. Continued globalization exposed companies to more risks in more places, while political instability, including war in the Middle East, turned many risks into reality. Hurricane Katrina is only the latest and surely not the last of these cataclysms.
Following these upheavals, an increase at the global, country and state levels in regulatory requirements for disaster recovery planning (DRP) and business continuity planning (BCP) has heaped new expectations for the scope and quality of oversight on directors’ shoulders. Although directors are not responsible for directly managing and planning for calamities, no board will enjoy the scrutiny that is sure to follow for having failed to ensure that an adequate business continuity and disaster recovery plan was in place. To meet this complex new responsibility, boards should consider a relatively new kind of board member—a current or former CIO. Just as corporate boards have sought financial experts to meet their expanded fiduciary responsibilities in the SOX era, they must also now be prepared to extend seats to current or former CIOs who are best able to exercise oversight of disaster recovery and business continuity planning.
Although the value CIOs bring to such oversight may be insufficient by itself to justify adding them to boards, that expertise joins a growing list of areas in which CIOs can make significant contributions as directors, including their valuable knowledge about how to maintain compliance with today’s rigorous business, financial management and reporting requirements. A CIO’s enterprise-wide understanding of business and technology-driven business strategies could prove invaluable in stewarding a company through a natural disaster or terrorist attack as well as contribute substantially to the board’s understanding of risk and information security.
A Dearth of CIO Directors
Nevertheless, only a handful of companies now include CIOs on their boards. Our research shows that among the Fortune 1000 companies, only 15 have a current or former CIO as an external director. Why this dearth of current or former CIOs on boards, despite their fitness to contribute in many areas of oversight?
Part of the answer lies in perceptions. Board members and CEOs often see CIOs as exclusively concerned with operations and find it hard to imagine them moving from the server room to the boardroom. More narrowly still, CIOs are often seen as technologists, not strategists. CEOs want to learn from board members and often feel that CIOs have nothing to teach them about business.
CIOs also lack visibility in the networks in which CEOs and board members move and from which they choose directors. Many companies like to add high-
Boardroom Briefing: Business Continuity and Disaster Recovery