October 10, 2006 By Craig Grivette
Ironically it may not even be one of the more egregious potential ironies for government IT in supporting crisis situations.
How are government IT organizations prepared to respond to increasing threats of terrorism, a pandemic outbreak, or the next natural disaster, such as an earthquake or flood? I am not talking about the National Guard, the Office of Emergency Services, the Office of Homeland Security or the State Highway Patrol -- whose roles are well defined -- but rather the departments of Financial Institutions, Motor Vehicles, Finance, Consumer Affairs, Employment Development and many others that may face the daunting question: How will we continue to operate if a pandemic is announced?
Can government leaders confidently say their CIOs have a plan to keep the work force connected and serving the public?
"Government entities outside the first-responder community have not historically looked at this issue from a risk management perspective," said Kelvin Pye, deputy director of the California Department of Technology Services. "In IT we are typically funded for normal operations, not the extraordinary circumstances of a major event. People may have false assumptions about what capability really exists to respond."
Few, if any, organizations have the luxury of funding response plans for specific emergency situations. In the aforementioned example, it is unlikely -- and impractical -- that health services Web sites be designed for peak capacity based on the theoretical possibility that the need would arise during a pandemic bird flu outbreak or other crisis.
Additionally many state government departments and agencies can hardly deal with the complexity of managing the technology they have today, let alone take on new challenges, such as those presented by homeland security threats or other emergency situations. Estimates show that a typical IT organization can spend 80 percent of its budget simply managing existing systems and applications.
When reviewing mandates across the country, it is generally required by administrative oversight that each department or agency have some form of disaster recovery or operational resumption plans. But these are almost universally limited to isolated circumstances (e.g., a building evacuation). Few consider regional events that may displace not only their staff, but also the staff of allied agencies and departments on which they may be interdependent. Even fewer really test or exercise these interdependencies.
Business continuity or recovery services should be planned commensurately with the potential impact, which is often not fully considered. When the Bank of New York, reportedly the largest government securities broker at the time, experienced a 27-hour IT outage in 1985, the bank was forced to borrow $22 billion, which ended up costing its insurers almost $5 million in increased interest charges alone. That was a direct impact.
Consider the indirect impact of a failure in a state-run eligibility system, like Temporary Assistance for Needy Families. Not only could billions of dollars not make it to families in need, but the impact to the economies in which they live could be considerable, and the local and state government themselves could lose millions in sales tax revenues. Operational recovery should be about risk management, but today it appears to be about filing a report and exercising a script on an annual basis.
But the situation is not hopeless. Two promising broad trends are emerging. First, more organizations are finally giving up on the specific response plans around certain hazards -- e.g., mudslide in Denver, levee break in Sacramento, Calif., bomb threat in Austin, H5N1 Pandemic in Tallahassee, Fla. With the notable exception of the Department of Defense, which maintains extensive war plan options for each region and each scenario, most government entities have no capacity to cover so many permutations, and have found investments in all hazards planning to be far more productive. The second trend involves "emergency preparedness friendly" technologies that have matured over the last decade, driving other business initiatives that have everyday value, not just in the event of the unexpected.
"We can't plan for each hazard individually as well as we can plan for them all at once," said Dan V. Johnson, former director of Minnesota State Homeland Security. "For most agencies, generalized response capability has a much higher return on investment than specific solutions." Johnson contends that it's about time state and local jurisdictions realize more fully that they are already spending a lot of money on general purpose IT investments that are simply not aligned around emergency preparedness.
"For example, e-mail systems that are used every day can be a very effective way of reaching out to all state employees after an event," he said. "Unfortunately many states have not viewed e-mail and other collaboration tools as part of the emergency response efforts and tend to be in silos."
All hazards include those that occur naturally, as well as those that occur as a result of human interaction, both intentionally and unintentionally. Examples include:
Government's reputation for trailing the private sector in IT is usually discussed with a disapproving eye toward change. The flip side to that has typically been a critical view of the private sector, chasing one fad after another -- where are dot-coms now?
The reality is that neither sector is perfect, but that government may have benefited nicely from a number of investments made from failing business concepts such as the application service provider market and storage service providers. Neither took off as independent business models, but both made major advances in technologies that are now useful to all large enterprises, including government.
Enter the Resilient Government
Numerous trends in the way government agencies work and interact may be pivotal to CIOs' ability to build an adaptive, resilient government.
This number continues to grow at the federal level and has skyrocketed in the private sector. According to the most recent census data, the rate of job growth in telecommuting is twice that of conventional on-site positions. State and local governments that allow or encourage it have found they are more competitive as employers for the top talent in the industry.
Too often, fieldwork in law enforcement, regulatory investigations, health care or other mobilized functions is restricted to the office. Public-sector agencies that untether their staff are finding more work can be done with the same work force with higher levels of satisfaction compared to fieldworkers who must return to their office to do paperwork.
These trends are not new. Indeed, each has been evolving over the last decade or longer. The point is, there are well established trends based on multidimensional factors that are encouraging a more agile working environment. Emergency preparedness doesn't have to stand alone. CIOs can align factors into a strategic plan rather than rely on happenstance to address the needs around emergency preparedness.
On the technology front, a set of technologies that enable a mobile, agile and resilient government have emerged and matured in a manner that would allow CIOs to address emergency preparedness as an integrated element of IT investments. "CIOs today have more technologies at their disposal than ever before, and unlike a few years ago, these technologies can now be deployed safely across the public and private sectors," said retired Lt. Gen. Harry Raduege, former director of the Defense Information Systems Agency. "Hackers love organizations that believe their information is safe behind the walls."
The following technologies have been battle tested in e-commerce, corporate enterprises and across government and have sound business cases surrounding their use outside emergency preparedness:
These technologies are not emerging: they have emerged. Yet their use in the public sector still trails the private sector because of the many challenges that face public-sector CIOs wanting to build and sustain a resilient organization.
What Can Public CIOs Do Today?
Realize that neither the federal government nor anyone else is going to drop a trunk of money at your door for your emergency preparedness program. Also realize that you may temporarily need to operate as a skunk works, doing the right thing but without any fanfare.
Never commit to getting to the perfect solution, but to making sure that each step your organization takes is a step forward. Organizations that wait for the big bang usually find themselves in the same place five years later. Baby steps will advance more quickly.
Take inventory from a preparedness perspective. Find out where you are already successfully using some of the potentially enabling technologies in your organization today. Celebrate those as case examples.
Figure out which are the oldest, most temperamental applications or business processes you have in the organization. Establish a small pilot to bring those to the Web.
Look at your IT procurement policies. See if they are preparedness-friendly. For example, consider the decision-making model around laptops versus PCs. Having more laptops in the environment will not cost much more, but could provide choice and flexibility down the road.
Look at your IT project approval process. Does the process require that an active project contribute to the overall agility of the organization? If not, then amend it. You can only move forward one project at a time. Make sure that each project helps build your agility and resilience.
Be open-minded and willing to participate in efforts bigger than you. If you are approached by another governmental entity about sharing infrastructure, say yes when appropriate. Obviously you have to respect your organization's mission and your commitment, but think hard about ways it could work. Don't focus on the 10 reasons it may fail.
Embrace existing programs that could be extended. For example, if your personnel organization has already incorporated a telecommuting policy, start to exercise it with your own staff. Lead by example. Hold more teleconferences and conduct more online meetings so that remote management skills are more commonplace.
Work to ensure that every person in your organization has periodic access to the computing environment, no matter how seemingly mundane or unrelated their assignment may be. Make sure they are getting e-mail services.
Help your colleagues on the emergency preparedness side of the organization look good. They will return kudos and support you.
In my experience, public-sector CIOs are already doing many of these things, but perhaps rethinking and recommitting to them with the goal of positioning the organization to be more resilient in the future, no matter what happens, is good practice for us all.
You may use or reference this story with attribution and a link to