Steve Randich, CIO of Nasdaq, relies on regular tests of his data center's business continuity plans to remind his staff that enterprise risk management (ERM) is a core principle for the organization. About 3,300 companies are listed on the Nasdaq, which processes about 20,000 transactions a second and receives information from about 350,000 desktops and workstations worldwide. If Nasdaq cannot operate its transaction systems, it has to close the market. "We're then out of business," says Randich.
After 9/11, it took four months for Nasdaq to permanently relocate its New York City offices. The data center kept operating (although the government shut down the markets for four days), but Randich realized that the company needed a more detailed risk management plan. Nasdaq's new plan included the extra equipment it would need (such as desktops and Internet access), procedures for communicating with employees, and alternative work sites in case of a disaster.
We agree that the CIO should sit on the Enterprise Risk Management Committee, but we don't agree that the CIO should chair it. If any one person should be considered for that role, it is the head of Operational Risk: the person best placed to knit together the intersections of the physical and digital worlds, along with the human side of internal and external events.
Savvy Operational Risk Managers understand how the various kinds of risk the organization faces intersect, including risk from the companies in its supply chain and from the "Go-to-Market" plans for new marketing and sales initiatives. The CIO is a key member of the committee, and data certainly touches almost every part of the organization, but a CIO may overlook some of those facets of the ERM matrix.
If you don't have someone who is in charge of Operational Risk, maybe it's time to appoint or hire an executive for this vital position.