Disaster-Resource.com

Overseeing BCP: Just One More Reason to Consider CIOs as Directors
By Jory J. Marino and Michael C. Nieset

While spectacular corporate meltdowns were leading to Sarbanes-Oxley, a series of other cataclysms dramatically emphasized the risk of business disruption – and put business continuity planning on the front burner for boards. Y2K, though it proved to be less than met the eye, first sounded the alarm, followed shortly by 9/11, which highlighted the vulnerability not only of computer networks but also of phone, power and transportation systems. A literal meltdown with the power outage of August 2003 renewed fears about the stability of the electrical grid. Continued globalization exposed companies to more risks in more places, while political instability, including war in the Middle East, turned many risks into reality. Hurricane Katrina is only the latest and surely not the last of these cataclysms.

Following these upheavals, an increase at the global, country and state levels in regulatory requirements for disaster recovery planning (DRP) and business continuity planning (BCP) has heaped new expectations for the scope and quality of oversight on directors’ shoulders. Although directors are not responsible for directly managing and planning for calamities, no board will enjoy the scrutiny that is sure to follow for having failed to ensure that an adequate business continuity and disaster recovery plan was in place. To meet this complex new responsibility, boards should consider a relatively new kind of board member – a current or former CIO. Just as corporate boards have sought financial experts to meet their expanded fiduciary responsibilities in the SOX era, they must also now be prepared to extend seats to current or former CIOs who are best able to exercise oversight of disaster recovery and business continuity planning.

Although the value CIOs bring to such oversight may be insufficient by itself to justify adding them to boards, that expertise joins a growing list of areas in which CIOs can make significant contributions as directors, including their valuable knowledge about how to maintain compliance with today’s rigorous business, financial management and reporting requirements. A CIO’s enterprise-wide understanding of business and technology-driven business strategies could prove invaluable in stewarding a company through a natural disaster or terrorist attack as well as contribute substantially to the board’s understanding of risk and information security.

A Dearth of CIO Directors
Nevertheless, only a handful of companies now include CIOs on their boards. Heidrick & Struggles’ research shows that among the Fortune 1000 companies only 15 have a current or former CIO as an external director. Why this dearth of current or former CIOs on boards, despite their fitness to contribute in many areas of oversight?

Part of the answer lies in perceptions. Board members and CEOs often see CIOs as exclusively concerned with operations and find it hard to imagine them moving from the server room to the boardroom. More narrowly still, CIOs are often seen as technologists, not strategists. CEOs want to learn from board members and often feel that CIOs have nothing to teach them about business.

CIOs also lack visibility in the networks in which CEOs and board members move and from which they choose directors. Many companies like to add high-profile names to their boards – and that usually means a celebrated CEO. Even the obvious ability of CIOs to exercise oversight of disaster recovery and BCP is easily discounted by companies who may erroneously believe that creating a plan and signing on for backup sites are one-time events rather than part of an ongoing oversight process.

A Compelling Case for Inclusion
With companies increasingly restricting the number of boards on which their CEOs can serve, the pool of qualified director candidates is shrinking. CIOs can significantly enlarge that talent pool. For despite all of the negative perceptions of CIOs, those with the right combination of experience and talents can make substantial contributions in a wide variety of areas – especially risk management and compliance as well as business strategy – which, taken together, add up to a compelling case for adding a CIO director.

Since the 1990s the financial control processes that now loom so large in SOX compliance have resided in ERP systems, presided over by CIOs, who can provide unique understanding of how to apply those systems to SOX. The best of these CIOs also know how to go beyond mere compliance to automate business processes and financial controls to drive down the enormous costs of compliance.

Data security has also moved to the forefront of risk management, largely as a result of high-profile security breaches at information companies, credit card companies, and banks, elevating concern about protecting the public’s personal information. Companies that fail to exercise diligent oversight in this area put their reputations and their business at risk. CIOs have not only been on the frontlines of data security, they also understand that ensuring data security encompasses links in the technology supply-chain that extend far beyond the company’s control.

In matters of strategy and business acumen, the nature of global business and technology today ensures that CIOs in large, global and complex organizations have acquired skills and understanding that far exceed the purely technical. Global businesses today operate complex supply chains, manage a variety of captive and outsourced service providers, and manage multiple distribution channels and customer touch-points. In all of these activities, technology plays a central role, providing the CIO with an enterprise-wide view of business – and an enterprise-wide view of risk management.

“As businesses continue to transform from batch to real time, risk management extends beyond traditional BCP/DRP to include a CIO’s ability on a board to provide a point of view and oversight on information, reputational, project execution and acquisition risks,” says James Dallas, Audit Chair, KeyCorp and former CIO of Georgia Pacific Corporation. “All of these issues have technology at their core.”

Finding the Right CIO Candidate
In our experience, CIO director-candidates with the breadth of business and technology understanding that is required to make a real contribution to board deliberations are most likely to come from large companies, like the Fortune 250. In these global, complex organizations the role of the CIO has evolved into a position that today combines traditional technology responsibilities with the general management responsibilities of a COO. These CIOs may negotiate deals on behalf of the company with a variety of third parties and outsourcing organizations or they may create a captive outsourcing organization. To perform successfully, these CIOs must be able to integrate their mastery of technology, understanding of business processes, and thorough knowledge of the business and industry into a comprehensive vision of the company and execute against it. In the largest companies they will often know more about the company’s business operations than business line managers or even the CEO.

Not surprisingly, many CIOs have come up through the technology ranks and then stepped into broader general management roles like COO or president of a business unit or large division. The president and COO of one of the world’s most successful internet companies served as chief technology officer in his previous company, joined the internet company as CIO, rose to his present position and was recently elected to the board of a public software company. Sometimes the career trajectory runs in the opposite direction. The CIO of a leading building materials company came up through finance and then moved into technology mid-career and now sits on the boards of two companies.

But whether an individual moves from technology to general management, general management to technology, or acts as a CIO whose role is almost indistinguishable from that of a COO, the lesson remains the same: The success of large companies today greatly depends on top executives who can operate effectively in both spheres. Boards can reflect that new reality by considering candidates who have:

Operated an organization of scale, where scale may be defined in terms of geography, complexity of the business, multiple business units, or overall size in revenues, capital investments, and budgets
Demonstrated strong financial and operational skills as well as knowledge of the business and industry
Addressed operational and business risk across the many vulnerabilities in a complex, global organization
Moved up in a progressively responsible CIO career and later stepped into a full general management role, or moved from general management to absorb technology responsibilities
Presided over an operation as it globalized its business and customer base and addressed the impacts of sourcing and offshoring
Delivered significant business value

Such candidates not only have a broad perspective on business, but they can also broaden the perspective of boards at a time when effective oversight and risk management require a comprehensive, integrated understanding of business and information technology. Such directors may not only help ensure business continuity following disasters but also – contrary to narrow perceptions of CIOs – help avert business disasters.

About the Authors
Jory Marino is Managing Partner of Heidrick & Struggles’ Global CIO practice and New York-Park Avenue office. Michael Nieset is a Senior Partner of Heidrick & Struggles’ Technology and Board of Directors practices. The authors can be contacted at jmarino@heidrick.com, mnieset@heidrick.com or by phone at 312.496.1345.

Reprinted with permission from Directors & Boards’ Boardroom Briefings. Directors & Boards' Boardroom Briefings series is published quarterly by MLR Holdings LLC. For additional information on scheduled topics and sponsorship, please see www.directorsandboards.com or contact Scott Chase at 301/879-1613 or scottchase@verizon.net.