Tuesday, June 12, 2012

A Protagonist at the Harvard Business School

The faculty at the Harvard Business School wrote a case study about the November 13, 2002 CareGroup Network outage  and use the case to teach healthcare leadership in the MBA and Executive Education programs.

I'm often invited to sit in the back of the room as the "protagonist" in the case while the students discuss my performance during the crisis.

It's always enlightening to listen to teams evaluate what I could have done better - seeking help faster, enhancing infrastructure sooner, developing more detailed disaster recovery policies etc.

Yesterday, I spent the afternoon with 60 healthcare leaders at an HBS Summer Course recounting my feelings, anxieties, blind spots, and hopes during the early hours of the crisis.

They initially evaluated my performance with letter grades that varied between A- to C-.

Then, they turned to ask more difficult questions - What would they do in a similar crisis?  How could IT be better prepared for disaster?

They debated the balance between control and freedom, predictability and innovation, bureaucracy and agility.

After the class we had a great discussion about the era in which we live - organizations are increasingly matrixed and complex.  Accountability is clear but authority is not.  As CIOs we are responsible for ever increasing regulatory and compliance demands but we often lack the top down control of the global organization needed to enforce policies.

In 2002, the issue was infrastructure - lack of redundancy and hardware updates.

In 2012, the issues for CIOs are much more complex - mandates to control behavior throughout the organization (such as mobile device encryption) but challenging organizational dynamics to implement constraints on personal choice.  Infrastructure is no longer a pain point - the Cloud makes it all so simple…

The class speculated that survival as a CIO is very difficult in 2012.   Either the demands/expectation of the job have to change or the resources/authority needs to be increased.  

Given the evolution of challenges from 2002 to 2012, it will be very interesting to watch the next 10 years.   Who knows uncharted waters exist for 2022!

A great discussion with the class.


Adrian O'Connor said...

That case study was how I found your site; I liked what you implemented after the crises and the fact that you openly talked about the event itself.

I could easily have been one of the Techies on your Team so the whole event was very real to me. In my experience once the issues have been dealt with Management quickly forget about them and the resources that are needed to keep them at bay. You brought in some heavy hitting resources to compliment your team and setup structures to make sure it didn’t happen again.

The sad thing is that most organisations, certainly in the SME sector, have no idea how vulnerable they are. A single hacker can make mincemeat of the majority of IT departments. All companies should have IT Security Audits as mandatory in a similar fashion to financial audits.

Jim St.Clair said...

I still remeber reading about this in CIO Magazine. I would be curious to know if the students focused on the "simple" technical crisis or your leadership in the sitaution? For instance, I could perosnally never give a "C-" because I think your effort to educate after the fact was excellent. In many ways the IT scenario could be replaced with in-flight decision-making by a pilot, or even the technical aspects of the financial crisis.

Anonymous said...

I can say without a doubt, if more CIO's and CEO's or just leadership in general would practice the example you have set, the business world would have less risk to manage. It is a old saying that "Those who fail to learn from the mistakes are doomed to repeat them,". We continue to see business continue to run the gambit of risk only to find out that those risk could have been avoided, by practicing good risk management.

Hindsight will always be a blessing if only we could have seen the bigger problem before it happened.

At least you have decided to meet those risk/problems that pledged your organization head-on and fix them to ensure that the risk associated with them are minimize to the fullest extent.

Arm chair QB's come a dime a dozen, everyone can comment on how you could have better handled the situation, however, being prior military i can tell you when things happen unless you've practice an event over and over and over, the finale outcome will always be different then how you may have planned it (Murphey's law)