May 2008 — PRINT EDITION    
 
   
 

In the event of tragedy

By Michael Mazengia
Illustration: Baiba Black

The death of a key staff member can affect operations and systems, which is why a business continuity plan is vital

Is your firm prepared for avian influenza? What about a fire at head office? Have you taken steps to ensure that your personnel and data are secure in the event of a hurricane, flood or terrorist attack?

Business continuity planning is a high priority for many businesses, but one wonders whether it overshadows a more obvious threat — the sudden loss of an important person in your operation.

Most CA firms are too small to warrant any more than two or three IT staff. In fact, many CA firms have a single person charged with maintaining e-mail systems, computer equipment, data storage and backup, vendor relationships and administrative passwords. Even where a team exists, duties are often segregated.

For executive committees and IT managers this raises the question: if something happened to one of your firm’s key IT people, could you continue to operate? The leader of the IT team at Mintz & Partners faced this very issue after an esteemed and highly important IT team member suddenly passed away.

The IT member was highly competent and had been given autonomy in many areas. In the weeks following the tragedy, the leader’s greatest challenge was not redistributing his friend’s duties but simply uncovering all of them. Coupled with this was the challenge of leading a team during an emotional crisis and handling his own sense of loss. What he learned can be applied in any situation where a key IT team member abruptly leaves.

Communication
How many telephone calls and e-mails do you receive a day from outside your firm? If a team member passes away, vendors, clients and even friends may continue to call or e-mail them. The person’s voice mail message should advise callers to contact a designated person — ideally the IT manager. The firm’s main receptionist may also receive calls for the deceased team member. Both of these people should be counseled on how to break the news to callers. Additionally, the person’s phone number or extension should not be assigned to anyone else in the firm.

The deceased team member’s e-mail address should be set to forward messages to the IT manager or an appropriate alternate. That said, it is recommended that firms use a single e-mail address for registering software. This way, if a person leaves the firm for any reason, the link with vendors will not be broken. Another link with vendors concerns the ability to open a ticket, or request, for technical support. Generally, vendors will permit only one or two people at a firm to formally request technical support and changing this list may require a formal letter from a manager or other representative of the firm. Also, look at the deceased team member’s calendar and determine whether there are any appointments that should be kept.

It is helpful to engage the assistance of professional counselors and make them available to all team members. In particular, their expertise should be sought when people — who themselves may be grieving — are tasked with breaking the news to vendors and other contacts.

Knowledge
Over time, individuals build up knowledge that is not easily transferable. This includes knowledge of different software programs and external and internal business relationships. To minimize the loss of knowledge that occurs when someone leaves a firm, a database should be maintained to record areas where IT members have developed particular expertise. Some firms prefer to use a wiki-tool (software that allows users to create, edit, and link Web pages) for this, making it easier for individual team members to maintain their sections of the wiki.

Technologists in particular adopt specializations. While this can be positive for skill development and job satisfaction, it is important to formally recognize these specializations and to ensure that one person’s specialization does not crowd out others from developing a working knowledge in the area.

What about the small team, in which one person’s workload could not be temporarily absorbed by the others? Consider identifying technologists among your non-IT staff. (For example, have at least one accountant in a firm with an extremely strong knowledge of IT systems in general.) By formally providing this person with a role in business continuity, you can eliminate many of the challenges associated with hiring a temporary worker.

Firms should also log all IT support calls and their resolution. Over a short time this will create a storehouse of knowledge for incoming IT team members to access. However, it is important that this does not become grunt work and that team members record relevant details about each call, with a minimum of jargon.

Keeping track
For many businesses, data is among their most valuable assets. Many firms store data offsite, and if the person responsible for doing this passes away, business continuity can be threatened. The location and content of all onsite and offsite data should be well documented. Any change in IT staff should be communicated immediately to vendors responsible for offsite data storage.

Because data is so critical to organizations, it may be wise to engage your firm’s chief operating officer, managing partner or other senior people in the relationship with the data storage vendor. In this way, amidst a tragedy, the highest levels of authority in the firm will have direct access to one of the firm’s key assets.

It is also important to perform audits of what data is securely stored. For example, do you know anything about the information that is stored on individual computer desktops? Despite the sophisticated applications with centralized storage that your firm provides, some people may be storing critical information on their computer’s desktop, or worse, in personal e-mail inboxes.

Many of us now keep three, four or more passwords in our heads. If a high-level password is lost, access to mission-critical systems could be blocked. Firms should maintain a secure database to track all system and administrative passwords, the date when each password was last changed and who created the password. To ensure this database does not become out of date, it should be revisited and tested regularly — monthly or quarterly.
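One way to run the regular review of such a register, shown as an added example that is not part of the original article. The register rows are constructed; the `last_tested` date, the `vault_ref` pointer (so the register never holds the secret itself) and the 90-day window are assumptions.

```python
from datetime import date, timedelta

# Constructed register: the article's fields (system, last changed, creator)
# plus an assumed last_tested date and a reference to where the secret lives.
REGISTER = [
    {"system": "domain-admin", "vault_ref": "vault:001", "created_by": "asmith",
     "last_changed": date(2008, 1, 10), "last_tested": date(2008, 4, 2)},
    {"system": "backup-vendor-portal", "vault_ref": "vault:002", "created_by": "jdoe",
     "last_changed": date(2007, 11, 5), "last_tested": date(2007, 12, 1)},
    {"system": "firewall", "vault_ref": "vault:003", "created_by": "jdoe",
     "last_changed": date(2008, 4, 20), "last_tested": date(2008, 4, 20)},
]

def review_register(rows, today, review_days=90, departed=None, departure=None):
    """Return {system: [reasons]} for every entry that needs attention."""
    findings = {}
    for row in rows:
        reasons = []
        # The entry was not verified within the review window (quarterly here).
        if today - row["last_tested"] > timedelta(days=review_days):
            reasons.append("untested")
        # The password predates a staff departure, so the person may still know it.
        if departure is not None and row["last_changed"] < departure:
            reasons.append("rotate")
        # The only recorded creator has left; someone else must take ownership.
        if departed is not None and row["created_by"] == departed:
            reasons.append("reassign-owner")
        if reasons:
            findings[row["system"]] = reasons
    return findings

if __name__ == "__main__":
    result = review_register(REGISTER, today=date(2008, 5, 1),
                             departed="jdoe", departure=date(2008, 4, 15))
    for system, reasons in result.items():
        print(f"{system}: {', '.join(reasons)}")
```
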

Firms should also set up a database to track all IT equipment that is signed out and when it is due to return. This should also be used to track equipment that is being repaired outside the office. A good asset management program can allow for quick identification and re-allocation of resources.

If an IT team member passes away, look through his or her office papers. For example, if he or she regularly received invoices, one could be caught in limbo if an invoice has been opened but not forwarded to the firm’s internal accounting department.

A hostile firing
This real case in which an IT team member passed away closely relates to what would occur if a firm has to fire an IT team member. In such a scenario, it is critical to be well prepared. Before a firing, perform an audit of all nodes on your network. This includes objects such as users, printers, etc. in your firm’s network that have administrative rights. A malicious or disgruntled employee could assign administrative rights to an innocuous device, such as a printer, and use that device to gain access to the network to do harm. Change administrative passwords and any keypad codes for physical doors. Cancel the employee’s credit and calling cards. Wireless networks can be accessed from outside an office, so if you have a wireless cloud, change its password. Hire an independent consultant prior to letting the person go. This will help identify all remote entry points to the firm’s IT infrastructure and manage them accordingly. This includes but is not limited to e-mail servers, application servers, data servers, and Web servers, including access to externally hosted websites. The passwords on those systems must be changed as soon as the IT person is let go. Notify employees not to release any password to the individual. Also recommended is a forced password change on all systems, in case the IT person knows someone’s password.
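The audit of nodes with administrative rights can be run over an export of directory objects. The following is an added example, not part of the original article; the export, its column names, the privileged group names and the approved-administrator list are all constructed assumptions.

```python
import csv
import io

# Constructed export of directory objects (column names are assumptions).
EXPORT = """name,type,groups
asmith,user,Domain Admins;Staff
jdoe,user,Domain Admins;Staff
PRN-3FL-01,printer,Print Devices;Domain Admins
backup-svc,service,Backup Operators
WS-0142,computer,Workstations
temp-audit,user,Administrators
"""

ADMIN_GROUPS = {"Domain Admins", "Administrators"}  # assumed privileged groups
APPROVED_ADMINS = {"asmith"}                        # assumed list kept by the firm

def audit_admin_rights(export_text, departing):
    """List objects whose administrative rights need review before a departure."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        held = ADMIN_GROUPS & {g.strip() for g in row["groups"].split(";")}
        if not held:
            continue  # no administrative rights, nothing to review
        if row["type"] != "user":
            # The case the article warns about: a printer or other device
            # that has been given administrative rights.
            reason = "non-user object holds administrative rights"
        elif row["name"] == departing:
            reason = "departing employee's account"
        elif row["name"] not in APPROVED_ADMINS:
            reason = "administrator not on approved list"
        else:
            continue  # approved administrator
        findings.append((row["name"], sorted(held), reason))
    return findings

if __name__ == "__main__":
    for name, groups, reason in audit_admin_rights(EXPORT, departing="jdoe"):
        print(f"{name}: {reason} ({', '.join(groups)})")
```
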

Plan for business continuity
It’s been more than a year since the firm lost its good friend. It was an emotional period and the strain of coping with his loss compounded the business challenges everyone faced. Although technical issues have been focused on, the human issue should not be ignored. Those who were required to work harder to help the firm operate through its loss were the same people who were most affected by the loss. People can make mistakes when under stress. A period for grieving is a recognition of a human need and is an important part of mitigating against costly errors.

A business continuity plan is vital in ensuring you can deal with the loss of a key IT team member as well as any other disaster or tragedy that may occur.

TRAGEDY READINESS CHECKLIST

1. Communications

  • Counsel staff to help them deal with the situation
  • Calls to person’s phone
  • Voice mail advising callers who to contact
  • Advise people on how to give the news to callers
  • Phone number not assigned to other staff
  • Forward e-mail to another appropriate person
  • Review person’s calendar for important appointments

2. Knowledge — could be done using a wiki

  • Document software used
  • Document business contacts (internal and external)
  • Look out for specialized applications
  • Manage workload
  • Log all support calls and resolution

3. Keep track

  • Know where offsite data is stored
  • Audit offsite data to ensure completeness
  • Ensure all corporate data is accounted for (watch out for personal files)
  • Develop mechanism to record or protect important firm passwords
  • Equipment signed out or loaned should be logged
  • Check for invoices or financial documents that might need attention

Practical advice

  • Use a generic IT contact e-mail address for the firm
  • Ensure IT contacts, applications, contracts and licences are documented and kept in the same place
  • Use a wiki or like tool to document day-to-day processes and problem resolution

 


Michael Mazengia is senior manager, IT, at Deloitte / Mintz & Partners. He can be reached at (416) 644-4420; or michael_mazengia@mintzca.com

Technical editor: Yves Godbout, CA, CISA, director of IT services, Office of the Auditor General of Canada