The Women in Business Continuity Management (WBCM) committee shines a spotlight on accomplished women in resilience. For the inaugural issue of the DRI Foundation e-newsletter, members of the WBCM committee conducted interviews with some of these women. This time, we interviewed Linda Conrad, Principal, Corporate and Information Security Risk Management at Exelon Corporation, a Fortune 100 energy company. Linda lives in Baltimore, Maryland, USA.
What’s your overall background? What business continuity fields, and related industries, have you worked in (disaster recovery, crisis/emergency management, risk management, etc.)?
I’ve worked primarily in risk management for the insurance and energy industries, and I am currently in cybersecurity risk management. Previously, I worked for an insurance company, which is in the business of managing risk all day, every day, focused on the prevention and financial coverage of disasters. I worked in the global risk engineering group, a team of almost a thousand people, which helped people recover from crises, but more importantly we looked at what businesses could do to avoid or minimize damage. We’ve done things as large as helping them relocate or reconfigure factories that were flood prone, down to helping them try to minimize disruption when something happens.
In my current role in the energy industry, much of what we do is regulated by the government. We have required reporting, and we do a lot of preparations and drills. Crisis communication is one of the most important things we focus on, so that when different subsidiaries or different business units have issues, we work out how they coordinate with the main business continuity team.
I think it’s important to broaden conversations about business resiliency. In some companies, the focus can be primarily on data loss – and it is very important to look at the risk of something happening to confidential data, and what tools and teams can prevent that. Then I try to expand the discussions, beyond just strictly data loss to what business functions and operations can be disrupted. We work with parts of the business to identify the biggest operational impact if something should go down: applications and cyber related functionality, but also other operations. Then we tie that back to the business impact analysis, to make sure it reflects that kind of prioritization around the delivery of core services.
How did you get into this field? Did you go into the field on purpose or stumble into it?
I would have to say that I was fortunate to stumble on risk management, but I intentionally directed my efforts to focus on business resilience. In particular, I have emphasized managing cyber and supply chain risk.
What do you enjoy about your job? What aspect of this work are you passionate about?
What I like about this field is that it helps people in crisis when they most need it. The business resiliency field is not recognized as a “helping field” like a doctor or a social worker, but it definitely helps people in the time when they’re most desperate for help. That’s something that really resonates for me from a personality perspective.
That being said, my preference is for us not to get to that desperate moment in the first place. One of my taglines is “resiliency is about helping people or companies bounce back — but we don’t want to bounce in the first place.” So we spend a lot of time on what we can do now, to prevent issues from happening.
Do you see any overlap between the related fields you’ve worked in, or ways that one field informed the other?
I see the value of having one foot in the cybersecurity world and one in business continuity, and finding the places where they intersect and inform each other. I did a lot of work around supply chains and drifted into the cyber space. Initially I was looking at how disruptions to the supply of goods and services impact core functions, but realized that we had to look beyond the physical supply chain, into goods and services that you can’t even touch and feel. From there, I backed my way into the cyber supply chain, and looked at how we protect against and rebound from the impacts of cyber disruption.
In a traditional supply chain you have raw materials, production, delivery to the consumer. Cyber is virtual, so it’s a lot harder to visualize and quantify, but it can have impacts both in the digital and physical worlds. In our energy company, we recently did an exercise involving some of our business units with a scenario of a physical disruption to a plant, but it turned out that it was caused by cyber issues. A real-world example of that would be the case in Germany about three years ago, with a big factory fire that was caused by a digital hack from the outside. They shut down the function of the part of the machine that prevented overheating, and so the machine caught fire and burned the building. This shows how a cyber attack can cause physical damage, not just digital damage.
I worked with the National Institute of Standards and Technology (NIST) on cyber resiliency, in a way that is directly applicable to business continuity. Personally, I find the five categories of the NIST cybersecurity framework to have high crossover and applicability in business continuity – identify, check, detect, respond, and recover – and the correlation of “respond” and “recover” to prevention, so to speak, is significant in our field.
With NIST, I worked on using statistical analysis to demonstrate the value of cyber risk management, including business continuity planning. We developed a predictive analytics study between actions that organizations took in advance versus issues they faced down the line. We compared different companies and each of their frameworks, cyber hygiene profiles, and the controls they have in place, then correlated them to future digital disruptions. We found that companies with more robust business continuity plans are less likely to have issues. This is groundbreaking, because it’s very hard to prove a negative – to say that, because we had this in place, something did not happen. But this statistical analysis was able to validate the real-world benefit of business continuity planning, in the cybersecurity space.
[Editor’s note: click here to download this study.]
You’re one of the members of the DRI Future Vision Committee. Could you tell me a little bit about what the Future Vision Committee does?
It is important that DRI have its finger on emerging global trends and risks that could impact the profession. The Future Vision Committee is made up of professional specialists who have been in the field for a while, and have a sense for emerging issues and big picture developments. Most companies operate based on the one-year operating budget. We take a longer view – what’s coming down the pike in five years or more. Once a year, the Future Vision Committee produces a report predicting top future trends for the industry. You cannot manage what you cannot see, so this report offers transparency into potential areas of concern and opportunities to proactively mature your business resiliency efforts.
[Editor’s note: Click here to download the latest Future Visions Committee Trends and Predictions Report from the DRI Library.]
What is the one characteristic that you believe every leader in this field should possess?
The one characteristic that I think leaders need to possess is the ability to speak in terms that the business understands. Business understands financial terms – return on investment and monetary effects of not getting core business objectives accomplished. If you’re looking at disaster recovery and it is viewed as an expense, flip the conversation with the business from how it costs them money to how it saves them money. Studies show that there’s a five-to-one ratio, that recovery costs five times more than prevention.
Tracking and reporting on compliance also helps drive participation by the business. We’ve instituted enterprise risk management metrics, to monitor that every business area updates the continuity plan and does an exercise each year. Once they know that we’re tracking those and reporting them up the chain to leadership, that helps make sure they participate. Whether a company has an enterprise risk management team or if they just have finance working directly with the CFO, getting business continuity and impact analysis as part of a report out to the broader business is important. It helps make continuity immediate and ongoing, rather than just an annual task that is later sequestered away, developing resiliency plans that go in a drawer.
Tell us about a real-world situation or crisis that taught you an important lesson – professionally, or personally.
This example actually crosses over between both professional and personal life. In 2003 there was a rolling power brownout that went up the U.S. east coast. I worked for a Swiss company, and I happened to be in Zurich at the time. I thought “this won’t impact me because I’m not in the U.S.” But I had to fly home through London, and it turned out that the plane in London had to come from the U.S. first. So I ended up flying to London and getting stuck overnight in the airport. It made me realize just how interconnected the world is – not just from the physical flightpath perspective but all the people and parts of the business behind the scenes that you don’t always think about, but which are vital to operations.
Risk interconnectivity is really one of the future areas on which people in our profession could focus more. For example, start with a disaster that takes a factory out – then ask what that means for the production of some other parts somewhere else, or for the customer, and just start to think through the down-stream impacts. I teach a graduate class at the University of Maryland on supply chain and risk management, and one of the things I have the students do is an interconnectivity map. If this thing happens – say snow – then what are 10 things that will happen or change as a result of it snowing? And then from that, what are the next impacts, and so on. That’s a useful exercise for continuity professionals to do about work functions.
What good advice did you get, professionally, that has helped you in the field? Anything specific to being a woman?
The one piece of advice that I got that I would like to pass on is that we should not be a separate siloed function. In many cases, we’re a little bit too isolated in continuity, doing our own thing. Instead, we should be so integrated in the business that we become part of the core team of the business areas that we support. We need to be seen as part of the financial success of the business rather than as a support function.
Advice especially for women? I have noticed that men and women differ in how we network professionally. As a generalization, women tend to network to form relationships, whereas men network to get things done, and come to you when they need things. For women, this task-focused approach can feel like we’re being selfish, but being task-focused can help one get ahead in business more. So I think that is a lesson for women – it’s good to build relationships, but also be direct and ask for what we need.
On the positive side, the skills that many women innately possess can be very helpful in this field. I don’t want to stereotype, but many women are used to organizing their lives and their families – maintaining busy social calendars and keeping everything going at home – and are also thinking ahead about what could go wrong and what to do about it. So that same organization and strategic and scenario planning can be a good natural fit for us at work in this field.
The thousand dollar question: How do you get others to perform work requests for you if they don’t report to you? Do you think this is more challenging for a woman to receive cooperation?
As far as how to get tasks done without direct authority, my approach is to invite people onto important roles in the team, which improves their collaboration. For example, for a global resilience project, I pulled one person from each geographic area into the project, and that person became the local point person to communicate the key messages out to their colleagues. By bringing them onto the team, they became invested.
What value do you think companies get out of doing BC/DR tests and exercises? You had mentioned regulation for the energy industry. But would it be worth doing even if there is no requirement like that?
I mentioned before that the energy sector is highly regulated, but I believe the benefit is just as high for industries without regulation. In exercises, we found that the coordination points between departments, and the passing of control, are the parts that need the most practice. For communications upward, we need to iron out who takes the lead in each area, when we turn it over from centralized business continuity specialists to a local team, and when senior management takes over.
One thing we found to be effective is to have some of your executives or board sit in on the exercise, and let them see first hand the benefit of building business resilience.