Jeff Dato, MBCP, is the Vice President of Risk Management and Information Technology for Pinnacle Airlines Corp. (PNCL), the holding company of Pinnacle Airlines, Inc. and Colgan Air, Inc. Dato is accountable for the collective technical infrastructure, enterprise risk and continuity of business operations. Dato has spent the last years working with domestic and international companies and governments to assess and manage operational and technology risks. Prior to joining PNCL, Dato lead regional advisory practices for several "Big 4" accounting firms with a specific focus on operational resiliency and technology availability as they relate to enterprise risk.
Myers: It appears that you are wearing two hats at PNCL, as CIO and CRO. Are there any natural conflicts in the two roles? Any natural synergies?
Dato: When executive leadership and I first talked about my joining PNCL, the only position discussed was that of CRO. As the role continued to be defined, we saw a tremendous need to formalize structure and process within the operational underbelly to support the aggressive growth planned within the next few years. Keep in mind that when I joined PNCL in November 2006, we had one customer (Northwest Airlines, who was bankrupt) and flew one aircraft type (Bombardier CRJ-200, 50-seat jet operating as Northwest Airlink).In less than four months, we purchased another airline, acquired 31 new state-of-the-art airplanes (Bombardier CRJ-900 and Q400) for new business partners Continental and Delta, and diversified both our customer base and aircraft types five-fold. Today, we fly five types of regional aircraft (CRJ-200 and, beginning in December 2007, CRJ-900 jets under Pinnacle and Beech 1900, SAAB 340 and, beginning in January 2008, Q400 turbo props as Colgan) for five major carriers (NWA, Delta, Continental, USAirways and United).
During 2007, just within information technology (IT) alone, we are implementing three new enterprise resource planning (ERP) systems (financials, HRIS and maintenance), implementing business intelligence tools, consolidating three disparate email systems into a single platform, introducing a distance learning tool and online performance management system – all part of the migration of a technology-starved company to a web-based operational model. We are charged to accomplish these challenges while, simultaneously, absorbing a new airline, bringing 31 new airplanes online, combining system operations control (SOC) centers, building operational resiliency across the subsidiaries and remaining in compliance with the plethora of regulations.
Needless to say, 2007 is a very important, yet risk intensive, year for PNCL, with much of the risk being technology-based. As such, the CIO role (amongst other hats) was added to my duties. Fortunately, the two roles compliment one another by managing enterprise risk across people, process and technology. The technology being deployed will automate many control aspects surrounding our enterprise risk activities, making compliance, financial, operational, strategic and technical risks easier to measure and manage. I do need to be careful, however, and remain objective in my actions and cannot let my technology role impair my risk vision. So far, I have been able to do that.
Myers: PNCL is headquartered in Memphis. How does your location play into your current risk management role?
Dato: You are probably referring to, in particular, the New Madrid fault line, which is located very close to the Memphis area. While a low probability/high impact event, it remains near the top of my mind during every operational discussion because of the sheer havoc it could wreak. We have made adequate preparations (i.e. building a backup SOC on bedrock), but, have chosen to accept some of the risk associated with this event. Additionally, with MEM being the largest cargo airport in the world, we are keenly aware of possible pandemic threats. Packages arrive multiple times a day from all corners of the earth, each a possible bioterrorism event waiting to happen. From a natural hazard perspective, Memphis is prone to violent thunderstorms (some tied to hurricanes), tornados, brown-outs and drought. Pinnacle has been working on mitigating, insuring and planning for risk inherent to such events (i.e. MEM airport shutdown, bridge or road closure, facilities damage, utility failure, etc.).
Myers: What are some specific issues found in the environment of an airline that is unique when compared with your roles in other companies?
Dato: I like the commercial aviation analogy of changing an engine while flying 30,000 feet in the air, knowing you cannot land to complete the job. It truly is a 24/7/366 business which begins and ends with operational performance and safety. Profit margins are extremely low, so the only differentiators are performance, safety and cost management.The airline’s heartbeat is the SOC, which is responsible for many of the critical processes associated with making a cycle (flight planning to multiple takeoffs/landings to overnight maintenance) successful. There are approximately 1,400 unique activities per cycle and the SOC is the conductor ensuring these all happen as planned. There is risk inherent in every one of the tasks and failure to complete even a single one can lead to the cancellation or delay of a flight(s). Talk about a risk management nightmare!
Add to that level of complexity other aspects of management concern – regulatory or airline service agreement non-compliance (significant financial penalties, per occurrence, galore), obtaining (and retaining) qualified resources (pilots, mechanics, trainers, dispatchers, etc.), hedging interest rates (re: funding aircraft), union actions, safe airline operations (dealing with the FAA, OSHA, DOT, TSA, etc.), technology infrastructure, emergency preparedness – and you have a cauldron of mishaps waiting to happen.
Myers: What have been your greatest challenges in business continuity at an airline?
Dato: Shifting the mindset from pure, unadulterated emergency response (i.e. plane crash) to continuity of operations – any unplanned event that could hinder our ability to support a safe and successful operation. This change in behavior and direction will take time, which is why we employ a crawl/walk/run approach to change. The IT side of the house has been addressed, specifically those systems supporting the SOC, via a high availability solution which allows for real-time data mirroring. Throughout the rest of this year and into next, our focus will be to finalize the people and process sides of BCM through expansion of the crisis management program (from "GO" teams dispatched to crash sites) and build out of an alternate facility for process recovery and resumption. Earthquakes? Thunderstorms? Tornados? Everyday "disasters" can (and often do) happen. My co-workers are used to dealing with crises daily to the point that an unplanned event has become "normalized." In my short tenure here, I have witnessed their fine-tuned responses first hand.
Myers: No company, probably much less an airline, wants to talks about disasters. However, where do you see your risk management focus over the next several years leading?
Dato: In such a heavy operational and safety-minded environment, one can surmise that the risk focus has been primarily regulatory and operational in nature. Over the next 3 to 5 years, with my chief risk officer hat firmly on, we will migrate toward an enterprise risk model, expanding upon those more mature areas (compliance and operational) and venturing into others which have not been necessarily in play when the company was much smaller.The regulatory landscape changes weekly with new TSA, OSHA, EPA and OSHA guidelines being added often. Pinnacle has become more advanced and creative in our aircraft financing and is facing a parent/child organizational structure for the first time. Both, along with other activities, will require us to further probe into managing financial risk more diligently. As we continue to expand our business model and airline partner relationships, strategic risk becomes an increasingly important aspect needing our attention.
From a technical standpoint, as I mentioned earlier, 2007 is the "year of change" for our people. Driving that change is IT, which is bringing over 6,000 employees into the 21st century through the introduction of a completely web-based environment. Gone will be the labor-intensive and frustrating manual processes (i.e. it currently takes 29 separate forms to onboard a single employee) and replacing them will be a fully-integrated automated system which will dramatically alter and streamline existing processes (i.e. the new system will invoke a paperless process that will cover, cradle to grave, the entire position requisition/onboarding/termination process). With this extreme change brings good and bad attributes … and risk.
Myers: I am happy to see a business continuity professional raised to the rank CIO. How have your experiences prior to PNCL prepared you for your current position?
Dato: While I enjoy the CIO hat, I am actually more excited and encouraged by the CRO role as it relates to BCM. To me, for the first time, I can see a defined career path for BCM professionals – one that I have consciously worked on my entire career. I have been fortunate in that I have come up from the non-technical (risk) side of the business. In my banking years right out of college, I always reported to the de facto CRO – they just didn’t have the fancy title back then – instead of the CIO. As a result, I have viewed BCM as a subset of managing risk versus an outreach of technology recovery. Even as a consultant with the "Big 4" firms, BCM was entrenched within a risk-based advisory practice, though usually more tied to technology and information controls.Nonetheless, the skills acquired as a direct result of working within the BCM industry are the reason I landed my current dual role at PNCL. Risk-focused, business/analytically-minded, process-driven, technically astute (strategically speaking, not a techie SME), time/results-oriented, and communications savvy are, in my opinion, the optimal attributes of a successful BCM professional. Ironically, these equally apply to those individuals seeking to become C-level executives.
For instance, our top three executives did not come to me looking for a BCM professional, but, someone who fit the aforementioned criteria. They realized they needed someone to drive and build the non-airline infrastructure to support the pending operational growth. Did they care that I have never been either a CIO or CRO? Not really. In fact, the COO made it clear they wanted a non-technical, process-driven individual to lead the IT group into the future as they already had solid technologists, just not someone with a business-first mindset. As the only non-aviation executive within Pinnacle, I bring a different perspective to business problems through my experiences gained via BCM and other complex and diversified companies.
Myers: What lessons have you learned while operating in an airline that may be helpful for business continuity professional back in a less risky environment?
Dato: I have worked in over a dozen different industries with regards to BCM. While the aviation industry is more operationally-driven than most others, I can say that certain guidelines apply to all business types. With commercial aviation, it is about life and death. If we do not operate with the utmost care every single time, lives can be lost. Fortunately, most industries are not like that, though, consequences do exist if one does not follow prudent practices. Work diligently with your executive management team to fully comprehend the downside risk of not being operational. While the line of business leaders may demand recovery times in the minutes (they have to justify their operational importance), you will find the senior executives understand the strategic operational picture, have a much more pragmatic view of the cost benefit of downtime, and open to alternative means to managing (mitigate, insure, plan or accept) risk.
Myers: Are there any closing thoughts you would like to leave with the readers?
Dato: I would advise BCM professionals to exercise all three sides of your personality: Pessimism – belief that bad things can (and will) happen; Optimism – you can prepare adequately prior to an unplanned event; and Realism – knowing bad things will happen and not go as planned. Understand your company’s business. If you can learn to apply BCM in a practical manner that can improve the way your company operates, you will meet with much less resistance with the executive suite. Think strategically (vs. tactically) – attack the issue from a process standpoint, outlining the expected improvement in operational efficiency. By doing so, the return on investment (ROI) will resolve itself. Your solution(s) can be technical – just don’t go into the meeting with that as the end result. If you follow that formula, your professional image and credibility will receive an instant boost … and, likely, the key to the door of career advancement. Remember: Individuals with strong business savvy and aptitude, combined with a dose of self-confidence, are the future business leaders of tomorrow.
Martin Myers, MS, MBCP, is a business continuity manager in the card services division of Bank of America. He has more than 18 years of experience in developing and evaluating disaster recovery and business continuity plans including emergency preparedness and response, and crisis management for prominent domestic and international companies. His work has taken him throughout the U.S., and to Canada, Bermuda, Panama, Costa Rica, Ireland, the United Kingdom, and South Korea. Myers is currently a member of the DRJ Editorial Advisory Board and is the vice-president of the Contingency Planning Association of the Carolinas.
"Appeared in DRJ's Fall 2007 Issue"
