DRJ's Spring 2019

Conference & Exhibit

Attend The #1 BC/DR Event!

Winter Journal

Volume 31, Issue 4

Full Contents Now Available!

Introduction

Who are the stakeholders in the continuous operation of an information system? Stakeholders, as the name suggests, are those that have a stake in the system’s continuous operation. They may be affected by a discontinuity, or may be responsible for ensuring continuity.

An information system may have a large number of stakeholders. These stakeholders may be part of the information system, of the organization to which the system belongs, or of the environment in which the system operates. Put differently, they can be anywhere in an organization’s value chain.

How relevant is a stakeholder? Some stakeholders have a very broad constituency. They are relevant to many industries, organizations, departments, and decision-makers. CEOs, stockholders, and technology vendors are examples of such stakeholders. On the other hand, some stakeholders have a very narrow constituency. They are relevant to particular industries, organizations, departments, and decision-makers. The Joint Commission for Accreditation of Hospitals (JCAH), for example, is relevant only to the healthcare industry. Similarly, the Security and Exchange Commission (SEC) is relevant only to the financial services industry. Stakeholders with a broader constituency can be said to be relatively more relevant than those with a narrower constituency.

How important is a stakeholder? The consequence of a discontinuity is more severe for some stakeholders than for others. For example, the production department may be more severely affected than the human resources department by a discontinuity in the information system. Obversely, some stakeholders affect IS continuity more than others. The CEO’s priorities can have a greater impact than that of the CIO, for example. All the constituents – industries, organizations, departments, or decision-makers – may not agree on the importance of a stakeholder. Thus, the overall importance of a stakeholder is the average of the importance attributed to that stakeholder by the constituents, excluding those that do not consider the stakeholder to be relevant.

Stakeholders that are both highly relevant and important are the most significant ones. On the other hand, those that are neither relevant nor important are the least significant ones. Stakeholders that are highly relevant but not very important and those that are not very relevant but are very important are of intermediate significance.

IS continuity planning will be more effective if the stakeholders are correctly identified, and their relevance and importance quantified. Such knowledge can help prevent errors of omission – wherein significant stakeholders are considered to be insignificant, and errors of commission – wherein insignificant stakeholders are considered to be significant. Benchmarking such stakeholder data at a universal level, at an industry level, at a company level, and at a departmental level will help compare and contrast the needs of different constituencies. Such benchmarking will help an organization learn from its own and others’ IS continuity planning.

Following are the results of a preliminary web-based survey to benchmark stakeholders in IS continuity. It summarizes the relevance and perceived importance of different stakeholders to a broad group of respondents. Although the results cannot be generalized because of the non-random and small sample of respondents, they provide a good beginning for benchmarking stakeholders in IS continuity.
Survey

The objective of this survey was to determine the relevance and importance of stakeholders in the continuity of information system (IS). The instrument lists six categories of stakeholders, namely: (i) Owners, Creditors, and Insurers, (ii) Top Management, (iii) Functional Departments, (iv) Customers and Suppliers, (v) Vendors, and (vi) Governments. Multiple stakeholders were listed within each category. Respondents are permitted to add stakeholders to the list in each category. The respondents added a couple of new stakeholders, indicating that the list provided was quite exhaustive. These additional stakeholders have not been reported for the same reason.

The default response for each stakeholder is ‘Not Applicable.’ The other possible responses are ‘Very Unimportant’, ‘Unimportant’, ‘Neutral’, ‘Important’, and ‘Very Important’. The last five responses are coded on a five-point scale in increasing order of importance, ‘1’ being ‘Very Unimportant’ and ‘5’ being ‘Very Important’.

The World Wide Web-based survey was conducted by the Pontikes Center for Management of Information, College of Business and Administration, Southern Illinois University at Carbondale. Responses were solicited by sending e-mail to those that had visited the Disaster Recovery Journal home page. Those that did not respond to the first e-mail were sent a reminder after four weeks. Most data were collected electronically. A couple of respondents requested hard copies of the questionnaire, which they returned by mail. The questionnaire used can be found at the Pontikes Center web site http://www.pontikes.siu.edu/.

Results: Profile of Respondents

A total of 44 respondents interested in IS continuity completed the survey, resulting in 38 usable responses. The profile of these respondents is summarized in Table 1.

 

Respondent Title    Number 
President 5
Owner  2

Business Continuity Manager

 12
IS Department Manager
 6
Sales Manager
 1
Business Continuity Consultant 3
Risk/Contingency Managers
 5
Others
 6
Total

 40 

Clearly the respondents have a variety of titles: Business Continuity Managers, IS Department Managers, Business Continuity Consultants, and Risk/Contingency Managers constitute a majority of the respondents. Except one Sales Manager no other functional area manager is represented. There are a few Presidents/Owners.

Relevance of Stakeholders


The relevance of different stakeholders to the above respondents is summarized in Table 2. Relevance is measured by the percentage of respondents that considered a stakeholder as being relevant. If the default response of ‘Not Applicable’ is unchanged then that stakeholder is assumed to be not relevant to that respondent. If all the respondents considered a stakeholders as being relevant then that stakeholder’s relevance is 100; if only half of them considered the stakeholder to be relevant then that stakeholder’s relevance is 50.

At one extreme, all respondents see individual customers as stakeholders. At the other extreme, only 40% see business continuity consultants and the local government as relevant stakeholders. The low relevance of business continuity consultants may simply indicate that most respondents do not have them. On the other hand it is difficult to imagine any enterprise that is not under the jurisdiction of some local government. The low relevance of the latter may simply indicate the absence of any relationship between the local government and the enterprise’s information system in the minds of a majority of respondents. Similar explanations can be given for the relevance of all the other stakeholders

Analyzing the relevance by categories highlights many interesting points. Owners, Creditors, and Insurers cluster together in the middle band of relevance at 70%. The relevance of Top Management ranges from 90% for the CEO to 60% for the COO; that for the Departments too falls in the same range with Finance and Marketing at 90% and Risk Management at 60%. The relevance of Customers and Suppliers falls in a higher band compared to Top Management and Departments, ranging from 100% for Individual Customer to 80% for Suppliers. In contrast the relevance of Vendors covers a wider, slightly lower band ranging from 80% for Software and Hardware Vendors to 40% for Business Continuity Consultants. Last, the Governments fall in the lowest band, ranging from 50% for Federal and State Governments to 40% for Local Government.

 

Importance of Stakeholders


The importance of different stakeholders is summarized in Table 3 based on their respective mean score. ‘Not Applicable’ responses were not considered in the computation of this score. Hence there is considerable variation in the divisor used in the computation of importance.

Overall, the Business Continuity Department is rated the most important and the Local Government the least. Most stakeholders were rated as being ‘Important’ to ‘Very Important’. Some were rated between ‘Neutral’ and ‘Important’. None was rated below ‘Neutral’ as being ‘Unimportant’ or ‘Very Unimportant’.

Among Owners, Creditors, and Insurers the last are rated the most important, and the Creditors the least, although all three are rated as being ‘Important’ to ‘Very Important’. Similarly, the Top Management stakeholders fall within the same band, with the CIO rated as being the most important and the Marketing Chief the least. The Sales Chief too is close to the bottom of the band. The Departments as stakeholders are spread over a wider band ranging from ‘Very Important’ to less than ‘Important’. The Business Continuity Department, the Production Department, and the IS Department, in that order are at the top; the Human Resources Department, the Facility Management Department, and the Marketing Department, again in that order, are at the bottom – rated between ‘Neutral’ and ‘Important’. Customers and Suppliers fall into a lower band. Both Institutional and Individual Customers are rated together as more than ‘Important’, but the Suppliers are rated as less than ‘Important’ – in fact they are rated the second lowest among all the stakeholders. Among Vendors Business Continuity Consultants are at the top and Software and Hardware Vendors at the bottom, with Telecom Network vendors and Outsourcers in between. The Vendors range in importance from a shade below ‘Very Important’ to a shade below ‘Important’. Last, the Governments are rated as the least important, between ‘Neutral’ and ‘Important’, with the Federal Government being rated the highest and the Local Government the lowest among them.

Relevance and Importance of Stakeholders


The data from Tables 2 and 3 can be combined graphically as shown in Figure 1. The Northeast quadrant of the graph shows stakeholders that are highly important and relevant, the Southwest quadrant those that are neither important nor relevant. The northwest quadrant shows stakeholders that are important but are not broadly relevant, and the southeast quadrant those that are not important but are relevant. In the Figure a relevance of 70% has been arbitrarily chosen as the dividing line between high and low relevance, and an importance of 4.0 has been arbitrarily chosen to demarcate high and low importance. These values may be changed. With different cutoffs the grouping in the four quadrants will be different.

 

Highly relevant and highly important stakeholders are those that most respondents think as interested in IS continuity and as being important to the maintenance of such continuity. The Finance Department, CEO, IS Department, CFO, Board of Directors, Accounting Department, Institutional Customers, and Individual Customers are the most relevant and important stakeholders. These are the most significant stakeholders. On the other hand, stakeholders of low relevance and importance are those that most respondents think as not being interested in IS continuity and as not being important to its maintenance. Of these, the Local Government is the least relevant and important. The State Government, R&D Department, Facility Management Department, and Creditors also are in the same quadrant of low relevance and importance. Stakeholders in this quadrant are relatively the least significant. The Sales Chief, Sales Department, Marketing Chief, Marketing Department, Hardware and Software Vendors, Human Resources Department, Purchasing Department, and Suppliers fall into the high relevance-low importance quadrant. Among those in this quadrant, the Suppliers are probably the archetypal stakeholders. At the other extreme, Business Continuity Consultants appear to be the archetypal stakeholder that has low relevance but is highly important. In other words these are relevant to relatively few respondents, but are highly important to those they are relevant. Other stakeholders in this quadrant are the Business Continuity Department, Business Continuity Service Providers, Federal Government, Outsourcers, Production Department, CIO, COO, Controller, Insurers, Telecommunication Network Vendors, Corporate Security Department, and Risk Management Department. The stakeholders in these last two quadrants are somewhat significant.


This particular configuration simply reflects the perception of a sample of respondents. A different sample may result in a different configuration. A sample of CIOs, for example, may view the stakeholders differently than a sample of Marketing Chiefs. Similarly, a sample of respondents from the healthcare industry may view the stakeholders differently than a sample from the financial services industry. Mapping the stakeholders based on relevance and importance as shown in Figure 1 will enable one to document, interpret, and respond to the similarities and differences. It can be an effective planning tool as explained below.

Conclusion


A planner has to segregate stakeholders by their significance. Significance can be defined as a function of relevance and importance. This study provides a significance-map of stakeholders from the perspective of a non-random, small group of respondents. However, the methodology of this study can be used more broadly to map the stakeholders based on the perceptions of key people within a department, an organization, or an industry. These maps can be insightful to the planner in many ways.

First, these maps can help formulate goals for IS continuity. For example, if the Finance Department and the CFO are more significant than the Marketing Department and the Marketing Chief, it would be natural to give higher priority to the continuity of financial operations than to the continuity of marketing operations.

Second, these maps can help aggregate and validate perceptions. These maps provide the ‘big picture’. Ideally, all the planners and the stakeholders should subscribe to a single map. But this is rarely the case. A local government may consider itself far more significant than indicated by the respondents of this study. Similarly a CEO may consider herself far less significant than the IS executives believe. The map provides a basis for highlighting, articulating, and subsequently incorporating these different points of view.

Third, these maps can highlight biases and inconsistencies. For example, in the world of electronic commerce, should the Marketing and Sales Chiefs and their respective departments increase in significance? Similarly, with EDI (Electronic Data Interchange) and JIT (Just In Time) should Suppliers be more significant than indicated in Figure 1? Similarly, should Governments in general be made more significant as many organizations such as PPBI (Private Public Business International) are attempting to do?

Thus, mapping the stakeholders can illuminates the planning terrain by quantifying and visually depicting the significance of different stakeholders. However, good maps require good data. Such data can be obtained only from a large representative sample of respondents. Our next step is to collect such data from multiple industries and corporations.
 



Arkalgud Ramaprasad, Mikhail Komorov, and Paul Ambrose, are with the Pontikes Center for Management of Information, College of Business and Administration, Southern Illinois University, Carbondale, IL 62901-4627