“All eyes are on me. And I’m trying to deal with exploding online loads, people working remotely, new cyberthreats. Every day it’s something new.”
That quote from a banking chief information officer (CIO) reflects some of the urgency and pressure tech leaders are feeling. CIOs are facing the greatest challenge of their careers. We are seeing infrastructure breakdowns, denial-of-service attacks, and sites going down because of traffic load. Even as companies grapple with the implications of the COVID-19 pandemic, it is already clear that CIOs are playing a central role in navigating the crisis.
We strive to provide individuals with disabilities equal access to our website. If you would like information about this content we will be happy to work with you. Please email us at: McKinsey_Website_Accessibility@mckinsey.com
The COVID-19 pandemic is first and foremost a human tragedy, and technology is on the front lines of this crisis. Many of the changes reshaping how we work and live—from employees working remotely to consumers shifting their shopping online—rely on technology. And because technology ties so much of every company together, CIOs have a unique view into what’s really going on
and how to manage it.
COVID-19 is a global phenomenon, and companies from Asia to Europe to the Americas are at different stages of how they are reacting to the crisis. We see the crisis playing out broadly across three waves: Wave 1, ensuring stability and business continuity while containing the crisis; Wave 2, institutionalizing new ways of working; and Wave 3, using learning from the crisis to prioritize tech transformation for resilience.
The focus of this article is on how CIOs can navigate the first wave and begin shifting from reacting to the crisis to starting to get ahead of it. We believe that CIOs who successfully guide their companies through the first wave can not only stabilize core business operations but also emerge with a reputation for effective leadership.
In the past months, we’ve spoken with more than 100 CIOs at global companies. Based on these conversations and our experience helping businesses through previous economic crises, CIOs should focus their energies in the next 60 to 90 days on the following ten actions:
Focus on what matters now
1. Take care of your people. The CIO’s first order of business is to take care of her employees. It’s important to acknowledge that people are focused on caring for loved ones, managing their kids who are no longer in school, stocking up on necessities, and trying to stay healthy, all while trying to do their jobs. This requires empathy and flexibility from CIOs.
CIOs are moving to provide flexible work arrangements—working remotely, in flexible shifts, and preparing for absences. One CIO recognized that employees working from home will be affected by school closures and quickly designed a backup support model for each essential individual. One global company has committed to paying employees who contract COVID-19 so they can take the time to get healthy without worrying over lost pay.
For those people who still need to come into work, CIOs have a responsibility to make the work environment safe. One company, for example, has created six work zones. People cannot cross
from one zone into another. If someone gets sick in one zone, they can isolate it from the other zones quickly. At one European financial organization, leadership has organized shifts so that key leaders are not in the same room and has identified backups for executives and key managers.
That focus on people also extends to working with contingent workers and vendors, many of whom work on site. Another banking CIO contacted all vendors to ask where each individual had been physically during the previous two weeks, what they had been doing, and what their plans were for the following week. This helped him understand who was truly needed on the premises and who wasn’t, to reduce exposure for his own people.
A CIO’s success in helping their people through this crisis is likely to have a significant effect on employee loyalty and retention in the future.
2. Communicate confidently, consistently, and reliably. Uncertainty breeds fear and confusion. CIOs have to combat this reality by developing a crisis-communication program based on being transparent with both the C-suite and employees about what the current situation is and the steps being taken to address issues. Setting up regular briefings create a certain routine, which builds trust and confidence. Any delays to major deployments need to be planned for and communicated.
The “how” can be as important as the “what.” One CIO, for example, is texting the entire company with regular updates because he believes it matters more that the communication is human rather than coming from more “official” corporate channels.
Listening and learning are also crucial. Given how fast the situation is moving, the CIO needs to be the chief “learner” in these situations to help the rest of the group to keep getting better and better as things change. Just pushing out tech won’t work. CIOs need to prioritize reaching out to different stakeholders to understand their needs and the pressures they’re managing in order to provide the right solutions. In addition, CIOs should consider lightly surveying remote workers to understand what is and isn’t working to help refine capabilities and support levels.
3. Get beyond the tech to make work-from-home work. The sudden shift to employees working from home—one European institution saw its remote workforce increase by 15 times literally overnight—has created a host of issues, from inadequate videoconferencing capabilities to poor internet connectivity at employees’ homes. CIOs need to move quickly to advise the CEO and direct the company on how best to work remotely before every department goes off and picks its own collaboration tools. Many CIOs are already buying additional licenses and upgrading network to increase access. CIOs can address ISP capacity in employees’ homes by distributing 4G/5G modems or reimbursing upgraded internet plans.
In the end, however, tech is just an enabler. New ways of working require a culture change. CIOs can help to drive the cultural change by sharing best practices and providing effective learning sessions. They can drive testing and learning from different approaches and communicating them back to the business. Crisis management is a cross-functional game and the CIO is perfectly placed to facilitate the new way of working.
4. Drive adoption of new ways of working. As employees shift their work behaviors, many of them are confronting what can seem like a dizzying array of tools with little experience of how to use them effectively. As one CIO confessed, “ensuring adoption of new tools and protocols has been the most frustrating part of the process so far.”
New behaviors typically take about 30 days to take hold, so CIOs need to promote them assertively over the next month. As a rule of thumb, we’ve found that getting a tool adopted requires twice the investment of having it developed in the first place. So while it’s necessary to provide clear guidance on tools and routines (for instance, downloading necessary apps or using multifactor authentication), it’s crucial to invest in behavioral-nudging techniques, advanced training seminars, and certification to ensure that tools aren’t just adopted but that they actually help people do their work.
Role modeling is also an important way to influence behavior, such as communicating through collaboration tools, holding meetings on Zoom, Skype, or Webex, and asking every participant to turn on video. One CEO of a large pharma company has required everyone on video conference calls to “turn on” their cameras.
5. Be proactive on security. Threat actors are already stepping up cyberattacks to exploit confusion and uncertainty. We’ve seen attackers launch email-phishing campaigns posing as corporate help-desk teams asking workers to validate credentials using text (also known as “smishing”). In addition, remote working creates additional risks: employees may try to bypass security controls to get their job done remotely, unprecedented virtual-private-network (VPN) usage complicates security monitoring, and remote working may weaken deterrents against inside threats.
In response, CIOs, working closely with their chief information-security officers, must focus on security operations, especially de-risking the opening of remote access to sensitive data or to software-development environments, and implementing multifactor authentication to enable work from home. In addition, companies need to focus employees on both safe remote-working protocols and threat-identification and escalation procedures.
Security plans (for example, disaster recovery, vendor succession, technology risk backup), should be tested immediately. If those plans don’t exist, they should be created and tested. CIOs should muster resources to help with monitoring (for example, network availability, new strains of malware, endpoint data access) to shorten risk-response times.
Stabilize core systems and operations
6. Stabilize critical infrastructure, systems, and processes. Massive shifts in employee work and customer-behavior patterns are putting unprecedented strains on each institution’s infrastructure. Internet service providers in heavily affected areas are experiencing degradation of service due to overloads from remote workers. There are also much longer than normal lead times for infrastructure components (such as, servers, storage, parts, networking gear) given the disruptions to Asian supply chains.
In the fever to act quickly, it’s easy to get caught in a “whack a mole” situation—reacting to the latest issue. CIOs should take a step back and develop a clear perspective about which systems and applications are most critical to stabilize, and then prioritize that work. That includes scenario planning to help prepare for issues lying ahead, such as building up a supply of needed parts and hardware (for example, PCs, iPhones) and a distribution process for getting them where they need to go. Besides addressing key issues (such as, rapidly scaling up infrastructure capacity, network bandwidth, VPN access), CIOs should be thinking through second and third order effects.
They should also identify and test for a range of scenarios, including extreme use cases. One CIO did a holistic infrastructure and network test to determine how their company would operate under different levels of capacity needs. Another did a preemptive one-day stress test to remotely monitor and manage all core systems in case no personnel could come to work. Developing use cases will help to scope this work, for instance, how much network capacity to upgrade and how many licenses to secure. Another CIO determined that bandwidth constraints were so severe that all communications must be via audio rather than videoconferencing.
Finally, CIOs also need to partner with their colleagues in other critical business functions to evaluate system needs and prepare for changes and support requirements. As the organization goes virtual, for example, CIOs can stress test the payroll process under various scenarios to ensure employees are paid.
7. Enable the shift in business processes. Stress on the system has come from spikes in a number of specific channels: call center, help desk, websites, and consumer-facing apps. In one McKinsey survey of Chinese consumers from three weeks ago, online penetration has increased significantly (+15 to 20 percentage points), in particular for categories with higher purchasing frequency.
In Italy, e-commerce went up from the last week of February by 81 percent.
CIOs should upgrade capacity to handle more traffic loads on consumer-facing websites and apps, roll out self-service tools and interactive-voice-response capabilities for customer-support needs. They can also increase dedicated lines to manage COVID-19-related calls, extend systems to enable customer-service employees to work remotely, and ensure sufficient coverage in user help desk to cover increase in ticket volume. CIOs should also organize and group queries received by their help desk and call centers to find patterns and see if additional actions are needed.
Start anticipating what’s next
8. Stay the course on key priorities. In this high-stress situation, the natural instinct is to think about what programs to cut and revert back to old ways of working. It’s important, of course, to reevaluate priorities, shift resources, and track progress closely. But it’s also crucial to see that this current crisis is a major turning point and a competitive situation. We know from past crises, in fact, that companies that take a slash-and-hold approach fare worse than those that both prune and thoughtfully invest.
CIOs need to take a through-cycle view and stay committed to broader transformation goals they’ve been leading such as programs on data, cloud, and agile. Cloud migration provides the flexibility to manage the current spikes and changing employee and customer needs rapidly and cost effectively. The goal for CIOs is to emerge from this not having just “managed” the crisis but being stronger because of it.
For this reason, it’s important for CIOs to keep a steady hand on initiatives and programs that can help the business become tech forward.
It’s important to reevaluate priorities, shift resources, and track progress. Companies that take a slash-and-hold approach fare worse than those that both prune and thoughtfully invest.
9. Stay focused on customers. Amid the frantic activity to ensure business continuity, it’s easy to lose track of customers. Customer behavior is shifting radically during this time, and in many situations, to digital channels. There will likely be a residual stickiness of these learned behaviors, as with the explosion of Chinese e-commerce following the severe acute respiratory syndrome, or SARS, epidemic.
At the same time, there is reason to believe that there will be pent-up demand when the worst of the crisis is past. A recent McKinsey survey of Chinese consumers revealed that they are optimistic about overall economic recovery post-COVID-19, and more than 80 percent of them expected to purchase at the same levels or more as before the outbreak. And they’re much more likely to continue to spend through digital channels.
CIOs should accelerate investments that create competitive distance for their companies. One fintech CIO who focuses on online payments took this opportunity to aggressively test and market the company’s product, recognizing that it was “now or never” to get the product to succeed at scale. CIOs need to support business leaders to design new business models with the help of technology and make it happen quickly; for instance, grocery stores will need to enable online order and home delivery to support affected populations.
10. Understand implications of the ‘new normal.’ While the economic consequences of COVID-19 are still far from clear, we believe that the end of the crisis will not mean a return to business as usual. The business impact of COVID-19 will inevitably require CIOs to cut costs, particularly in the short term. That includes, for example, evaluating fixed capacity that’s not being used and deprioritizing initiatives. As CIOs work to mitigate downturn impact from this outbreak, they should also start to identify ways to drive productivity.
More important, CIOs will need to understand what that shift means and what the new tech-enabled operating model can look like. Some CIOs have started thinking about these new ways of working to lock in new behaviors, such as eliminating attachments for internal emails and only using Slack for communications. Some also see the opportunity to build improved routines around work intake and demand management to ensure the ability to pivot toward only the most essential and valuable work in a time of crisis or reduced capacity. CIOs have the opportunity to become leaders of innovation, rather than merely effective managers of the downside.
How companies react to the new employee and customer needs will likely shape their competitiveness in the years to come.
We know that in many places things are likely to get worse before they get better, and there are still many unknowns. However, we also believe that for those CIOs who can manage and lead effectively, this can become their moment to shine.