Robert Fucito, Vice President of Enterprise Resiliency & Workplace Security for Fannie Mae in Washington, D.C., has had a 30-year career that has put him in direct contact with some of the most catastrophic and dangerous moments in recent history.
His ability to create and implement resiliency and crisis management programs has placed him at the helm of several response and recovery efforts in the wake of global disasters, including 9/11, the 2003 Northeast blackout, the New York City’s MTA strike in 2005, the 2011 earthquake in Japan, Super Storm Sandy in 2012, and violent protests in India in 2016.
Having worked with major financial institutions BNP Paribas and J.P. Morgan, Fucito now directs efforts in an executive role for mortgage financing leader Fannie Mae during the coronavirus pandemic.
Fucito’s sincere enthusiasm for lending a hand goes well beyond the workday. His desire to help those in need drove him to create the first Corporate Volunteer Emergency Response Team in New York City. He then funded the training of a separate community emergency response team. Additionally, he served as a leader in an intense four-month rebuild effort in New Orleans following Hurricane Katrina. As a volunteer with World Cares Center to support its mission of educating and empowering responders in underserved, at-risk communities to prevent and react to disasters, he was recently honored by the organization with its “Ready Responder” Lifetime of Leadership Award.
On July 23, Fucito will join McIntire IT Professor Chris Maurer and Everbridge Chief Security Officer Tracy Reinhold as a panelist for a webinar on “Organizational Resilience in an Uncertain World,” hosted by UVA McIntire’s Center for Business Analytics and Center for Management of Information Technology.
In advance of the online conversation, we spoke to Fucito about resiliency, learning from mistakes, and how individuals can help prepare to defend their organizations during a crisis.
There are many threats out there, but which ones pose the biggest risk for you in your role at Fannie Mae? Where is the majority of your focus?
I wish I had a crystal ball to tell me what the next crisis is going to be; however, I have to rely on history, predictive metrics, and knowing what the current threat landscape looks like today. My focus is preparing the organization to respond to cyber threats in terms of destructive malware and/or ransomware, data corruption, and third- and fourth-party failures. Today, all of the continuity/resiliency professionals are dealing with the impacts of a global pandemic, while responding to the protests across the country right in the middle of the hurricane season. So, as you can tell, there’s always lots to focus on and plan for.
What’s the biggest mistake organizations make when grappling with a potential danger to the continuity of their operations?
There are actually three. During my time in this profession, I’ve seen and heard of organizations that fail when they (1) don’t properly invest, (2) don’t get behind the program from the top of the house, and, finally, (3) don’t have an experienced professional leading the charge. Many organizations don’t learn until it’s too late. Most organizations don’t take continuity of operations seriously until they’ve experienced a direct impact resulting from a power failure, workplace violence incident, flooding from severe weather, a ransomware attack, or most recently a full-blown global pandemic.
What’s a valuable lesson that you learned after an organizational failure to plan for or defend against a crisis?
In the five organizations I worked for over the course of my career, I had two instances in which there was a failure to respond effectively that I took on the chin. I was rolling out a global crisis management framework, and one of the regional heads did not give me the time or the support to implement the framework and conduct the training necessary. The individual did not embrace the construct of what I was tasked to build to protect the employees and the business. As a result, I personally had to fly to Asia to manage an incident directly and develop a playbook in real time so the incident could be managed locally. This was during the earthquake and subsequent tsunami in Fukushima, Japan, affecting the Fukushima Daiichi Nuclear Power Plant. I failed to gain executive-level commitment months earlier despite my efforts, and they were never committed to the program. I decided to leave the firm after only 11 months on the job.
The second was when the company I was working for experienced a partial power failure affecting multiple trading floors and the CEO started making decisions without following the protocol we implemented as a business function. This caused a significant disconnect for the next morning’s activity when we activated our alternate recovery site strategy. With two sites to utilize, one site worked flawlessly, and one site struggled. I should have pushed back on the CEO to follow the protocols we developed with the leadership team. It’s important to know who’s making the calls during a crisis and what the agreed protocols are. I won’t let that happen again.
Over the course of a career in leading teams and overseeing resiliency duties, what have you noted about the people best suited for positions in assessing and combating organizational risk? Are there universal characteristics and skills you see in those who succeed in your line of work?
I’ve seen folks with all kinds of skill sets. The ones who stand out for me have been the ones who are committed to doing the right thing for the company they work for, have a tremendous amount of common sense; a great sense of self-awareness; the ability to absorb and retain information, analyze data, and to communicate extremely well up the chain, horizontally, and down through the organization. Believe it or not, it’s folks with those skills who have the biggest impacts.
Obviously, what also plays a huge role is knowing the business products and the technology that supports them, and key stakeholders to pull it all together. A combination of all of that makes for being successful in this space. I look at the continuity certifications, and that helps me to know that you have a basic understanding of the continuity lifecycle; however, unless you can articulate with passion how you’ve implemented strategies, understand the challenges of a program, and know how to get folks to “drink the Kool-Aid,” the cert doesn’t add much more if you can’t share practical and successful application of the knowledge.
In your opinion, what’s the most useful way an individual at any level can help their organization to achieve resiliency in their daily activities?
Follow the guidance of the resiliency professionals and their program in your organization. Make sure your contact information is up to date for emergency notifications, learn about your specific role in the department’s continuity plan, and participate in testing. Get familiar with your company’s workplace violence program and emergency management training for evacuations, sheltering in place, and so on. You can become a great model and steward for the program. Finally, if you see something say something.
Interested in more insights about workplace security? Register for “Organizational Resilience in an Uncertain World.”