Resiliency is no longer optional
We've reached a juncture where resiliency is more critical than ever
Published 14:00, 20 September 12
- There is less tolerance for downtime — of any kind. BC/DR historically focused on events such as natural disasters, extreme weather, major IT failures, critical infrastructure failures, pandemics/epidemics, and other events that have a low probability of occurring but a very high impact on the business. However, in today’s world of global, 24x7x365 operations and intense competition, downtime is unacceptable, regardless of whether the cause is a natural disaster, a simple hard drive failure, or a security breach. The business doesn’t care what caused the downtime; it wants service restored as quickly as possible with as little data loss as possible, regardless of which groups are responsible for the execution.
- More business processes are technology dependent. For years, businesses made every effort possible to move BC management out of IT because, for too long, most BC programs were about business continuity in name only. In reality, they were IT DR programs. However, most businesses have overcompensated to the point where there is minimal integration between BC and IT DR groups. Given that the majority of business processes are technology enabled, or in many cases, technology dependent, this is untenable. In fact, many processes are so technology dependent that there are no longer manual procedures to fall back on in the event IT services are unavailable.
- The perceived and actual risks are increasing. According to a joint Forrester and Disaster Recovery Journal survey, 82 percent of BC decision-makers and influencers feel that their organisation’s risk level is increasing. The top risks are increases in: 1) reliance on technology; 2) business complexity; 3) the frequency and intensity of natural disasters; and 4) reliance on third parties. These perceptions are not misguided: in the past five years, more than 60 percent of companies invoked BC plans at least once, and more than one-quarter invoked these plans three or more times.
- Discover: Establish the value of business technology resiliency and assess capabilities. Building the business case for resiliency spending is difficult because it is challenging to demonstrate immediate value or contributions to the bottom line. You have to understand and calculate the cost of downtime, as well as understand the probability of occurrence for certain risks. Once you have quantified the cost of downtime and analysed the risks, you can determine your organisation’s uptime requirements and build the business case for investment.
- Plan: Create a strategy to manage business technology resiliency as an ongoing program. Once you understand the business’ continuity requirements and you’ve identified the gaps in your capabilities, you can start to formulate a strategy that outlines the mission, scope, goals, and objectives of your business technology resiliency program. Part of your strategy will include a five-year road map for capital investment in business technology resiliency technologies, services, and staffing to close the gap between your current state and future requirements. You can also assess your current capabilities against those requirements and identify gaps in your strategy.
- Act: Hire staff, develop governance policies, and implement technologies and services. Determining the appropriate mix of process and technology skills to support your business technology resiliency program and recruiting talent will not be easy. You need staff who understand how to conduct a business impact assessment and risk assessment, write and maintain BC/DR plans, create test scenarios, and exercise objectives. To make your business technology resiliency strategy a reality, you will need to identify and influence stakeholders on both the business and IT side, from executives, LOB owners, facilities, and other operational risk owners to enterprise architects, app developers, and security professionals. To make your business technology resiliency program successful in the long term, you’ll need a strong central governing function that can enforce policies and best practices across geographically diverse business units and strategic partners. And you also need staff who understand how to architect high availability solutions using the latest technology and services.
- Optimise: Measure, monitor, and market business technology resiliency results. Business technology resiliency is an ongoing program, not a one-time planning event. You’ll have to measure and monitor its effectiveness, as well as report value to the organisation. With an effective metrics program, I&O leaders will be better prepared to demonstrate business value, develop a proactive culture, and align priorities and performance incentives with business strategy. You’ll also be in a better position to understand how your program compares with that of your peers. A strong metrics and reporting program is also a powerful marketing and communications tool that can help you establish and promote a culture of resiliency through the marketing of your successes, as well as through ongoing training and awareness. This is critical not just for response teams, but also for the entire organisation.