Steve Beck, MBCI, Business Continuity & Information Security Consultant Hitachi Data Systems Ltd.
Introduction
In today’s highly complex and competitive global marketplace, businesses are looking to become more resilient and more agile. Resilience is the ability to keep mission critical activities (MCA) going, and agility is the capability to respond quickly when addressing a change in business requirements or direction. Business resilience strategies derived from the best practices of business continuity management (BCM) and following the guidelines set by the Business Continuity Institute (BCI) and BS25999 will certainly position the business well. However, the resilient infrastructures needed within the IT departments must also address the requirements of agility and demonstrate values that are aligned to the business units and their respective needs.
How can we deliver business resilience and agility capable infrastructures? How, at the same time, can we demonstrate to the business a closer management of service levels, costs and risk exposures? To answer the first of these two questions we will need to look a little closer at what, exactly, is stopping business mission critical activities today. To answer the second question we need to take a look at the flexible infrastructure options that are available and that offer to keep the MCAs ‘active’, with the additional ‘upside’ of delivering cost savings, improved service levels and better risk mitigation and management.
A robust business continuity strategy supported by a business aligned, supportive IT infrastructure, provides the foundation for agility and positions the business well to compete through an added capability of flexibility, resilience, performance, reduced risk exposure and costs.
The festering problem of aligning IT to the business need
A recent survey of 140 senior level information officers at corporations in a range of industries conducted by The Stevens Institute of Technology in 2006 elaborates on the following findings and insights:
• IT and business alignment remain the very top concern of IT executives.
• The lack of alignment between IT and the overall business remains a festering problem, and business unit integration of IT is still far off.
• Improvement in business process management should have been among the top-two areas of improvement and development between 2005 and 2006, but it wasn’t.
• The past year witnessed an increase in chief information officers’ reporting to CFOs.
• Chief information officer tenure shortened marginally - to an average of 18 months.
• Few companies (16 percent) have a ‘federated’ IT function – one that’s in part centralized and in part embedded in the business units. In an ideal company, the IT function is federated.
CIOs would like to know how they can get to grips with the complexity, cost, service availability and management of their environments. The difficulty they face in this new ‘agile’ world is that the business will continue to evolve, and so will the requirements of the IT applications that support the business units’ changing mission critical activities. This evolution will continue throughout an IT application’s lifecycle: what needs high performance, high availability or high protection today may not need it tomorrow, and vice versa. This is impossible to predict or anticipate, and it poses its own set of problems for the business continuity managers and supportive team members.
IT applications are king, but data is the true power
The reliance on supportive IT systems and processes has now made IT indispensable, a key component to the success of the business. Applications are the critical driver of business processes and decision making, impacting organisational growth, risk exposure, and profitability. Applications have supportive data structures that have unique performance, access, protection, and retention requirements. Not all business processes have the same value to the business, and any supportive IT is classified in the same way. The business impact analysis (BIA) will determine the value of the mission critical activities, the value of any supporting applications, and any other interdependencies that should carry the same value rating. Application interdependency includes the supportive data, because without it you have very little application activity. In the sober light of day, the real Achilles heel of the MCAs is data availability. Data is the power behind the application and is at the heart of the business; data, and the way it is used and managed, is the key to business success.
Data availability and the mission critical activities
The importance of applications cannot be emphasised enough, but what often gets overlooked is the fact that an application needs data to be able to deliver to the business, and it is the availability and performance of that data that will determine application service level capabilities. In a global, competitive marketplace the need to keep primary supportive IT systems running is now becoming the highest objective of business continuity strategies. The safety net of the disaster recovery capability is still required. However, by employing the best practices of business continuity management and being very selective about which mission critical activities are protected and how, the savings made here can be invested where they are needed: in more resilient, agile primary infrastructures and IT systems.
The great majority of MCA downtime can be directly attributed to ‘planned’ IT stoppages. These stoppages are to effect application and data maintenance (housekeeping), data backups and any mix of upgrade activities, and it is here that ‘continuous business’ objectives are not being met. A great majority of ‘unplanned’ downtime is due to operator/user error and application failure. In these instances the manipulation of data or data space for applications is a major culprit, with ‘errors’ introduced during housekeeping causing the ‘planned’ downtime window to be extended into ‘unplanned’ time. The connection between primary business continuity management objectives and effective data management is becoming stronger day by day.
The recognised power and value of data to the business has resulted in explosive growth, together with a requirement for longer periods of retention. This has led to increased pressure upon the IT departments to manage this growth with less budget and fewer resources, all at a time when the current general status of the environment reflects poor utilisation, availability and capacity controls.
Here are some typical industry figures on data utilisation, availability and planning:
• 51% of open system data is UNNECESSARY
• 22% of data is DUPLICATE
• 68% of data has NOT BEEN ACCESSED for 90 days or more
• 47% of open systems capacity is available, but IN THE WRONG PLACE
• 55% of unplanned server outages occur from OUT-OF-CONTROL disk space consumption
• Up to 70% of allocated storage is left UNUTILISED
• Unstructured data is growing at 10X the rate of structured data.
• Unstructured data represents about 80% of a company’s total data
Sources: Strategic Research Corporation, and SNIA ‘The Data Tsunami’.
Business data is growing at an extraordinary rate and this is leading to a paradoxical situation: the more data a business has, the better it is positioned to compete; however, the more data it has, the more it has to manage, and this can lead to increased business vulnerabilities and risk exposures.
Growing data and storage volumes are causing major problems for many UK companies, with some recording a 200 percent increase in the amount of data their organisation now holds, according to the latest survey on business continuity and IT infrastructure issues (PMP Research).
There are growing demands imposed by various ‘compliance’ drivers that are compelling businesses to keep more of their data ‘online’ or instantly accessible. These demands can also mean that any archived data must be retrievable within a specified timeframe, which adds further grist to the business continuity ‘problem mill’.
Understanding the relationship between data and mission critical activity downtime emphasises these exposures to the objectives of business continuity, and a BCM strategy has to take this into account to be truly effective. So, what strategy can be employed to get to grips with this ‘data tsunami’ threat and at the same time deliver the additional business values of service level improvement, reduced costs and better risk mitigation and management?
Optimisation is key
Delivering the optimum resilience strategy to the business should be the aim of business continuity management. However, this strategy can be weakened by a supportive IT infrastructure that is not optimised and aligned to the framework of that strategy; this misalignment will lead to inflexibilities and higher costs. It may be that the envisaged costs of IT will be considered unacceptable and compel the business to accept more risk exposure.
Optimisation for the business continuity manager is the balancing of risk exposure against the costs of mitigating and managing those risks. Optimisation of supportive IT infrastructures, and this includes data storage, should ensure that this balance is delivered to the business units and maintained as business needs change over time. Optimisation is achieved by introducing greater flexibility, and this flexibility is delivered through increased granularity of functional choice.
Business continuity should address the need of an MCA (or groups of MCAs) to remain functioning in the first instance, and then deliver a recovery capability should it (or they) fail. The elements of supportive IT, protection and recovery mechanisms should therefore be aligned to the MCA values discovered through the BIA. The BIA classifies the importance of the process and application together with any interdependencies that will require the same ‘impact assessment’ rating.
IT budgets should be targeted in a business aligned way and based upon the findings of the BIA. When delivery is based on an optimised alignment with the business needs, the value of IT to the business can always be demonstrated. This optimisation ‘dovetails’ directly into the objectives of the business continuity manager to ensure a business continuity capability from the very front of the business right back to its heart, its data.
Managing the data tsunami - application optimised storage solutions
All IT functions should be optimised to meet the specific requirements of the mission critical activities; it is in this way that costs can be controlled and IT integration with the business demonstrated. The data infrastructures that support the MCAs should likewise be optimised to meet the specific needs of the MCA, and any data protection mechanisms chosen have to reflect the value of the data, which is highlighted through its recovery point objective (RPO) and its recovery time objective (RTO).
Physical data infrastructures should be based on the granularity of tiering and this tiering is delivered through a collection of the storage hardware capabilities of performance, availability and cost.
Tiering is the framework for the data delivery to specific MCA requirements. Overlaying this is the management capability to provide proactive views of performance so that SLAs are not threatened, and also to deliver additional QoS function and any chargeback reporting to business units. This management has to simplify complex structures by being able to manage disparate hardware platforms, and it also has to deliver the tools to dynamically move data across the physical tiers as the value of the data changes. It is vitally important that this movement and management of data is non-disruptive to the applications and the mission critical activities.
The data protection technologies can range from simple backup to tape for the bulk of lower value data all the way up to synchronous ‘real time’ copies for ultra high value data. All too often we see all data, irrespective of its value, being protected in the same fashion, in a way that exposes the business either to risk or to excessive costs. If the value to the business dictates a non-stop MCA then, with today’s technologies, the MCA does not have to be stopped to effect a data backup.
How to manage the ‘data tsunami’ should be a high priority for business continuity managers and IT managers alike. Together, and through the best practices model of the BCI, they can deliver true integration of IT functionality with the business and at the same time increase resilience, agility and cost savings.
The majority of businesses today still face the problems of getting their IT departments to show tangible business benefits through visible alignment of their expenditures and function to the needs of the business. Businesses are also increasingly tasked with requirements to demonstrate resilience through business continuity management best practices and to move to a more agile operational capability. Data infrastructures and data management play a major part in each of these business requirements. By extending the BCM disciplines down into the IT departments, the supportive IT aspects of business continuity can be aligned to the business values of the mission critical activities, a clear and tangible IT alignment to the business can be demonstrated, and competitive edge can be gained through the creation of an agile infrastructure.
Steve Beck, MBCI, will be talking on the ‘data tsunami’ at the BCM Challenges for 2007 conference organised by Automata Global Business Continuity Services. The conference will be held at Beaumont House, Old Windsor on 29 and 30 January 2007. As well as Steve Beck, the event will feature many other expert speakers and a debate and question time. In addition there will be breakout sessions for newcomers to business continuity management. See details at http://www.automataservices.com/conference.htm

•Date: 12th Jan 2007• Region: UK/World •Type: Article •Topic: IT continuity