Monthly newsletter Weekly news roundup Breaking news notification    

the rise and rise of IT continuity

Information systems remain the number one mission critical priority for most businesses. David Honour explains why this is so and looks at the key priorities in this area.

Take part in our surveyThe discipline of business continuity emerged from the primordial swamps of computer disaster recovery. In the early days most companies simply ensured that data was backed up regularly. Larger enterprises normally utilised centralised mainframes which were supported through hot, or warm site recovery centre contracts. However, although some of the business continuity solutions remain current, the nature and complexity of the systems that need protecting have changed vastly.

According to recent research by the Business Continuity Institute and the Chartered Management Institute information systems remain the number one mission critical priority for most businesses. A survey published in March found that 79 percent of the business continuity plans of UK organisations cover IT functions; far in advance of any other area. Finance came second in importance (57 percent) followed by facilities management (53 percent) , human resources (53 percent) and security (51 percent). There are a variety of reasons why the protection of information systems is of such vital importance:

The importance of data
Data is the lifeblood of information systems, which, in turn, are the lifeblood of most organisations. Yes, people are incredibly important assets to businesses, but few firms would go out of business due to the loss of an employee, however highly valued. Many more companies would go out of business if they irretrievably lost critical information. According to the National Archives & Records Administration in Washington, 93 percent of companies that lose their data centre for 10 days or more due to a disaster file for bankruptcy within one year of the disaster. Even short periods of downtime can be very costly.

The importance of availability
For many businesses globalisation has created a need for round-the-clock operations. All-day, every day, information must always be available. E-commerce, EDI and other data-driven trading systems also add to this pressure. Today’s customers expect instant service and tend to show zero tolerance of companies that fail to provide this.

The importance of archiving and data storage
Growth in data processing has created an inevitable need for increasing amounts of data storage, and business and regulatory pressures mean that many organisations are archiving information for longer periods. This results in a consistently growing data ‘mountain’ which must be managed and protected.

Creating a business continuity plan for a company’s information systems can be a complex undertaking and often requires the assistance of external expert consultants. Whether this route is chosen or not there are some simple rules that should always be followed:

Be holistic
Business continuity plans for information systems should not be developed in isolation. Such plans should be part of a wider business continuity process that at least analyses all the major risks faced by a company and makes an assessment of the areas that need protecting. Information systems will undoubtedly emerge from this process as one of the key risk areas that need the implementation of business continuity measures, but if this process is not undertaken other high-risk areas could easily be over-looked; with potentially devastating future consequences for the business. There is no point having fortress-like protection for your IT systems, if your telecoms systems are unavailable in a disaster; or your staff have no premises to work from; or you can’t print and mail critical invoices.

Avoid a silo mentality
When developing business continuity plans for information systems, the temptation is to assume that the IT department is the fount of all knowledge. It probably thinks it is; but the reality is often very different. The IT department will be able to provide crucial detailed technical information; but it is unlikely to understand all the dependencies and business risks that flow from the use of IT systems. This information must be gathered by mapping information system usage and systematically interviewing all departments on their critical information needs.

The risks of taking a silo approach are graphically displayed in a recent survey conducted by the META Group. A cross section of US business and technology executives were asked questions about how well protected their critical business information was. The survey found that while just 14 percent of business leaders feel that their important business information is very vulnerable to being lost in the event of a disaster, 52 percent of information technology executives in the same organisations stated that their data was, in fact, very vulnerable. Another gap emerged when respondents were polled on their perceptions as to how long it would take to resume normal business operations if a disaster did strike. Only nine percent of business executives said that they would need three days or more to resume, while 23 percent of technology executives said that recovery operations would stretch from three days to more than a week. If a silo approach is taken a skewed impression of business risk often emerges. If all stakeholders are involved, a wider picture can be seen and anomalies investigated.

Take a risk-based approach
There is no such thing as an off the peg solution to your information system business continuity needs. Any business continuity plan must be based upon a comprehensive risk assessment and analysis. This starts off with the process of risk profiling, which itself consists of three ‘sub-profiles’. First comes the threat profile. Here an assessment of potential damaging risks is made. After this an ‘impact profile’ is created. This takes the threat profile and considers how much ‘pain’ would be felt by the business should individual risk events occur. Finally, a ‘gap profile’ is created. This reflects the current defences that are in place to protect the business against its risks and highlights areas of weakness where additional defences will be necessary.

Once a risk profile has been created the next step is to understand how these risks inter-relate, this is termed dependency modelling. When a risk event occurs its effects spread throughout the business until they reach ‘barriers’ which prevent the risk effects continuing. The propagation of effects is due to the interdependency of processes, people and systems.
The gap profile identifies weak points and the dependency model shows how exposed the company is to particular threats. Without this knowledge the business has no framework with which to make quantified and informed decisions about the types of protective measures that need to be established.

Keep abreast of technology developments
Business continuity technology is developing at a rapid pace and the options can be extensive. This is an area where specialist advice can be very helpful, depending on the confidence that you can place in the knowledge of your own technicians. Traditional solutions such as recovery centres have been joined by myriad high availability solutions. The business continuity manager can not be expected to have an expert knowledge of all the available solutions but he/she should keep up to date with the general developments in the market, so that an intelligent judgement can be made on the options presented by the expert advisors.

Outsourcing considerations
Outsourcing is seen by many organisations as an effective way of passing responsibility for non-core business functions to third party specialists. IT related functions are often prime candidates for outsourcing; for many companies these are non-core activities - they are not key revenue generating areas. The mistake that some companies make is in equating ‘non-core’ with ‘not-critical’. In outsourcing non-core activities you may still be handing over responsibility for mission critical activities to third parties. Outsourcing does not absolve you from the responsibility for managing all your mission critical risks.

The first vital element in protecting the mission critical assets managed by your outsourcer is the contract agreed between the two parties. The majority of outsourcing contracts will include a business continuity clause, but it is vital that this is not just a ‘box-ticking’ exercise. The contract must deal with specifics, not generalities and this will not be a quick process. As in all things relating to business continuity, you need to go back to the risk assessment and analysis. You will be aware, from having conducted these, of the critical risks which could impact upon the business function that you are outsourcing. For each of these the contract must ensure that the outsourcer is aware of the nature of the risk and agrees to take responsibility for managing it. The contract must also specify what mitigation steps will be taken. Recovery time objectives (RTO) –the amount of time by which the business process in questions needs to be operational again following an outage - should be built into the contract, with provisions for legal liability should the RTO not be achieved.

Outsourcing contracts tend to be long term, therefore, over the contract period, the risk profile of the outsourced business function is likely to change. This must be taken into account in the contract. Periodic risk assessments need to be conducted and the responsibility for handling these needs to be made clear. Will the outsourcer manage these or will your company? If new risk controls are required who will implement and pay for these? Who will take the decision to stand-down risk control measures that have become defunct and are no-longer needed?
At this stage in the contract writing process you may find the outsourcer starting to lose interest in winning your business! However, this is not the time to compromise – it is vital that your mission critical risks are fully protected and if the outsourcer is unable to guarantee this in the contract then you are talking to the wrong company.

It is also important that you are dealing with an outsourcer that is prepared to be transparent in terms of the business continuity provision for their own mission critical risks. Have they a fully documented, adequately resourced and frequently tested business continuity plan? If so, you would be wise to conduct a comprehensive audit of this. If they decline this request for reasons of ‘company confidentiality’ you really must consider refusing to work with this company. Your company’s survival is more important than another’s confidential information. If the trust is not there to allow this vital audit, is the outsourcer really a suitable partner to be working with?

All the above is unlikely to make you popular with your contracts and legal departments and will probably add additional costs to your outsourcing agreement. But to fail to address these issues is to fail to protect your organisation.

David Honour is editor of Continuity Central. This article was first published in Enterprise Risk magazine

Date: 12th December 2003 •Region: Worldwide•Type: Article •Topic: IT continuity
Rate this article or make a comment - click here

Copyright 2005 Portal Publishing LtdPrivacy policyContact usSite mapNavigation help