Information systems remain the number
one mission critical priority for most businesses. David Honour
explains why this is so and looks at the key priorities in this
discipline of business continuity emerged from the primordial swamps
of computer disaster recovery. In the early days most companies
simply ensured that data was backed up regularly. Larger enterprises
normally utilised centralised mainframes which were supported through
hot, or warm site recovery centre contracts. However, although some
of the business continuity solutions remain current, the nature
and complexity of the systems that need protecting have changed
According to recent research by the Business
Continuity Institute and the Chartered Management Institute information
systems remain the number one mission critical priority for most
businesses. A survey published in March found that 79 percent of
the business continuity plans of UK organisations cover IT functions;
far in advance of any other area. Finance came second in importance
(57 percent) followed by facilities management (53 percent) , human
resources (53 percent) and security (51 percent). There are a variety
of reasons why the protection of information systems is of such
Data is the lifeblood of information systems, which, in turn, are
the lifeblood of most organisations. Yes, people are incredibly
important assets to businesses, but few firms would go out of business
due to the loss of an employee, however highly valued. Many more
companies would go out of business if they irretrievably lost critical
information. According to the National Archives & Records Administration
in Washington, 93 percent of companies that lose their data centre
for 10 days or more due to a disaster file for bankruptcy within
one year of the disaster. Even short periods of downtime can be
For many businesses globalisation has created a need for round-the-clock
operations. All-day, every day, information must always be available.
E-commerce, EDI and other data-driven trading systems also add to
this pressure. Today’s customers expect instant service and
tend to show zero tolerance of companies that fail to provide this.
of archiving and data storage
Growth in data processing has created an inevitable need for increasing
amounts of data storage, and business and regulatory pressures mean
that many organisations are archiving information for longer periods.
This results in a consistently growing data ‘mountain’
which must be managed and protected.
PLANNING FOR INFORMATION SYSTEMS
Creating a business continuity plan for a company’s information
systems can be a complex undertaking and often requires the assistance
of external expert consultants. Whether this route is chosen or
not there are some simple rules that should always be followed:
Business continuity plans for information systems should not be
developed in isolation. Such plans should be part of a wider business
continuity process that at least analyses all the major risks faced
by a company and makes an assessment of the areas that need protecting.
Information systems will undoubtedly emerge from this process as
one of the key risk areas that need the implementation of business
continuity measures, but if this process is not undertaken other
high-risk areas could easily be over-looked; with potentially devastating
future consequences for the business. There is no point having fortress-like
protection for your IT systems, if your telecoms systems are unavailable
in a disaster; or your staff have no premises to work from; or you
can’t print and mail critical invoices.
Avoid a silo mentality
When developing business continuity plans for information systems,
the temptation is to assume that the IT department is the fount
of all knowledge. It probably thinks it is; but the reality is often
very different. The IT department will be able to provide crucial
detailed technical information; but it is unlikely to understand
all the dependencies and business risks that flow from the use of
IT systems. This information must be gathered by mapping information
system usage and systematically interviewing all departments on
their critical information needs.
The risks of taking a silo approach are graphically
displayed in a recent survey conducted by the META Group. A cross
section of US business and technology executives were asked questions
about how well protected their critical business information was.
The survey found that while just 14 percent of business leaders
feel that their important business information is very vulnerable
to being lost in the event of a disaster, 52 percent of information
technology executives in the same organisations stated that their
data was, in fact, very vulnerable. Another gap emerged when respondents
were polled on their perceptions as to how long it would take to
resume normal business operations if a disaster did strike. Only
nine percent of business executives said that they would need three
days or more to resume, while 23 percent of technology executives
said that recovery operations would stretch from three days to more
than a week. If a silo approach is taken a skewed impression of
business risk often emerges. If all stakeholders are involved, a
wider picture can be seen and anomalies investigated.
Take a risk-based approach
There is no such thing as an off the peg solution to your information
system business continuity needs. Any business continuity plan must
be based upon a comprehensive risk assessment and analysis. This
starts off with the process of risk profiling, which itself consists
of three ‘sub-profiles’. First comes the threat profile.
Here an assessment of potential damaging risks is made. After this
an ‘impact profile’ is created. This takes the threat
profile and considers how much ‘pain’ would be felt
by the business should individual risk events occur. Finally, a
‘gap profile’ is created. This reflects the current
defences that are in place to protect the business against its risks
and highlights areas of weakness where additional defences will
Once a risk profile has been created the next
step is to understand how these risks inter-relate, this is termed
dependency modelling. When a risk event occurs its effects spread
throughout the business until they reach ‘barriers’
which prevent the risk effects continuing. The propagation of effects
is due to the interdependency of processes, people and systems.
The gap profile identifies weak points and the dependency model
shows how exposed the company is to particular threats. Without
this knowledge the business has no framework with which to make
quantified and informed decisions about the types of protective
measures that need to be established.
Keep abreast of technology developments
Business continuity technology is developing at a rapid pace and
the options can be extensive. This is an area where specialist advice
can be very helpful, depending on the confidence that you can place
in the knowledge of your own technicians. Traditional solutions
such as recovery centres have been joined by myriad high availability
solutions. The business continuity manager can not be expected to
have an expert knowledge of all the available solutions but he/she
should keep up to date with the general developments in the market,
so that an intelligent judgement can be made on the options presented
by the expert advisors.
Outsourcing is seen by many organisations as an effective way of
passing responsibility for non-core business functions to third
party specialists. IT related functions are often prime candidates
for outsourcing; for many companies these are non-core activities
- they are not key revenue generating areas. The mistake that some
companies make is in equating ‘non-core’ with ‘not-critical’.
In outsourcing non-core activities you may still be handing over
responsibility for mission critical activities to third parties.
Outsourcing does not absolve you from the responsibility for managing
all your mission critical risks.
The first vital element in protecting the mission
critical assets managed by your outsourcer is the contract agreed
between the two parties. The majority of outsourcing contracts will
include a business continuity clause, but it is vital that this
is not just a ‘box-ticking’ exercise. The contract must
deal with specifics, not generalities and this will not be a quick
process. As in all things relating to business continuity, you need
to go back to the risk assessment and analysis. You will be aware,
from having conducted these, of the critical risks which could impact
upon the business function that you are outsourcing. For each of
these the contract must ensure that the outsourcer is aware of the
nature of the risk and agrees to take responsibility for managing
it. The contract must also specify what mitigation steps will be
taken. Recovery time objectives (RTO) –the amount of time
by which the business process in questions needs to be operational
again following an outage - should be built into the contract, with
provisions for legal liability should the RTO not be achieved.
Outsourcing contracts tend to be long term,
therefore, over the contract period, the risk profile of the outsourced
business function is likely to change. This must be taken into account
in the contract. Periodic risk assessments need to be conducted
and the responsibility for handling these needs to be made clear.
Will the outsourcer manage these or will your company? If new risk
controls are required who will implement and pay for these? Who
will take the decision to stand-down risk control measures that
have become defunct and are no-longer needed?
At this stage in the contract writing process you may find the outsourcer
starting to lose interest in winning your business! However, this
is not the time to compromise – it is vital that your mission
critical risks are fully protected and if the outsourcer is unable
to guarantee this in the contract then you are talking to the wrong
It is also important that you are dealing with
an outsourcer that is prepared to be transparent in terms of the
business continuity provision for their own mission critical risks.
Have they a fully documented, adequately resourced and frequently
tested business continuity plan? If so, you would be wise to conduct
a comprehensive audit of this. If they decline this request for
reasons of ‘company confidentiality’ you really must
consider refusing to work with this company. Your company’s
survival is more important than another’s confidential information.
If the trust is not there to allow this vital audit, is the outsourcer
really a suitable partner to be working with?
All the above is unlikely to make you popular
with your contracts and legal departments and will probably add
additional costs to your outsourcing agreement. But to fail to address
these issues is to fail to protect your organisation.
David Honour is editor of Continuity Central.
This article was first published in Enterprise
12th December 2003 •Region: Worldwide•Type:
Article •Topic: IT
Rate this article or
make a comment - click