How should the practice of business
continuity evolve to manage the threats and opportunities faced
by organisations today and in the future? How much resilience is
enough? When talking about resilience, how do we ensure the focus
is not upon technology but upon the business itself and its key
processes? Robin Gaddum explores these questions in the following
What is business continuity management?
Business continuity has evolved over the years, taking shape under
the influence of a mixture of constituent parts including IT disaster
recovery (DR), contingency planning, crisis and emergency management
to name but a few. The Business Continuity Institute currently defines
business continuity management as:
“an holistic management process that
identifies potential impacts that threaten an organisation and provides
a framework for building resilience with the capability for an effective
response that safeguards the interests of its key stakeholders,
reputation and value creating activities.”
term business continuity management has broadened the discipline’s
scope from that of business continuity planning, which is now just
another constituent part. It talks about “building resilience”,
which moves us from the sense of reacting to recover from an event
to becoming impervious to the event but what does this mean in practice?
What is resilience?
A number of people have asked me what is meant by the term ‘resilience’?
In the context of business continuity, the term has often been used
with regard to IT and the facilities environment. A high availability
computer system offers resilience to failure, for example by mirroring
between two identical servers where a failure of one is automatically
detected allowing the remainder to take over seamlessly so that
system access continues uninterrupted. On a facilities basis, a
data centre might be protected by N+1 (one more than you actually
need) air-conditioning units, Uninterruptible Power Supplies (UPS),
standby generator sets, and so on.
There are a number of common shortfalls and
misunderstandings with this narrow view of resilience:
* Are you really adding resilience? Adding a single UPS has simply
moved the single point of power failure to this device.
* IT resilience is not a substitute for DR. In the example of a
system mirroring between two identical nodes, a creeping data corruption
could replicate itself before detection rendering the fallback ineffective.
An additional recovery layer is needed, such as a snapshot of the
* Resilience implemented poorly merely adds more points of failure.
Making resilient architectures work effectively can be complex and
prone to failure if created or operated by the inexperienced.
* Resilience without monitoring is useless, as the first failure
goes undetected until service is lost through a second failure.
* Resilience implementations are often tactical and fail to support
the business process end-to-end. So, for example, a building’s
power supply might be made resilient through supplies from two separate
substations, the provision of UPS and standby power generators making
it resilient to external power interruptions whilst the building’s
internal power distribution infrastructure remains replete with
single points of failure.
Even resolving these shortfalls and misunderstandings really is
only part of the picture when seeking to create true resilience
– we really must focus more broadly than on the technology
and the facilities. Business resilience should be our goal. IBM
has articulated its concept of business resilience as:
“The ability of an organisation’s
business operations to rapidly adapt and respond to internal or
external dynamic changes – opportunities, demands, disruptions
or threats – and continue operations with limited impact to
Business continuity has been focused upon a
defensive resilience posture, consisting of three basic building
blocks - recovery, hardening and redundancy – that are widely
recognised as vital ingredients for successful business continuity
plans. A defensive posture is useful in protecting the organisation
and its revenue streams but it does not help the bottom line. It
is an insurance or bomb-shelter mentality; a static initiative that
makes you feel more secure or protected, but rarely gets updated.
IBM has identified three further building blocks
that support an offensive resilience posture, which are focused
upon improving the organisation’s competitive position –
accessibility, diversification and autonomic computing.
In practice, these building blocks can be used
all together or in various combinations depending upon need. For
example, diversifying operations might allow hardening to be limited
other than at sites where critical applications and data reside.
The resiliency building blocks are illustrated diagrammatically
A term here that might require some further explanation is autonomic
computing. Autonomic computing implies the inclusion of self-managing
hardware and software components in the infrastructure. A number
of products exist today but as the field develops, resilient infrastructures
will contain more autonomic components with self-configuring, self-healing,
self protecting and self-optimising capabilities. Autonomic computing
clearly has the added benefit of lowering total cost of ownership.
A layered approach
Business resilience must encompass business as well as IT operations.
It can be thought of as spanning six discrete layers: strategy,
organisation, processes, data / applications, technology and facilities
/ security. The model itself is scaleable and can be applied to
an enterprise, to an individual location, a key business process
or IT system. Clearly, a number of lower level considerations are
embedded in each layer. For example, the facilities / security layer
should consider various aspects of physical and logical security,
power protection and environmental considerations. The resiliency
layers are illustrated below:
What does business resilience consist of? IBM believes that a mixture
of continuity, availability, security, recovery and scalability
spanning and supporting the six discrete layers outlined above combine
to deliver business resilience.
As an example, let us define the scope as a
particular location and consider just the security component. To
deliver security there must be a security strategy, organisation,
processes, perhaps some data / applications (CCTV, physical access
control, system logon id), associated hardware and software technology
and the facilities elements themselves (perimeter fences, cameras,
alarm sensors, barriers). These can be configured to support business
resilience, most typically (but not exclusively) through hardening.
Clearly, security requires a holistic approach if it is to be successful
– one that actively involves people and their behaviours rather
than relying upon technology alone.
IBM’s concept of business resilience is about:
* Protecting the enterprise
* Mitigating business and technology risks
* Assuring continuity of business operations
* Decreasing effort associated with resilience-related programs
* Enabling seamless and continuous business transactions and IT
* Enabling the enterprise to adapt and respond to exploit market
/ business opportunities
By focussing on business resilience, business
continuity practitioners can make a further positive contribution
to their organisations in two key ways:
(i) Enhancing organisational effectiveness
through improved availability across all six layers
(ii) Enabling the organisation to better exploit new opportunities
The focus of business continuity is changing
to become ever more concerned with prevention / avoidance of interruptions
and business resilience supports this trend. In the tradition of
business continuity, business resilience moves what was traditionally
an IT-centric concept of resilience into a holistic business concept.
Finally, and perhaps most importantly, it moves business continuity
practitioners into the arena of handling upside risk, or opportunities.
Perhaps it will transform business continuity from an overhead activity,
perceived as existing to highlight the negative aspects of any new
venture, into the mainstream by facilitating the realisation of
new revenue streams as well as protecting those already in existence.
About the author
Robin Gaddum is a senior consultant with IBM Global Services in
the UK and responsible for leading the UK consulting team for IBM’s
Business Continuity and Recovery Services. He can be reached at
IBM Business Continuity and Recovery
IBM Business Continuity and Recovery Services (IBM) is a leading
provider of business resilience, continuity and disaster recovery
solutions. IBM is able to draw upon more than 35 years experience
in assisting clients to develop and implement their business continuity
strategies and plans. As part of this service, IBM has completed
thousands of engagements, large and small, on behalf of over 5,000
clients across a range of industries around the world.
Besides its expertise in business continuity and emergency management,
IBM has skills in security, high availability solutions, systems
and data management, network design and implementation, machine
room building and desktop infrastructure as well as platform and
© Copyright IBM Corporation, 2004
16th April 2004 •Region: UK/World •Type:
Article •Topic: BC
Rate this article or
make a comment - click