Monthly newsletter Weekly news roundup Breaking news notification    

Business resilience – the next step forward for business continuity

How should the practice of business continuity evolve to manage the threats and opportunities faced by organisations today and in the future? How much resilience is enough? When talking about resilience, how do we ensure the focus is not upon technology but upon the business itself and its key processes? Robin Gaddum explores these questions in the following article.

What is business continuity management?
Business continuity has evolved over the years, taking shape under the influence of a mixture of constituent parts including IT disaster recovery (DR), contingency planning, crisis and emergency management to name but a few. The Business Continuity Institute currently defines business continuity management as:

“an holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation and value creating activities.”

Get free weekly news by e-mailThe term business continuity management has broadened the discipline’s scope from that of business continuity planning, which is now just another constituent part. It talks about “building resilience”, which moves us from the sense of reacting to recover from an event to becoming impervious to the event but what does this mean in practice?

What is resilience?
A number of people have asked me what is meant by the term ‘resilience’? In the context of business continuity, the term has often been used with regard to IT and the facilities environment. A high availability computer system offers resilience to failure, for example by mirroring between two identical servers where a failure of one is automatically detected allowing the remainder to take over seamlessly so that system access continues uninterrupted. On a facilities basis, a data centre might be protected by N+1 (one more than you actually need) air-conditioning units, Uninterruptible Power Supplies (UPS), standby generator sets, and so on.

There are a number of common shortfalls and misunderstandings with this narrow view of resilience:
* Are you really adding resilience? Adding a single UPS has simply moved the single point of power failure to this device.
* IT resilience is not a substitute for DR. In the example of a system mirroring between two identical nodes, a creeping data corruption could replicate itself before detection rendering the fallback ineffective. An additional recovery layer is needed, such as a snapshot of the database.
* Resilience implemented poorly merely adds more points of failure. Making resilient architectures work effectively can be complex and prone to failure if created or operated by the inexperienced.
* Resilience without monitoring is useless, as the first failure goes undetected until service is lost through a second failure.
* Resilience implementations are often tactical and fail to support the business process end-to-end. So, for example, a building’s power supply might be made resilient through supplies from two separate substations, the provision of UPS and standby power generators making it resilient to external power interruptions whilst the building’s internal power distribution infrastructure remains replete with single points of failure.

Business resilience
Even resolving these shortfalls and misunderstandings really is only part of the picture when seeking to create true resilience – we really must focus more broadly than on the technology and the facilities. Business resilience should be our goal. IBM has articulated its concept of business resilience as:

“The ability of an organisation’s business operations to rapidly adapt and respond to internal or external dynamic changes – opportunities, demands, disruptions or threats – and continue operations with limited impact to the business.”

Business continuity has been focused upon a defensive resilience posture, consisting of three basic building blocks - recovery, hardening and redundancy – that are widely recognised as vital ingredients for successful business continuity plans. A defensive posture is useful in protecting the organisation and its revenue streams but it does not help the bottom line. It is an insurance or bomb-shelter mentality; a static initiative that makes you feel more secure or protected, but rarely gets updated.

IBM has identified three further building blocks that support an offensive resilience posture, which are focused upon improving the organisation’s competitive position – accessibility, diversification and autonomic computing.

In practice, these building blocks can be used all together or in various combinations depending upon need. For example, diversifying operations might allow hardening to be limited other than at sites where critical applications and data reside. The resiliency building blocks are illustrated diagrammatically below.

A term here that might require some further explanation is autonomic computing. Autonomic computing implies the inclusion of self-managing hardware and software components in the infrastructure. A number of products exist today but as the field develops, resilient infrastructures will contain more autonomic components with self-configuring, self-healing, self protecting and self-optimising capabilities. Autonomic computing clearly has the added benefit of lowering total cost of ownership.

A layered approach
Business resilience must encompass business as well as IT operations. It can be thought of as spanning six discrete layers: strategy, organisation, processes, data / applications, technology and facilities / security. The model itself is scaleable and can be applied to an enterprise, to an individual location, a key business process or IT system. Clearly, a number of lower level considerations are embedded in each layer. For example, the facilities / security layer should consider various aspects of physical and logical security, power protection and environmental considerations. The resiliency layers are illustrated below:

What does business resilience consist of? IBM believes that a mixture of continuity, availability, security, recovery and scalability spanning and supporting the six discrete layers outlined above combine to deliver business resilience.

As an example, let us define the scope as a particular location and consider just the security component. To deliver security there must be a security strategy, organisation, processes, perhaps some data / applications (CCTV, physical access control, system logon id), associated hardware and software technology and the facilities elements themselves (perimeter fences, cameras, alarm sensors, barriers). These can be configured to support business resilience, most typically (but not exclusively) through hardening. Clearly, security requires a holistic approach if it is to be successful – one that actively involves people and their behaviours rather than relying upon technology alone.

IBM’s concept of business resilience is about:
* Protecting the enterprise
* Mitigating business and technology risks
* Assuring continuity of business operations
* Decreasing effort associated with resilience-related programs
* Enabling seamless and continuous business transactions and IT applications
* Enabling the enterprise to adapt and respond to exploit market / business opportunities

By focussing on business resilience, business continuity practitioners can make a further positive contribution to their organisations in two key ways:

(i) Enhancing organisational effectiveness through improved availability across all six layers
(ii) Enabling the organisation to better exploit new opportunities

The focus of business continuity is changing to become ever more concerned with prevention / avoidance of interruptions and business resilience supports this trend. In the tradition of business continuity, business resilience moves what was traditionally an IT-centric concept of resilience into a holistic business concept. Finally, and perhaps most importantly, it moves business continuity practitioners into the arena of handling upside risk, or opportunities. Perhaps it will transform business continuity from an overhead activity, perceived as existing to highlight the negative aspects of any new venture, into the mainstream by facilitating the realisation of new revenue streams as well as protecting those already in existence.

About the author
Robin Gaddum is a senior consultant with IBM Global Services in the UK and responsible for leading the UK consulting team for IBM’s Business Continuity and Recovery Services. He can be reached at

IBM Business Continuity and Recovery Services
IBM Business Continuity and Recovery Services (IBM) is a leading provider of business resilience, continuity and disaster recovery solutions. IBM is able to draw upon more than 35 years experience in assisting clients to develop and implement their business continuity strategies and plans. As part of this service, IBM has completed thousands of engagements, large and small, on behalf of over 5,000 clients across a range of industries around the world.
Besides its expertise in business continuity and emergency management, IBM has skills in security, high availability solutions, systems and data management, network design and implementation, machine room building and desktop infrastructure as well as platform and application knowledge.


© Copyright IBM Corporation, 2004

Date: 16th April 2004 •Region: UK/World •Type: Article •Topic: BC general
Rate this article or make a comment - click here

Copyright 2005 Portal Publishing LtdPrivacy policyContact usSite mapNavigation help