Please note that this is a page from a previous version of Continuity Central and is no longer being updated.

To see the latest business continuity news, jobs and information click here.

Business continuity information

Bridging the business continuity and IT disaster recovery gap

By Jacque Rupert.

One of the most common question questions asked by business continuity managers is “How can my organization increase coordination between different groups performing preparedness activities, specifically ‘the business’ and IT?”

In my consulting activities I have seen many organizations’ business and IT teams struggle to come to an agreement on common requirements, such as application recovery time objectives (RTOs) and data loss tolerances (RPOs). The business tends to complain that IT does not listen to their recovery requirements, while IT tends to complain that the business is far too aggressive and unrealistic on recovery requirements.

This article seeks to address these issues, providing five tips to bridge the business – IT gap.

Tip #1: Create a cross-functional governance structure
The first step toward bridging the gap and creating an effective business continuity management system (BCMS) is to establish a cross-functional top management team responsible for setting up, overseeing, and approving the performance of the BCMS. In order to facilitate effective decision making, this top management team should comprise individuals who direct and control the organization at the highest levels of both IT and the business.

This team should work together to ensure BCMS alignment with the organization’s strategic direction and risk appetite (see Tip #2), identify the BCMS’ objectives and scope (see Tip #3), and make decisions regarding readiness capability versus investment (see Tip #4). Overall, this team is responsible for conducting recurring management reviews in order to hold the business and IT accountable for meeting the BCMS’ objectives and tightly coordinating recovery objectives, strategies, plans, and exercises.

Tip #2: Understand the organization’s risk appetite
Following the establishment of a top management advisory group, the business continuity team should work to understand the organization’s risk appetite. Utilizing a clear, documented, and management-endorsed risk appetite helps align business continuity and IT disaster recovery strategies with organizational strategy and other risk management efforts, enabling better integration into broader risk management. Further, when done correctly, risk appetite becomes a major input to (and it may overlap significantly with) the BCMS’ scope and objectives. Overall, risk appetite provides a common method of assessing criticality and determining which risks require mitigation for both the business and IT.

Tip #3: Establish a program-level scope statement
After the organization establishes a top management advisory team and understands the organization’s risk appetite, the top management team should work together to identify the scope of the BCMS. Often defined in terms of products and services, the BCMS scope statement ensures that the BCMS plans for and protects the most critical outputs of the organization.

After developing the BCMS scope statement, the top management team should work together to establish minimum levels of products and services (often referred to as ‘downtime tolerances’) that is acceptable to the organization (in accordance to its risk appetite). The identification of downtime tolerances drives the assignment of recovery objectives for business activities and associated resources (including technologies). Utilizing management-approved scope statement and downtime tolerances results as an input to determining recovery objectives not only ensures a level of impartiality, but also alignment to organizational strategy and management’s risk appetite.

Tip #4: Establish requirements and implement capabilities
The business impact analysis (BIA) effort should be scoped using the BCMS scope statement, and recovery objectives for business activities and technologies should be assigned based on downtime tolerances established by the top management team. Using downtime tolerances as an input to assigning recovery objectives ensures that they are aligned with the organization’s risk appetite.

Following the approval of the BIA by the top management team, the IT team should perform an interdependency analysis (sometimes referred to as an application impact analysis, or AIA) and apply the business’ requested recovery objectives to upstream and downstream dependencies. In the event that the IT team disagrees with the recovery objective requested by the business, the discrepancy should be escalated to and evaluated by a cross-functional business/IT team, and then endorsed by the top management team as required.

Once the top management team approves all recovery objectives, the business and IT should work to identify strategy options that meet recovery objectives. This may include the business and IT working together to identify manual workarounds as a means of relaxing aggressive, cost-prohibitive recovery objectives. Where multiple strategy options exist, the business and IT should present options to management for selection and investment approval. Utilizing the top management team to review, amend, and approve recovery objectives ensures the transparency and alignment of business and IT requirements and capabilities.

Tip #5: Perform integrated testing/exercising
Following strategy implementation, consider creating an integrated exercise/testing program in which the business and IT work together to validate each other’s recovery capabilities. Coordinated exercising/testing may involve the business testing and evaluating applications following an IT disaster recovery (data center) test. Or, vice versa, coordinated exercising/testing may involve IT participating in a business continuity tabletop test or IT working with the business to perform an alternate workspace/relocation drill. Performing integrated exercises/tests allows the business and IT to work together to validate strategies and ensure they are meeting top management’s objectives.

Jacque Rupert is a managing consultant with Avalution Consulting: Business Continuity Consulting.

•Date: 31st May 2013 • US/World •Type: Article • Topic: BC general

Business Continuity Newsletter Sign up for Continuity Briefing, our weekly roundup of business continuity news. For news as it happens, subscribe to Continuity Central on Twitter.

How to advertise How to advertise on Continuity Central.

To submit news stories to Continuity Central, e-mail the editor.

Want an RSS newsfeed for your website? Click here