It was the end of fall, and I woke up at 4:30 a.m. to catch a flight from Norfolk, Va., back to Denver, Colo. My wife dropped me at the airport sharply at 5 a.m. before heading off to her routine call as a resident at Eastern Virginia Medical School. Passing through security I showed up at my gate close to the boarding time for the 6 a.m. flight, only to realize the flight was over sold and was being delayed by 30 minutes. The United agent at the counter made an offer to volunteers who were flexible with their schedule and willing to take a later flight – a full refund of the purchase price and an additional free round trip ticket to use anywhere in the U.S.
Before I tell the story any further, let me tell you my personal situation. I live and work in Colorado and my wife, who just started her residency, as you may have guessed lives in Virginia. We try to meet as frequently as our work schedules and budget permits. For a frequent flyer like me this offer from the agent was just God sent, but there was something I had to take care of that morning at work and could not afford to be late to work. My connection was through Chicago and on the very next gate there was an earlier United flight leaving to Dulles, which was half empty.
Suddenly this thought came to my mind: What if there is a connection from Dulles that can take me to Denver on my schedule?
If that is the case, I could still take the offer. I want you to hold on to that thought for a bit and think how different our reactions would be today as compared to say two years ago.
Let me tell you my version of it. Two years ago, I would have had to take the risk and approach the agent accepting the fact that I am willing to sacrifice my time for the offer she had made, and would have completely relied on my luck that day and the agent’s ability to find the next best flight for me.
In today’s scenario I would have used my BlackBerry to go to United’s website, check the schedules for flights from Dulles to Denver, their timings, seat availability, and then would have approached her and said that I am willing to accept the offer, if she can put me on one of these flights of my choice. Just imagine the arbitrage I would have had.
In my case the story did not quite end that well. Unfortunately I left my BlackBerry in my car when I was on my way from Denver and in a hurry to catch the flight. Needless to say, I chickened out and did not take the offer from the agent on a later flight. The moment I landed in Denver though, I rushed to my car switched the BlackBerry on, and found my theory was indeed right – as a matter of fact the IAD-DEN flight landed 30 minutes prior to my flight.
The point I want to make in this long story is that we are so reliant on information these days to make our decisions, that without it we are handicapped.
Businesses share the same handicap. There is this constant battle between business and consumers to outsmart each other, of who knows more than whom. Today technology no longer plays the support function for businesses as it did five years ago. Today technology is an integral part of business. It is what makes business happen. We cannot afford to conduct business today in this digital world without information technology.
As Dr. Ambuj Goyal, general manager of IBM Information Management Software aptly puts it “In the past, organizations have focused on automating operations. If you take a look at what customers are trying to do these days, it’s to make information-based decisions and optimize business. This necessitates a shift from managing ‘information at rest,’ where it gets stored, managed and archived, to putting ‘information in motion,’ delivering information where it’s needed, at the time it’s needed, to improve decision-making.”
As the technology industry progressed, so did the industry of business continuity and disaster recovery. We not only came up with strategizing extensive plans to continue our business in a catastrophic event, we began ensuring adequate strategies to protect our data centers that helped us run those IT systems that supported our business. Risk analysis, which in our world we call “business impact analysis” (BIA), was the basic step in that direction. The basic philosophy behind BIA is that every component of the organization is reliant upon the continued functioning of every other component, but that some are more crucial than others and require a greater allocation of funds in the wake of a disaster. For example, a business may be able to continue more or less normally if the cafeteria has to close, but would come to a complete halt if the information systems were inaccessible.
A BIA report quantifies the importance of business components and suggests appropriate fund allocation for measures to protect them. The possibilities of failures are likely to be assessed in terms of their impacts on safety, finances, marketing, legal compliance, and quality assurance. Traditionally this BIA exercise has been done in a survey format, where the business continuity professionals interview the business units directly and gather adequate data for analysis and decision-making. In the past this exercise has been very useful, in prioritizing and focusing on the most important assets of the corporation and to alleviate the pain during business resumption –particularly when IT was just playing the support role as coined by Dr. Goyal in the “information addressed” arena.
However, in a service oriented industry, I think it is time for us to revisit and challenge our conventions of how we have been doing the impact analysis and see how we can take it to the next level. We need to keep up with this changing world where IT is playing the role of “information in motion.” As the influence and use of information technology is progressing, being an enabler of business and not just supporting it, the business continuity plans and the impact analysis need to focus more towards the technology resilience for business resumption. The one common tie between our business functions and IT systems today is the business processes that enable them or make them happen.
Today, more and more firms are becoming technology dependent and have identified those business processes that can be replaced by a technological solution. A few years back, sales organizations would hire equal amount of people in the back end offices as there were sales men out in the field to come up with pricing models and discount charts. The back office analysts would come up with fixed pricing models that in turn were used by sales people out in the fields to negotiate contracts and close the deals. Today, salesmen walk into a customer’s office with their wireless laptops, use the online interactive tools that take real time data and develop flexible pricing models, enabling salesmen to negotiate and lock the best deal for their company.
In one of my recent business continuity planning meeting a sales manager aptly said, “Just make sure my IT systems are running, the rest of it will be easy to figure out.”
To keep up with this changing world, instead of doing BIA top down by each business function or by data center, I propose we do BIA from the bottom up, at the granular level of “business processes/sub processes” and IT systems that enable those business processes/sub processes. Organizations may consider working on identifying all the business processes they currently own to run their operations and start tying them to the IT systems that make them happen. By redirecting the focus on protecting the business processes and their enabling IT systems, the organizations will automatically secure their business functions and be better prepared for handling a disaster.
The purpose of a BIA for a service-oriented company in this new methodology should be to assess the risk by identifying:
- Critical business processes
- The potential damage or loss that may be caused to the organization as a result of a disruption to critical business processes
Specifically, the BIA will identify impacts resulting from an inability to complete the normal business processes. Impacts are measured against particular scenarios. For example, the inability to provide call center services for a period of time. The BIA, when done at this level, enables each business area and IT to understand at what point the unavailability of their business process would become untenable within the organization – immediately – after a day, week, month or so on. This allows the most appropriate continuity mechanisms to be determined to meet these business requirements. The BIA should also consider any implications associated with loss of integrity of information, and for IT systems the impact of the loss of data.
As compared to the traditional BIA as a survey, the new BIA model should be through a more interactive intelligent tool bringing both business and IT together to figure out the impact of each of the business processes they own. The objective of this tool should be to achieve:
- Prioritization/ranking of the business processes and associated IT systems that enable those business processes (tier classification)
- Establish true intrinsic value of the business processes
- Establish the critical chain of IT systems at the business process level and the overall organization’s critical chain
Why a statistical tool? What is wrong with the survey methodology?
As Ian Ayres vividly explains in his book “Super Crunchers,” humans, even the very best subject matter experts in their fields, have a high tendency to err on their judgments, as it’s based on the beliefs/convictions they have experienced. Sometimes emotions play a role in it as well. Not only that, as humans it is hard for us to consistently use the same logic again and again, number of times. For us to prioritize the business processes and rank our IT systems we not only have to have a sound logic, we need to have a consistent methodology being applied each and every time. There are a lot of factors that go in to looking at the impact from a 360-degree perspective, and our ability to include all those factors consistently and in the right way, what statisticians call “to build the confidence intervals/ranges” for each situation gets highly impaired.
On the other hand, by taking that logic, and building statistical hypotheses behind the scenes and introducing it to an automated tool, we can keep applying that methodology consistently and derive sound predictable outcomes without being biased. Ayres also provides an example where an economist and a professor at Princeton, Orley Ashenfelter, developed this statistical tool, which can predict the quality of the Bordeaux wine more consistently and accurately better than the wine tasters who have been doing this as a profession for centuries.
Even better, the model can predict the quality of the wine, as soon as grapes are harvested, even before they are processed.
In essence what I want to propose is that we move more towards “data driven decision making” and not letting emotions rule over logic. It is very important particularly in our business continuity and disaster recovery industry, in the current world we are in.
The tool should have the ability to make the data gathering exercise, a more participative and interactive process for both business and IT. By engaging both IT and business together, we can derive good information to achieve a better impact analysis. The tool should be able to ask a few simple questions, and based on the responses given be able to figure out what questions to ask next or how much to ask next.
Past history is a good indicator of future performance. I am a big proponent of leveraging all the historical data we have collected from previous years to build the intelligence into the tool to ask questions in a focused manner. The tool should also be able to use the previous business impact analysis and tier classification empirical data to build a statistical bell curve (the statistical hypotheses) behind the scenes. Based on the responses from the IT and business owners, the tool should be able to automatically classify the tier for that IT system and corresponding business processes that are enabled by that IT system. On the back end the tool should take all the data dependency/constraints and build the “enterprise critical chain.” One of the lessons we have learned during our previous survey methodology of tier classification was that, many of the IT owners would get emotional and not understand the big picture when you downgrade their IT system based on enterprise standards. In this new process, the IT system owners will automatically be aware of how they fit in the business process tree, what value they are adding and why or why not their system is important, in the grand scheme of things.
The information collected from the tool in turn can help pave the way towards:
- Defining the RTO and RPO for the IT system and the business process
- Restart prioritization for IT systems in data centers.
- IT system dependency mapping
- IT data dependency mapping
- Work around procedures and recovery procedures
- Business continuity planning
- Disaster recovery technology architecture
Information gathered in the tool at an IT system level and a business sub-process level should be aggregated to an enterprise level and that information should be the driving force for the corporation behind the enterprise disaster recovery strategy. The analysis and data by each business process can be put to use in different prospects, helping the organization to make more informed decisions. The corporation can identify and focus on areas that bring more business value and protect them. All the vulnerability and threat management decisions can now be based off of the business process impact analysis. Management can make better DR funding decisions using this data and put more money in those business areas which are more valuable and where the business is growing the most.
As an example, the executive management’s decision on the DR budget can be a factor of revenue growth, operating margin and the corresponding financial impact in a disaster, which traditionally had just been a percentage of IT spending. I propose to the BIA industry and vendors out there to re-engineer and redesign their products and solutions to provide these features / functionalities.
Figure 2: Example of a BIA dashboard for executive management decision
We all know that business impact analysis is not a one-time deal. I can’t agree more. Some people in the Industry believe that doing it once a year is probably a good practice. What I propose is to weave the BIA as a critical step in the project management life cycle of the corporation. Whenever a new project comes on board or an existing project is going to make a major change to the IT architecture or the business process, then the business and IT teams should get together and complete the BIA at the project planning stage. This way the business continuity is built right into the way we do business.
As an ancient Chinese proverb goes, “May you live in interesting times.” We are indeed living in interesting times, a time where information technology is more than a set of machines and procedures and a time where the thirst for information is beyond one’s comprehension. In this world of ever changing technology the one thing that is fairly constant is the business processes the corporations own. In my opinion, a business impact analysis focused on business processes and the IT systems that enable them will help corporations to be successful in a service-oriented industry.
"Appeared in DRJ's Winter 2008 Issue"