Today, businesses have to balance those inputs with fiduciary considerations, such as the impact of governance and regulatory issues, not to mention service level agreements and quality of service within business organizations.
To determine fiduciary accountability, one must consider specific vulnerability zones that may have an impact on the fiscal side of the business. Vulnerability zones could certainly include the brick and mortar (facilities, manufacturing, transportation), as well as the softer side of the business, such as systems and personnel.
Documented vulnerabilities and risks drive fiduciary action, as each requires a business decision to accept, assign or mitigate risk – and in turn impacts the fiscal side of the business.
Understanding the Business Continuity Gap
To truly understand vulnerabilities and risks, companies must honestly face the business continuity gap before it’s too late. In other words, they need to be able to answer this question: how far are senior management’s expectations from the reality of IT availability?
In the case of a disruption or disaster, how much longer will the actual recovery of information take than the business units expect or require? The gap will be larger when continuous availability is needed, as would be the case for financial services companies, for example. If only best efforts are required, as might be the case for some manufacturing companies, the gap may be smallest. Optimum points of availability could be one of the following:
- Best efforts (could take days or longer)
- Traditional recovery (hours to days)
- Transaction protection (minutes to hours)
- High availability (minutes)
- Continuous availability (always up and running with minimal information loss)
Dealing with the business continuity gap requires both IT investment to improve availability, and business unit planning to drive appropriate business unit response. To close the gap, the business needs to develop a “contingency service level agreement” between IT availability needs and business unit responsibility. Determining and approving that agreement helps the business decision makers understand that fiscal responsibility matches up with fiduciary input.
Understanding the qualitative and quantitative business impacts of the business continuity gap necessarily drives fiduciary action, which in turn impacts the fiscal side of the equation.
One way to understand the business impact of the business continuity gap is to develop an IT recovery scorecard for your business. That means identifying several aspects:
- IT recovery configuration level
  • at risk
  • minimum acceptable
  • highly available
- Probability of meeting objectives
  • effort required at time of disaster
- Cost to implement and manage
- Percent of equipment and resources to meet each recovery configuration level
Breaking down the impact in these ways can help one determine the appropriate amount to spend on closing the gap to an acceptable level. Of course, this can vary within a business by area, function and business unit.
We also need to determine the business’s current capability in terms of compute utility restoration and lost data, in comparison to the business’s perceived or desired baseline, and the operational, logistical, and financial impact of the business’s current availability versus its desired availability.
Knowing all of the above information helps us place a business in Gartner’s IT Management Model according to its five levels, which are as follows:
1. Chaotic – companies with minimal IT operations process and reactive notification
2. Reactive – companies with event up/down, console, trouble ticket, backup, topology, and inventory
3. Proactive – companies with perform, change, problem, configuration, availability management and automation
4. Service – companies with portal, capacity planning, service-level management
5. Value – companies with IT/business metric linkage
Service level objectives must be totally aligned to balance fiscal and fiduciary concerns, closing the gap. Of course, the cost of closing the gap increases as the need for availability increases. Therefore, one should be aware that:
- The amount a company is willing to spend to reduce risk may be directly related to the financial performance of the business
- Sequence matters; know how much a company is spending and why
- Priority matters, too; identify a priority level on processes or applications.
Closing the Business Continuity Gap
As decisions are made to close the business continuity gap, remember that the decision-making process should always be based on the business context of the organization, or what is good for the company, with IT working as a tool.
Here is a high-level strategy for closing the business continuity gap:
1. Prioritize applications to optimize the recovery process, taking into account resources required, cash flow, and timeframes.
2. Address physical and logical vulnerabilities to reduce the probability of disaster and assure information integrity, including building access, physical security, and firewalls.
3. Implement a more effective management process to support the business continuity program, paying special attention to training and staff rotation, currency and accuracy, and distribution and access.
4. Establish and validate IT availability service levels, including recovery time objective, recovery point objective, system performance, information access and delivery, network performance and monitoring, and security – to enable business unit continuity planning.
5. Coordinate, plan, document, and practice within the business units the synchronization and reproduction of lost data/transactions and manual re-entry of data.
6. Validate information access to and between all business units, including at alternate facilities and return to home, the WAN/LAN network, information exchange via e-mail and the Web site.
As one goes through this process of closing the business continuity gap, remember that decisions should be fiscally responsible and meet the organization’s fiduciary challenges – and that the ultimate responsibility for business continuity lies within corporate management, supported by IT.
Michael Croy is business continuity practice manager for Forsythe Solutions Group. Croy is responsible for risk analysis, best practice models for continuity of IT infrastructure and disaster recovery planning, strategy, and management.