How organizations should conceptualize, assess, architect, and validate a plan for true enterprise resilience.
Today’s business environment is characterized by rapid, unpredictable changes – some of which present opportunities, others that introduce challenges and sometimes even threats. Irrespective of circumstance, it’s imperative that businesses be responsive and resilient – seamlessly taking advantage of opportunities while mitigating risks.
As such, an IT infrastructure must be designed to help ensure the continuity of business operations in the event of an unexpected disruption and to secure data integrity. Additionally, it must bolster government and regulatory compliance efforts and integrate risk strategies to reduce costs. And the infrastructure must rapidly and automatically scale to address marketplace changes.
In order to help organizations understand and manage the process of becoming resilient, an object-oriented framework and transformation lifecycle can be used as a guide. Leveraging the concept of an object-oriented database, a business resilience framework can assist in identifying the object layers that make up an organization – ranging from the strategic overlay, all the way down to the nuts-and-bolts technologies and facilities.
Within each layer, objects are assigned specific attributes that help manage the risks associated with each object. Once the attributes of, and the relationships among, objects have been defined, areas for improvement can be identified.
Implementing the first steps of the business resilience transformation lifecycle will help:
- Determine which risks may affect an organization
- Calculate the potential impact that these risks could have on an organization
- Plan for how the objects in the current infrastructure could respond to these risks
- Design or update the infrastructure to mitigate these risks and to leverage any opportunities that might arise from marketplace changes
- Execute a strategy for improving business resilience
- Implement the changes to each object layer
Coping with continuous change
Fluctuating business conditions are a double-edged sword. Almost any risk – whether it comes in the form of an opportunity or a threat – requires a business response. Reacting inappropriately or too slowly could cause organizations to lose competitive ground.
And while success may not sound like a threat, it can become one if businesses are not prepared to handle a surge in customer demand. For example, when Victoria’s Secret televised a fashion show during the 1999 Super Bowl, the company was unable to scale to meet the ensuing demand for access to its Web site, resulting in significant performance degradation and customer dissatisfaction.
Moreover, disruptions in business operations and services can seriously impact revenue streams and even inflict long-term damage to a corporate brand. Natural forces and terrorism, malicious hackers, system failures, and human error – even coffee pots – can present serious risks to businesses.
The best response to the threat of disaster is to combine several disparate risk management strategies into a single, integrated resilience strategy that will allow an organization to adapt and respond rapidly to opportunities, regulations, and risks – in order to maintain security-rich business operations, be a more trusted partner and enable growth.
As this approach addresses both the positive and negative ramifications of risk, the term “business resilience” is used to distinguish between this comprehensive strategy and narrower approaches, such as disaster recovery, high availability, security, and business continuity.
What business resilience means – some basic requirements
CEOs typically share a common list of concerns that a business resilience framework should address:
- Continuity of business operations – become more anticipatory, adaptive, and robust, from IT through all business processes
- Regulatory compliance – comply with new and changing government rules and regulations more quickly and cost effectively
- Integrated risk management to reduce costs – stay competitive by managing risk more efficiently and cost effectively
- Security, privacy, and data protection – protect against internal and external threats and help develop a critical information management policy
- Access to expertise and skills (via outsourcing or training) – develop the infrastructure to support the easy acquisition and management of expert assistance in maintaining continuous business operations
- Marketplace readiness – anticipate and respond to changing marketplace conditions and accelerate research and development as necessary to get the right products to the right buyers at the right time
Historically, businesses have addressed these concerns separately. However, many companies now recognize that it’s more cost effective to combine them into a single, integrated strategy. A holistic approach can help minimize risks, maximize opportunities, and address compliance needs – all at the same time.
But how do IT professionals perform a holistic risk assessment of the entire enterprise without missing any critical elements? An object-oriented framework can help model the total business infrastructure and identify issues that must be addressed to make the business more resilient.
The business resilience framework — an object-oriented approach
As mentioned, to ensure business resilience, a collection of components called “objects” can be used to model an entire business infrastructure. Inspired by the concept of database objects, these components have attributes that help define them in terms of their ability to address the six basic requirements of business resilience.
Objects can share similar attributes. These shared attributes, in turn, help define the relationships among objects. Objects with shared attributes can be grouped into object classes and companies can then use these classes to understand common issues and speed the deployment of improvements and upgrades designed to promote resilience.
The same type of analysis may also be applied throughout the organization, so businesses can assess whether they have undue risk associated with any individual, technology, or process. Once these single points of failure are identified, failover techniques and redundancies for certain types of object attributes can be developed.
At the same time, some objects have attributes that can be consolidated for more efficient risk management. For example, under change management, owner and control attributes may have multiple values. While this may be sound from a redundancy standpoint, it can introduce unnecessary confusion into a resilience program. Instead, it may be more efficient to assign primary and secondary owner attributes, so it’s clear who will take over if the primary owner is unavailable. In any case, an object-oriented framework for business resilience is a useful tool for understanding the strengths and vulnerabilities of an existing infrastructure.
Clearly, an organization will identify many objects in the process of creating a comprehensive model of its business resilience capacities. To simplify what would otherwise be an unwieldy list of objects, a super-set of object classes has been created, which for this purpose can be referred to as layers within the business resilience framework. Not surprisingly, they echo the layers of most business organizations.
These layers are:
- Strategy – objects related to the strategies used by the business to complete day-to-day activities while enabling continuous operations. Examples include financial, manufacturing, and disaster recovery strategies.
- Organization – objects related to the structure, skills, communications, and responsibilities of employees. Examples include human resources, training, and internal and external communications.
- Applications and data – objects related to the software necessary to enable business operations, as well as the method used to develop that software. Examples include customer relationship management (CRM) applications, enterprise resource planning (ERP) applications, databases, and transaction processors.
- Processes – objects related to the critical business processes necessary to run the business, as well as the IT processes used to ensure smooth operations. Examples include accounts receivable, accounts payable, change management, and problem management.
- Technology – objects related to the systems, network, and industry-specific technology necessary to enable applications and data. Examples include host systems, workstations, and Internet Protocol (IP) networks.
- Facilities – objects related to the buildings, factories, and offices necessary to house the organization and production or service technologies. Examples include data centers, office buildings, and physical security operations.
While these object layers can help IT professionals conceptualize and identify the components of their organization’s business resilience, it’s possible to obtain a view that’s even more granular. Attributes, too, can be classed according to common traits that may enable an object to respond to risks and opportunities.
There are five major attribute classes associated with improved business resilience:
- Control and comply – the attributes necessary to anticipate, evaluate, and control risks associated with complying with industry and government regulations, as well as those risks associated with environmental, social, technical, and economic factors
- Detect and report – the attributes necessary to detect, estimate, measure, and report events to maintain security, privacy, and protection of critical data, enabling the business to better respond to any threats that may jeopardize business operations
- Deflect and solidify – the attributes necessary to create a solid physical and logical topology to deflect problems and ensure continuity of operations through reliability, redundancy, and failover
- Adapt and optimize – the attributes necessary to enable adaptable, efficient, and flexible integrated risk mitigation strategies, technologies, and processes
- Protect and preserve – the attributes necessary to help keep the business preserved and protected against accidental and intentional damage, alteration, or misuse
Using these attribute classes as points of reference can help ensure that each object can address the basic requirements of business resilience. The six object layers expand into more than 140 objects, which can be examined through the lens of the five attribute classes. This offers a complete analysis of an organization’s resilience capabilities, and helps IT gain an understanding of where they are today and where they need to go as a first step in becoming a resilient business.
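The analysis described above (objects grouped into layers, attributes assessed under the five attribute classes, single points of failure flagged, and multi-valued owner attributes consolidated into a primary owner) can be captured in a small inventory model. The following is an added example written for this article, not IBM's framework tooling or code from the original; the object names, attribute names such as `owner`, `primary_owner`, `backup_site` and `change_control`, and the inventory values are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# The six object layers and five attribute classes named in the article.
LAYERS = ("Strategy", "Organization", "Applications and data",
          "Processes", "Technology", "Facilities")
ATTRIBUTE_CLASSES = ("Control and comply", "Detect and report",
                     "Deflect and solidify", "Adapt and optimize",
                     "Protect and preserve")


@dataclass
class ResilienceObject:
    """One object in the framework: its layer plus its attributes.

    `attributes` maps an attribute name to its list of values (an attribute
    with several values is how redundancy is expressed); `attribute_class`
    maps an attribute name to the attribute class it is assessed under.
    """
    name: str
    layer: str
    attributes: Dict[str, List[str]] = field(default_factory=dict)
    attribute_class: Dict[str, str] = field(default_factory=dict)

    def __post_init__(self):
        if self.layer not in LAYERS:
            raise ValueError(f"unknown layer: {self.layer}")
        for attr, cls in self.attribute_class.items():
            if cls not in ATTRIBUTE_CLASSES:
                raise ValueError(f"unknown attribute class for {attr}: {cls}")


def single_points_of_failure(objects, attr):
    """Objects whose `attr` has fewer than two values, i.e. no failover for it."""
    return sorted(o.name for o in objects if len(o.attributes.get(attr, [])) < 2)


def ambiguous_ownership(objects):
    """Objects with several owners but no designated primary owner."""
    return sorted(o.name for o in objects
                  if len(o.attributes.get("owner", [])) > 1
                  and not o.attributes.get("primary_owner"))


def uncovered_attribute_classes(obj):
    """Attribute classes under which this object has no attribute at all."""
    covered = set(obj.attribute_class.values())
    return [c for c in ATTRIBUTE_CLASSES if c not in covered]


def object_classes(objects):
    """Group objects that share the same set of attribute names."""
    groups = {}
    for o in objects:
        groups.setdefault(frozenset(o.attributes), []).append(o.name)
    return {tuple(sorted(k)): sorted(v) for k, v in groups.items()}


# Constructed sample inventory (hypothetical names and values, not from the article).
INVENTORY = [
    ResilienceObject("Payroll ERP", "Applications and data",
        attributes={"owner": ["finance-apps"], "backup_site": ["dc-east", "dc-west"],
                    "change_control": ["CAB-weekly"]},
        attribute_class={"owner": "Control and comply",
                         "backup_site": "Deflect and solidify",
                         "change_control": "Control and comply"}),
    ResilienceObject("Customer CRM", "Applications and data",
        attributes={"owner": ["crm-team"], "backup_site": ["dc-east", "dc-west"],
                    "change_control": ["CAB-weekly"]},
        attribute_class={"owner": "Control and comply",
                         "backup_site": "Deflect and solidify",
                         "change_control": "Control and comply"}),
    ResilienceObject("Core IP network", "Technology",
        attributes={"owner": ["netops", "netops-contractor"],
                    "backup_site": ["dc-east", "dc-west"],
                    "change_control": ["CAB-weekly"], "monitoring": ["noc-alerts"]},
        attribute_class={"owner": "Control and comply",
                         "backup_site": "Deflect and solidify",
                         "change_control": "Control and comply",
                         "monitoring": "Detect and report"}),
    ResilienceObject("East data center", "Facilities",
        attributes={"owner": ["facilities", "site-lead"], "primary_owner": ["facilities"],
                    "backup_site": ["dc-west"], "change_control": ["CAB-weekly"]},
        attribute_class={"owner": "Control and comply",
                         "primary_owner": "Control and comply",
                         "backup_site": "Deflect and solidify",
                         "change_control": "Control and comply"}),
]


def assess(objects=INVENTORY):
    """Run the article's checks over an inventory and return the findings."""
    return {
        "single_owner": single_points_of_failure(objects, "owner"),
        "single_backup_site": single_points_of_failure(objects, "backup_site"),
        "ambiguous_ownership": ambiguous_ownership(objects),
        "uncovered": {o.name: uncovered_attribute_classes(o) for o in objects},
        "object_classes": object_classes(objects),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(assess())
```

Running `assess()` on the constructed inventory flags the two applications with a single owner and the data center with a single backup site as single points of failure, flags the network object whose two owners have no designated primary, lists the attribute classes each object has not been assessed under, and groups the two applications into one object class because they carry the same attribute set; a real inventory would hold the 140-plus objects the article mentions and their actual attributes.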
Richard Cocchiara is an IBM distinguished engineer and the chief technology officer for Business Continuity and Resiliency Services in IBM Global Services, specializing in helping customers drive higher business resiliency in order to realize increased business availability.
Appeared in DRJ's Winter 2009 Issue