Every business is vulnerable to a variety of incidents, events that can happen in any economy, any climate and at any time of day. The initial inclination is to think about natural disasters, those weather-related events that draw the attention of the media. A 2004 study published by the Federal Emergency Management Association (FEMA) indicates that since 1976 the US has averaged roughly 35 of these incidents on an annual basis. These are typically catastrophic incidents for which contingency planning consideration should be given;
however, the likelihood of their occurrence is quite small for most organizations.
There are many other types of everyday risks, though, that businesses should also be prepared for. This extensive list (Equipment & Facilities, Malicious Acts, Personnel, Human Error. Legal, Financial, etc) spans multiple disciplines of the organization, and can be overwhelming.
So contingency planning is a broad arena that addresses the myriad of risks facing the organization. Responsibility for these various programs has broadened as trends hold executive leadership more personally responsible for the wellness of the business that they oversee. While information technology (IT) is a crucial part of any business in today’s environment, contingency planning is a much more comprehensive business initiative. Still, information technology leadership is often asked to lead the charge in disaster recovery (DR) and business continuity (BC) planning programs. The lines are being blurred.
IT leadership’s role is most appropriately focused on planning for those business risks that are directly related to the provision of data center services. This process involves DR strategy development, DR restoration planning, and BC planning for critical business functions that must be maintained during an outage of IT services. In the formulation of DR/BC Strategy, IT leadership is being asked to make tough decisions. And, this places a tremendous responsibility upon these individuals. Put in the position of determining which business
units are most important, what priorities should exist after a disaster, and how to ensure business continuity, IT leaders can be overwhelmed. Business unit managers and executives must take part. Not only in providing assistance in the development of the appropriate DR/BC strategy, but also in planning for their own survival during an outage of data center services. This is why IT-Centric Business Continuity Planning (IT-BCP) is an appropriate parameter of accountability for IT leadership in today’s contingency planning environment.
IT-Centric Business Continuity Planning Overall DR/BC strategy relies on a few main factors including budget, operational priorities, the breadth of risks to be evaluated, the
timeframe in which recovery is expected, and what a recovered environment includes. Let’s begin with two key principles that have a significant impact in assisting the IT organization in defining the objectives of its DR/BC strategy:
Recovery Time Objective (RTO) and Recovery Point Objective (RPO). The RTO is defined as the period of time within which pre-defined business processes must be restored (e.g. “our business unit/process can operate without access to the data center for 2 hours before there is a critical impact”). In some cases, the RTO is nearly instantaneous. Consider financial trading environments, where even a momentary loss of communications or computing systems would have a dramatic customer service and financial impact. Other processes at the trading company may, however, allow for some degree of outage period, such as the generation of daily reports, the creation of invoices, or the issuance of checks for payments. While
inconvenient, these later types of incidents rarely have immediate impact, and the recovery time can be extended over the course of minutes to days, depending on the nature of the system and business. The RPO refers to the maximum acceptable level of data loss following an incident (e.g. “our business unit can accept the prospect of having to recreate up to 4 hours of work.”) Like the RTO, the RPO can differ depending on the nature of the business and type of system/process involved.
If the IT department is asked to establish the overall DR/BC Strategy without business unit participation, what RTO/RPO is appropriate, an industry benchmark that may not be
appropriate to the specific organization? While zero downtime (immediate RTO with no data loss) may sound ideal for a business, the cost to achieve this may be prohibitive, and entirely unnecessary. This thinking is analogous to using overnight freight for a shipment that will not be used until a week from now. These decisions cannot be made in a vacuum. With the help of the various business departments, a realistic recovery time can be set – one that fits the budget and minimizes business
risk. Here is how it can be done, step-by-step:
The IT-BCP Process:
Step 1 (Business Objectives) – includes the capture of business goals and objectives from organizational management.
Step 2 (Inventories and Process Mapping) – includes the review of core departmental processes and their reliance upon IT services.
Step 3 (Business Risk and Impact Analysis) – includes departmental reviews of incident scenarios, the preparedness of the business units for various types of IT-related risks,
and the potential impact of data center loss should there be an interruption
Step 4 (Strategy Development) – includes the establishment of RTO, RPO and prioritizations with organizational management
Step 5 (Continuity/Recovery Planning) – includes the development of detailed IT contingency plans, effectively the operating manual for the company in a disaster scenario.
However, this also encompasses stopgap operational procedures for functional business areas as they await the restoration of
data center services.
Step 6 (Testing, Audit and Maintenance) – includes the development and implementation of testing procedures, the training of personnel, the audit of test results,
and the maintenance of the plan as the business changes.
Planning for disasters has become much more complex in today’s environment. Businesses navigate through legislative compliance requirements, risk management programs, disaster recovery planning and business continuity planning initiatives, to name a few. While business continuity exercises can be IT-led, they require the combined
expertise of planners, facilitators, business minds and technologists in order to develop the optimal contingency plans – effectively preserving the continuity of the business, and serving the continued interests of all of its stakeholders.
The IT-BCP process is cross-functional in its approach. It draws upon business expertise in mapping business process and evaluating business risk throughout the organization. And, it clearly requires technology expertise as the end result of any effective exercise is the reestablishment of data center services within the RTO and RPO objectives of the organization.
Furthermore, IT management may be better situated to develop a full DR/BC plan with outside experts that can speak both the language of IT as well as business. These outside resources bring an independent view that aids the business in prioritization; they are trained in the development of contingency plans, fully understanding the process and bringing the experience of other organizations to bear.
== Cheers ==