E-CONTINUITY:
The New Planning Paradigm

By Cheryl Bieson, CBCP


Where Are We Today?

During the past decade, as organizations migrated their business applications from a mainframe legacy environment to a distributed environment (LAN, WAN, Internet), a higher level of operational risk was introduced.  Some of the factors that contribute to this include:

• Business applications have been widely distributed, either on the Internet or across wide area networks.
• Databases required by the business applications are now stored in separate physical locations.
• Legacy data, applications, and hardware have been leveraged across the organization and in some cases made available to customers, partners and suppliers.
• Applications may now be accessible by thousands of users, many of whom are potentially unknown to the company’s IT organization.

Unfortunately, in many organizations, enhanced management controls have not accompanied this migration, and organizations have been left vulnerable to a much higher level of risk. In a recent issue of the magazine ‘Smart Business’, research indicated that U.S. companies with revenue greater than $100 Million are spending only $213.00 of every $1 Million on security; this represents only two-hundredths of one percent. In a recent issue of Contingency Planning & Management magazine, the 2000 CPM/KPMG Benchmark Survey indicated that almost 75% of the respondents had allowable downtime of less than 24 hours; however, 72% still had budgets under $500,000. Based on these numbers and trends, we can conclude that the business continuity requirements of the next decade will be far more focused on mitigating operational risk. The threat of a major disaster, while still a key element, will become less of the planning focal point.

What About the Future?

The Internet has become the single most important business tool in the 21st century.  We have seen the growth in the Internet from electronic mail to electronic publishing to electronic commerce and electronic business. The risks inherent in this environment are driving the trend towards continuity planning as opposed to recovery planning. Professionals in the industry are no longer planning exclusively for catastrophic problems or major events such as earthquakes and tornadoes. There is a growing need to deal with risks that are more fundamental to the operation and management of the business.

The ‘line in the sand’ between planning for major catastrophic events and managing operational problems is being erased. We are in a new paradigm where significant financial loss will be realized within hours of a service interruption. There is diminishing tolerance for service outages and a drastically diminished recovery time objective. This is driving us towards high availability solutions and E-Continuity planning.

Traditional approaches for developing Business Continuity Plans include Risk Assessment and Business Impact Analysis as a planning foundation. Both of these initiatives will continue to provide a foundation for E-Continuity planning efforts in the future. Some of the specific findings from Risk Assessment and Business Impact Analysis that are invaluable to the planning process include:

• Identifying vulnerabilities and exposures;
• Determining critical business functions;
• Quantifying financial impacts of an outage; and
• Establishing recovery time objectives.

Identifying vulnerabilities and exposures as well as determining critical business functions is essential to establishing E-Continuity program priorities. Understanding the recovery time objective is paramount to generating the appropriate solution strategies. Quantifying financial impact is essential for completing a cost/benefit analysis to support the most appropriate solution strategies.  

For example, a traditional business environment may still rely on a central Data Center with recovery time objectives (RTOs) falling between 48 and 72 hours for its critical business applications. In this case a Data Center Hotsite strategy with a traditional tape backup/restore process may be an acceptable continuity strategy. In an e-business environment where the RTO is less than a few hours, a Data Center Hotsite strategy with a traditional tape backup/restore process will not meet the E-Continuity requirements.

The reduced RTO of the e-business environment demands ‘high availability’ solutions such as mirrored IT environments and online data backup and storage. These ‘high availability’ solutions place a lot more emphasis on mitigating potential outages. This increases the need for integration of Business Continuity Planning with the everyday management of the IT environment.

Where Should We Start?

There are management disciplines within the Information Technology (IT) environment that need to be considered during E-Continuity planning. A partial list includes:

• Help Desk Management;
• Problem/Change Management;
• Data Storage Management;
• Project Management; and
• Service Level Management.

In the case of Help Desk Management, it is essential to identify the trigger points that will signal the transition from standard operating procedures to the activation of an appropriate Business Continuity Plan (BCP). The information gathered as part of the BIA process is a fundamental element in identifying the trigger points for BCP activation. Once the trigger points are clearly understood and identified, it will be necessary to monitor and track problem resolution so that when a trigger condition is recognized, the appropriate BCP is invoked.

Existing Problem/Change Management processes need to consider Business Continuity Planning from a couple of perspectives. The first will occur dynamically when an operational problem escalates into a major outage or loss of service. In this circumstance the ability to tap into existing continuity solutions in a timely manner will enable an organization to minimize the potential loss scenario, for example by activating a server replacement quick ship agreement. The second is when a planned ‘change’ impacts an established continuity solution, for example a functional reorganization that impacts roles and responsibilities, or an upgrade in technology (hardware or software) that has not been considered in an existing vendor agreement. In these cases it is not only necessary to adequately plan for the operational change; it is also necessary to plan for the corresponding change to the BCP.

Data backup and restore processes are typically designed as part of an overall storage management strategy and are key components in effective E-Continuity planning. Information gathered as part of the BIA process is fundamental to understanding the data backup and storage requirements for the critical business functions. At a minimum, business functions will have two primary requirements for their backup process: the first is to safeguard data in the event of daily operational problems; the second is to safeguard data in the event of a major incident or problem. In both situations an understanding of the RTO and the potential financial impact of not meeting the RTO should be considered when selecting the appropriate strategy.

Another area for consideration is Project Management. A majority of large-scale change is introduced as part of a major project initiative. For example, in-house development of new business applications and/or the implementation of 3rd party business applications may be delivered utilizing a standard Project Management process and lifecycle methodology. At an early stage within this lifecycle it is necessary to consider the business continuity requirements. It is important that the new project does not jeopardize the ability to recover existing systems and functions. For instance, if the new project introduces a ‘single point of failure’ or strains the organization’s current recovery capabilities, then remedies for these issues should be investigated before proceeding with the project. To this end, each new project should pass a cross-functional review. This review needs to include both critical business units and the IT management entities that may be affected.

Outsourcing agreements based on pre-established service levels are common within today's business and IT environments. It is not unusual for businesses to rely upon a 3rd party to manage aspects of their Information Technology environments. This can range from an arrangement as broad as a Data Center outsourcing agreement, or an agreement that encompasses an entire Data/Voice Network, to an Application Service Provider hosting a single mission critical business application. In all cases, consideration for a service level agreement that reflects an ability to meet established RTOs is essential. The monitoring of these service levels and the 3rd party’s ability to meet them, as well as the ongoing management of the contracts themselves, is crucial to establishing and maintaining an appropriate E-Continuity capability.

How Will We Measure Success?

We measure our success at Business Continuity Planning through our ability to meet recovery time objectives. Ideally, the measurement is taken as part of an ongoing test program. In the e-business environment we will measure our success at BCP through our ability to maintain continuous operation of our critical Internet-based applications and services. A primary success factor for achieving this result will be our ability to facilitate a closer alignment of IT Management, Business Management, and Risk Management functions. The traditional Business Continuity Planning approaches, recovery strategies and solutions of the past will need to evolve. New processes and systems that better support real time management will be required to meet the E-Continuity challenges of the future.


About the Author
Ms. Bieson, President, Deucalion Inc., has over 18 years of Information Technology experience with a 10-year specialization in Business Continuity Planning. She currently holds the positions of President DRIE West, Vice Chair DRI Canada Certification Committee, and is a DRI International Instructor. For more information, contact the author at cbieson@deucalion.net or visit www.deucalion.net.