When the unexpected happens, business functionality may cease and all parties involved will feel the pain, but most especially customers. Regardless of the type or size of business, what would happen “if” systems, applications, databases, records, staff, facilities, and products are not available? Has this been thought about in advance? What are the most critical (vital) business functions, transactions or customers who need protection from harm, damage, or loss?
It is important to recognize that every business should have a business continuity plan covering the whole organization, which then cascades across all areas that fuel and feed the business capabilities, including IT (Information Technology) service dependencies.
Protecting your business from every possible risk can be very costly. The key is to narrow the scope of protection and preparedness to the highest-priority needs and scale the plan and budget from there. Hence, the starting point is a Business Impact Analysis (BIA).
A business impact analysis (BIA) is the process of determining the criticality of business activities and associated resource requirements to ensure operational resilience and continuity of operations during and after a business disruption (Gartner IT Dictionary).
1 – Identify vital business functions.
With the appropriate business stakeholders (those who thoroughly understand daily business operations), identify the most vital business functions. Vital business functions are those core capabilities that must be present for the business to continue to provision its products and services to customers. Examples: 1) On an e-commerce website, the cart check-out steps and credit card processing may be more vital to completing a transaction than the “what’s on back order”, “shipping confirmation” or “people who bought this also bought this” features. These features are still important but less vital to the completion of the transaction. 2) At an ATM, “receipt cannot be printed” or a “balance inquiry” feature that is not working may be less vital than the customer’s ability to withdraw cash or deposit funds.
2 – Identify dependencies with IT services, systems, and components.
Match the IT dependencies that enable the provision of the identified vital business functions. By understanding what is vital, IT can then assess the dependent digital capabilities that support those business efforts.
Leverage existing tools and documentation to determine the relationships of IT services, systems, components, processes, suppliers, information, and any other capabilities to vital business functions. Well-run IT service providers utilize service catalogs, configuration databases and infrastructure management tools to assist. However, humans are always needed to properly determine and validate exactly what is currently essential for the vital business functions to operate.
3 – Risk and impact assessment.
Working directly with its business stakeholders once again, IT can discuss “what if” scenarios in which a vital business function becomes unavailable. Examples of disaster scenarios: cyber-attacks, power outages, supplier failures, fires, floods, key staff unavailability, data center failures, and natural disasters.
The current COVID-19 pandemic is an example of a natural disaster. Those businesses that already had WFH (work from home) capabilities as part of their continuity plan fared much better than others. K-12 schools, for example, never imagined a long-term facility lock-out or how to prepare for remote delivery of education. Higher education, by contrast, usually has online learning capabilities, so the pivot was much easier for its students, but perhaps not for the other staff who had to WFH.
Other disaster scenarios may be shorter in length but still just as impactful. What will it really mean to a business if credit card transactions cannot be processed for minutes, hours, days or more? What if data cannot be accessed, kept compliant, or what if the website were down for “x” length of time?
Loss of revenue, damage to reputation, loss of customers, inability to retain or attract talented workers, non-compliance, loss of competitive advantage and even legal actions against the business may be some of the possible impacts. Many of these can be quantified and translated into monetary loss. This of course is serious, as a business can go bankrupt very quickly or be closed if it cannot honor its commitment to customers, owners, or shareholders. Only through these deep dive conversations can we effectively understand the harm, damage, or loss to the business. This information will then justify the essential investments for the desired protections.
4 – Recommend solutions.
IT is now armed with the right information to identify specific service continuity solutions that meet the needs of the business it serves. Since IT understands the current design and resilience levels of services, any gaps for improvement and re-alignment will be factored in. Solutions will vary based on the discovery above. Examples: backup and recovery, high availability design, contingency data centers, internet failover, cloud options. Comprehensive solutions must be considered, covering process, roles and responsibilities, communication, information, safety of people, transportation, and invocation steps in addition to technologies.
Recovery time objective (RTO) represents the maximum agreed time within which a product or an activity must be resumed, or resources must be recovered. Recovery point objective (RPO) is the point to which the information for a particular purpose must be restored to enable an activity to operate effectively upon resumption. Understanding these allows alignment of solutions that fit the business needs. Agreed targets set expectations in advance. Investment decisions are then appropriately aligned.
5 – Create plans and establish preparedness.
Based on the minimum target service levels agreed with business stakeholders, plans will be documented on how to recover from a disaster and return the various IT services involved to pre-disaster condition. These plans are comprehensive in nature, as the solutions may rely on people, processes, suppliers, and technologies.
Should a disaster plan ever need to be invoked, it should execute in a seamless, effectively orchestrated manner. Steps to return to normal operation after the disaster are also within scope. Establishing the capabilities and staging them “to the ready” in advance, periodically testing the recovery capabilities, and reviewing and updating plans on an ongoing basis will keep your business prepared and vigilant.
The overall approach is to take various perspectives to improve resilience, recovery, and contingency to protect the business. The business case to justify investments for the solutions comes from the BIA. IT providers and professionals must be well versed in industry best practices, which include service continuity management (ISO 22301:2012, ITIL 4). Be vigilant, follow a business / service continuity process, plan, and invest accordingly. Seamless recovery and business protection from unforeseen disaster is the goal.
AKAVEIL Technologies has business management experience, process knowledge, and vast technical expertise. Our consulting services staff work directly with your business as a trusted advisor. Our customer success model is Assessment + Strategic Planning + Alignment + Execution = Return on Investment (ROI). Remain competitive and grow your business with AKAVEIL.