Vendor Accent
Maintaining business-as-usual in an uncertain world
The business resilience framework evaluates each component of your business for its resiliency
By Pronish Jain
In today's information-centric business environment, business continuity
is not just about reacting to every disruptive event. You need an integrated
strategy that anticipates and adapts to opportunities, regulations and risks
that could potentially have an impact on your business, so that you can maintain
your business operations and reputation.
As a result, it's no longer sufficient to manage risk through any single
approach that addresses specific issues such as disaster recovery, high availability
or network security. The term business resilience (BR) has been coined
to describe a holistic, comprehensive strategy that incorporates all of the
key risk areas to be mitigated, as opposed to narrower approaches. Business
resilience integrates both risk management and information security needs to
include IT recovery, availability and business continuity programs, regulatory
compliance, and security and privacy initiatives in order to rapidly adapt to
risks and opportunities, thereby ensuring resilient business operations.
Components of a business resilience framework
The unfortunate reality is that while the majority of organisations
agree on the importance of business continuity, only a few plan it. Business
continuity related items (covering disaster recovery, corporate governance and
security) remain among the top IT concerns for businesses worldwide, but a recent
BusinessWeek report reveals that only 22 percent of companies are prepared for
disruptions to business operations. This lack of readiness has been attributed
to the inability to plan and put in place an adequate resilience framework that
deals effectively with risk.
In a worldwide study conducted by The Fact Point Group, CEOs identified six key
areas that a BR framework should address:
- Maintain the continuity of vital
business operations: As a root requirement of any business
continuity plan, employees, partners and customers should continue
to have access to key applications and data in the event of a
disruption. To do so, businesses need to protect critical assets
and align recovery costs based on business risk and information
value, from IT through business processes.
- Stay compliant with regulations:
While complying with new and changing government rules and regulations
is a necessary cost of doing business, organisations need to find
ways to do so quickly and cost-effectively, especially in the
area of maintaining integrity and availability of information.
- Ensure security, privacy and data
protection: Businesses need to guard against internal and
external threats, and ensure the security and privacy of data,
information, systems and people with the right policies, methods,
tools and overall governance.
- Retain access to expertise and skills:
A workable BR framework requires easy access to and support from
experts and human resources, in the right place, at the right
time. Organisations need to upgrade and train their staff, or
consider the option of outsourcing these requirements if they
prefer to focus upon their core business.
- Respond rapidly to market changes:
Building a resilient business means not only anticipating disasters;
enterprises must also respond effectively to changing market
conditions so that products can be delivered to customers when
required. As such, resilience strategies must give a business
the ability to sense and respond to shifting customer demands
and new market opportunities.
- Integrate risk management to reduce costs:
To ensure that all components of the resilience framework work
together seamlessly and cost-effectively, businesses need to put
an integrated risk management approach into place. This approach
should help identify risks to business operations, and utilise
technology to understand, respond to, and manage those risks.
Step 1: Determine your risk exposure
The transformation lifecycle starts with identifying risks that
are unique to your organisation, covering both potential disruptions
(e.g. natural disasters, technical failures, new regulations)
as well as potential opportunities (e.g. sudden spikes in
transaction volumes, new acquisitions or mergers, highly effective
marketing campaigns). This stage calls for a ranking of threats
based upon past occurrences, the amount of potential revenue
impact, the possible damage to your brand, compliance risks
and single points of failure.
Step 2: Rank processes according to their importance to your business
To make resilience efforts more effective, you need to understand
the most vital functions of your business and to determine
the requirements necessary to keep these functions running.
Identify and rank critical business functions, link business
processes to the applications and data that support them,
and establish the critical physical recovery resources and
vital records, as well as the timeframe needed for recovery efforts.
Step 3: Evaluate your resilience capabilities
Once you have created a risk profile for your critical business
functions, you need to perform a gap analysis of your needs
and capabilities. This analysis should provide you with an
in-depth view of your company's ability to meet the basic
requirements of resilience for each of the processes identified
earlier, and to identify its potential for improvement.
Step 4: Design a resilience strategy
At this stage, you are ready to incorporate your view of the
maturity of your existing capabilities into a resilient architecture
that can mitigate the risks identified for both business and
IT processes. To prevent over-engineering (which raises
costs unnecessarily) or under-engineering (which exposes you
to preventable risk), the baseline architecture must align
both business and IT objectives by incorporating inputs from
the relevant departments.
Step 5: Deploy the plan and validate it
As a final sanity check, the implementation plan should provide
clear guidance on the following areas: workload division;
hardware alignment and provisioning; storage and replication
procedures; recovery and availability procedures; network
availability and capacity measures; system management mechanisms;
and command and control mechanisms. It is important to validate
the strategy by testing all aspects of your business resilience
architecture to ensure that it is working as per the plan.
Step 6: Manage the plan and adjust it as and when needed
Business resilience is not a final destination, but an ongoing
process. Continual monitoring, testing and improvement are
needed so that evolving business needs and emerging threats
can be addressed.
Putting a BR strategy in place
Given that the resilience requirements are not the same across industries, or even
across companies within an industry, the process of becoming a resilient business
can vary greatly from company to company. While the business resilience framework
evaluates each component of your business for its resilience factors, the complexity
of the task requires a methodical transformation roadmap that charts out the
journey to BR.
The journey, while complex, can be eased with the help of a trusted partner
with the expertise and tools to establish your resilience requirements, identify
the gaps, map an optimal path to address these gaps, and put your plan in place.
The final objective should be a comprehensive, yet focused resilience strategy
that helps you deliver that much-valued promise to your customers, partners
and stakeholders that no matter what happens: it's business-as-usual.
The author is Manager, Business Continuity and Resiliency
services, IBM Global Technology pronishj@in.ibm.com