Gemstar-TV Guide International hired Ed Sullivan to direct Business Continuity Services in 2003, soon after an audit found that TV Guide's infrastructure was essentially unrecoverable in the event of a sustained crisis. There was a time when Sullivan's first stop for addressing the issue would have been IT and the datacenter. But times have changed -- Sullivan first conducted several weeks of meetings with senior executives and various business unit executives to talk about the company's business processes. "The fact that I work for the CIO is almost irrelevant," Sullivan says. "I'm there to provide recovery for the business units."
Assessing potential impact to the business before crafting a business continuity plan is not new, but the trend is picking up steam as technology becomes more tightly bound up with ongoing operations and overall success. "Take just-in-time inventory," says Jim Grogan, vice president of consulting product development at SunGard Availability Services. "It would not be possible without the technology to enable it. But it's a business decision to manage operations differently, and its success means literally billions reinvested in the business."
Another reason to start with a business-impact analysis is that technology underpinnings are not as clear-cut as they once were. "We used to think that if we brought up the datacenter after a disaster, we'd be OK," says Fred Dillman, CTO of Unisys. "But with servers all over the world and laptops, desktops, and other devices playing such an important role, bringing up a datacenter is no longer enough, and it's simply not feasible to bring up everything. You have to know which business processes and their underlying technologies are critical to your goals."
Hidden dependencies are becoming more common. "Often, the application that was deployed two years ago with 'Yeah, let's give this a try,' is now silently driving 15 percent of revenue," SunGard's Grogan says.
Recent regulations such as Sarbanes-Oxley, as well as natural and man-made hazards now firmly rooted in reality, have made analyzing the business risks of technology failures and disasters critical. "Before Katrina, few companies had given much thought to what would happen if an entire city was out of commission," says Michael Porier, director of Protiviti's technology risk practice.
The risks to revenue and market capitalization are higher than ever. "Today you need to prevent an outage because if you get a customer service black eye, you'll pay a price on Wall Street," Grogan says.
Modeling the BusinessModeling the business is the first big step toward falling in line with risk management aspects of best- practices frameworks, such as COSO (Committee of Sponsoring Organizations of the Treadway Commission), COBIT (Control Objectives for Information and related Technology), ITIL (Information Technology Infrastructure Library), and ISO/IEC (International Organization for Standardization and the International Electrotechnical Commission) 17799:2005, all of which can help with the nuts and bolts of business continuity planning.
"COBIT is a framework for IT control that can be used to mitigate risks once you've modeled the process," Walch says. "COSO is in many respects the counterpart to that on the business side, leaning to business control and governance as opposed to IT controls.
ITIL looks at business continuity, change management, and problem and incident management from a service perspective. All of these frameworks are very complementary to the business modeling process." ISO/IEC guidelines contain a wealth of best practices specific to information security management.
Increasingly then, an effective strategy for business continuity planning lies first with carefully modeling the business itself. This means gaining an in-depth understanding of business goals, priorities, functions, underlying processes, and the people and expertise involved with those processes. "It's too easy to get down to the guts of networks, systems, servers, and patches without understanding that the real mission here is to wholesale leather shoes," says Trent Henry, senior analyst at the Burton Group. "IT has to understand fundamentally the business they're in the middle of. Then they need to understand the dependencies of the business processes on the infrastructure that they're running." This business-impact analysis is generally followed by a technology profile and is a staple of many enterprise business continuity teams. "That begins to pull in risks to the business," Henry says, "and what aspects need to be prioritized, including people."