Operational risk management is a high priority in every quarter of the enterprise today, from the data center to the boardroom. It is not just the unpredictable security breach, natural disaster or malevolent act that worries managers - it is the need to comply with higher standards of corporate governance required by the Sarbanes-Oxley Act, Basel II and other regulations. It is also the simple fact that downtime and data loss are extremely costly in today's competitive business environment, where critical applications depend on IT as never before.
Many enterprises believe they need to do more to protect their businesses and deliver day-to-day high IT availability. Customers often voice concerns such as these:
"We understand the potential risk we face, and it is recognized at the senior level, but we can't always address it due to cost constraints."
"Our business model is so complex that we're not totally clear on where risk exists and how to measure it."
Given such concerns, the key question remains: How do you get a clear understanding of your risks, needs and the appropriate level of investment?
Changing the Mind-Set
Addressing operational risk with point solutions is an ineffective strategy for complex IT environments. Business continuity, availability and security are interdependent and should be approached in an integrated, systemic way. Vulnerability in any area can impact your ability to deliver the service levels your business needs.
By taking a holistic approach, you can build a reliable, secure infrastructure that enables you to continuously improve IT availability and performance as your business evolves. Technology is an important part of the solution, but best practices in staff skills, processes and procedures must also be in place.
The toughest job may be instilling business continuity, availability and security into your corporate culture so it becomes a way of doing business - and staying in business.
Know Your Threats and Risks
The starting point for building a resilient IT environment is a thorough understanding of your end-user business requirements, the threats you face and the potential impact of downtime on each piece of your business. Reducing exposure and vulnerability to protect your mission-critical operations against diverse downtime risks requires a comprehensive process for understanding where you are now and what you need to do to build a resilient infrastructure. It starts from the perspective of your business users and includes four steps:
- Define business requirements. Evaluate the requirements of all your business processes and applications across the enterprise in regard to regulatory compliance, availability, security and business continuity. Measure the impact of downtime for each business application and process.
- Assess and prioritize risk. Conduct comprehensive, in-depth availability, security and continuity assessments to identify areas of risk and strategies for protecting your IT environment and improving IT service. Compare your practices to industry best practices. Identify gaps and prioritize your risks according to business impact.
- Design and implement solutions. Translate your requirements into executable solutions of technology and services, encompassing storage, databases, applications, systems and networks. Build a continuous service improvement plan.
- Monitor, manage and evolve. Establish service management policies and training to align people and processes with best practices. As your business evolves, reassess, monitor and test your availability and continuity plan.
Few IT organizations have the resources to carry out a comprehensive strategy on their own. A business continuity and availability consultant can help you bring key stakeholders to the table. Seek a seasoned consultant so you can draw on decades of experience with clients who have similar needs, and leverage proven tools and methodologies to obtain the precise data you need to justify investments.
Additionally, ensure that the consultant's approach is comprehensive and integrated. A strong business continuity and availability partner should be able to address every point of risk for your business: data protection and integrity; redundancy and backup for your applications, databases, systems and network; data center physical security and backup; site and office backup and recovery; and disaster tolerance across a wide region.
Also check whether the consultant incorporates IT service management processes and industry best practices from ITIL, COBIT, ISO/IEC 17799 and others into an architecture that lays the foundation for keeping your IT services continually aligned with changing business requirements. A strong consultant should be able to assess your procedures against industry-standard best practices for service delivery and continuity, and identify IT management processes that help you comply with Sarbanes-Oxley, Basel II, HIPAA and other regulations.
When it comes to architecting and implementing solutions, look for a consulting partner and vendor who offers a broad portfolio of products and services plus extensive partnerships and expertise. Ideally, the partner's products will be tightly integrated to create seamless solutions.
Balancing Risk Against Cost
A major challenge in risk management is balancing risk against the cost of protecting your business. A business continuity and availability consultant will help you make rational decisions through a tiered approach. For each business process, a consultant should work with you to determine how to best address four questions: What level of availability is needed? How much data can the business afford to lose in case of a major disruption? How long can the business afford to be down? What level of security is needed?
A strong business continuity and availability partner should be able to provide solutions that meet those standards at three tiers, based on the criticality of the business process. At each tier, the consultant should recommend solutions to meet precise goals for recovery time, data loss and downtime per year. Using this meticulous method, you can feel confident that you are investing at the right level - no more and no less than needed.
By taking an integrated view of business continuity, availability and security, you can build an agile IT infrastructure aligned with business needs. Start small, perhaps by attending a one-day workshop offered by a reputable business continuity and availability vendor or partner to gain a more comprehensive understanding of where you are now, and what you need to do to build a resilient infrastructure. Using the approach we've described in this article will help you and your consulting partner assess the needs of a key business process.
Eight Best Practices in Managing Risk
- Test and update your business continuity and availability plan every six months.
- Replicate your IT over an adequate geographic distance to reduce regional threats.
- Audit the business continuity plans of major suppliers and customers in your supply chain.
- Drive operational risk management from the top in an integrated strategy.
- Instill business continuity, availability, and security awareness into your corporate culture.
- Quantify the impact of downtime on all key business processes.
- Address availability and IT performance from an end-user perspective.
- Implement a "hotel" model of security, with layers of security from the "room key" to the perimeter.