by Joe Wolke and Michael Croy
For many years, the convergence of business and information technology (IT) has remained a hot topic. Today, business and IT are fully integrated. If the business changes, IT changes. If IT changes, the business changes.
But what does this mean for business continuity and
disaster recovery (BC/DR)? It is no longer an afterthought, built on top of the
IT infrastructure. Rather, BC/DR is now at the service level, not just at the
IT organization level.
An effective BC/DR model for today’s converged
infrastructure is called ‘service resilience’ – which incorporates BC/DR into
the design of each system, based on the specific needs or requirements of both
the business and IT.
As a result, IT leaders need to adopt a methodology built
around some key areas. Such a methodology is needed to elevate IT leaders’
approach from traditional disaster recovery and business continuity planning to
a more holistic, comprehensive strategy that embraces the concept of service
Think about it this way – service resilience provides the
continuity necessary for IT services to run the business. Technology has become
the business. Everyone and everything is wired and tethered to a bigger,
faster, more agile, and more complex infrastructure.
Chief information officers and IT leaders recognize these
new challenges, but preparation still lags. Meanwhile, the increasingly
holistic relationship between IT and business means that technology changes can
occur daily. These changes create an environment where events such as mergers,
acquisitions, and process changes can threaten business continuity just as much
as a devastating event can.
Resilience in the Age of Transformation
Mission-critical applications are important to focus on
when resiliency planning because applications now drive business processes and
ultimately business functions. Applying that concept at a broader level, the
implementation of any new technology — applications included—requires planning
not only to understand what it can do for your business but also to recognize
how the business can become dependent on IT, and therefore, can be crippled
should it fail or be turned off.
Imagine something as simple as implementing a new set of
servers with increased capabilities. The benefits would prove plentiful.
However, in order to mitigate the associated risks, IT organizations
introducing new technology must anticipate and scrutinize potential resilience
issues by asking themselves six important questions:
1. Is my infrastructure able to meet the resiliency
requirements of every application?
2. Are all my supporting services, including backup and
recovery capabilities, in place to support my new environment?
3. How will my new capabilities impact business and
4. Is my environment implemented and utilized correctly
to best support the business?
5. Are my applications keeping up with the infrastructure
6. Are my data and IT assets optimized? For example, can the local business
support the global regions when a crisis hits?
The Cloud Conundrum
Cloud computing raises new questions and answers. In
virtualized environments, it seems that the business by nature becomes more
resilient. But many new questions arise.
As with any technology on which your business runs, the
best course of action is to determine what threats exist, how they will impact
your business, and how they will be resolved—if and when they occur.
While cloud partner contracts include availability
service levels, they don’t allow an organization direct control over issues
when they arise. In other words, it is important to get past the hype by
defining resiliency requirements before architecting. For example, it is wise
to consider the following: Are the partners reliable and can they deliver on a
There could be multiple third parties along the
technology delivery chain and resiliency depends on all of them. By better
understanding the chain, you can determine what resiliency levels are
appropriate for each link in the chain. Some may require less than others,
which would allow for flexibility in managing costs.
Whether it’s a cloud provider or any other service
provider, vendors must meet the same rigorous standards that your organization
sets for itself. That means it’s important to take a look at the vendor’s
disaster recovery plans to determine if they meet your requirements. Often
times, vendors will not share their disaster recovery plans, in which case
organizations should establish a written agreement on minimum required service
levels during a disaster. A backup supplier should also be identified and made
familiar with your service needs.
Ensuring Service Resilience: No Surprises
The basic fact is that major threats to service
resilience are caused not just by sensational events like hurricanes, fires,
and floods, but also by unidentified operational failures that support the
business. It can be as simple as a business need or expectation being poorly
communicated or interpreted, and therefore, not properly supported by the
The best way to avoid these threats is to validate four
main areas. These include:
1. Your current business requirements and infrastructure.
2. The strength of your infrastructure recovery plan.
3. Your infrastructure’s ability to support future
business objectives and strategies and their impacts.
4. The process of assessing and ensuring resiliency
Your efforts to validate these four areas will likely yield
surprises that you can’t afford to overlook. Bringing in the proper outside
expertise to help you collect this information from business and IT leaders can
be one of the wisest business decisions you can make.
Auditors are trained to document the good, the bad and
the ugly. What they uncover quantifies the costs of being ill-prepared. The
case will be extremely compelling. If you think your organization is the
exception to the surprise rule, think again. The good news is that whatever
issues arise, they can be fixed.
Joe Wolke is the director in IT strategy practice and Michael Croy is the business continuity practice manager at Forsythe Technology (Skokie, IL). www.forsythe.com