In today’s world of 24x7x365 global operations and competition, downtime results not only in immediate lost revenue and productivity, but also in lasting damage to corporate reputation that erodes customer confidence in your brand. No organization is immune: with ever increasing risks and more dependence on technology, major outages are becoming more common and more costly. We've reached a critical juncture where resiliency is more critical than ever because:
- There is less tolerance for downtime — of any kind. BC/DR historically focused on events such as natural disasters, extreme weather, major IT failures, critical infrastructure failures, pandemics/epidemics, and other events that have a low probability of occurring but have a very high impact on the business. However, in today’s world of global, 24x7x365 operations and intense competition, downtime, regardless of whether it’s a natural disaster, a simple hard drive failure, or a security breach, is unacceptable. The business doesn’t care what caused the downtime; instead, it wants service restored as quickly as possible with as little data loss as possible, regardless of which groups are responsible for the execution.
- More business processes are technology dependent. For years, businesses made every effort possible to move BC management out of IT because, for too long, most BC programs were about business continuity in name only. In reality, they were IT DR programs. However, most businesses have overcompensated to the point where there is minimal integration between BC and IT DR groups. Given that the majority of business processes are technology enabled, or in many cases, technology dependent, this is untenable. In fact, many processes are so technology dependent that there are no longer manual procedures to fall back on in the event IT services are unavailable.
- The perceived and actual risks are increasing. According to a joint Forrester and Disaster Recovery Journal survey, 82% of BC decision-makers and influencers feel that their organization’s risk level is increasing. The top risks are an increasing: 1) reliance on technology; 2) business complexity; 3) frequency and intensity of natural disasters; and 4) reliance on third parties. These perceptions are not so misguided, as in the past five years, more than 60% of companies invoked BC plans at least once, and more than one-quarter invoked these plans three or more times.
To remain competitive and reduce risks and costs of downtime, infrastructure and operations (I&O) professionals must deliver services that are designed for uptime but prepared for failures. In order to achieve this vision, Forrester recommends that companies evolve from risk management, business continuity, and disaster recovery silos to a holistic approach to business technology resiliency. The more that these silos come together, the more that an organization can achieve business technology resiliency — the ability to spring back from any kind of disruption in a coordinated fashion.
The transformation from BC/DR to business technology resiliency is not an easy one, which is why we've developed Forrester’s business technology resiliency playbook, which provides you with the necessary tools to clearly define your requirements, assess your capabilities, define your strategy, implement your strategy, and manage it on an ongoing basis. Whatever your resiliency requirements, whether your tolerance for downtime is zero or a few hours, building a business technology resiliency program requires a four-step process:
- Discover: Establish the value of business technology resiliency and assess capabilities. Building the business case for resiliency spending is difficult because it is challenging to demonstrate immediate value or contributions to the bottom line. You have to understand and calculate the cost of downtime, as well as understand the probability of occurrence for certain risks. Once you have quantified the cost of downtime and analyzed the risks, you can determine your organization’s uptime requirements and build the business case for investment.
- Plan: Create a strategy to manage business technology resiliency as an ongoing program. Once you understand the business’ continuity requirements and you’ve identified the gaps in your capabilities, you can start to formulate a strategy that outlines the mission, scope, goals, and objectives of your business technology resiliency program. Part of your strategy will include a five-year road map for capital investment in business technology resiliency technologies, services, and staffing to close the gap between your current state and future requirements. You can also assess your current capabilities against those requirements and identify gaps in your strategy.
- Act: Hire staff, develop governance policies, and implement technologies and services. Determining the appropriate mix of process and technology skills to support your business technology resiliency program and recruiting talent will not be easy. You need staff who understand how to conduct a business impact assessment and risk assessment, write and maintain BC/DR plans, create test scenarios and exercise objectives. To make your business technology resiliency strategy a reality, you will need to identify and influence stakeholders on both the business and IT side, from executives, LOB owners, facilities, and other operational risk owners to enterprise architects, app developers, and security professionals. To make your business technology resiliency program successful in the long term, you’ll need a strong central governing function that can enforce policies and best practices across geographically diverse business units and strategic partners. And you also need staff who understand how to architect high availability solutions using the latest technology and services.
- Optimize: Measure, monitor, and market business technology resiliency results. Business technology resiliency is an ongoing program, not a one-time planning event. You’ll have to measure and monitor its effectiveness, as well as report value to the organization. With an effective metrics program, I&O leaders will be better prepared to demonstrate business value, develop a proactive culture, and align priorities and performance incentives with business strategy. You’ll also be in a better position to understand how your program compares with that of your peers. A strong metrics and reporting program is also a powerful marketing and communications tool that can help you establish and promote a culture of resiliency through the marketing of your successes, as well as through ongoing training and awareness. This is critical not just for response teams, but also for the entire organization.
So where should you start? I recommend that you begin by reading our executive overview for the playbook and our future look, Move Beyond Disaster Recovery And Prepare For Business Technology Resiliency. This will ground you in our definition of business technology resiliency and give you an outlook on what these documents will contribute to your ongoing continuity initiatives. The documents in this playbook are living, so as needed, we will refresh these documents with new data and examples to ensure that you're always getting the most up-to-date information.
So what do you think? How does Forrester’s vision of business technology resiliency compare to yours? And will our playbook be useful? We are interested in your thoughts and feedback as we refine this playbook to help you in your job.