One of the most common questions we receive at Avalution is, “How can my organization increase coordination between different groups performing preparedness activities, specifically ‘the business’ and IT?” We have seen many organizations’ business and IT teams struggle to come to an agreement on common requirements, such as application recovery time objectives (RTOs) and data loss tolerances (RPOs). The business tends to complain that IT does not listen to their recovery requirements, while IT tends to complain that the business is far too aggressive and unrealistic on recovery requirements. This article provides recommendations on how the business and IT can work more seamlessly toward the “right” level of preparedness for your organization.
5 TIPS TO BRIDGE THE GAP
Avalution recommends that organizations struggling to foster effective communications and decision making consider implementing the following five tips:
Tip #1: Create a Cross-Functional Governance Structure
The first step toward bridging the gap and creating an effectively coordinated preparedness program (referred to in this article as a business continuity management system, or BCMS) is to establish a cross-functional top management team responsible for setting up, overseeing, and approving the performance of the BCMS. In order to facilitate effective decision making, this top management team should comprise individuals who direct and control the organization at the highest levels of both IT and the business.
This team should work together to ensure BCMS alignment with the organization’s strategic direction and risk appetite (see tip #2), identify the BCMS’ objectives and scope (see tip #3), and make decisions regarding readiness capability versus investment (see tip #4). Overall, this team is responsible for conducting recurring management reviews in order to hold the business and IT accountable for meeting the BCMS’ objectives and tightly coordinating recovery objectives, strategies, plans, and exercises.
Tip #2: Understand the Organization’s Risk Appetite
Following the establishment of a top management advisory team, the BCMS should work to understand the organization’s risk appetite. Utilizing a clear, documented, and management-endorsed risk appetite helps align business continuity and IT disaster recovery strategies with organizational strategy and other risk management efforts, enabling better integration into broader risk management. Further, when done correctly, risk appetite becomes a major input to (and it may overlap significantly with) the BCMS’ scope and objectives. Overall, risk appetite provides a common method of assessing criticality and determining which risks require mitigation for both the business and IT.
Tip #3: Establish Program-Level Scope Statement
After the organization establishes a top management advisory team and understands the organization’s risk appetite, the top management team should work together to identify the BCMS’ scope. Often defined in terms of products and services, the BCMS’ scope statement ensures the BCMS plans for and protects the most critical outputs of the organization.
After developing the BCMS scope statement, the top management team should work together to establish minimum levels of products and services (often referred to as “downtime tolerances”) that is acceptable to the organization (in accordance to its risk appetite). The identification of downtime tolerances drives the assignment of recovery objectives for business activities and associated resources (including technologies). Utilizing management-approved scope statement and downtime tolerances results as an input to determining recovery objectives not only ensures a level of impartiality, but also alignment to organizational strategy and management’s risk appetite.
Tip #4: Establish Requirements and Implement Capabilities
The business impact analysis (BIA) effort should be scoped using the BCMS scope statement, and recovery objectives for business activities and technologies should be assigned based on downtime tolerances established by the top management team. Using downtime tolerances as an input to assigning recovery objectives ensures that they are aligned with the organization’s risk appetite.
Following the approval of the BIA by the top management team, the IT team should perform an interdependency analysis (sometimes referred to as an application impact analysis, or AIA) and apply the business’ requested recovery objectives to upstream and downstream dependencies. In the event that the IT team disagrees with the recovery objective requested by the business, the discrepancy should be escalated to and evaluated by a cross-functional business/IT team, and then endorsed by the top management team as required.
Once the top management team approves all recovery objectives, the business and IT should work to identify strategy options that meet recovery objectives. This may include the business and IT working together to identify manual workarounds as a means of relaxing aggressive, cost-prohibitive recovery objectives. Where multiple strategy options exist, the business and IT should present options to management for selection and investment approval. Utilizing the top management team to review, amend, and approve recovery objectives ensures the transparency and alignment of business and IT requirements and capabilities.
Tip #5: Perform Integrated Testing/Exercising
Following strategy implementation, consider creating an integrated exercise/testing program in which the business and IT work together to validate each other’s recovery capabilities. Coordinated exercising/testing may involve the business testing and evaluating applications following an IT disaster recovery (data center) test. Or, vice versa, coordinated exercising/testing may involve IT participating in a business continuity tabletop test or IT working with the business to perform an alternate workspace/relocation drill. Performing integrated exercises/tests allows the business and IT to work together to validate strategies and ensure they are meeting top management’s objectives.
Overall, Avalution believes that implementing the tips provided above will assist organizations in fostering more effective communications and decision making between the business and IT – ultimately ensuring the organization has the appropriate level of preparedness, aligned to the management’s risk appetite and the organization’s strategic direction.
Please reach out to us if you’d like to further discuss how to bridge the gap between the business and IT in your organization.
Jacque Rupert, Managing Consultant
Avalution Consulting: Business Continuity Consulting