lynn james - fusion risk management...lynn james senior advisory consultant siloes: they are the...


Post on 22-May-2020



Lynn James Senior Advisory Consultant

Siloes: they are the bane of organizational resiliency and efficiency, but they are notoriously hard to tear down. Departments that focus on business continuity, IT, disaster recovery, third-party management, and incident management all tend to function independently of one another, even though the intersection of their responsibilities is where organizational resiliency and efficiency live.

This siloed approach to business operations results in duplicative work, gaps in addressing risk, and lack of optimization. However, business continuity is uniquely positioned to destroy departmental siloes and improve the alignment of these various functional areas. The way to do so is by creating and sharing the benefits of an all-encompassing information foundation.

Creating the Foundation for Increased Business Resiliency and Efficiency


Business continuity’s responsibilities involve a tremendous amount of data collection and analysis. This includes information from business impact assessments, risk assessments, configuration management databases, application impact analyses, technical impact analyses, and other sources. The purpose of this data collection and analysis is to:

• Identify and prioritize critical business processes
• Identify process dependencies
• Develop process recovery and mitigation actions and procedures
• Validate critical processes through exercise facilitation
• Identify and communicate critical process risks and impacts

Notice that everything centers around business processes. That brings us to the crucial point: business processes are the foundation of every department in the enterprise, and many of these business processes and required support of the processes cross departmental siloes. For example, if IT updates an application, it can have a direct impact on finance. If vendor management chooses not to renew a contract, it can have ramifications from production to pricing to sales.

Frequently, the existence of siloes means that such connections and interdependencies are not recognized – to the detriment of the business. But, by creating an information foundation and sharing its data across siloes, business continuity can help diverse business functions work together to optimize organizational resiliency and efficiency.

The information foundation can be defined as a single source of truth about business data and business processes that can be shared and accessed across departments and disciplines to improve not only recovery and continuity, but overall organizational resiliency and efficiency. With this as the definition, it is readily apparent that the right software is key to creating, maintaining, and leveraging the information foundation. The volume of data and the number of connections within an enterprise make it impossible to build and manage an information foundation manually, or to deliver desired outcomes with any level of efficiency.

The right software, however, makes it easy to build an information foundation that contains data regarding the business units that comprise the enterprise, the business processes they are involved with, their recovery plans, the applications and vendors that they engage, and more. This data can be viewed from any angle; for example, you could zero in on a business unit and identify all the applications that unit uses, or, conversely, look up an application and see all the business units that use that particular application.

The information foundation, therefore, contains a tremendous amount of actionable data – data that is useful, practical, and relevant not only in terms of specific business continuity activities, but also to enhance daily support for many business processes within the enterprise. By understanding each department’s processes and priorities, information and insights can be shared that will break down siloes, build partnerships, improve organizational efficiency, and increase resiliency across the enterprise.

Let’s take a look at how the information foundation can be leveraged in four (usually siloed) areas of business: IT, disaster recovery, third-party or vendor management, and incident management.

A SINGLE SOURCE OF TRUTH

Lynn James is a senior advisory consultant who has over 30 years of experience in business continuity, disaster recovery, and emergency management. Lynn currently focuses on guiding executives and business continuity leaders to maximize the value of business continuity management programs and solutions.


Information Technology (IT)

In a typical organization, IT is tasked with:

• Providing a redundant, hardened processing environment
• Protecting systems and data from unauthorized access
• Ensuring that data and applications are available to meet business process requirements in production
• Managing current capacity
• Planning for future capacity
• Providing for the recovery of systems and applications that support critical business processes in response to a major incident

These priorities may be applied to on-premises environments owned by the business, or toward managing a relationship with an external IT provider or cloud service. The question then becomes, what data does business continuity already have in the information foundation that could support IT with these priorities?

One place where the information foundation can be of assistance is when there is an IT storage upgrade. Take the case where an older storage frame needs to be replaced. Using the shared information foundation, the IT storage team may discover that the storage frame is connected to a Linux server and that the server supports a critical revenue-generating business process. Therefore, the IT storage team will need to work with the Linux team to ensure error-free operation after the upgrade, and work with the process-owning business unit to investigate how an upgrade could potentially impact the revenue process should problems be encountered. Representatives from the business unit could also be engaged to validate successful process operation following the upgrade. By collaborating with these other business units, IT can make plans to upgrade the storage in a way that will not generate a negative impact on enterprise operations.

This example shows how, through the information foundation, data concerning process criticality, impacted audiences, teams and contact information, applications used, affected locations, and more are all available to IT to increase production process efficiency and reduce potential undesired ramifications, thereby increasing organizational resiliency.


Disaster Recovery

Business continuity and disaster recovery share many of the same priorities – but there are key differences. The term “disaster recovery” typically refers to re-establishing the IT infrastructure and IT services to support the continuity of critical applications following a disruptive event. “Business continuity” goes beyond that to include the people and processes that work with the IT infrastructure, applications, and services.

Specifically, IT disaster recovery priorities include:

• Providing IT infrastructure to support critical applications following an incident, minimizing downtime and data loss
• Overseeing technical resources to support recovery
• Managing resources to support validation without impact on production

Business continuity’s information foundation can be very helpful to disaster recovery with regard to the third priority. For example, assume that the disaster recovery team is preparing a component recovery validation of a Linux server. The validation of the active-passive recovery strategy involves moving workload from the production server to the passive or recovery server. As with any activity involving production data, there is a risk of unanticipated impacts.

Using the information foundation, the disaster recovery team can quickly see all related components and applications. Since the information foundation is based on process data gathered during the BIA, data concerning process criticality and the critical processing time periods are readily available. For instance, the information foundation might show that the server supports a critical revenue-generating business process, and that the most critical time of the year for this process coincides with the targeted fail-over validation schedule. Based on this insight, disaster recovery might choose to reschedule the component exercise to reduce risk to the production critical process during its most critical processing period. This reduction in operational risk via a better understanding of business processes is an example of increased resilience supported by the information foundation.

Third-Party and Vendor Management

With enterprises increasing their reliance on vendors in support of critical business functions, the role and visibility of third-party or vendor management has grown substantially. The production priorities of this function include:

• Vendor qualification
• Contract negotiation
• Capability assessments
• Service level agreement monitoring

Business continuity has worked with third-party or vendor management for many years to ensure that business continuity language is included in contractual agreements, thereby reducing operational risk. But can business continuity further assist third-party or vendor management with their priorities?

Once again, the information foundation can be leveraged. Take the scenario in which an equipment supply vendor’s contract is coming up for renewal. Vendor management can access the information foundation to see that the vendor currently supports two business processes. Plus, vendor management can readily see if there is an alternative vendor already working with the company who may provide the same services. These factors can be taken into account in the upcoming contract renewal decisions.


Incident Management

Finally, let us turn to incident management. Incidents occur and must be addressed within a business on an almost daily basis. Most are not critical and do not result in a crisis, but some do.

The name “Incident Management” can refer to the activities of several different groups in the enterprise, including enterprise operations centers and application availability command centers (an IT-related function). Regardless of a department or function’s title, the priorities of any group with incident management responsibilities include:

• Resolving incidents of all sizes
• Quickly determining the scope and impact of incidents
• Identifying impacted locations and processes
• Notifying appropriate teams as required for resolution
• Communicating incident status to stakeholders and leadership

In addition to supporting large catastrophic events, the information foundation managed by business continuity can benefit incident management in non-catastrophic production incidents. For example, suppose that a company’s enterprise operations center (EOC) is notified that, due to scheduled electrical transfer switch maintenance, electricity will be disrupted for 48 hours at a certain site the following week. Being proactive, the EOC references the information foundation to determine the impact and discovers that a critical revenue-generating business process is dependent on the site.

As a result, the EOC coordinates with representatives from finance, facilities, and IT to ensure that the business-critical process can be performed in an alternate facility during the maintenance window. That is the power of the information foundation!

Building on the Information Foundation

These are just a few examples of how the information foundation can increase resiliency and efficiency across the enterprise. The actual uses of the data and defined dependencies contained within the information foundation are limitless! To begin leveraging the power of the information foundation, review the data and process information you have collected with an eye toward organizational resiliency and efficiency. Be sure to understand not only the continuity needs of the other departments in your enterprise, but also their production drivers and priorities. Then, be an evangelist for the information foundation! Start conversations across siloes and share the data that is available to all. Encourage your colleagues to explore the information foundation for themselves. You will see firsthand how siloes crumble and how organizational resiliency and enterprise efficiency rise up – built on the solid base of the information foundation.


Ready to create your own information foundation? Learn more about how Fusion can help you create your own knowledge base at fusionrm.com/framework