Business Resiliency Prevents Downtime, Data Loss & Disaster
used with permission from IBM ForwardView
For years, midsize companies have protected themselves against downtime and data loss caused by disasters such as hurricanes and fires. But in today’s intelligent and interconnected world, where information is one of the most valuable assets a business can have, many midsize companies are not doing enough to protect themselves from the full range of risk.
Despite reminders from experts that most businesses at some time will experience an event that results in serious data loss, significant numbers of midsize companies’ IT managers acknowledge that they do not have an adequate backup strategy for their critical data.
Why is this? To a large extent the answer lies in the economic climate. Over the last few years, companies accepted greater levels of risk to reduce expenses. But as the economy picks up, companies are focusing on initiatives for growth. Meanwhile, data protection and business continuity remain on the back burner.
Growth, of course, is good for business. But too much risk can endanger the entire company, including any new growth it might achieve. As Don DeMarco, IBM Vice President, Business Continuity and Resiliency Services, explains, “The continuous flow of information is inseparable from the operational performance of the firm.”
Properly managing risk to ensure data availability is a foundation of all other functions. On a smarter planet, where data is collected and used in greater quantities than ever before, data protection is imperative to building a dynamic and resilient IT infrastructure. Companies need to protect data to ensure continuous operations in the global marketplace. They need to use data to understand their customers. They must deliver data to enhance customer and business partner service. Ultimately, protecting business data becomes a core responsibility for ensuring the financial well-being of the organization.
The path to data protection and risk management
Organizations have made steady progress on the path to protection. Disaster recovery initiatives created plans to guard the data center against natural and man-made catastrophes. Business continuity initiatives tiered protection to match the importance of business functions and meet increasing regulatory requirements. Today, business resilience initiatives provide a comprehensive approach that recognizes that significant data loss can be caused by both mundane and extraordinary events, everything from human error to corrupt software, a hardware failure, a malicious security attack or a natural disaster.
Business resilience, says IBM’s DeMarco, “includes disaster recovery. It includes business continuity. But it also includes information security as an IT risk. And it includes application-level risk. Business resilience is really the ultimate in contemplating IT risk as an element of the corporate risk management profile.”
But business resilience does not happen by itself. Companies should prepare now to take this next step, which DeMarco says looks closely at IT risk and positions companies to make important decisions about accepting or mitigating risk. “We’re seeing clients not just thinking in terms of the unthinkable—the hurricanes, the power failures and the fires in the building. We’re now seeing clients that are recognizing the everyday performance of their IT, which needs to be highly available, so you can be absolutely certain that that business process remains operational at all times.”
This growing recognition is confirmed by the IBM study “Inside the Midmarket: A 2011 Perspective,” in which midsized companies ranked security, including business continuity, first among the top ten focus areas for their technology initiatives. In the study’s findings, customer relationship management and business analytics score nearly as high as security. While such initiatives are important, diverting attention away from data protection and risk management can weaken the foundation on which business initiatives are built.
Understanding your ability to tolerate risk
A more instrumented and interconnected world brings new risks, and organizations require a smarter approach to manage risk and achieve business resilience. It’s no longer enough to implement a set of tools to minimize the impact of risk and recover from disruptions. It’s not enough to simply assign risk management a new level of importance. On a smarter planet, organizations need a new and holistic point of view to develop an intelligent business strategy that takes risk management into account.
Successful companies are not treating protection as a standalone issue. Neither are they treating protection solutions as standalone goals. DeMarco explains, “Those companies that are enabling business outcomes will very often look at it as full-fledged business resilience, with information security melded with data protection, data backup and data archiving, disaster recovery and business continuity.”
It is important, however, that melding initiatives into a comprehensive whole reflects the needs and characteristics of the company. Some companies can tolerate more downtime than others. “One might be very risk tolerant, and one might be very risk adverse,” explains DeMarco. “So the way the program would be built for those two companies might be very, very different even though they seemingly are serving a common market.”
In creating a plan, companies should consider key areas that influence their ability to tolerate risk and shape their business resilience plan. One such area is regulatory compliance, including Sarbanes-Oxley (SOX) and the Health Insurance Portability and Accountability Act (HIPAA), which require organizations to demonstrate that data is managed, protected and secure. Another is supply chain compliance wherein partners within a business ecosystem must meet agreed-upon standards to ensure operations and quality within the group. “We often find that there is a company or two in a business ecosystem that establishes resilience criteria for all inside that ecosystem,” says DeMarco. “It’s typically the large gorilla in the room if you will, the large entity inside that supply chain.”
So how can a company get begin creating its resiliency plan? “The first thing I would ask them to inspect is the success rates of their nightly data backups,” says DeMarco. “We often find that the Achilles heel to a disaster recovery program or a business continuity program is that the client has not successfully backed up the data from which they wish to restore their business.”
And for an ongoing program, DeMarco has more advice. “Most important is test, test, test,” he says. “What really gives you the confidence to know that it will work and the discipline to have it work is that you’re constantly testing.”
Ensuring resilience on a smarter planet
On a smarter planet, attention to business resilience is critical. Companies have to protect data, but they also need to manage the wide-ranging risk that comes from external and internal influences as well as from threats, disasters, system failures and downtime.
“There are a lot of incredibly intelligent things that can be instrumented, and therefore there’s a lot more data,” says DeMarco. “So we see a tremendous amount of interest in instrumented growth, and it’s because there’s so much more data at your reach to analyze and make decisions in the way that you serve your clients.”