Investing in IT Service Continuity without first undertaking a Business Impact Analysis risks wasting money
I’ve written this post to rebuff the actions of a number of IT product and service companies who promote their wares under the banner “Business Continuity”.
To my mind, and that of ITIL (Information Technology Infrastructure Library – a UK government initiative to improve the quality of IT services), these topics really fall under the term IT Service Continuity. Business Continuity has a far wider remit and tends to focus more on the operational processes in a business.
British Standard BS:25999 defines Business Continuity Management as:
… an holistic process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause. It provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of key stakeholders, reputation, brand and value-creating activities.
Personally I prefer the simpler definition that Business Continuity Management is “… a management discipline that ensures an organisation is able to continue serving its customers and generating value; even when something untoward has disrupted its normal operations.” Regardless, the emphasis is on the organisation and its operations as a whole. There is no mention of IT as such.
Of course, IT is a major factor in modern businesses, and it is important that a company’s IT systems are as resilient as is needed to meet the operational requirements. But it is the context of the business operations that matters. Too many times, businesses have invested in their IT systems to the point at which they achieve far higher availability than the business needs.
I myself witnessed a situation where a company had been persuaded to invest in an expensive continuous processing environment for a part of their operations when a proper Business Impact Analysis revealed that the said part of the business was not at all critical. In fact, the business as a whole would not have suffered unduly if that part of the business took two days to recover from a failure.
Before you invest money in making your Information Systems more resilient, improving your backup system or moving to the Cloud, make sure you know what your resilience requirements really are. You may have a gut feel for it, and you may be right. But, as the example above shows, you could also be very wrong.
Business Continuity is about Operational Risk Management. It isn’t just your IT. Take the time to conduct a formal Business Impact Analysis before you start investing in serviceability.
Agdon Associates and Business Continuity UK are no longer in business. This website is not being updated: it has been left online solely as a source of useful information on Business Continuity.