Gemstar-TV Guide International hired Ed Sullivan to direct Business Continuity Services in 2003, soon after an audit found that TV Guide's infrastructure was essentially unrecoverable in the event of a sustained crisis. There was a time when Sullivan's first stop for addressing the issue would have been IT and the datacenter. But times have changed -- Sullivan first conducted several weeks of meetings with senior executives and various business unit executives to talk about the company's business processes. "The fact that I work for the CIO is almost irrelevant," Sullivan says. "I'm there to provide recovery for the business units."
Assessing potential impact to the business before crafting a business continuity plan is not new, but the trend is picking up steam as technology becomes more tightly bound up with ongoing operations and overall success. "Take just-in-time inventory," says Jim Grogan, vice president of consulting product development at SunGard Availability Services. "It would not be possible without the technology to enable it. But it's a business decision to manage operations differently, and its success means literally billions reinvested in the business."
Another reason to start with a business-impact analysis is that technology underpinnings are not as clear-cut as they once were. "We used to think that if we brought up the datacenter after a disaster, we'd be OK," says Fred Dillman, CTO of Unisys. "But with servers all over the world and laptops, desktops, and other devices playing such an important role, bringing up a datacenter is no longer enough, and it's simply not feasible to bring up everything. You have to know which business processes and their underlying technologies are critical to your goals."
Hidden dependencies are becoming more common. "Often, the application that was deployed two years ago with 'Yeah, let's give this a try,' is now silently driving 15 percent of revenue," SunGard's Grogan says.
Click for larger view.
Recent regulations such as Sarbanes-Oxley, as well as natural and man-made hazards now firmly rooted in reality, have made analyzing the business risks of technology failures and disasters critical. "Before Katrina, few companies had given much thought to what would happen if an entire city was out of commission," says Michael Porier, director of Protiviti's technology risk practice.
The risks to revenue and market capitalization are higher than ever. "Today you need to prevent an outage because if you get a customer service black eye, you'll pay a price on Wall Street," Grogan says.
Modeling the Business Modeling the business is the first big step toward falling in line with risk management aspects of best- practices frameworks, such as COSO (Committee of Sponsoring Organizations of the Treadway Commission), COBIT (Control Objectives for Information and related Technology), ITIL (Information Technology Infrastructure Library), and ISO/IEC (International Organization for Standardization and the International Electrotechnical Commission) 17799:2005, all of which can help with the nuts and bolts of business continuity planning.
"COBIT is a framework for IT control that can be used to mitigate risks once you've modeled the process," Walch says. "COSO is in many respects the counterpart to that on the business side, leaning to business control and governance as opposed to IT controls.