|
|
7.1.1 Why ITSCM?
7.1.2 Goal for ITSCM
7.1.3 Scope of ITSCM
7.1.4 Basic concepts of ITSCM
7.1.5 Benefits of ITSCM
7.1.6 Business Continuity Management and ITSCM
7.1.7 Management commitment
7.1.8 Relationship with other IT Service
disciplines
Since the IT Infrastructure Library produced its book on 'Contingency Planning', there have been significant changes in technology and the way in which technology is used within business. The dependencies between Business processes and technology are now so inter-twined that Contingency Planning (or Business Continuity Management as it is now sometimes referred) incorporates both a business element (Business Continuity Planning) and a technology element (IT Service Continuity Management Planning). Their dependencies on each other determine that one is a sub-set of the other, depending on the nature of the business and the extent to which technology has pervaded the organisation. In this Chapter it is assumed that Business Continuity is the main driver and that IT Service Continuity Management (ITSCM) is a sub-set of the Business Continuity Management (BCM) Process.
In today's highly competitive and service oriented business Environment, organisations are judged on their ability to continue to operate and provide a service at all times. ITSCM is concerned with managing an organisation's ability to continue to provide a pre-determined and agreed level of IT Services to support the minimum business requirements following an interruption to the business. This may range from an application or System failure, to a complete loss of the business premises. As such, ITSCM forms an integral part of the BCM process to ensure that IT Services and facilities can be provided.
The goal for ITSCM is to support the overall Business Continuity Management process by ensuring that the required IT technical and services facilities (including computer systems, networks, applications, telecommunications, technical support and Service Desk) can be recovered within required, and agreed, business timescales.
ITSCM focuses on the IT Services required to support the critical business processes. The Impact of a loss of a business process, such as financial loss, damage to reputation or regulatory breach, are measured through a Business Impact analysis, which determines the minimum critical requirements. The specific IT technical and service requirements are supported by ITSCM. The scope of ITSCM within an organisation is determined by the organisational structure, culture and strategic direction (both business and technology) in terms of the services provided and how these develop and Change over time.
As organisations become more dependent upon technology, which is now a core component of most business processes, continued Availability of IT is critical to their survival. This Availability is accomplished by introducing Risk reduction measures such as resilient systems, and recovery options including back-up facilities. Successful implementation of ITSCM can only be achieved with visible senior management commitment and the support of all members of the organisation. Ongoing maintenance of the recovery capability is essential if it is to remain effective. This is achieved through:
ITSCM supports the BCM process and delivers the required IT supporting Infrastructure to enable the business to continue to operate following a service disruption.
The annual spend on ITSCM can be likened to an insurance premium and, like insurance, the optimum spend is determined by the circumstances and risks that could influence the organisation's business. The variety and frequency of events that pose a threat to businesses in today's technology age have forced organisations to regard the continuing requirement for ITSCM as part of their corporate and management philosophy and culture.
This allows an organisation to identify, assess and take responsibility for managing its risks, thus enabling it to understand better the environment in which it operates, decide which risks it wishes to counteract and act positively to protect the interests of all stakeholders (including staff, Customers, shareholders, third parties, creditors). ITSCM can complement this activity and help to deliver business benefit.
The IT organisation can actively manage the Infrastructure and systems to reduce the impact of component, multiple component or site failure (e.g. RAID implementation on disks, multiple processors/power supplies, mirroring or clustering of systems etc.). The consequence of not managing this and other risks effectively is likely to impact on the ability of the organisation to meet its client's expectations, potentially resulting in lost Customers, revenue and market share.
Conversely, the advantages of ITSCM include:
In many industries, consumers and business Customers are requesting an ability to make enquiries, place orders, monitor progress and settle bills with much less human intervention than is currently the case. Technology allows products to be tailor-made to Customers' exact requirements and advanced just-in-time production systems allow inventories to be reduced to a minimum.
These changes make business even more dependent on technology and ITSCM than ever before. Failure of a centralised electronic order capture system or an inventory management system will stop a business in its tracks. In the digital world, 'no systems' means 'no business'. In order to address these risks, resilience, security, Business Continuity and the ITSCM components have to be designed into electronic business services from the outset in a way that is rarely done today.
| Examples (1) If a mobile phone provider were to lose the messaging capability on its service, this would be unacceptable to many Customers who may transfer to another Service provider either immediately or when the contract renews. (2) Supermarkets rely on just-in-time to provide stock control and ordering. A failure at any stage in the supply chain management, such as bar code scanners, could mean that stocks of perishable items such as milk are not re-ordered. This will result in no milk on the shelves within a very short period of time and a consequent loss of Customer income, confidence and loyalty. (3) Profit for a financial institution involved in money market trading is dependent upon decisions taken based on split second Availability of pricing information delivered through the computer Infrastructure. If this information is not available, the organisation immediately loses its ability to make informed decisions and could potentially begin to lose money. Similarly, if IT Services fail in a heavily automated manufacturing plant utilising just-in-time processing, the plant will almost certainly lose production time and therefore money. (4) In the electronic commerce environment, if an organisation were to lose the Availability of its Internet site then this could lead to an immediate loss of business and Customers as they will immediately find alternative sites and organisations offering similar products and services. In addition, Customer loyalty cannot be relied on and once Customers are lost, they are unlikely to return. |
Business Continuity Management (BCM) is concerned with managing risks to ensure that at all times an organisation can continue operating to, at least, a pre-determined minimum level. The BCM process involves reducing the risk to an acceptable level and planning for the recovery of business processes should a risk materialise and a disruption to the business occur.
ITSCM must be a part of the overall BCM process and is dependent upon information derived through this process. ITSCM is focused on the Continuity of IT Services to the business. BCM is concerned with the management of Business Continuity that incorporates all services upon which the business depends, one of which is IT.
There is a need for the minimum business requirements to be determined to a level of detail and agreed between the business and the IT Service providers (internal or external) prior to the ITSCM scope being defined. These requirements may define a need to establish an immediate transfer of the service to an alternative location or a requirement to recover elements of the service over a longer period of time (e.g. a week). It is vital that these prerequisites are fully understood, defined and agreed by the business as part of the BCM process to ensure ITSCM is specifically used in the most effective and efficient manner to deliver the IT portion of these requirements.
The implementation of ITSCM mechanisms, identified through the BCM process, must be based on business requirements in order to reduce the risk from interruption or failure of critical business processes and ensure business benefit. The process is concerned with the performance and, at the most elementary level, the survival of the business and is, therefore, a top management issue. The process must be understood and visibly supported by all senior managers and directors.
However, management commitment does not end when the initial project has been completed. Ongoing commitment is necessary to maintain the effectiveness of the recovery capabilities and there is a requirement for a continual review, update and test process for the ITSCM plans, facilities and service provision. Providing this is achieved, ITSCM will react to changes in the business world that it is there to protect. Business Continuity and recovery must be considered as part of the culture of the organisation and indeed be part of business as usual. To help achieve this, responsibility for ITSCM should be a key objective in a business manager's job description.
Business-as-usual pressures tend to focus management time on the business itself and ITSCM typically takes a back seat. It is essential that the necessary Resources are focused through a strategic directive from the highest levels of management to prevent business-as-usual pressures being used as an excuse for the non-delivery of the recovery facilities.
To this end, ITSCM becomes one of the multitude of corporate management activities performed in operational and executive roles, enabling ITSCM to be embedded, either explicitly or implicitly, within business strategy, business objectives and key performance indicators through all levels of the organisation. Similarly, as the IT strategy is generally a derivative of the business strategy, this should reflect those changes in terms of ITSCM.
Failure to include the ITSCM process as part of the corporate planning activities will result in the ITSCM mechanisms becoming inaccurate or 'out of date' and failing to meet business requirements.
ITSCM interacts with the other IT Service disciplines such as:
|
|
