IT Service Continuity Management: 7.4 Management Structure

7.4 Management Structure

7.4.1 Management roles
7.4.2 Responsibilities

As with most IT issues, ITSCM crosses organisational boundaries and consumes management time and financial Resources, these should however, be in proportion to the risks being addressed. Sponsorship at the highest level and integration into the IT and ITSCM structure is paramount to its success. Without this level of sponsorship, ITSCM risks include:

misalignment with the business and IT strategies, thereby failing to address the true values and risks as perceived by senior management
lack of momentum, profile or resources to develop into a successful management and operational discipline
lack of extensive co-operation and input required from management at all levels.

Hints and tips

Without senior management sponsorship investment in ITSCM may be wasted and fail to address the requirements of the business, resulting in the organisation failing to survive a major disruption to its business due to IT systems failure.

In order for ITSCM to be successful within an organisation, a suitably capable management structure should be implemented. The roles should be integrated into the existing suite of IT management responsibilities. The optimum management structure will:

allow responsibilities for ongoing ITSCM to be clearly defined and allocated
integrate into existing management structures, hierarchies and responsibilities
avoid concentrating responsibility in an isolated centre of excellence
allocate responsibilities to functions or individuals that have the necessary presence, credibility, skills, knowledge and expertise within the IT organisation
ensure that the management structure to manage ITSC on an ongoing basis, closely resembles the structure that will control and facilitate Continuity or recovery should the ITSCM mechanisms have to be invoked
ensure the ITSCM strategy and requirements are integrated with the business and IT strategies.

Hints and tips

A frequent mistake is for the IT organisation to implement recovery mechanisms for Business processes that it considers to be the most critical, without proper consultation with the business, and in isolation from the overall Process.

Invariably, these mechanisms will be, at best, only partially right and result in some business interruption and lead to a lack of faith in the IT organisation and the ITSCM process. Conversely, the business may assume that IT and Service Infrastructures will be available and provided. Unless these mechanisms have been notified to and agreed with the IT providers, this is unlikely to be the case. If ITSCM is driven by business need and is fully integrated into the management structures of the organisation, significant benefit will be achieved in terms of awareness, education, and the effectiveness of the mechanisms implemented.

Hints and tips

Ensure that the business and the ITSCM process are fully integrated to determine the mechanisms to be implemented - otherwise there is a strong likelihood they will fail to fully meet the business requirements.

7.4.1 Management roles

A typical management structure for large organisations, that supports both ongoing management and Invocation for ITSCM is shown in Figure 7.9.

Figure 7.9 - Typical management structure for business and ITSCM

Since management sponsorship at Board level is often given to a person whose responsibilities already encompass most of the organisation (for example Facilities, Finance or IT) it is not unusual for an IT Director to have responsibility for ITSCM. Day to day responsibility for Business Continuity, often falls to a senior manager (shown in Figure 7.9 as Business Continuity Management) in an operational management Role, who:

advises the Board representative or Board on ITSCM strategy and policy, and ensures that these are in-line with the Business and IT strategies and policies
ensures that the ITSCM strategy and mechanisms remain up-to-date and effective
ensures that Change control, testing, auditing, awareness and training programmes are established.

In larger organisations, the Business Continuity Manager may be supported by a junior manager for day to day activities. The ITSC Manager supports the Business Continuity Manager in achieving these objectives within the IT organisation. Within small and medium organisations, there may not be the resources available to allocate individual roles as illustrated. In organisations such as these it may be necessary to allocate one or more roles to an individual. For example, the Business Continuity Manager might also be a Business Area Manager or the IT Service Continuity Manager. In the latter case, being responsible for both Business Continuity and ITSCM.

Many larger organisations establish steering committees at senior management level to co-ordinate Business Continuity activities across the organisation and support the Business Continuity Manager. The steering committee should meet regularly to:

confirm the ITSCM strategy is still valid and that deliverables are still being maintained
ensure that any Changes that could effect the strategy, e.g. business or IT strategy Changes, are addressed and reflect in the ITSCM strategy
review and agree test programmes for ITSCM mechanisms
initiate any actions necessary to address upcoming Changes or to resolve difficulties.

Senior management within the IT organisation is typically given ownership of the ITSCM deliverables that relate to their area of expertise or responsibility, e.g. the ITSCM mechanisms for external communications such as voice and data links will be owned by the External Communications IT manager. Ownership not only involves responsibility for ensuring deliverables are met, but also for ensuring that they remain up to date and fit for purpose.

Invocation of Continuity mechanisms and recovery options is usually undertaken by one or a series of ITSCM teams, focused on specific areas of the IT organisation (e.g. external communications, local area networks, servers, mainframes, etc.). During periods of operational stability, the Service Continuity teams play a vital role in the implementation, testing, maintenance and support of these Continuity or recovery and Risk reduction mechanisms and associated plans.

The approach described above correlates the management structure with the ITSCM structure and allows the team, in times of operational stability, to convert easily into an IT Service command and control structure during times of Problems and crisis (e.g. hardware or network failure, or major service disruption to the operational Environment). This in turn facilitates commitment, education, and awareness and allows cross-functional integration to take place with business activities.

IT may establish a working group that, typically, fills key roles in the IT recovery process and fills operational management roles to deal with the Continuity and Availability management issues. ITSCM typically chairs the working group and leads the co-ordination team during recovery.

Hints and tips

Responsibilities for ITSCM should be integrated with corresponding operational responsibilities to maximise synergy and capitalise on existing knowledge, skills and expertise in the operating environment.

7.4.2 Responsibilities

Normal Operation

Figure 7.10, outlines the typical responsibilities for ITSCM during times of normal operation. These layers of responsibility also correlate with the typical management structure for ITSCM shown in Figure 7.9 and if properly implemented allow these responsibilities to be carried out in an effective and efficient manner.

Figure 7.10 - Typical responsibilities for ITSCM during normal operation

These responsibilities should be clearly defined, communicated to the managers concerned and documented in appropriate role or job descriptions. To ensure continual management of ITSCM at an operational level (for instance Change control of the ITSCM mechanisms), best results have been achieved by incorporating specific deliverables into individual staff objectives and responsibilities into job descriptions.

Invocation Responsibilities

Following a disruption to the normal operating environment and the invocation of crisis control, management responsibilities change in line with command, control and operational roles and responsibilities outlined in the crisis control and recovery plans. These include responsibilities for taking corrective action to minimise Impact and contingency or recovery facility invocation. Typical responsibilities for the various management layers during times of crisis or disruption to normal operations are shown in Figure 7.11.

Figure 7.11 - Typical responsibilities for ITSCM during times of crisis

Hints and tips

For individuals associated with ITSCM, ensure high-level responsibilities are documented in job descriptions, deliverables are detailed in personal objectives and performance is monitored and reviewed during the appraisal process.

Specific responsibilities during the invocation include recording all actions taken - to be used in subsequent debriefs, agreeing additional costs of working, liaison with the media and regulatory bodies. It is also important to understand that there may be casualties involved, such as after a terrorist bomb explosion, which may require a need for counselling during and after the service disruption and subsequent claims on the organisation for mental and physical disability.