The business continuity (BC) gap is the difference between the actual availability of an organization’s information systems and the level of availability expected by its business units. In most organizations, the gap is discovered only after disaster strikes. Closing the gap requires participation by the information technology (IT) department, the business units, and key executives to identify and assess vulnerabilities, and then to develop effective risk management strategies to address them. Risk management strategies include accepting the risk through financial reserves, assigning the risk to an insurer or outsourcer, or mitigating the risk with proactive or reactive strategies appropriate for the organization’s IT infrastructure and recovery objectives.
Defining the Business Continuity Gap
Strategies to keep a business alive after crises have evolved in recent decades. In the 1980s, the primary concern was a physical crisis—a natural disaster, such as an earthquake or hurricane—and the best solution was a geographically remote site where critical operations could be resumed. In the early 1990s, logical crises became an additional concern—system outages from hackers, viruses, or even simple hardware or software disruptions that cascaded into a major disruption because of interdependencies. Continuity strategies expanded to protect data and operations at all times—not just during stormy weather.
Since then, the Internet explosion, the proliferation of devices and a burgeoning data load have increased dependencies on IT and its availability. In this new millennium—with its market crash, the 9/11 tragedy and issues of corporate governance—BC has become a major focus of organizations.
A BC gap exists when the business units within an organization expect a level of availability for data, software, hardware and communications that cannot be met by existing IT infrastructure or business processes. Most business units assume that because all data flows to IT for storage and backup, they will have full computational utility at all times, no matter the circumstances.
Yet, it is unlikely that an organization’s IT infrastructure supports continuous availability. For most organizations, that level of responsiveness is simply too costly to justify. Consequently, the business units’ expectations do not match the IT infrastructure’s capabilities. For many businesses left in this vulnerable state, the dire ramifications of the BC gap aren’t realized until too late.
The gap represents the difference between expected and actual availability for both recovery time objective (RTO), the time it takes before the system is up and running again, and recovery point objective (RPO), the point in data flow to which a recovery is possible (minutes, hours, days or weeks, depending on the frequency and scale of a backup program).
Why Close the Gap?
Simply put, closing the BC gap makes good business sense. Few companies can afford to compromise productivity or customer responsiveness for any extended period of time. Lost revenue, liability costs, and a diminished reputation can be too great a burden for a business to survive. This has proven true again and again, especially when a crisis strikes both physical assets (buildings, plants, stores) and logical assets (data, systems, communications).
Even if a massive system failure never occurs, a sound BC strategy can significantly reduce risk insurance premiums. Organizations may face significant fines for failing to meet an industry’s regulations for data protection, such as Health Insurance Portability and Accountability Act (HIPAA) and Securities and Exchange Commission (SEC) regulations.
In addition, in the current climate of increased executive level scrutiny and accountability, effective BC planning demonstrates a conscious effort by executives to minimize their company’s vulnerability and to protect its assets and long-term viability.
Expected Versus Required Availability
The process of closing the BC gap often reveals that expected availability does not match required availability. Organizations should strive to strike a balance between the compute utility availability and the business need, while demonstrating fiscal responsibility. By truly understanding an organization’s availability needs, continuity strategies can be developed that meet, rather than exceed, the availability needs to minimize cost while delivering needed protection.
Achieving near-continuous availability is much more costly than lower levels of availability in terms of both spending and staffing. The expense of data availability increases as the RPO becomes more immediate and the RTO decreases. Continuously available data will be more expensive than best practices data, depending on the organization’s tolerance for downtime.
Organizations need to decide their optimum availability points based on their business needs. While a manufacturer’s customers may tolerate shipping delays of a day or two, a financial services organization, with numerous legal requirements governing transactions, requires a significantly higher level of availability to minimize lost transactions. The optimum availability points could vary between an organization’s business units, with departments that don’t impact customer transactions requiring lower availability than those performing business critical operations.
Requirements for Closing the Gap
While the IT organization may be aware of the gap, it may not have the expertise to assess individual business units’ needs or the leverage to involve business units in planning. Laying the groundwork that positions continuity planning as a top business priority helps secure the business unit participation needed to establish practical capabilities as well as the executive supervision necessary to balance spending. Few business units have participated in continuity planning or experienced a crisis or logical disruption, and few managers clearly understand RTO and RPO, so it is not surprising that gaps exist.
Although the IT organization bears the majority of the responsibility for systems availability, the business unit also may have significant responsibility in data and information recovery. For example, business units could help control costs by agreeing to reinput data from hard copies of transactions, outsource the recreation of lost documents, and back up data from laptops on floppies.
The Process for Closing the Gap
To close the BC gap, the executive team, the business units and the IT organization need first to understand the nature and extent of the gap. Assessing the gap involves:
I. Identifying vulnerabilities for each business unit and assessing risks
II. Selecting a risk disposition strategy for each vulnerability
Phase I: Identify vulnerabilities and assess risks
In this phase, vulnerabilities are identified for each business unit and risks are assessed by considering the following:
- What is the probability of occurrence?
- What is the impact on occurrence?
- Is it preventable?
- What is our current IT infrastructure’s recovery capability?
- What is our acceptable level of loss?
- How much can we insure against?
- Can the risk be mitigated in a cost-effective manner?
A business impact analysis (BIA) may be needed to understand the extent to which a crisis might affect the business, by identifying business process interdependencies and mission-critical functions. Some critical elements, if disrupted, will cause a cascade of disruptions that can lead to complete failure. An IT risk mitigation study can help identify the available options for closing the continuity gap while ensuring that it matches the business’s actual need.
Phase II: Develop a risk strategy for each vulnerability
Once the IT organization and the business unit understand the costs involved to accept, assign, or mitigate a risk, they need to decide the appropriate strategy for each risk.
Accepting risk means the organization understands the potential loss and accepts the possible negative impact to the bottom line, assigning money to deal with the risk.
Assigning risk involves turning the risk over to another party by either buying insurance or outsourcing the business function.
Mitigating risk requires choosing a prudent approach to protect mission-critical data and transaction power. This involves designing and implementing proactive plans, reactive plans, or a combination of the two to reduce risk to acceptable levels.
Proactive strategies increase the availability of the IT infrastructure in order to work through potential occurrences. Business units with shorter recovery time and higher recovery point objectives should use proactive strategies, including diversified network routing and highly available server clusters.
Reactive strategies help business units recover and resume work, usually within a specified time window, after disruptions occur. Business units that can tolerate longer recovery times and lower recovery points can implement reactive strategies, including offsite data storage and hotsite or quickship vendors.
Once the organization has developed appropriate strategies, the solution should be implemented with an eye toward continuous change in business risks, with processes in place to manage BC plans on an ongoing basis.
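The gap assessment and the proactive/reactive rule of thumb above, as an added worked example that is not part of the original article: each business unit states the RTO/RPO it expects, IT states what the current infrastructure actually delivers, and the shortfall in hours is the unit's BC gap. The thresholds, unit names and hour figures are constructed assumptions; the accept/assign decisions, which depend on costs the article leaves to the organization, are out of scope here.

```python
from dataclasses import dataclass

# Assumed thresholds: a unit expecting recovery at or below these values is
# treated as needing proactive measures; more tolerant units get reactive ones.
PROACTIVE_RTO_HOURS = 4.0
PROACTIVE_RPO_HOURS = 1.0


@dataclass(frozen=True)
class UnitAvailability:
    unit: str
    expected_rto_h: float   # time the business unit expects before systems are back
    expected_rpo_h: float   # data loss window the business unit expects
    actual_rto_h: float     # what the current IT infrastructure can deliver
    actual_rpo_h: float


def gap(u: UnitAvailability) -> tuple[float, float]:
    """Shortfall in hours for (RTO, RPO); zero when IT meets or beats expectation."""
    return (max(0.0, u.actual_rto_h - u.expected_rto_h),
            max(0.0, u.actual_rpo_h - u.expected_rpo_h))


def recommend(u: UnitAvailability) -> str:
    """Mitigation style per the article's rule: short objectives -> proactive."""
    rto_gap, rpo_gap = gap(u)
    if rto_gap == 0.0 and rpo_gap == 0.0:
        return "no gap"
    if u.expected_rto_h <= PROACTIVE_RTO_HOURS or u.expected_rpo_h <= PROACTIVE_RPO_HOURS:
        return "mitigate: proactive (server clustering, diversified routing)"
    return "mitigate: reactive (offsite storage, hotsite/quickship vendor)"


def assess(units: list[UnitAvailability]) -> dict[str, tuple[tuple[float, float], str]]:
    """Map each unit to its (RTO gap, RPO gap) and recommended disposition."""
    return {u.unit: (gap(u), recommend(u)) for u in units}


# Constructed sample input: three business units with differing tolerances.
SAMPLE_UNITS = [
    UnitAvailability("financial_services", 1.0, 0.25, 8.0, 24.0),
    UnitAvailability("manufacturing", 48.0, 24.0, 72.0, 24.0),
    UnitAvailability("hr", 72.0, 24.0, 48.0, 24.0),
]

if __name__ == "__main__":
    for unit, (gaps, disposition) in assess(SAMPLE_UNITS).items():
        print(f"{unit}: RTO gap {gaps[0]}h, RPO gap {gaps[1]}h -> {disposition}")
```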
Advantages Gained by Assessing the BC Gap
Understanding the extent of the BC gap is the first step in developing strategies to meet an organization’s actual needs by finding appropriate solutions to deal with risks.
Closing the BC gap reduces some risk in today’s business environment. Preventing or minimizing disruptions helps organizations stay responsive to customers, comply with government regulations, control risk insurance premiums, and maintain employee productivity. If a crisis does occur, organizations that have thoroughly examined their potential liabilities and created solid continuity plans will be best positioned to recover.