Business Continuity Management of Business Driven IT Landscapes

Introduction

New emerging technologies, such as virtualisation, web-services and cloud computing have created whole new business ecosystems, in which business processes depend more than ever on IT services provided by partner organisations. Often, disruptions in services delivery affect immediately thousands of business customers and consumers. For example, on January, 4th 2010, SalesForce, a company offering online enterprise support services, experienced an outage for over an hour which effected 68'000 business customers (Miller, 2010)⁠. Another example would be Paypal, a service to process online payments. Paypal was down for 4.5 hours worldwide on August, 4th 2009. Paypal usually processes 2'000 USD per second for its customers.

Disruptions do not only have a financial impact or cause damage to reputation; they may also have legal consequences. In particular key industrial sectors, such as energy, gas, oil, pharmacy or finance, have to demonstrate business continuity competence, which is sometimes required by regulations and laws. An interesting study to quantify IT business continuity risks at Essent Netwerk, a Dutch electricity and gas distributer, revealed, that a four hour outage of an IT landscape would cost 5 million EUR, and might result in a withdrawal of the licences to operate, which would be even worst (Wijnia & Nikolic, 2007)⁠.

Business Continuity Management addresses these problems and aims to:

• •

  Identify potential threats to business processes, IT system, services and operations,

• •

  Assess the business impact of an adverse event, estimate probabilities and compute risk exposures,

• •

  Determine strategies and responses to these threats, and model a business continuity plan to overcome or mitigate a possible business disruption.

In service-oriented systems, where business support systems and solutions are provided by partner organisations as services, the Business Continuity Manager has to further define Service Level Agreements (SLA).

However, in order to define adequate SLAs the Business Continuity Manager faces several challenges. First he has to understand the business, business processes and the impact of business disruptions. He has to take not only financial indicators into consideration, but also other non-financial Key Performance Indicators (KPIs), such as customer churn rate, customer satisfaction, etc, other business objectives/targets and legal obligations, e.g. BASEL II (Basel Committee on Banking Supervision, 2005)⁠ or Sarbanes Oxley (107th Congress, 2002). Second, he has to determine various Business Continuity Metrics for every business process and business function. For example the Business Continuity Manager has to determine the Maximum Tolerable Outage Time (MTO) of a given business process. Third, the dependency and risk graph is used to translate business-level BCM metrics down to Service Level Agreements terms and penalties. For example the MTO of a business process is translated down to Return Time Objective (RTO) or Recovery Point Objective of services the process depends on. SLA penalties can be derived from the estimated business impact.

Background

Business Continuity Management is standardised by the British Standards Institution (BSI) and formally defined as follows:

The business continuity lifecycle is a closed-loop and comprises four groups of activities, which are (1) understanding the organisation, (2) determining Business Continuity Strategies, (3) developing and implementing a BCM response, and (4) exercising, maintaining and reviewing BCM arrangements.