Business Continuity Management of Business Driven IT Landscapes

Business Continuity Management of Business Driven IT Landscapes

Ulrich Winkler (SAP Research Belfast, UK) and Wasif Gilani (SAP Research Belfast, UK)
DOI: 10.4018/978-1-61350-432-1.ch017
OnDemand PDF Download:
No Current Special Offers


The overall objectives of this book chapter are (a) to provide an introduction of Business Continuity Management, (b) to discuss the importance of business continuity in a service-oriented IT environment, (c) highlight and discuss major challenges and approaches to translate business requirements and objectives down to BCM related service level terms and metrics and (e) identify requirements, such as modelling methodologies or analyses, to enable such translations.
Chapter Preview


New emerging technologies, such as virtualisation, web-services and cloud computing have created whole new business ecosystems, in which business processes depend more than ever on IT services provided by partner organisations. Often, disruptions in services delivery affect immediately thousands of business customers and consumers. For example, on January, 4th 2010, SalesForce, a company offering online enterprise support services, experienced an outage for over an hour which effected 68'000 business customers (Miller, 2010)⁠. Another example would be Paypal, a service to process online payments. Paypal was down for 4.5 hours worldwide on August, 4th 2009. Paypal usually processes 2'000 USD per second for its customers.

Disruptions do not only have a financial impact or cause damage to reputation; they may also have legal consequences. In particular key industrial sectors, such as energy, gas, oil, pharmacy or finance, have to demonstrate business continuity competence, which is sometimes required by regulations and laws. An interesting study to quantify IT business continuity risks at Essent Netwerk, a Dutch electricity and gas distributer, revealed, that a four hour outage of an IT landscape would cost 5 million EUR, and might result in a withdrawal of the licences to operate, which would be even worst (Wijnia & Nikolic, 2007)⁠.

Business Continuity Management addresses these problems and aims to:

  • Identify potential threats to business processes, IT system, services and operations,

  • Assess the business impact of an adverse event, estimate probabilities and compute risk exposures,

  • Determine strategies and responses to these threats, and model a business continuity plan to overcome or mitigate a possible business disruption.

In service-oriented systems, where business support systems and solutions are provided by partner organisations as services, the Business Continuity Manager has to further define Service Level Agreements (SLA).

However, in order to define adequate SLAs the Business Continuity Manager faces several challenges. First he has to understand the business, business processes and the impact of business disruptions. He has to take not only financial indicators into consideration, but also other non-financial Key Performance Indicators (KPIs), such as customer churn rate, customer satisfaction, etc, other business objectives/targets and legal obligations, e.g. BASEL II (Basel Committee on Banking Supervision, 2005)⁠ or Sarbanes Oxley (107th Congress, 2002). Second, he has to determine various Business Continuity Metrics for every business process and business function. For example the Business Continuity Manager has to determine the Maximum Tolerable Outage Time (MTO) of a given business process. Third, the dependency and risk graph is used to translate business-level BCM metrics down to Service Level Agreements terms and penalties. For example the MTO of a business process is translated down to Return Time Objective (RTO) or Recovery Point Objective of services the process depends on. SLA penalties can be derived from the estimated business impact.



Business Continuity Management is standardised by the British Standards Institution (BSI) and formally defined as follows:

A holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities (Smith, 2002)

The business continuity lifecycle is a closed-loop and comprises four groups of activities, which are (1) understanding the organisation, (2) determining Business Continuity Strategies, (3) developing and implementing a BCM response, and (4) exercising, maintaining and reviewing BCM arrangements.

Key Terms in this Chapter

Dependency and Risk Analysis (DA/RA): Aims to identify dependencies among business processes, resources and services, and possible root-causes of adverse incidents.

IT Business Continuity Management: A management process that identifies potential threats to an organisation’s IT landscape and the impacts to business operations that those threats, if realized, might cause. IT BCM aims to build operational resilience with the capability for an effective response that safeguards an IT landscape and business operations.

SLA Translation: The process of translating business level BCM metrics and KPIs to BCM objectives for individual IT elements.

IT Landscape: A set of hardware, software and facility elements, arranged in a specific configuration, which serves as a fabric to support the business operation of an enterprise.

Business Impact Analysis: Aims to (a) identify critical business processes, stakeholders, assets, resources and internal/external dependencies and (b) assesses and evaluates potential damages or losses at business level that may be caused by a threat to IT landscape.

Complete Chapter List

Search this Book: