White Paper: ITSC Planning: Performing Business Impact Analysis

Transcription

1 White Paper: ITSC Planning: Performing Business As given by ITIL, IT strives to ensure that the required technical and services facilities can be recovered within required and agreed business timescales. In order to meet this goal, the service level requirements for the organization s technical and services facilities have to be identified and agreed by both business and IT stakeholders. The business impact analysis (BIA) activity, as part of ITSC planning, is performed against selected business services to determine what the business stands to lose in the event of service unavailability. The BIA serves as the communications vehicle between business and IT and results in (1) a better understanding of the business by IT and (2) a better understanding of IT capability by the business. Without a fundamental understanding of business requirements, a satisfactory continuity solution is destined to be, at best, cost-ineffective and, at worst, completely elusive. It is the BIA activity that determines the level of service required to continue business at an adequate level and provides the input required for IT to employ a supporting infrastructure that provides the business with the required resiliency. All other activities performed during ITSC planning rely on the correct impact assessment of a business service. The BIA provides: Cost justification for the resulting continuity plan, Identification of potential losses due to service unavailability, and Identification of the probability of threats to service availability. Empowered with this information, IT can review the existing infrastructure for risk and suggest solutions that are inline with the service s impact on revenue or other, less tangible impacts, like credibility, competitive advantage or customer satisfaction. Organizations struggle with objectively assessing critical business services to determine required levels of service and impact to the business. What are the questions to ask to extract the information? Who is the authoritative source to provide answers and insight? What story do the answers tell? How are impact assessments compared across business services? ITIL does not define the contents of a BIA nor does it suggest how the analysis is interpreted. The execution of the BIA is left to the ITIL subscriber to define. To address this gap, Maryville has developed a framework under which to conduct business impact analysis for a given business service. The framework ensures: The right questions are asked to determine a service impact to the business, The right people are involved to determine impact, The analysis is consistently interpreted across business services, and s that are otherwise unrelated can be compared in terms of impact to business. Copyright Maryville Technologies 1 of 7

2 This paper focuses on the BIA framework used in Maryville s consulting practice to help clients determine the basis for continuity management. Specifically, this paper provides: A project approach for a continuity planning exercise, including the critical BIA activity. A description of participants in BIA discussions. A framework to objectively determine a working BIA rating for a critical business service and sample questions that explore business requirements. Challenges that Maryville has observed in the field related to BIA activities and suggestions for overcoming challenges. Project Approach The BIA is just one of a series of activities that comprise a service continuity planning initiative. The following image depicts the critical activities of a continuity planning project (displayed in blue-colored boxes), the deliverable(s) of each step (in green-colored documents) and red checkpoints indicating review and validation of deliverables before continuing to the next step: Week One Week Two Week Three Week Four Week Five 4 Review Architecture and Infrastructure 6 Component Failure Standby Configurations Organizational Standard Configurations 1 Initiation 2 Business (BIA) 3 Level Requirements (SLRs) 5 IT Level 7 8 Solution Design Design 8 Solution Costs Levels: Hot Remote Standby Hot Local Standby Warm Standby Cold Standby 9 Technology Recommend ation 1 Project Artifacts 2 3 Business 4 SLRs and Level Component Map (SCM) Component Failure Computing, Storage & Network Tier Selection Plan (SCP) Solution Costs Copyright Maryville Technologies 2 of 7

3 The following items further describe the activities performed in each of the critical steps in continuity planning as outline above: 1. Initiation: ITSC planning is initiated by drafting a continuity plan, identifying scope, roles and responsibility, allocating appropriate resources, determining the project methodology and project control structure and agreeing to the content of the deliverables produced by the effort. 2. Business (BIA): Business (BIA) is conducted specific to the critical business service identified during the initiation phase. Representatives of the business and IT are asked a series of questions to understand what the business stands to lose if the critical business service is unavailable, the extent of loss over time and the probability of a service interruption. 3. Level Requirements (SLRs): Following the BIA, business representatives and IT are asked a series of questions relative to the service level requirements for the critical business service. SLR discussions examine minimum and maximum performance, security and data retention. 4. Review Architecture and Infrastructure: A formal review of the infrastructure is conducted to diagram a Component Map (SCM) that identifies the underlying IT service components that enable the critical business service. 5. IT Level (SCL): After reviewing the BIA, SLRs and SCM, the Level (SCL) required to support the stated service levels as given by the business representatives is determined. 6. Component Failure (CFIA): Based on the targeted SCL, the existing infrastructure is examined to identify the components within the infrastructure that are at risk of not achieving the required service level. 7. Solution Design: The findings resulting from the Component Failure serve as the foundation on which to strengthen the infrastructure with respect to the level of service required by the business. Where applicable, multiple technology solutions that meet or exceed the required service levels are identified and included for costing activities. 8. Solution Costs: The continuity design is reviewed from a costing perspective. For each recommended technology or configuration, a cost estimate is provided. The business reviews the available options for component weaknesses that can be addressed with various technologies at differing costs. Participants Through consulting experience and industry awareness, Maryville recommends inviting two distinct groups of personnel to participate in BIA discussions: business unit representatives and IT staff responsible for the infrastructure and successful delivery of the service. Further, Maryville has found that meeting with the two critical groups separately is significantly more productive than assessing business impact of a critical business service with the groups in the same meeting. Increased value in meeting with representatives in separately scheduled meetings is due to a combination of the following factors: The business is free to discuss the questions and answers in their language. Copyright Maryville Technologies 3 of 7

4 The business and IT do not engage tangential discussions related to specific outages or events, blame shifting or unrealistic requirements. The business feels they are being heard without translation of requirements by IT representatives. Separate discussions highlight areas of differing opinion that are further explored in follow-on discussions. The business is able to discuss impact from the business perspective. However, the business may have limited knowledge with respect to probability of failure due to internal or external causes of service disruption. While IT representatives may be unaware of certain implications of the business service, IT is able to validate probability of failure based on knowledge of redundant systems, underpinning contracts in place with suppliers and historical challenges in the infrastructure. Together, the business and IT provide complete answers that consider both perspectives. From the perspective of conducting a BIA discussion, Maryville recommends a minimum of two people. One person is responsible for the overall structure of the discussion and ensuring that responses are received and recorded for key questions. The other person is responsible for active listening and asking questions outside of the BIA framework. This approach enables the appropriate level of understanding of the business service and its corresponding service level requirements needed to determine the optimal service continuity level. BIA Framework The BIA activity consists of a series of questions regarding three aspects of service availability: (1) the consequences of service unavailability, (2) the volatility of the consequences as time elapses and (3) the probability that the service becomes unavailable. The responses to key BIA questions (or group of questions) are weighted to enable a BIA rating to be calculated once the discussion concludes. A calculation that considers the number of key questions asked and percentage of responses that indicate high impact, medium impact and low impact determines the BIA rating. The BIA rating serves as a method by which to objectively compare business impacts of multiple, unrelated critical business services. The following table represents a framework and sample questions under which a BIA discussion takes place: Business Framework Customers and Users of the Legal and Contractual Obligations Owners of the Relationships Sample Questions Who is the Customer? Where is the Customer located? Where is perspective Customers located? Are there legal obligations for service availability? Are there contractual obligations for data products of the service? Who is responsible for the service? Where are the owners located? Who supports the service? Do other services provide critical data? Are the supporting services under the organization s control? Copyright Maryville Technologies 4 of 7

5 Business Framework Unavailability Escalation of Unavailability Probability of a Failure Sample Questions Where does the supporting data reside geographically? If the service is unavailable, does the business lose: Customer faith? Competitive advantage? Ability to invoice? Ability to manufacture product? Data? Employee productivity? If a consequence of losing customer faith is an impact of unavailability, does the impact occur immediately? Does the impact increase in four hours? Eight hours? Three days? How does the increased impact manifest? What is the likelihood of natural disasters? What is the likelihood of malicious attacks? What is the likelihood of a power grid failure? What is the likelihood of WAN failure? Challenges Bridging the gap in understanding between IT and the business for the purposes of ITSC planning is not without challenge. During impact assessment with the business and IT, participants often express confusion as to the purpose of the assessment, suspicion relative to hidden agendas or doubt in the value of the exercise. In addition, challenges in corporate culture, scheduling, data collection, willingness to share information and agreement on the resulting BIA rating present can hinder or prolong the BIA activity. Each of these challenges can be proactively addressed so as to not derail the planning effort before it gets off the ground. Confusion, Suspicion and Doubt When meeting with a new group of business representatives or IT representatives to discuss service impact of a critical business service, interviewers are often met with general confusion relative to the purpose of the meeting, concern about not having the right skills to provide the information, suspicion as to the real reason the business service is under investigation or doubt that the analysis will be conclusive. A kick-off meeting is always conducted at the onset of an ITSC planning project and the kick-off is repeated for each new service investigation. The kick-off meeting serves to bring all participants, business and IT representatives, together to discuss the project initiative, timeframes, deliverables and expectations. Participation of executive sponsors in the kick-off meeting also goes a long way in relieving concerns. Invincibility The nature of ITSC is to consider disastrous events and the organization s committed response to restoring critical business service. However, organizations frequently delay ITSC discussion under the premise that an event will never occur. Organizations suffer from perceived invincibility and struggle to Copyright Maryville Technologies 5 of 7

6 justify time and resources to consider what if scenarios. Current worldly events prove that disasters do occur, in varying degrees, and mindsets are shifting accordingly. It is possible to construct successful ITSC plans and achieve coordinated responses to the unthinkable. Scheduling As staff certainly has ongoing, day-to-day responsibilities, dedicating two hours to discuss what if scenarios can appear fruitless. In situations where workload or priority dictates less than ideal access to business and IT representatives, Maryville has requested an hour of scheduled meeting time and the ability to seek clarification with resources through offline mechanisms as appropriate. In situations such as these, it is critical to have champion support in order to encourage staff response to offline requests for information. Data Collection Because Maryville conducts BIA discussions based on a framework of business impact and probability questions, clients have asked to review the questions offline in lieu of an in-person meeting with the commitment to return answers accordingly. However, the questions that comprise the business impact analysis are not intended as a questionnaire. The questions represent a framework in the strictest sense: it gives structure to the discussion but is not limited by the structure it suggests. In fact, answers received in-person often uncover details not otherwise known and frequently leads to related questions not included in the framework. All deliverables of an ITSC planning engagement rely on the accuracy and completeness of the data collection activity; thereby, it is critical to explore business impact of a service through all available avenues, including: in-person meetings, offline follow-on discussions, system-level data capture and existing documentation (e.g. infrastructure diagrams, contractual agreements, policies and procedures). Knowledge While some of the questions asked in a BIA discussion are relatively easy for the business to answer, Maryville has observed general reluctance to divulge real dollar figures in terms of service contribution to revenue and estimated cost of unavailability per hour of down-time. The financial aspect of unavailability impact is a key consideration as the organization selects a cost-effective continuity strategy and configuration. Because continuity solutions differ in effectiveness and cost, revenue contribution and the cost of service unavailability provide a business case for the selected continuity technology. Management commitment to an overall business continuity process can empower business representatives to provide financial information. Alternatively, senior management may suggest a dollar figure to use or otherwise designate a representative to disclose financial impact of service unavailability in real terms. Agreement Real world experience suggests that the business and IT are often at odds in agreeing to level of service. The business often tolerates zero data loss and requires infinite data retention which IT typically views as unfeasible and unrealistic. In cases where IT and the business differ in opinion of stated requirements, Maryville recommends that the design activities conclude before deciding feasibility. In fact, design costing activities often result in the business becoming aware of the cost of their requirements. It must be the decision of the business as to the IT investment made to support the Copyright Maryville Technologies 6 of 7

7 business service at the required level. In situations where alternative technologies are available at a less cost, the business has the authority to accept the frequently increased risk of a more cost-effective solution. Summary As organizations turn focus to business continuity management, IT is tasked with ensuring service continuity in support of the overall business continuity strategy. While executive management may indicate which business services to include in continuity strategies, IT must determine how to extract the information required in making cost-effective and efficient technology decisions. Business impact analysis becomes a mechanism to join the needs of the business with the capability of IT. An accurate and complete BIA is the cornerstone of a successful ITSC plan and, ultimately, a successful continuity solution. A repeatable, strategic BIA framework is essential to: Provide a baseline for service impact by which to compare critical business services, Guarantee that key drivers in continuity decisions are reviewed by business and IT stakeholders, Give structure and purpose to BIA discussions, and Act as a common language between IT and the business. While the BIA is only one of the key activities performed in an ITSC planning project, it serves as a key deliverable on which all other deliverables in the project are based. If the BIA is wrong, incomplete or inaccurate, the proposed continuity solution will likely be neither cost-effective nor efficient and results in continued exposure of the business to risk. About Maryville Technologies: Maryville Technologies is a leading independent IT professional services firm. Maryville delivers integrated solutions in support of IT service provisioning and IT service management that facilitate IT operational excellence. Our technical prowess, process expertise, project management discipline and history of facilitating IT organizational change help businesses optimize IT service levels at the lowest operational cost. Maryville s IT Resource Optimization ITRO methodology combines detailed process understanding that maps to industry standards with a practical how to implementation approach. Our entility IT service management utilities complement our service offerings and vendor alliances with cost effective, feature rich functionality. Maryville also has extensive experience designing, implementing, and managing the enabling infrastructure for business applications. Every day, Maryville delivers the consulting services, processes and technology that others only talk about. Contact Information: For more information, please visit our web site at or call (636) Copyright Maryville Technologies 7 of 7