One of the things I most enjoy about running IDC's InTEP management forum is the opportunity it gives me to hear how local CIOs have laterally addressed a generic problem within the industry. At a recent InTEP session in Melbourne, a number of members spoke to me about the difficulty in developing an IT disaster recovery plan in an era when significant business systems can be distributed across mainframe, server and desktop systems.
It was a dilemma one InTEP member faced when his organisation downsized from a mainframe to a decentralised architecture. In so doing they had to abandon the traditional mainframe recovery approach of a hot back-up site. However, in researching alternative solutions, the company realised that there was more to disaster recovery than just IT. Unintentionally, they had stumbled across the need for business continuity planning.
The InTEP member appreciated that disasters were not just confined to earthquakes and hurricanes; at the wrong time, a minor disruption in its business activities could have a major impact on the organisation. As such, the company recognised that it needed to understand its critical business cycles and processes. Then an assessment was needed to determine how long the company could perform effectively if these were "lost", and what contingencies were necessary to insure against disruption.
The IS department knew it needed the support of the rest of the organisation if it was to prepare an effective business continuity plan. However, it also knew that the costs of undertaking and implementing such an exercise were an unknown quantity. The department faced the daunting challenge of asking its CEO for a blank cheque.
Realising that this approach was likely to be nixed, the InTEP member broke the project into phases. He first asked the CEO to finance a scoping exercise to highlight potential exposures in the company's operations. This would document the critical business processes, the potential exposure of the business at various times of the year and the maximum outage that could be endured before clients were affected.
With approval to proceed, a questionnaire was sent to a select group across departments. It asked for information on the critical functions the departments performed and the resources they needed to perform the functions. From the feedback, IS was able to build a matrix for each business unit within the company, providing it with a clear picture of how everything in the organisation interrelated.
IS then obtained funding for the next phase of the project: development of business recovery strategies in the event of a disruption. Four components of business recovery were considered: workplace recovery (the availability of alternative premises), workload recovery (how it would catch up on the backlog), technical issues (the need for fall-back equipment) and human issues (if people need to relocate on short notice are arrangements in place?).
To date, the company has spent less than $50,000 to develop the business continuity plan; this seems a modest price to pay for peace of mind.
The activity also generated a number of valuable side benefits for the IS department. Foremost, it provided it with an excellent insight into how the business operates and the critical activities on which it depends. Furthermore, since the project was initiated and driven by IS, it helped establish its business credentials within the organisation.
It may well pay - in more ways than one - for CIOs to ask their CEOs just how well the business could handle some plausible disruptions to its operations.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.