Resilience is key to business continuity

Supporting business continuity from
an IT perspective has often been viewed in Cayman in the context of ensuring a
disaster recovery plan is in place for systems, that select personnel know how
the plan operates, and that the plan includes a checklist of actions to
undertake before, during and after disaster occurs.  In today’s business environment, however,
organisations must address a broad range of exposures that not only include
hurricanes, but also malware threats, IT disruptions, natural disasters,
epidemics, or even airline strikes holding up supply chains for parts and
staff.  These events often don’t fit
neatly into checklists, may occur with little to no warning, and can leave
organisations struggling to respond.

“In the past 12 months, we’ve seen
several Cayman-based organisations hit with significant business disruptions,
in some cases of up to a week, caused by malware infections, the failure of
building air conditioning systems in data centres, patch management issues, key
staff departing, or even just plain old failure of IT systems at the most
inconvenient times – basically Murphy’s Law in action,” said Steven Taylor, a
senior consultant at Deloitte & Touche in Cayman. 

To tackle this risk, Deloitte sees
leading businesses evolving towards thinking of business resilience rather than
just business continuity and disaster recovery – that is, making the business,
and the IT systems that support it, more resilient overall, rather than
cherry-picking specific scenarios to guard against.

Constantly changing business
requirements have driven expectations of recovery timeframes from days and
weeks, to same day or even real-time continuous business and IT
operations. 

“Companies are now challenged with
real-time processing expectations from users and customers, and technologies
that are advancing and changing on a far more regular basis,” said Mr.
Taylor. 

“Developing an overall approach
that encompasses these aspects, as well as acceptably mitigating risk, is the
next evolution in business continuity management.”

Building in resilience

With hurricane season now underway,
and with predictions for an active season, there is a heightened awareness of
the need to be resilient.  Deloitte this
month released its 7th annual Global Financial Services Security Study, which
surveyed over 350 financial services institutions worldwide, including in
Cayman and elsewhere in the Caribbean. 
One of the results from this survey is that disaster recovery and
business continuity management issues are rising in the ranks of the most
frequent external / internal audit findings from an IT security perspective,
moving from the 10th most common source of findings to the 7th.

On Island, Deloitte, who operate
the Disaster Recovery Centre at Citrus Grove, and who consult on business
continuity and disaster recovery design, testing, and implementation, see
several approaches to these issues being taken in relation to IT.

Many organisations still use
so-called super checklists and disaster recovery plans which are very tactical
in nature, and continue to build these out, while a smaller, but growing, number
of organisations are focusing on resilience.  
“The checklist approach to business continuity management and disaster recovery
may be appropriate for small or non-real-time operations where realistically a
major event means shutting down gracefully or moving to one fixed overseas
location,” said Andrew Douglas, a senior manager at Deloitte.

“However, checklists are mostly
tailored to assumed scenarios, ignoring the question of how you make the
organisation more resilient overall or how you respond to unexpected
threats.  Thinking about overall
resiliency can actually be simpler than trying to enumerate all the possible
scenarios that could occur and trying to make checklists fit multiple
situations.”

Common steps

Deloitte have identified several
common steps to help support business resilience for IT environments in Cayman,
recognising that many organisations are heading out of the recession with less
capacity and resources to undertake major BCM or DR projects.  

The first step is to understand the
organisation’s implemented IT infrastructure and how it is used. 

“This is a conceptually simple
task, though care must be taken not to start with preconceived assumptions, as it
is easy to overlook components simply because they are small, are only used by
a small number of individuals, and may not be owned or operated by the
business,” said Mr. Taylor.

“Often there will be a number of
applications, spreadsheets, or databases that are critical to the business, and
which IT has no knowledge of as they are home-grown by the business users,” he
continued.

“This can actually be as simple as
sitting down with a blank sheet of paper, several representative business
users, and IT, to list out the systems used day to day, including any third
party applications or online services such as corporate banking websites, outsourced
AML services, or others.”

Once an accurate inventory of
systems and applications is developed, it is then possible to go through the
process of identifying and prioritising the criticality of these items to the
business, which will assist with the development of the recovery time and recovery
point objectives.

At this stage, an extra step needs
to be taken to identify the current controls that are in place to protect
the overall availability (and therefore resiliency) of IT systems that are
critical to the business.  These controls
may involve specific IT solutions.

For example, many Cayman-based
firms use virtualised servers, allowing systems to be seamlessly moved or failed
over to different hardware, or products such as the Mimecast email management
system to keep email available if the organisation’s servers fail.

Beyond technology, however, these
controls need to be examined to identify issues with people and processes.  For example, if the lead IT support staff member is
injured, who else has access to passwords for core systems, or can
otherwise undertake key support roles?

“For our IT managed services
clients, we like to document this out into something we call a network
infrastructure document,” said Mr. Douglas.

“It allows knowledge to be
transferred to staff, and helps make sure it is not trapped in one member of
staff.  It again doesn’t necessarily take
a large investment in time or cost to undertake.  Simply having this information available can
prevent minor issues escalating into a disaster recovery event, improving the
organisation’s overall resiliency.” 

A standard consideration

Lastly, to help smooth the cost and
effort involved, business resiliency should be baked in as a standard
consideration of both business and IT change, not just treated as an annual
exercise to be done before 1 June every year. Business-resilient organisations
are building simple questions of availability and resilience into everyday
processes such as purchasing and change management, with IT actively involved
in changes to business operations to make sure they are understood and
supported by IT.

“A move towards building resilient
IT to support the business helps build competitive advantage, as well as
protection for threats that may not yet even be on your radar,” said Mr.
Douglas.

“We’ve seen a lot of interest from
our clients, on-island business partners, and other organisations to take the
protection of IT systems to a new level, maintain competitive edge, and meet
customer expectations – and we believe thinking in terms of business resilience
is where the game is going.”