In our previous articles, we outlined the reasons why the Business Continuity Management (BCM) Program is essential to your organization. The conclusion was that to be successful and effective, Business Continuity Planning must be an organization-wide activity. It involves the collaboration of all business functions and all departments.
So why is it so darn hard to engage an Information Technology (IT) organization (internal or external) in any business continuity planning activities?
It’s happening everywhere!
I spoke with many Business Continuity Professionals, and this seems to be the case in many organizations. The conclusion is that IT is too reluctant to engage in BCM activities, very slow to react and deliver, and typically a cause of delayed business continuity planning engagements. Sometimes, for the sake of completing the project on time (and on budget), IT is even excluded from the business continuity planning efforts.
This is not beneficial for any organization. It widens the gap between IT capabilities and business requirements, and potentially exposes the organization to even more significant business disruptions. Working in silos was never a solution.
IT is already doing (some of) it!
Does IT understand that their mission is to deliver critical business strategies, business models and business services? Is this because IT already completed some of the Business Continuity Planning activities by developing an IT Disaster Recovery Plan, and this is just repetitive? Does this disconnect arise because IT sees Business Continuity Planning as a business process, and not particularly an IT activity?
It has a few components that are directly dependent on and connected to IT, but the rest of the processes, such as Business Impact Analysis or Risk Analysis, are seen by IT as business processes. Is this where the disconnect is? Are we again in the Business vs IT turf wars?
IT is (always) busy!
We all know that IT is busy. They are delivering new projects, firefighting IT issues (sometimes daily), and patching applications, servers and IT security gear in the wee hours (when the business is getting their beauty sleep). They are continually implementing workarounds to address chronic underfunding of their departments. I can tell you from my personal experience that it was way more fun to patch the servers at midnight than to write IT documentation or to fill in some business spreadsheets (BIA anyone?).
To see the extent of the problem, follow the news. A significant security breach happens almost daily somewhere in the world. There is a graveyard of unpatched, unsecured and outdated IT infrastructure, which, in the end, entirely undermines any business continuity planning efforts. There are just not enough hours in the day for the IT department to deal with everything on their ever-expanding list of things to do.
In mid-2019, I spoke at the local Disaster Recovery Information Exchange conference and outlined some reasons for this divide. In my 20+ years in IT, I experienced many of these challenges and divisions, and I can categorize them into a few Business vs IT points of view:
The business view of the IT Organization:
- IT doesn’t know what is important to us (business);
- They (IT) are somewhat resistant to business ideas;
- IT is slow to deliver; and
- Overall lack of business vision.
The IT Organization view of the Business:
- The business would do well to moderate their blue-sky thinking;
- The business has no clue what they really want;
- No downtime – everything has to be available and protected all of the time, but typically there is no budget for it; and
- Our efforts are not appreciated.
IT is (still) excluded!
Reading some of the Gartner reports, it is evident that Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) are still seen as technology leaders, and not as business leaders. In many organizations, they are often excluded from the business (strategy) table and only included too late in the strategy process.
This divide and gap must be closed. The “business” will need to see IT as an integral part of their mission statement. On the flip side, IT will need to make time and effort to support business continuity planning activities.
Within business continuity planning efforts, the IT organization holds the key to the successful delivery of Business Continuity Management Programs. Business Continuity planners need to find a way to leverage already completed IT resiliency activities and integrate them into BCM efforts.
IT must be engaged (early)!
Not properly engaging, or completely excluding, the IT organization will diminish all business continuity planning results. Here are some examples where the IT organization is critical for BCM efforts:
- Recovery Priority – Critical IT infrastructure and IT applications, in most instances, must be restored before any business applications and services. The key here is only to restore components that are required to provide critical IT infrastructure and deliver mission-critical functions outlined in the Business Impact Analysis (BIA). But how do you prioritize this if IT is not included in your BIA?
If excluded, IT may put the emphasis on the recovery of IT components that are not aligned with business recovery requirements. The result will be delayed service/function recovery and a potential breach of business requirements (e.g. compliance, regulation, service level agreements, etc.).
- Business Recovery Strategy – An IT organization plays a key role in the development of a business recovery strategy. IT has to outline current capabilities, and research and price the disaster recovery options that will be required to meet the business requirements. IT also must participate when business Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO) are discussed (negotiated) with the business. It will be impossible to complete the recovery strategy without having IT at the table.
- Training and exercising – We all know that any organization’s business continuity plan will only be effective if thoroughly tested and exercised. If not, and as I mentioned many times before, it’s not a plan - it is only a strategy.
IT must be present and participate in all business continuity testing and exercising efforts. The recovery of many, if not all, functions depends on IT’s capability to respond in time. It becomes even more challenging if IT infrastructure or applications are outsourced to third-party providers.
Change is required!
What’s in it for the IT organization? If you think of it, an IT organization can benefit immensely by supporting business recovery activities and requirements. It could help IT to secure the budgets, as the current capabilities may not meet the “business” recovery requirements. Having a pulse on the business requirements will provide an argument that IT is essential to the organization and should not only be seen as a cost center.
The business will need to either adequately fund the IT organization, or dial down the business recovery requirements. A duct-tape IT workaround solution might not work during a disruptive business event, especially if it was never documented or tested.
In conclusion, business continuity planning is an organization-wide activity. It must include your internal or outsourced IT organization to be effective. This coordinated and integrated approach will ensure that your organization is ready for the unexpected and that your IT organization can meet its requirements.
StratoGrid Advisory is a Business Continuity Management (BCM) Advisory firm in the Ottawa/Gatineau region that can provide you with the experience and knowledge needed to successfully implement a BCM Program in your organization.