Published: itSMF Australia Bulletin, June 2003, as commentary column
"In My Opinion - Karen Ferris Speaks Out"
Heading For Disaster - When Will They Listen?
© 2003 Karen Ferris
In an article I penned for Service Talk and the itSMFA Newsletter last year
entitled “Answering The ITIL Sceptics”, I questioned how any organisation could
not have a tested and proven IT Service Continuity Management (ITSCM) plan in
place after the events of September 11 2001.
I even quoted Gartner:
“Two out of five enterprises that
experience a disaster — such as the World Trade Center attack — go out of
business within five years. Business continuity plans and disaster recovery
services ensure continuing viability”.
Source:
GartnerGroup September 2001
It seems to me that few are listening, or that they prefer to use this
newsletter to soak up the coffee spills rather than read it! What they are doing
with the Service Delivery book – who knows!!
Organisations do not need to have an
all singing – all dancing ITSCM plan. The aim of ITSCM is to focus on the IT
services required to support the critical business processes.
Organisations today are judged on their ability to continue to operate and
provide a service at all times.
The criticality of service (i.e. the
impact of loss of service) is measured through a Business Impact Analysis, which
determines the minimum requirements.
If I go into an organisation and
discover that they do not have an ITSCM plan, I ask for the Business Impact
Analysis output: the results of the study that looked at the impact of the loss
of each business process and determined that the organisation did not have to
take any action. The day I come across that, I will eat my words and congratulate
the organisation, because they will have justified the reason for not having an ITSCM
plan.
Most organisations just don’t have
one because they think it is too hard or too expensive or it will never happen
to them.
In November 2002,
globalcontinuity.com published the results of a Business Impact Analysis (BIA)
survey. They asked Business Continuity Managers the question “How many times
have you conducted a Business Impact Analysis for your present company?”
26.7% had only conducted a BIA once
during the initial development phase of the business continuity plan.
This means that the business has not
changed since the first BIA? New services and amended services have not been
provided? The importance of some business processes has not increased (or
decreased)?
I think you get my point. But it gets
better! 16.3% had never conducted a BIA.
Let's look at the positive side –
39.5% conducted a BIA once a year. A round of applause for those Business
Continuity Managers. That is exactly how it should work. The BIA should confirm
that the current Business Continuity Plan (BCP), of which the ITSCM plan is an
integral part, is either still valid or that changes are needed to ensure that
the minimum critical requirements to support the business are in place.
Meta Group published a report on
Business Continuity Gaps in August 2002. Even though they highlighted that 80%
of Global 2000 organisations had Business Continuity plans in place, only
slightly more than half of those plans would be effective (i.e. recovery time and
recovery data points met). One of the reasons for this was the existence of gaps
in the plans.
Let's say that some organisations did
pay greater attention to their BCP and ITSCM plans after September 11 and the
war in Iraq. The problem is that due to poor BIA, they have only concentrated on
infrastructure and the ability to continue business by relocation and backup
facilities.
The war in Iraq highlighted the
potential of biological warfare. What good are a BCP and ITSCM plan if there are
no staff?
Even as we speak, organisations in
Hong Kong, China, Singapore and Canada are struggling with the implications of
the SARS outbreak.
Controls are being imposed that keep
employees from travelling to work. This means that telecommuting has to be
considered as part of Business Continuity Planning and ITSCM.
Organisations need to conduct a
Risk Assessment to look at the people aspects and communications (especially
voice) and determine the impact on the business of loss of personnel and
communications networks.
Asia Pacific organisations have
realised that they are poorly equipped in the current situation to deal with a
remote workforce – which is a way of continuing to operate in a situation like
the SARS outbreak.
A Risk Assessment needs to cover all
threats and risks to the business processes and IT services. This includes
threats to the workforce (including customers and suppliers) and all aspects of
communications.
As of 17th April, 3 cases
of SARS in Australia have been reported – thankfully all of whom recovered.
However, if an outbreak of the same degree
were to happen here as in China, where 1959 cases (as of 21st
April) have been reported, and your workforce could not travel to work, whether
because of quarantines, transport closures, travel delays, taking care of
children whilst schools are closed, or just plain fear … how will your
organisation cope?
Will you be ready?
As stated in the Service Delivery book: “Failure to assess all the relevant
risks will result in an incomplete risk assessment leaving the business exposed
to disruption.”
Is anyone listening now?
Karen Ferris is an independent IT Service Management consultant and can be
contacted via www.kmfadvance.com