The cost of system downtime adversely affects productivity, delivery schedules, commitments, and credibility. Downtime is always a negative; sometimes it is even a business killer. The recent US East Coast and Italy blackouts proved that major IT outages can affect consumer confidence, organizational image, brand, revenues, and sales. CIOs should provision contingencies for business continuity and address the disaster recovery and continuous availability of systems to minimize the impacts of outages and to further ensure the IT organization's credibility.
META Trend: By 2007, best-practice business continuity (BC) architecture will be a three-way team effort: 1) IT architects and business leaders will establish objectives and business impact; 2) infrastructure and engineering teams will manage availability (planning and building the infrastructure to meet BC requirements); and 3) operations command-and-control groups will run/test and monitor/report on disaster recovery preparedness.
By 2007, 40% of Global 2000 users will support two data centers for high-availability (HA) requirements (and workload balancing), deploying capacity-on-demand capability for less critical recovery services. However, only 10% of these two-data-center environments will have perfected real-time recovery solutions (e.g., zero downtime and no data loss). Through 2007, a single “hardened” data center delivering traditional, cost-effective disaster recovery (DR) services (48- to 72-hour recovery utilizing third-party services) will suffice for more than 50% of users. During 2004, 80% of IT groups will re-evaluate continuity plans to ensure alignment with business impact statements (e.g., recovery point, recovery time, viability horizon). By 2005/06, DR operational availability models (technology and process) and business continuity planning (BCP) will overlap. “Near-time” and continuous-availability (CA) proximity recovery techniques will appear in 60% of IT shops by 2007.
The blurring of business-as-usual and always-available environments is requiring the integration of CA into business processes and a more comprehensive and planned approach to BCP. The commensurate project cost impact is dramatic (2x-3x of current 48-to-72-hour recovery) and requires BCP be addressed at the application/infrastructure design phases of all projects (currently not a common practice), because afterthought accommodations tend to be at least 3x as expensive. CA environments must be designed from the ground up (project initiation) to mitigate risks of operational, application, infrastructure, and business process failures. End-to-end business impact analysis (BIA) of both internal and external information/business flows is required to successfully provide recovery options for all potential scenarios. A note of caution, however: two-hour recovery time objectives (RTOs) are typically 10x regular operating costs. If they are wrong (poor planning/execution), costs can escalate 2x to 5x.
On September 5, 2002, the Board of Governors of the US Federal Reserve System (FRB), Office of the Comptroller of the Currency (OCC), and the US Securities and Exchange Commission (SEC) published for comment a draft interagency white paper on sound practices to strengthen the resilience of the US financial system. Approximately 90 comment letters were submitted to one or more of the agencies by clearing and settlement system operators; banking organizations; investment banking firms; industry associations; technology companies; federal, state, and local officials; and other interested parties.
The respondents to regulatory rule-making comments agree that a within-the-business-day recovery and resumption objective for core clearing and settlement organizations is appropriate and acknowledge that a two-hour RTO is an achievable goal, though somewhat aggressive for some because of the volume and complexity of transaction data involved. There is general consensus that the end-of-business-day recovery objective is achievable for firms that play significant roles in critical markets, though many state that this is possible only if firms are able to use synchronous data storage technologies, which can limit the extent of geographic separation between primary and backup sites. CIOs of financial institutions regulated by one the FRB, OCC, or SEC) must comply with the interagency directive issued April 7, 2003 (see Figure 1).
CIO Compliance Commitment
Key activities (and compliance dates) that CIOs must acknowledge, consider, and commit to include the following:
Business continuity is a corporate responsibility. CIOs and IT operations are enablers and facilitators. The IT organization has an obligation to help build BC plans and facilitate execution of those plans through architecture, technology, and process. CIOs need to be cognizant of IT organization capabilities and lines of business’s expectations of its capabilities. They must ensure that they align with business requirements and business’s service levels. Enterprisewide failure to comply with regulatory BCP/DR directives can result in government sanctions and fines.
Business Impact: CIOs who fail to provide continuous/high-availability systems necessary to complete the clearing and settlement of pending transactions within the business day could create systemic liquidity dislocations, as well as exacerbate credit and market risk for critical markets.
Bottom Line: CIOs must commit to robust recovery capabilities and prepare the ITO to respond to a wide-scale disruption by adopting sound BCP and DR practices.
META Group originally published this article on 29 October 2003.