Recoverability of an organisation was once considered a luxury. After all, why would a company spend any time let alone any money in ensuring IT services are available in the event of a crisis? Thankfully this viewpoint has become far less common that it used to be. Yet still companies struggle to adequately prepare and plan for events that are now becoming more and more common.
The road to a successful IT Service Continuity Management (ITSCM) implementation is fraught with challenges from identifying what services to focus on to where the investment should be best placed to support those services. So often are recovery planning investment efforts distracted by technical desires which cause investment to be diverted to the new shiny technology of the hour instead of the foundational recovery requirements that will support continuity of IT services.
Small steps
The first step is to identify the services that are critical to your business. This sounds like a simple exercise, and many have misunderstood how to go about it effectively. To protect what is critical, an organisation needs to have a frank and open discussion with itself around what determines a critical service and or process. This is usually carried out via a formal Business Impact Assessment (BIA). The BIA process allows for an assessment to be carried out to determine the impact of loss of a service to an organisation. Once this is completed the portfolio of services can be organised by criticality and then subsequent recovery planning can commence based on the chosen criteria.
Some organisations may choose only to protect the critical services, whereas another may choose critical and high-impact services. There is often a balance to be found between the current risk profile and investment available to ensure these identified services are covered.
The benefits of a detailed analysis are often underestimated and the value of doing this correctly will bring many more benefits than just within the ITSCM area. Clear and accurate identification of an organisation’s services can also be used in other areas such as Application Portfolio Management (APM) to assist in health checks and potential application rationalisation.
Single source of truth
Ensuring that the work completed at the BIA stage is not wasted, it is good practice to retain this information within the CMDB. This ensures a single source of truth for this initial ITSCM data. This can then be leveraged to ensure the BIA remains current and will ensure accurate information is fed into the broader ITSCM process.
Why complicate something that’s already complex?
When it comes to the next stage of an effect ITSCM implementation it is important to keep it simple and effective. So often, organisations make the recovery planning process more complicated than it needs to be. A review of the identified services can now be done to see which services have existing recovery plans in place, and which require the initial plans to be drafted.
The journey continues with a review of existing plans and creation of those service plans that are not catered for. Depending on the resources available, a two-pronged approach can be deployed, with a technical walkthrough alongside the review. It’s at this technical review stage that many organisations realise their existing plans are now outdated and or of little currency in terms of effectiveness.
The more proactive organisations may now feel that their portfolio of services is in fairly good shape, and once the portfolio is understood and plans are in place, the next step in the journey begins.
A time and a place for everything
Organisation and scheduling keep our lives on track, and the same can said for our approach to an effective ITSCM implementation. Having an agreed testing schedule within the organisation is imperative to remaining on top of the recovery capability. This can either be in the form of independent component testing or a complete end-to-end recovery test of central and dependent supporting services.
A key point to note here is that, when something is tested and fails, the organisation should remediate and retest as soon as possible. Often this step is missed; the failed test is recorded or noted, and the remediation is not addressed immediately. Such an oversight can heavily impact on organisational recoverability. This is one of the key purposes of the testing and scheduling step in the ITSCM process.
The journey continues
Implementing an effective ITSCM process is a journey and one that needs close attention to detail throughout. The industry has at times seen recoverability of services as a chore; however its importance is finally getting more airtime. Products are becoming more and more effective at supporting the once time-consuming action of recovery. Having a product that facilitates this is a great first step, but equally essential is an effective ITSCM process that ensures consistent recoverability no matter what the scenario or type of recovery required.
For more information, why not join our ITSCM masterclass in October?
Paul is an experienced IT Service Continuity Management SME with over 20 years' experience in the IT industry.