I don’t know about you, but I cannot remember the last time I got to work a “Greenfields” client. What a shame then that so many people still treat all situations as being greenfield.
Sometimes you can find that there is no real BCM Program in place, but generally there is some form of “tick in the box” BC Plan on a shelf somewhere.
Irregardless of this, it is very rare to find an entity that does not have a sunk investment in IT, and perhaps some form of DR in place. Even if it is just a backup tape the IT guy takes home each night.
Brownfields IT will probably contain infrastructure, applications and perhaps SOA services that have not been designed to facilitate failure nor designed for recovery.
The real bottom line here is that in this situation the Recovery Time Objective (RTO) is not always going to be derived from any analysis of business needs, but from the “as built” IT DR solution. Sure an Enterprise Business Impact Analysis may provide the input for a business case for future DR investment, and after that investment has been made and commissioned the new DR Plan can work to a new RTO.
Until then your business users better have manual workarounds to cover the difference between the time they would like to be without systems and the time they are going to be without them.
Shocked? Heresy? No, supported by a best practice guide …
- “A RTO represents the required level of capability that the organisation aims to recover within a defined time frame. This is often determined by the ‘provider’ of the infrastructure or service.” •
- Standards Australia, HB 292-2006, p64
Do you know what the “as built” recovery of your IT systems is?
Do you have “fantasy” plans that are not related to real, proven recovery capability?
I have two views:
Firstly, in todays world, there is no longer an excuse for shoddy DR. Incidents are happening too often and are becoming severe. The cost benefit of wasted business time and the loss of IP or corproate knowledge as a result of Shoddy DR is simply unacceptable. DR has moved from a simple compliance issue to forefront business – the CIO must be accountable for this.
Secondly, Executives are too removed from BCM/DR matters. Continuity of business is just as important as the next new business roll out or strategic project. Put BCM/DR matters squarely in the face of the executives and you quickly have a changed IT environment – Brown does indeed become Green and very quickly do the other “pie in the sky” initatives such as process resiliance and new technology such as virtualisation quickly become a reality. People shy away from the executives and believe that they are wasting valuable executive time – how wrong they are!
Excellent points Pat, thanks for the comment.
Executive sponsorship is the only way to effect these changes. I have been talking to people about this Brownfields concept a lot recently as I encountered far too many examples where the issue was not being addressed in the fashion you have outlined.
In fact just the opposite. A “Fantasy RTO”, which was what the greenfield-assuming BIA suggested, was being used in all BC Plans as a guide to the period of manual processing that would need to be undertaken. The business could cope with that impact.
The “as built” RTO was significantly longer, so we have a major disconnect between IT and Business recovery. Nobody realised the gap (because both used the term RTO with different meanings) and no business case was ever created to fix the problem.
This was technically a good IT DR solution – shoddy BC Program Management meant it did not align with the real business need.
I have two views:
Firstly, in todays world, there is no longer an excuse for shoddy DR. Incidents are happening too often and are becoming severe. The cost benefit of wasted business time and the loss of IP or corproate knowledge as a result of Shoddy DR is simply unacceptable. DR has moved from a simple compliance issue to forefront business – the CIO must be accountable for this.
Secondly, Executives are too removed from BCM/DR matters. Continuity of business is just as important as the next new business roll out or strategic project. Put BCM/DR matters squarely in the face of the executives and you quickly have a changed IT environment – Brown does indeed become Green and very quickly do the other “pie in the sky” initatives such as process resiliance and new technology such as virtualisation quickly become a reality. People shy away from the executives and believe that they are wasting valuable executive time – how wrong they are!
Excellent points Pat, thanks for the comment.
Executive sponsorship is the only way to effect these changes. I have been talking to people about this Brownfields concept a lot recently as I encountered far too many examples where the issue was not being addressed in the fashion you have outlined.
In fact just the opposite. A “Fantasy RTO”, which was what the greenfield-assuming BIA suggested, was being used in all BC Plans as a guide to the period of manual processing that would need to be undertaken. The business could cope with that impact.
The “as built” RTO was significantly longer, so we have a major disconnect between IT and Business recovery. Nobody realised the gap (because both used the term RTO with different meanings) and no business case was ever created to fix the problem.
This was technically a good IT DR solution – shoddy BC Program Management meant it did not align with the real business need.
Fantasy RTOs are a great starting point out of BIA. Engaging executive management and giving them the real picture, and the gap between the fantasy and the reality, certainly gets a response. The real work starts when trying to cost the RTOs. Executive management then have some hard decisions to make.
Your point about shoddy Program Management is right on, however, as an IT practitioner, and based on bitter experience, we must be involved in BCP whenever it is undertaken to ensure a clear understanding by all.
Fantasy RTOs are a great starting point out of BIA. Engaging executive management and giving them the real picture, and the gap between the fantasy and the reality, certainly gets a response. The real work starts when trying to cost the RTOs. Executive management then have some hard decisions to make.
Your point about shoddy Program Management is right on, however, as an IT practitioner, and based on bitter experience, we must be involved in BCP whenever it is undertaken to ensure a clear understanding by all.
Agree. One of the biggest challenges in any risk process that engages IT is bridging the gap between “the Ignorance of the Business and the Arrogance of IT”. If that sound offensive, don’t worry. I’ve used the phrase in front of corporate IT directors and they do get it.
Agree. One of the biggest challenges in any risk process that engages IT is bridging the gap between “the Ignorance of the Business and the Arrogance of IT”. If that sound offensive, don’t worry. I’ve used the phrase in front of corporate IT directors and they do get it.