Opinion

Why business leaders need to be masters of disasters

IT failure is not limited to cyber-attacks. Business leaders need to have a resiliency plan in place to respond to all of the threats posed today.

Mijee Briana Walker Aug 04th 2017

In the first half of 2017, the world has been subjected to two major ransomware attacks, the most recent of which is the June 27 Petya cyber-attack that impacted both businesses and government services. More and more businesses are relying on IT for mission-critical processes, but some businesses are failing to plan for potential IT failure.

IT failure is not limited to cybersecurity threats; it can also result from natural disasters, terrorism, power failure, espionage and accidents. Every business leader needs to have a resiliency plan in place to respond to all of the threats posed today to our highly digital, global business environment.

To understand how the world’s most resilient businesses recover in the face of IT failure, IBM’s Centre for Applied Insights commissioned a report, entitled Masters of disaster recovery, to learn how highly resilient organizations excel at resiliency.

More than half of the 310 respondents in IBM’s Masters of Disasters report said the top challenge they face is incorporating an increasing number of business-critical systems into their recovery plans. From ERP to mainframes and mobile apps, businesses are data-rich with an increasingly complex ecosystem of interdependent apps.

As the number of critical applications and workloads grows, so does the degree of difficulty for IT integration. The result is more potential points of failure that disaster recovery teams must manage. Other key challenges facing disaster recovery include demonstrating ROI, finding IT experts with disaster experience, meeting recovery time and point objectives, and securing sufficient funding for recovery planning.

Masters of disaster are strategic, collaborative and practice often

To be considered a master, the most highly resilient organizations are first able to ensure rapid resumption of revenue-generating processes, within recovery time frames higher than the industry average. Additionally, ‘masters’ can rapidly resume interfacing with their partners, and are also expected to be able to deliver lower recovery costs in the process.

Businesses that can master disaster ensure that there is tight integration between IT and senior management during planning, and that the board is involved and engaged in planning to ensure that resiliency investments are properly funded.

By forging a strong system of collaboration between IT and senior management, masters of disaster closely monitor the new applications entering the business and balance the business priority of the different systems in their planning.

Masters of disaster recovery incorporate enterprise security and risk management as a critical part of planning. They also include security policies in their testing, simultaneously vetting both their recovery plan and their security processes.

Establish a strategic, integrated disaster recovery approach

Masters of disaster build an integrated approach by working with multiple internal leaders within the organization, including the board, as well as outside partners and experts, to ensure maximum input and high-level buy-in. An integrated approach ensures the plan is understood, well considered, well funded and supported, and that all business and technical priorities are considered. Additionally, masters work with legal, security and IT to ensure that the strategy incorporates compliance requirements.

Collaborate with security and risk leaders

A robust resiliency plan incorporates both cyber security and data management compliance and governance. Additionally, masters look for further validation, support, and input by securing the review, endorsement and approval of their resiliency plans by an internal or external audit team for the business. As a risk mitigation tactic that’s essential to business continuity, it’s highly recommended to keep the business IT resiliency program in view of the risk, security and compliance officers.

Design a robust testing program

At a minimum, businesses should be testing their response times annually, and more frequently if possible. To conduct a thorough, meaningful and robust test, businesses need to develop the ability to test the robustness of their recovery times in real time, with ad-hoc queries from any device.

Businesses should also be continuously evolving and improving their testing methodologies by incorporating analysis from previous tests, and incorporating testing that accounts for any new environments, partners, devices, applications or services that have been introduced to business-critical functions since the last test. Businesses should also be benchmarking themselves not only against their previous results, but against the recovery times in their industry to pinpoint areas for improvement.

Incorporate new technologies into disaster recovery plans

Masters of disasters stay abreast of the latest tools, and evaluate their efficacy in improving recovery times. The recent adoption of cloud and cognitive solutions that are built to automate and orchestrate disaster recovery plans is pushing the industry forward towards a more healthy, efficient, and productive business model. Masters of disasters also use social technologies, both internal and external, to communicate system status updates in response to adverse events in real time, and they use social tools to monitor economic, environmental and other external events that could disrupt service.

The potential for businesses to drive more value through new IT and digital services is almost limitless. But the increasing reliance on IT for business-critical functions means that risk must be mitigated. And while every good IT plan includes prevention and protection, businesses should also develop a well-rounded, integrated, funded and tested business resiliency plan.

The author is Resiliency Services Leader at IBM APAC.

Disclaimer: This article is published as part of the IDG Contributor Network. The views expressed in this article are solely those of the contributing authors and not of IDG Media and its editor(s).