The Business Model Challenge
The hard part, particularly from a technology standpoint, is identifying all the layers of dependency. Business units may know about the payroll system, but it takes a lot of IT participation to get down the stack, layer after layer. Applications such as payroll run on operating systems and adhere to system configurations, which in turn integrate with an application infrastructure of back-end systems, identity management systems, and protocols. All of this sits on a physical infrastructure of server platforms, networking, and routing infrastructure, which in turn depends on an underlying critical infrastructure of cooling, power, communications, local and regional government services, and, perhaps most important, people. And, as obvious as it may seem, people depend on food and shelter and, perhaps less obvious, a perception of a certain amount of safety. “You may have a disaster situation in which the people didn’t die but the families panicked and forced them to quit,” Burton’s Henry says.
The other challenge is identifying dependencies that come from BPO and supply-chain arrangements. “If you’re outsourcing HR, you probably want to keep backups of everything you send to that company,” says Fred Cohen, CEO of Fred Cohen & Associates, information security specialists.
Mobility is another potential stumbling block. “Many people are surprised at how much data is on people’s PCs and laptops,” Unisys’ Dillman says. “If they can’t use them, which occurred after Katrina, the business may not be able to operate.” And finally, it’s important not to overlook information lifecycle issues tied to regulations such as HIPAA and Sarbanes-Oxley.
Several vendors -- including Fred Cohen & Associates, IBM, Paisley Consulting, PricewaterhouseCoopers, Protiviti, SAIC, SunGard, and Unisys -- provide services to help companies through this process.
What should this modeling exercise produce? In some cases it’s simply a spreadsheet or database that lists different processes and their dependencies. In other cases it may be a large diagram or several diagrams that map out these dependencies through the various layers using icons and colored arrows or process flows. In still other cases, the diagram may be linked to a database. “We find that Excel spreadsheets are a major tool for this purpose,” Burton’s Henry says. Tools are also available from Paisley Consulting, Proforma, SunGard, Strohl Systems, and Triaster to help with parts of this process, as well as the final result. Protiviti and Unisys have their own tools that they use with customers.
“Our deliverable is usually a diagram with some type of text or database behind it,” Walch says. “The process model usually shows different entities such as people, business units, business partners, applications, infrastructure, and databases and describes the relationships between them and information flow. You’ll see integration with Tivoli, Remedy, Paragon, or something similar.” IT can use these diagrams and databases to understand the consequences and scope of various types of outages, as well as for subsequent forensic analysis.
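The kind of dependency database described above, sketched as an added example that is not from the article or from any vendor's tool: a small Python model that walks the layers to show which business processes an outage reaches and which dependencies nobody has modeled yet. All item names and rows are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample rows: (item, layer, direct dependencies).
ROWS = [
    ("payroll",       "process",            ["payroll-app", "hr-outsourcer", "staff"]),
    ("order-entry",   "process",            ["order-app", "staff"]),
    ("payroll-app",   "application",        ["os-a", "identity-mgmt"]),
    ("order-app",     "application",        ["os-b", "identity-mgmt"]),
    ("identity-mgmt", "app-infrastructure", ["os-a"]),
    ("os-a",          "operating-system",   ["servers-dc1"]),
    ("os-b",          "operating-system",   ["servers-dc2"]),
    ("servers-dc1",   "physical",           ["power-dc1", "cooling-dc1"]),
    ("servers-dc2",   "physical",           ["power-dc2"]),
    ("power-dc1",     "critical",           []),
    ("cooling-dc1",   "critical",           []),
    ("power-dc2",     "critical",           []),
    ("staff",         "people",             []),
]

LAYER = {item: layer for item, layer, _ in ROWS}
DEPENDS_ON = {item: deps for item, _, deps in ROWS}
USED_BY = defaultdict(set)          # reverse edges: dependency -> dependents
for item, deps in DEPENDS_ON.items():
    for dep in deps:
        USED_BY[dep].add(item)

def _reach(start, edges):
    """Breadth-first walk; returns everything reachable from start."""
    seen, queue = set(), deque([start])
    while queue:
        for nxt in edges.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def processes_hit_by(failed):
    """Business processes that stop, directly or indirectly, if `failed` is lost."""
    return sorted(i for i in _reach(failed, USED_BY) if LAYER.get(i) == "process")

def full_stack(item):
    """Every layer-by-layer dependency beneath `item`."""
    return sorted(_reach(item, DEPENDS_ON))

def unmodeled():
    """Dependencies referenced by some row but never described themselves."""
    return sorted(d for deps in DEPENDS_ON.values() for d in deps if d not in LAYER)
```

In this sample, losing power in the first data center also stops order entry, which runs in the second, because both applications share the identity management system; the outsourced HR provider shows up as a gap because no row describes what it depends on.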
Assessing the Risks
This model is then used in the other part of this workshop process, which is to rank the importance of processes and to assess risks. Disaster recovery specialists are more concerned about specific risks, such as hurricanes, but business continuity planners tend to talk more in terms of systems and processes. “I need a plan to tell me what to do when the power goes out,” Protiviti’s Porier says. “It doesn’t matter what caused it.”