Few would question the necessity for ICT continuity solutions – but how many have interrogated how much they cost and how effective they are? That’s a question posed by Jaun Harmse, senior business continuity management advisor at ContinuitySA, who asks how many organisations are aware of how accurately their ICT service continuity (traditionally known as IT disaster recovery) solutions match business requirements.

He also questions just how well such solutions will support business continuity when they are called upon; if they don’t, of course, any money that was spent on them is wasted.

“IT people sometimes don’t know what the actual business requirements for recovery are. They know they need to get the ICT services back up and running, but, owing to the traditional disconnect between IT and business, don’t have the necessary insight into the business requirements to ensure that the system recovery can support the people and process recovery requirements,” says Harmse.

The result is an absence of good corporate governance for what is a traditionally technical discipline and either a cost blowout through overinvestment on one end of the spectrum, or exposure of the business to unreasonable risk on the other.

He notes that ICT continuity is distinct from business continuity; the former is the technical component of the latter which also includes people and process. “ICT continuity is typically seen as a technical function and not as part of the management of risk – but that has to change,” Harmse adds.

He says the implementation of an ICT Service Continuity Management (ICTSCM) framework, aligned with the ISO27031 standard for ICTSCM, supports a clearer understanding of business requirements for recovery. It also helps ensure that the ICT Service Continuity strategy is tailored to meet specific organisational needs.

The ISO27031 standard provides guidance to business continuity and IT disaster recovery professionals on how to plan for IT continuity and recovery as part of a more comprehensive business continuity management system. Importantly, it is now referenced by the more recent ISO22301 standard for business continuity.

“The aim is to bridge the gap between business requirements and actual capabilities and incorporate ICT requirements analysis with business analysis. Understanding the business requirement better and involving IT in the discussion leads to more relevant strategy development and a strategy which is fit for purpose,” Harmse adds.

He turns his attention to cost, noting that it is the business which holds the purse strings, while the IT department tends to require the contents of the purse to provide services including those for ICT recovery.

“With the establishment of a fit for purpose strategy, access to the purse is eased: business has a better view of what it is paying for,” says Harmse.

In developing a business continuity management and ICTSCM strategy, he says cognizance of “the facts” is necessary in order to align cost with benefit.

Points to bear in mind are:
* Every organisation does not need a fully replicated data centre.
* Every organisation does not need work-area recovery for every single staff member.
* Modern technologies make it easier to design fit-for-purpose and cost-efficient solutions.
* Recovery strategies should take both the capital and operating expenses of proposed solutions into consideration.
* Understanding requirements and risks delivers buying power.

If these facts are not understood, Harmse points out that there is little hope of achieving ICTSCM measures which are both cost effective and which also effectively support business continuity. “It is very important that you understand the variables and the risks and translate that for the IT department, or outsourcing service provider, to make sure that the resulting strategy is fit for purpose and to your requirements, not theirs.”

Failure to do this, says Harmse, means the investment in ICTSCM cannot be accurately matched to business needs, and cannot be expected to support business continuity effectively when it is needed most. “Achieving process and cost efficiencies for ICTSCM doesn’t lie in individual activities, but rather the implementation of integrated processes – and cost savings can be achieved as a direct result of good information and informed decisions,” he concludes.