For over two decades, IT has been fine-tuning the disaster recovery (DR) process as storage technology has advanced from tape to virtual tape to low-cost disk. In the process, organizations have been able to meet increasingly tight recovery point objectives (RPO) and recovery time objectives (RTO). The addition of deduplication and asynchronous replication, among other technologies, has contributed to the effort. Today, any organization can have a reliable and efficient data protection and DR process at a reasonable cost.
Now, it turns out, DR alone may not be enough. Organizations face myriad kinds of risks that should drive them to adopt an integrated, or holistic, risk management strategy that encompasses not only DR and data protection but a business resilience strategy. Business resilience encompasses all facets of risk management from identification through to mitigation and more.
The "more" refers to new opportunities. Based on its 2011 Global Business Resilience and Risk Study, IBM is suggesting that a more proactive and forward-thinking approach to DR is needed, one that encompasses business opportunities as well as risks. The study is available here.
To ensure business resilience, companies are moving toward a risk management process that addresses the myriad types of risk that organizations face by adopting, according to IBM, a more holistic approach to risk management as they deal with growing uncertainty and the increasing inter-connectedness of the varied risks they face. At this point, only a minority (37%) of companies has implemented an organization-wide business resilience strategy, but 42% say they are likely to do so within the next three years. Almost two-thirds (64%) say they already have a business continuity plan of some sort, and a robust 58% have dedicated contingency plans for dealing with a variety of risks.
Furthermore, the study found that organizations are diversifying their strategies to build business resilience, while keeping continuity, IT, and compliance risks in the forefront. They are not abandoning DR but augmenting it through business resilience strategies that may include cloud computing as a key risk and opportunity management tool.
The study makes it clear that DR and business resilience are evolving into enterprise-wide risk management. Such risk management, the study notes, should involve everyone in the organization and imbue responsibility for risk management at every level if companies are to respond effectively to changes and unexpected events.
For example, a majority of respondents (60%) say that business resilience is considered a joint responsibility of all C-level executives, although CIOs and IT professionals remain key players. Similarly, a significant majority of survey respondents say that data and application security (85%), data protection (79%), infrastructure security (77%), security governance (75%), identity and access management (74%), and compliance management (69%) are now part of their organization's broader risk management strategy.
The focus of the IBM study is business resilience, not DR or business continuity or even risk management. Business resilience, according to IBM, refers to the ability of enterprises to adapt to a continuously changing business environment, not just to restore operations after a disaster or to continue to function despite operational problems.
Of course, business resilience helps organizations maintain continuous operations in the face of disruptions and disasters. But IBM envisions it as something more. IBM distinguishes business resilience planning from enterprise risk management (ERM) in that resilience planning is more likely to build the organizational capacity to seize opportunities created by unexpected events. As such, it requires the engagement of everyone in the organization and often means a change in corporate culture to instill awareness not only of risk but of potential opportunities.
The addition of opportunities to the risk management calculus adds a new dimension to the challenge. Now it is not just about restoring servers in response to a sudden disaster but about bringing back the right capabilities and capacity to take advantage of new opportunities that may emerge from the unexpected events.
A focus on this kind of business resilience will require new investments and the involvement of new players across the company. For example, 58% of the respondents reported investing in new risk-related IT strategies. As noted above, cloud computing with its ability to rapidly deploy new resources and capabilities is emerging as a preferred option.
Business resilience, of course, continues to involve the CIO and IT because, in the end, it is still about the protection of and accessibility to the organization's applications, systems, and data assets. However, 62% of respondents also noted they brought on board other C-level executives, and 44% even include board members.
Nobody is advising organizations to abandon their DR strategies. Instead, the study suggests companies augment DR with business resilience and opportunity identification strategies. Suddenly DR becomes strategic.