Four steps to protect your business from IT risk

by Hossien Dakkak20 Apr 2016

Ricoh IT Services’ Hossien Dakkak provides four essential steps every organisation should take to protect its IT systems from potential risk of disaster

With continued advances in enterprise and cloud technology, it’s tempting to think that applications and data are no longer at significant risk from disaster events. However, that’s far from reality.

Today, organisation must have plans in place to address a wide range of crises and disasters. The health of the business, the relationship with customers, the reputation with suppliers and the safety of staff depends on it.

To begin with, let’s identify the purpose and value of the two main strategies organisations use to avoid and mitigate risk from both an overall business and technology perspective:

1. Business Continuity (BC) Planning

A BC Plan determines how a business continues to deliver its services in the face of different levels of internal issues (human, environmental or technical) or external situations. A BC plan ensures a response is effective, timely and appropriate for each issue or situation. However, the value of a BC Plan goes far beyond the effectiveness of the response.

Competitive Advantage and Reputation

A well communicated BC Plan demonstrates to both customers and suppliers that an organisation is mindful of business risks and aims to deliver a service even in the face of extreme disruption. Should a disaster event occur, a well-executed BC Plan helps limit or negate reputational damage.

Limiting Financial Impact

Interruption of service can cost companies millions of dollars in lost revenue, incur damages from missed SLA’s with customers, see regulatory penalties imposed and disrupt an industry supply chain. Limiting the number of lost orders, regulatory penalties or SLA penalties is a major focus of many BC Plans.

Improving IT Operational Performance Through Knowledge Capture

Capturing key IT policies and processes offers many organisations a unique opportunity to centralise critical IT operations information. This exercise, as part of a BC Plan, gives an excellent insight to IT operational effectiveness, how improvements can be made to daily operations and how the organisation can increase their preparedness for a BC event.

Mitigating Risk and Ensuring Regulatory Compliance

A BC Plan risk assessment builds a comprehensive view of the likelihood and impact of BC events. Greater understanding of organisational risks helps drive practical risk management strategies. The BC Plan risk assessment also gives a company the opportunity to understand the threats to their regulatory compliance and the steps they must take to avoid non-compliance.

2. IT Disaster Recovery (DR)

An IT DR Plan is a subset of BC Planning – along with other DR planning considerations such as how to maintain business operations should your premises burn down, flood or lose power. Your IT DR Plan specifically provides for how you respond to a disaster event affecting part or your entire technology infrastructure.

A DR Plan, much like the BC Plan, limits the financial impact of a disaster, can assist develop company reputation and provides an opportunity to capture and centralise key knowledge. Two further benefits of a DR plan include:

A business focused recovery of IT systems

A DR plan, embedded into IT operations, helps risk management and DR planning should become part of day to day operations. IT system risks are more closely monitored, DR costs are included in budget planning and systems are more rigorously tested for failures. This helps build confidence in the preparedness of an IT operations department. Reviewing the business importance of systems also helps an organisation understand the priority in which to restore systems during a DR event.

Step 1: Define Your Business Requirements

In the event of a failure of some aspect of your business technology systems, which critical services must your organisation keep running or recover and within what timeframe? The answer will lie in your business risk management strategy and, in some cases, regulatory requirements.

The BC and DR Plans you develop must closely match your specific business demands. For instance, if you’re an electricity generation company you must transmit data from smart meters to the relevant electricity retailer within a specific number of hours. This requirement, along with the threat of a large fine, will drive both your BC and IT DC requirements.

Step 2: Evaluate your Technology Landscape

Will your technology infrastructure meet the required recovery or uptime of a given system or service? Can these BC requirements be met with your existing IT infrastructure, or must new or replicated hardware, software or services be ready for deployment in the case of a disaster?

Access by your staff is another consideration. If any of your premises become uninhabitable, modern communications technologies enable staff to remotely access your company’s IT infrastructure from elsewhere.

In times of disaster or catastrophe, running a call centre or service desk with staff connecting remotely from their homes is now a realistic solution – provided the necessary communications infrastructure and switching is prepared to be put in place.

Virtualisation and cloud computing technologies have improved the movement and replication of application workloads, making organisations less dependent on the location of their IT systems and better able to respond to critical local situations.

Step 3: Plan your response to BC and DR events

Assessments of both your business risk profile and technology landscape will inform your BC and DR Plans. Key to their success is the development of a collection of clearly documented processes to follow in the event of a disaster.

At the time of a disaster, there’s no time to ask “What do we do next?”, your plans must cover all aspects of your business potentially affected by a disaster –from IT support and systems such as ERP, CRM, email and productivity applications to customer service desks, your finance department and accounting applications, retail outlets, websites and remote access for both senior management and staff.

Only comprehensive BC and DR strategies will give you a clear guidance on the actions to take, key roles and responsibilities and how you communicate with essential people and resources within and beyond your organisation.

Step 4: Test your BC and DR Plans

It is not enough to just create plans for your BC and DR strategies. You must also regularly test and prove these plans. Many an organisation has developed, but not tested, its BC and IT DR Plans – only to discover data restore times measured in days instead of hours, a network link unable to cope with extra traffic during a recovery event, server configurations different to their documentation or support from a vendor unavailable when needed.

Controlled testing involves deliberately invoking a disaster such as network or grid failure, loss of a data centre or hardware breakdown to prove your plans will work during a real disaster event. The testing process discovers these issues, giving you the opportunity to resolve them before they occur during an actual emergency.

Better safe than sorry

BC and DR Plans are the insurance policies that keep your organisation running in the event of a disaster. Like insurance premiums, it’s essential to invest your organisation’s time and effort to create and test your BC and DR Plans to best ensure the continued operation or swift recovery of business services. Just like insurance, while you hope to never use them, having them in place helps protect you from the unexpected.

About the Author

Hossien Dakkak is National Technology Services Manager at Ricoh IT Services Australia. He has worked in IT since 1992, and has advanced expertise in the delivery of IT Service Management, ITIL, Service Desk, and cloud computing.