Meta Report: Ignoring Business Impact Analysis Invites Disaster

META Trend: By 2002/03, regulatory pressures will force more than 30% of Global 2000 firms to adopt a formal risk management (RM) model such as COBIT (Control Objectives for Information and related Technology) or CRAMM (the UK government's Central Computer and Telecommunications Agency Risk Analysis and Management Method). By 2005, more than 40% of G2000 firms will adopt RM and a balanced risk/reward reporting process, improving portfolio investment decisions (build, buy, retire, table, postpone) based on defined and accepted RM analyses.

Our research shows that approximately 50% of Global 2000 companies have a credible disaster recovery (DR) plan that is up-to-date, tested, and executable. That percentage is growing, and the events of recent months have focused senior management interest on DR (data center focus), business continuity planning (BCP; work-area recovery focus), and “homeland security.”

These events, and the resulting publicity and awareness, are making it easier for CIOs to sell the importance of DR to the executive committee. Therein lies the paradox of an easy sell: funding and resources are readily available, but no clear process exists for deciding which risk controls, contingent strategies, and recovery plans should be funded.

Many CIOs fail to conduct a business impact analysis (BIA) to determine the effects and consequences of loss events by first assessing the company’s business requirements. We believe that more than 50% of G2000 CIOs are overinvesting in DR capabilities or, more commonly, allocating costly IT resources and investments in the wrong areas.

During 2002/03, we expect 80% of G2000 IT organizations (ITOs) to re-evaluate their DR/business continuity plans. By 2004/05, risk and security strategies, operational availability models (technology and process), and DR/BCP will overlap. Near-time proximity recovery techniques will appear in 40% of G2000 ITOs by 2006.

By 2005/06, we expect public-sector CIOs to establish comprehensive security architectures across their jurisdictions, facilitating data sharing that supports both physical and digital security requirements driven by federal, state, local task force, and post-September 11 terrorist-response initiatives (e.g., National Infrastructure Protection Center –

Increased DR spending continues to be fueled by growth in total computing power, extension of DR provisions into traditionally unprotected environments (e.g., distributed/departmental computing), and growth in “supercritical” applications (real-time, 24×7 business systems). This last group (ERP, CRM, and Web-based transactional systems) typically requires the most costly DR solutions (e.g., full failover employing disk-storage mirroring for high-availability [HA], consumer-oriented applications).

For organizations seeking thoroughness, these HA applications blur the boundary of the DR budget (along with other factors), because HA provisions are an operational necessity and are not always tied directly to DR initiatives. By 2003-05, we expect 70% of HA replicated solutions to be accounted for, properly, as part of the normal operations budget (rather than the DR/contingency budget), simply as the cost of doing business.

BIA Study: Getting Started

CIOs should engage their line-of-business (LOB) colleagues in considering the potential business impacts of a disaster. The CIO should adopt an enterprisewide BIA process that will do the following:

  • Identify the business’s needs for data currency/availability (data recovery point objectives, or RPOs)
  • Assess and determine the financial and consequential aggregate loss exposures for each business unit caused by IT-related service interruptions (infrastructure, voice, data)
  • Establish business-unit IT/infrastructure and services recovery time objectives (RTOs)
  • Solicit LOB management’s expectations and tolerance for IT risk acceptance
  • Determine existing IT risks
  • Mitigate IT-related risks, wherever possible, with cost-effective controls
  • Understand the underlying IT and business residual risks
  • Determine DR life-cycle costs (both ITO and LOB)
  • Determine levels of ITO/LOB risk acceptance/tolerance
  • Fund appropriate IT controls, DR contingencies, and recovery plans based on the business exposures, IT recovery requirements, and costs versus exposures (financial, legal, regulatory, market)

CIOs should consider the following DR/BCP risk management (RM) approaches:

  • Forming an enterprisewide DR/BCP steering committee: The CIO and DR/BCP staff act as advisors to the corporate steering committee. It is not the purview, or responsibility, of the CIO/ITO to set enterprisewide DR policy or to develop business-specific work-area recovery plans; the CIO/ITO works with the committee to determine end-user IT requirements, business recovery time objectives, and data-related recovery point objectives. The committee is most effective when chaired by an LOB executive with top-down executive support, usually from the CEO/president. The CIO/ITO acts as planning facilitator and uses the committee to support the BIA study, establish enterprisewide policy, evaluate risks, determine risk tolerance and/or funding levels, and report overall progress to management and the audit committee.
  • Assessing the data center physical security posture and mitigating the risk of a disastrous situation: CIOs should do the following: conduct a physical site and inventory review to determine existing threats, vulnerabilities, probabilities, and exposures; match physical inventory with IT infrastructure insurance coverage and ensure the ITO maintains an ongoing inventory of assets (including desktops) to establish proof of loss in the event of a catastrophic event; include a review of primary utility power feeds, alternate substation feed(s), power, and telecom conduits (entry/termination points into the data center); test all alarms and annunciators (especially for remote, “lights out” data centers); verify that card key/cipher locks are operational; consider mantraps; ensure media, supplies, and combustibles are stored in a contained, fireproof area; inspect Halon/water fire-suppression systems; and review access policies, procedures, and practices for employees, vendors, visitors, as well as temporary and terminated employees.
  • Architecting site-level data availability: This involves using different HA approaches for dissimilar infrastructure tiers; minimizing planned downtime before addressing unplanned downtime; ensuring the IT staff focuses on process and protecting data by following HA best practices (e.g., business units must determine their cost of downtime and recovery point objectives); and ensuring the ITO provides HA infrastructure options and costs for business funding of data availability/recovery alternatives (e.g., tape backup, transaction journaling, data mirroring solutions).
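The BIA steps above end with funding controls "based on the business exposures, IT recovery requirements, and costs versus exposures", and the site-level availability bullet asks the ITO to price tape backup, journaling, and mirroring against business-funded RPO/RTO targets. The following Python is an added illustration of that matching, not part of the META report: it takes constructed business-unit BIA inputs (RPO, RTO, hourly downtime cost, annual outage probability) and a constructed option catalogue, picks the cheapest option that meets each unit's objectives, and flags under- and overinvestment and objectives whose cheapest compliant option costs more than the unprotected exposure. The option names are the types the report lists; every figure, the 30-day unprotected rebuild assumption, and the sample units are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Assumption (not from the report): with no DR capability at all, rebuilding
# a data centre takes about 30 days.
UNPROTECTED_OUTAGE_HOURS = 24 * 30


@dataclass(frozen=True)
class BusinessUnit:
    name: str
    rpo_hours: float                  # recovery point objective: tolerable data loss
    rto_hours: float                  # recovery time objective: tolerable outage
    downtime_cost_per_hour: float     # aggregate loss exposure per hour of IT-service interruption
    annual_outage_probability: float  # LOB/ITO estimate of a disaster-class event per year


@dataclass(frozen=True)
class DrOption:
    name: str
    rpo_hours: float    # data-loss window the option actually delivers
    rto_hours: float    # recovery time the option actually delivers
    annual_cost: float  # life-cycle cost per year (ITO plus LOB)


# Constructed option catalogue: option types from the report, hypothetical figures.
DR_OPTIONS = (
    DrOption("nightly tape backup, cold site", 24.0, 72.0, 40_000),
    DrOption("transaction journaling, warm site", 1.0, 8.0, 180_000),
    DrOption("synchronous mirroring, full failover", 0.0, 0.5, 900_000),
)

# Constructed sample units and what is (hypothetically) funded for each today.
SAMPLE_UNITS = (
    BusinessUnit("Web order entry", 0.25, 1.0, 50_000, 0.05),
    BusinessUnit("Payroll", 24.0, 72.0, 2_000, 0.05),
    BusinessUnit("Internal reporting", 24.0, 48.0, 500, 0.05),
)
FUNDED_TODAY = {
    "Web order entry": DR_OPTIONS[0],   # tape only, for a supercritical system
    "Payroll": DR_OPTIONS[2],           # full mirroring for a batch system
    "Internal reporting": None,         # nothing funded yet
}


def meets_objectives(unit: BusinessUnit, option: DrOption) -> bool:
    """An option is compliant only if it beats both the RPO and the RTO."""
    return option.rpo_hours <= unit.rpo_hours and option.rto_hours <= unit.rto_hours


def annualized_exposure(unit: BusinessUnit, outage_hours: float) -> float:
    """Expected annual loss from one disaster-class outage of the given length."""
    return unit.annual_outage_probability * unit.downtime_cost_per_hour * outage_hours


def cheapest_compliant(unit: BusinessUnit, options=DR_OPTIONS) -> Optional[DrOption]:
    compliant = [o for o in options if meets_objectives(unit, o)]
    return min(compliant, key=lambda o: o.annual_cost) if compliant else None


def assess(unit: BusinessUnit, funded: Optional[DrOption], options=DR_OPTIONS) -> dict:
    """Compare what is funded with what the BIA says is needed and affordable."""
    unprotected = annualized_exposure(unit, UNPROTECTED_OUTAGE_HOURS)
    best = cheapest_compliant(unit, options)
    findings = []
    if best is None:
        findings.append("no catalogued option meets the stated RPO/RTO")
    elif best.annual_cost > unprotected:
        findings.append("cheapest compliant option costs more than the unprotected "
                        "exposure; revisit RPO/RTO with the LOB")
    if funded is not None:
        if not meets_objectives(unit, funded):
            findings.append(f"underinvested: '{funded.name}' misses the RPO/RTO")
        elif best is not None and funded.annual_cost > best.annual_cost:
            gap = funded.annual_cost - best.annual_cost
            findings.append(f"overinvested: '{funded.name}' exceeds '{best.name}' by {gap:,.0f}/yr")
    # Residual exposure: the outage the business still eats under the recommended option.
    residual = annualized_exposure(unit, best.rto_hours) if best else unprotected
    return {
        "unit": unit.name,
        "unprotected_exposure": unprotected,
        "recommended": best.name if best else None,
        "recommended_cost": best.annual_cost if best else None,
        "residual_exposure": residual,
        "findings": findings,
    }


if __name__ == "__main__":
    for u in SAMPLE_UNITS:
        r = assess(u, FUNDED_TODAY[u.name])
        print(f"{r['unit']}: exposure {r['unprotected_exposure']:,.0f}/yr, "
              f"recommend '{r['recommended']}' at {r['recommended_cost']}/yr, "
              f"residual {r['residual_exposure']:,.0f}/yr")
        for f in r["findings"]:
            print("  -", f)
```

The three sample units are chosen to show the three outcomes the report warns about: a supercritical system backed only by tape (underinvestment), a batch system on full mirroring (overinvestment), and a low-value system whose stated RTO forces an option that costs ten times its exposure, which is the signal to take the objective back to the LOB rather than fund it.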

CIOs should address DR/BCP needs by conducting a BIA study and taking action to mitigate the IT risks (threats/vulnerabilities) that can cause a disastrous event or extended system outage.

Business Impact: CIOs who fail to conduct a business impact analysis risk overcommitting or underinvesting resources in disaster prevention and contingent recovery operations.

Bottom Line: Savvy CIOs address disaster recovery requirements by leading with a business impact analysis to balance risks with the cost of disaster prevention/mitigation controls and contingent solutions.

META Group of Stamford, Conn., is a leading research and consulting firm, focusing on information technology and business transformation strategies. For more information, visit