Operational Risk Management: Reaping the Benefits

There is no question today that operational risk management is a fact of life for all companies and IT departments of all sizes. Not only are CIOs faced with a fluctuating roster of unpredictable external threats that include natural disasters, e-mail viruses, and pandemics but, worldwide, there are regulatory concerns as well, including Sarbanes-Oxley and Basel II.






Four Steps to Better Risk Management
Whether your company is just starting to build a business continuity and availability solution or evaluating an existing one, a comprehensive process is required to understand where you are now and what steps you need to take to build a resilient infrastructure.

This process should start from the perspective of the business users, and includes four main components:

Step 1: Define business requirements. If the goal of a business continuity and availability solution is to support the business, the logical place to start is defining the business needs.

Evaluate the requirements of all business processes and applications across the enterprise in regard to regulatory compliance, availability, security and business continuity. Measure the impact of downtime for each business application and process to determine how much downtime is acceptable.

Step 2: Assess and prioritize risk. Once an understanding of the business requirements has been established, it’s time to factor in the risk.

Comprehensive, in-depth availability, security and continuity assessments help to identify areas of risk and guide strategies for protecting the IT environment and improving IT service. Best practices frameworks such as the IT Infrastructure Library (ITIL) and others should be used to evaluate existing processes.

This is the step for identifying gaps and leveraging what you learned in the first step to prioritize the risks according to business impact.

Please see page two for Steps 3 & 4.


From an internal perspective, the situation isn’t much brighter. Day-to-day issues related to people and technology cause too much of downtime.

In 2006, HP commissioned a survey about organizations’ business continuity and availability plans. An astonishing 90% of downtime was reportedly due to network/telecommunications issues, hardware or software failures, or operator error.

Business continuity and availability is a major priority in business today as companies increasingly place greater emphasis on protecting the business and achieving the right levels of IT availability on a daily basis.

The cost of not focusing on this can be extremely high. According to Infonetics Research, IT downtime costs large U.S. businesses an average of 3.6% of their revenues per year, with manufacturing organizations losing nine percent and financial services organizations losing an even greater 16% of revenue.

While all companies need to be aware of what risks they face and how best to address them, the best solutions are built around each company’s individual characteristics. Successfully managing operational risk comes down to having a successful business continuity and availability strategy that:

  • Defines business requirements;
  • Includes an up-to-date profile of your risks;
  • Drives design and implementation of the right solutions for the specific business requirements;
  • Balances risk against cost, and;
  • Allocates the right resources to continually re-evaluate, test and improve business continuity plans and solutions.

    Following the criteria outlined above will help yield a solution that is tailored to each company’s particular risks, needs and appropriate level of investment.

    Integration with the Business

    Business continuity, availability and security are interdependent, requiring an integrated, systemic approach to planning, design, implementation and management. As outlined above, the starting point for building a resilient IT environment should be a thorough understanding of the business requirements, the risks and threats the organization faces, and the impact of downtime on each of its critical business process.

    However, recent history has shown that most businesses move through a predictable series of business continuity preparedness. Most begin with nothing — no disaster recovery plan or, if there is a plan, it’s not tested or actionable — and end with a comprehensive business continuity and availability solution that’s focused on process integration, end-to-end planning, including partner integration, and continuous improvement/best practices.

    By starting with a comprehensive, integrated approach, a company can build a reliable infrastructure where the business’ required service levels can be maintained through adjustment of IT availability and performance. The earlier a company adopts such an approach, the easier it is to bake into its culture the integration between people, processes and technology required to reach IT operational excellence.

    The importance of non-technical elements in a successful business continuity and availability solution cannot be stressed enough. The traditional view of business continuity ignores the contributions IT best-practices deliver achieving service Levels (especially, availability and performance).