“The oak fought the wind and was broken, the willow bent when it must and survived.” – Robert Jordan, The Fires of Heaven
Many businesses are suffering the same fate as the oak mentioned in Robert Jordan’s quote. It’s Jordan’s willow that is standing the test of time thanks to its agility and resilience.
As is true with business agility, business resilience is a much broader and deeper consideration than many typical discussions of the subject.
Discussions surrounding resiliency tend to focus on disaster recovery and business continuity (DR/BC) tactics and tools. However, true business resilience is more than disaster recovery and even more than business continuity.
True enterprise resilience is a strategic focus on maintaining operational integrity and restoring it as quickly and completely as possible after any disruption—planned or unplanned, minor or catastrophic.
ISACA (formerly the Information Systems Audit and Control Association) is a membership organization that provides certifications, information, and guidance focused on auditing controls for computer systems.
Volume 3 of the 2009 ISACA Journal features an article by information security expert John P. Pironti called “Key Considerations for Business Resiliency.” That article provides both a comprehensive definition and a significant caveat for those pursuing business resilience (or resiliency).
“Business resiliency is the maturation and amalgamation of the individual processes of crisis management, incident response, business continuance and disaster recovery into one succinct set of processes and capabilities that work collectively, instead of independently.
This combination allows organizations to have minimal disruption in the event of a business-impacting incident that affects the entire organization, instead of focusing on incidents that involve specific information infrastructure areas.
“When evaluating these capabilities, it is important to understand that they are only as effective as the proactive planning and considerations that go into their development. Too often, planning accounts for only the most obvious considerations and does not incorporate crucial and essential considerations that have a greater effect on the business.”
Resilience defines the bottom line
As the ISACA quote above states, resilience includes multiple other elements beyond DR/BC. Despite the inclusion of BC in the description and intent of most DR/BC plans, these tend to focus on DR and IT.
True resilience, however, focuses more on the needs of and effects upon the business.
The goal of true resilience is to enable the business to avoid threats, disasters, and disruptions, and to recover rapidly and seamlessly from those that cannot be avoided.
A specific focus area for resilience plans and strategies is the availability of essential IT and business services. Small-seeming differences can mean a lot.
For example, the difference between 99 percent availability and 99.9 percent availability is the difference between just more than 10 minutes and 1.68 hours of downtime every week. Most IT service level agreements (SLAs) focus on availability levels of 99.99 percent, or “four nines,” and 99.999 percent, or “five nines.”
These differences merely hint at the range of options available to those seeking to balance availability with cost, since higher availability almost always requires higher investment in infrastructure. IT decision makers are often significantly challenged by the need to associate costs with availability levels in ways meaningful to their business colleagues.
This challenge is a primary driver behind the growth of enhanced reporting and “chargeback” and “showback” features in IT infrastructure and service management offerings.
However, these can only improve the presentation of relevant information. They do nothing to make the underlying infrastructures and the services they enable more available, resilient, or robust. Such features can and should be included in resilience strategies and solutions, but they cannot and should not stand alone.