Return on Investment (ROI) for IT Resilience
19 May 2016
It’s still Business Continuity Awareness Week 2016 (BCAW) and in our fourth article on this week’s theme, Return on Investment, James Cooke talks about the return on investment for IT Resilience.
It is astonishing that in the digital age, when organisations and businesses are so dependent on IT and when outages are extremely costly and embarrassing, IT Resilience is seen as a “nice to have” by many IT departments. This is often compounded by IT’s wider inability to articulate why the services they provide are anything but a costly utility that needs its budget slashed every year.
With this mindset, any expenditure on risk mitigation is the first item to go in the annual budget: starting with ITDR, then moving through resilience and test environments, and quite often basic IT controls. Unsurprisingly, organisations then find themselves with an unstable IT estate suffering regular outages, which impacts both the bottom line and the reputation of the business.
IT in this scenario is still in a utility mindset, making vacuous “we’ll do more with less” statements, then suffering more outages and leadership team changes, until they find themselves clutching at straws and claiming that the latest IT trend is the salvation to all problems. Panaceas over the years have included en-masse outsourcing, cloud, and off-shoring, all of which have merits, but none of which help IT services’ capability and availability unless implemented in a measured way, taking resilience into account from the outset.
How then do we make the case for IT resilience or even just for IT Disaster Recovery? The key is to work with the business terms to re-set their view of what their IT services represent to them (and IT’s view about their own priorities!).
For most organisations, particularly those that are regulated, have high-throughput transitions and/or provide online services to others, the integrity and currency of their data and the availability of service are essential. If IT services are compromised then the business is compromised as well, and the costs, both tangible and intangible, are immense.
We in IT are often too unwilling to have the difficult conversation with the business, especially when part of the conversation is to make sure the business understands that IT outages and associated impact are a risk to them – it is a risk they need to own. But if they accept that, they quickly see the benefits of stable and reliable IT services and are very keen to invest properly to protect themselves!
It is also a challenge to ‘get what you paid for’ in terms of ITDR capability, even after IT has had a proper conversation with the business about risk and ITDR is funded properly. ITDR solutions, once implemented, sometimes expensively, often do not work, especially when outsourced. This gives no return on investment, as the business will find out the hard way as soon as there is an incident.
IT has to get over a perception that ITDR is boring and invest real time and effort into understanding their environment and applying that knowledge to the solution. It is not easy: it requires an end-to-end view of the IT estate and it requires different parts of IT to work together, often with an incomplete view (keeping repositories like configuration management databases up to date is not always the IT department’s forte!). On top of this, the capability, be it resilience or just ITDR, needs to be governed, maintained and regularly tested, otherwise it quickly becomes ineffective.
Finally, where elements of IT services are outsourced (including cloud), you need the right contracts in place, allowing you to manage the risk and challenge the recovery arrangements your supplier has in place. All too often we see expensive solutions that miss fundamental technical components and considerations, that have never really been tested with IT, and that cannot in this form deliver what they are supposed to. The supplier will often tell you that despite the gaps everything will be fine and they’ll “fix forward”, which is another way of saying “we will make it up as we go along if ever we need to”.
In summary, organisations and businesses that do get a return on investment for IT resilience and ITDR do the following:
- Articulate the tangible and intangible value of IT’s services to the wider operation and success of the business.
- Articulate the risks and their impact clearly to the business, and ensure the business takes ownership of them.
- Take the deployment of ITDR and IT resilience capability as seriously as other IT endeavours and ensure it works through a programme of control, maintenance and testing.
- Challenge outsourcers/cloud providers to demonstrate capability.