e-continuity(tm) - A new age and new demands?
Earlier in the year, 'e-continuity(tm)! - A corporate lifeline for Internet operations' introduced the concept of ensuring continuous availability for Internet operations to readers of this publication. The question remains what new demands - if any - the Internet age poses for 'traditional' businesses as they ensure continuity for e-commerce operations. And, more importantly, how should they be addressed?
Areas to consider include:
- The relationship between business continuity planning (BCP) and disaster recovery (DR)
- The changing business model
- The risks of 'e'
- The new approach to BCP and DR
- The technical difficulties
The relationship between BCP and DR
Historically, most BCPs reflected a slow moving business environment with no great or dramatic changes to the plan or the process. But when the decision is made to move from 'bricks' to 'clicks', will the old model for BCP still work in an environment where the Internet moves at the speed of light? Technology is different, working practices are different - or are they?
For any 'traditional' company moving onto the Internet (rather than start-up dotcoms), all of the 'old' principles still apply. There may be changes, but they are not as dramatic as may be imagined. The basic approach to BCP doesn't change. A move into e-commerce is not carte blanche to throw away all learning applied thus far; it just needs to be applied to a new set of risks - and therein lies the fundamental change.
The changing business
As recent years have demonstrated, new technologies force or permit change. For example, computing in the workplace has become ever more prolific, resulting in widespread automation and the ability to transact in ways previously unheard of. Allied with advances in telecommunications, our world today is one vast network. We have ATMs and phone banking in order to manage our finances and obtain cash; pagers and mobile phones deliver the ability to manage mobile workforces; laptop computers and modems have made the ability to work from variable locations reality; faxes and email allow us to conduct business with greater speed and immediacy.
Risk Management and DR coped with these, so what is the difference with the current set of changes?
The risks of 'e'
Some developments associated with 'e' that should be addressed include:
- Internet business is much more transparent to customers.
- Volume of business could 'rocket' beyond control; consider the experiences of Egg (Prudential) and Cahoots (Abbey National), who both fell foul of under-anticipated demand.
- Data security is a major issue.
The new approach to BCP
- The 'Snapshot' approach to Business Impact and Risk Assessment.
Because things move at an accelerated pace, the long-term risk and impact analyses familiar to more traditional commerce cease to be an advantage. Take a snapshot of the business, apply 'known' risks and make judgements based on those; you probably will not have sufficient time to get too detailed.
- Technology is likely to play a much greater part, so take an integrated approach to systems, ISPs, telcos, 3rd party suppliers / maintainers, etc., to ensure seamless operations. Additionally, their risk management processes should be interrogated to ensure they cannot undermine the business.
- Upstream suppliers may play a more significant role - doing things for you at unsocial hours or days (e.g. Simply Computers' busiest transaction period is Sunday afternoon). E-business may differ significantly from its offline counterpart and the BCP must reflect this.
BCP needs to provide implementation services to put the suggestions and observations into action. The key change is to keep the plan (and risk assessments) up to date with the changing business.
The new approach to DR
1. The old "24 hours will do"
2. The "we need this in 4 hours"
3. And the "if this ever goes down we've had it"
Evidently different elements of the e-business have different functions and therefore levels of criticality, and an e-continuity(tm) approach to DR will include a combination of solutions to address the levels identified above in an integrated way. These may include:
- Traditional 'hot fixed-site' disaster recovery or mobile services
- High availability - ensuring maximum uptime, rather than minimum downtime
- Continuous availability - delivering no downtime whatsoever
- Hosting / co-location - a view needs to be taken if any of the equipment/site/services are 'hosted' or co-located in terms of DR provision. What measures are in place or can be put in place, and is your recovery provider in a position to assist? Bear in mind guarantees are worthless (would you buy a parachute with a guarantee?), but proven performance counts. The evolution of the business continuity industry is such that host, network performance & access, data and server resilience may all be enhanced.
- Site monitoring - in the e-world, forewarning of impending or actual doom becomes more valuable than ever before. You need to be continuously monitoring your site's availability, its 'look' and its performance.
- Security reviews - Security over the web is an often-raised and tangible issue. PKI, file and folder encryption, firewall security, intrusion detection, door-rattling attacks and inside jobs are but some of the issues that will need to be addressed as part of an e-continuity(tm) recovery process. Elements of such a solution could include simulated hacker attacks and penetration testing; crime prevention consultancy; and implementation services.
The technology challenges
Appendix A: Ten Tips for Business Continuity
- Consider the effect of a corporate e-culture on your business. However big you think the task and impact on your current workload may be, think again. If you want your e-commerce investment to deliver to its full potential, the efforts required will be much, much bigger and many times more expensive than your initial estimates.
- Consider the Information Security implications of introducing e-commerce into your business. Perimeter security is not enough; you must assess all points of threat and address each of them individually. You must also look for the early warning signs which usually precede an 'attack' of some description.
- Know your ISP; it does matter. Continually re-assess your ISP to ensure that your website has the best route of access to your target market, and that your ISP is operating with good Risk Management practices. Don't rely on fine words or glossy publicity materials; ask for proof.
- Know what can cause your Internet presence to disappear and when it has. Make yourself aware when your web site is not available to the Internet or when it has been modified; don't wait for your customers to tell you.
- If the impact of failing to deliver service from web generated business is catastrophic, devise a means of assessing the 'reliability' of all of your 'upstream' dependencies. Your suppliers, 3rd parties and other companies on whom you depend to fulfil your customer service expectations must be operating to the same standards, timeframes and quality as you. Demand proof that they are - consistently - and that it is an ethos.
- Equip your company and its suppliers to cope with dramatic growth. Expect the best performance and align your technology accordingly! Ensure that your systems are truly scalable, ensure that your suppliers have the scope to deliver, and ensure that your systems won't be undermined by the need for significant amounts of manual input during the fulfillment process.
- Having made the investment in e-commerce, anticipate what the impact on your organisation will be if that particular route to market becomes unavailable. Undertake and maintain risk assessments on your business as your business develops through use of the Internet as a market. Put in place the appropriate measures to protect ALL of the key elements which would have the greatest impact.
- Assume that the worst will occur - your site will disappear, or become overloaded - and decide what your response will be. PLAN! Plan to address the PR and Brand issues that may be raised. Plan to provide the highest quality customer service - even if not business as usual. Plan to regenerate a presence of some description, somehow, on the Internet.
- Be aware of laws or controls imposed on e-commerce. Take the appropriate advice when you set out on any Internet related business to ensure that you are not offering or delivering anything in contravention of any current laws.
Copyright Guardian iT Group 2000
More details can be obtained from:
or by calling 0500 855311.
Shields is also vice-chair of the CSSA's Business Continuity Management Group, a member of the Disaster Management Forum's Advisory Board, and was instrumental in kick-starting the Business Guide to Continuity Management.