Meta Report: Ignoring Business Impact Analysis Invites Disaster

By Al Passori


META Trend: By 2002/03, regulatory pressures will force more than 30% of Global 2000 firms to adopt a formal risk management (RM) model such as COBIT (Control Objectives for Information and related Technology) or CRAMM (the UK government's Central Computer and Telecom Agency Risk Analysis and Management Method). By 2005, more than 40% of G2000 firms will adopt RM and a balanced risk/reward reporting process, improving portfolio investment decisions (build, buy, retire, table, postpone) based on defined and accepted RM analyses.

Our research shows that approximately 50% of Global 2000 companies have a credible disaster recovery (DR) plan that is up-to-date, tested, and executable. That percentage is growing, and the events of recent months have focused senior management interest on DR (data center focus), business continuity planning (BCP; work-area recovery focus), and "homeland security."
These events, as well as the resultant publicity and awareness, are making it easier for CIOs to sell the importance of DR to the executive committee. And therein lies the paradox of having an easy sell - access to funding and resources is readily available, but no clear process exists for deciding on what risk controls, contingent strategies, and recovery plans should be funded.

Many CIOs fail to conduct a business impact analysis (BIA) to determine the effects and consequences of loss events by first assessing the company's business requirements. We believe that more than 50% of G2000 CIOs are overinvesting in DR capabilities or, more commonly, allocating costly IT resources and investments in the wrong areas.

During 2002/03, we expect 80% of G2000 IT organizations (ITOs) to re-evaluate their DR/business continuity plans. By 2004/05, risk and security strategies, operational availability models (technology and process), and DR/BCP will overlap. Near-time proximity recovery techniques will appear in 40% of G2000 ITOs by 2006.

By 2005/06, we expect public-sector CIOs to establish comprehensive security architectures across their jurisdictions, facilitating data sharing that supports both physical and digital security requirements driven by federal, state, local task force, and post-September 11 terrorist-response initiatives (e.g., National Infrastructure Protection Center - www.nipc.gov/).


Increased DR spending continues to be fueled by growth in total computing power, extension of DR provisions into traditionally unprotected environments (e.g., distributed/departmental computing), and growth in "supercritical" applications (real-time, 24x7 business systems). This last group (ERP, CRM, and Web-based transactional systems) typically requires the most costly DR solutions (e.g., full failover employing disk-storage mirroring for high-availability [HA] consumer-oriented applications).

For organizations seeking thoroughness, these HA applications blur the boundaries of the DR budget (along with other factors), because HA provisions are operationally necessitated and are not universally related directly to DR initiatives. By 2003-05, we expect 70% of HA replicated solutions to properly become part of the normal operations (versus DR/contingency) budget and simply the "cost of doing business" paradigm.

BIA Study: Getting Started
CIOs should enjoin their line-of-business (LOB) colleagues to consider the potential business impacts of a disaster. The CIO should adopt an enterprisewide BIA process that will do the following:

CIOs should consider the following DR/BCP risk management (RM) approaches:

CIOs should address DR/BCP needs by conducting a BIA study and taking action to mitigate the IT risks (threats/vulnerabilities) that can cause a disastrous event or extended system outage.

Business Impact: CIOs who fail to conduct a business impact analysis risk overcommitting or underinvesting resources in disaster prevention and contingent recovery operations.

Bottom Line: Savvy CIOs address disaster recovery requirements by leading with a business impact analysis to balance risks with the cost of disaster prevention/mitigation controls and contingent solutions.

META Group of Stamford, Conn., is a leading research and consulting firm, focusing on information technology and business transformation strategies. For more information, visit MetaGroup.com.