Digital transformation is a young discipline. It is a welcome aspect of business transformation, reorganizing and streamlining business processes in order to make existing processes more efficient or to create new processes which would not have been possible without digital technology. I am thinking, for example, of processes like ordering from a web shop, interacting with your city or provincial administration through e-government, or signing an electronic receipt on a tablet computer when receiving a shipment. These processes may have existed in paper form before the transformation or, as outlined above, might not have existed in that form at all.
The base for this evolution is the diminishing cost of electronic computing, made possible through advances in hardware and semiconductor technology, as well as advances in software development and design. Processing, storing, and transporting data has become more efficient and cheaper than ever before.
We are witnessing an evolution away from hard-copy based processes, where people fill in forms and then send them to the next person in the process, repeatedly switching storage and transportation media (paper, fax transmission, copying, reentering and manipulation of data, etc.). If based on an efficient IT infrastructure, these processes can be sped up and provided at a fraction of the cost.
Enter business continuity. Business continuity, a holistic discipline that serves to mitigate the effects of business interruptions through a two-pronged approach of both preparedness and efficient recovery, certainly is an indispensable foundation stone for digital transformation. Apart from some other roots of the discipline, business continuity can be considered to have become an essential business tool when organizations started to process electronic data, some 50 years ago.
Before that era, business was mainly paper-based, all records were physical, and care had to be taken to safeguard the documents in the archive, the records governing all business processes (sales, purchasing, production documentation, worksheets, etc.) and, of course, the bookkeeping ledgers.
I think this was not an easy task, as the risk of losing everything in a fire or flood, for example, was high. You could not simply back up a whole cabinet of paper-based business documents with the push of a button. As a matter of fact, costly mitigation measures were put in place in order to reduce the risk of a total loss.
Where are we today? Depending on the type of business and its innovation maturity, many businesses are on the road to digital transformation. They have evolved and set up IT resources in order to save costs and/or to offer competitive services to their clients. As this is, in most cases, an incremental process executed in small and practical steps, the requirements to safeguard these processes (and their data) might receive secondary or no priority at all. At that point, a professional business continuity approach is needed. While the “b” in business continuity stands for “business,” indicating that all business processes need to be covered, in our context we will focus on the IT aspects. Actually, many people confuse business continuity with IT continuity and are of the opinion that when dealing with the latter, their whole business is safeguarded, which obviously is not correct.
As we deal with digital transformation aspects, let us have a look at the interrelation between digital transformation and business continuity. By now it should be clear that a resilient and solid path to digital transformation necessitates a business continuity approach. Ideally, this transformation process should not even start without considering a business continuity approach. While this is an ideal setting recommended by business continuity specialists and major globally accepted best practices, reality shows that this cannot always be attained. As a consequence, in most cases we have to deal with a situation where insufficient focus was put on safeguarding IT resources and data, thus leaving the IT infrastructure (the base for the digital transformation) in a vulnerable state. In such a case, a retrofit solution has to be applied. We have to deploy a business continuity approach, preferably based on best practices. For example, ISO 22301:2019, the internationally accepted standard for business continuity management systems, can be applied.
This standard serves to guide organizations through their first steps in business continuity up to a degree of maturity where the organization may apply for certification against this standard. Let me first underline two basic principles laid down in this standard: it is crucial to obtain top management commitment for the undertaking before deploying a business continuity approach, and we have to develop the habit of observing the principle of continual improvement within the business continuity approach.
In other words, any implementation or deployment need not even be attempted if there is no top management commitment behind it, and business continuity is not a one-shot attempt which is implemented with a fire-and-forget mindset. From an organization’s point of view, business continuity is a tool to help the organization develop and prosper in a protected way.
So what are the primary phases of a business continuity approach? After obtaining management commitment, we need to analyze the key processes of the organization and their underlying resources. In the so-called business impact analysis (BIA) we need to identify the key products and services of the organization (those which are expected to be continuously delivered to the organization’s customers). Also, we need to get an overview of the interdependencies of key resources within the organization, in our case, an overview of the IT architecture. As this architecture might have become more complex and multi-level, the visualization of the relationship between the different components in the architecture may not easily be obtained, but will be very rewarding in the end.
One of the advantages of this procedure is the identification of so-called single points of failure. These critical elements — for which there are no redundant backups — need to be identified, as their failure would lead to unforeseeable consequences for the operation of key processes. Typically, these single points of failure need to be removed by deploying redundant components, thereby eliminating the threat to the organization. Another key feature of the business impact analysis is to obtain estimates of the accepted length of unavailability of certain business processes (which can be in the range of zero seconds to several hours or days) and, quite important in our context, indications of the accepted data loss (which might well be zero as well). Information derived during the business impact analysis phase is provided by structured interviews with key staff.
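The single-point-of-failure check described above can be run mechanically once the architecture overview exists. The following is an added illustration, not code from the original essay: the architecture, the recovery estimates and the accepted outage time are constructed sample values, and redundancy is expressed as a dependency group that is satisfied when at least one member is still available.

```python
"""Single-point-of-failure check over a modelled IT architecture (added example)."""
from typing import Dict, List, Set

# Constructed sample: node -> list of dependency groups. Members of one
# group are alternatives (OR); all groups of a node are required (AND).
# "shop" needs one of two web nodes AND the single database; both web
# nodes sit behind one firewall; the database lives on one SAN.
ARCHITECTURE: Dict[str, List[List[str]]] = {
    "shop": [["web1", "web2"], ["db"]],
    "web1": [["fw"]],
    "web2": [["fw"]],
    "db": [["san"]],
    "fw": [],
    "san": [],
}

# Constructed BIA figures: estimated time to restore each component, and
# the accepted length of unavailability for the key service (hours).
RECOVERY_HOURS: Dict[str, float] = {"db": 8, "fw": 1, "san": 24, "web1": 2, "web2": 2}
ACCEPTED_OUTAGE_HOURS: Dict[str, float] = {"shop": 4}


def available(node: str, failed: Set[str], arch=ARCHITECTURE, seen=frozenset()) -> bool:
    """True if node is up and every dependency group has a live member."""
    if node in failed or node in seen:          # a cycle counts as unavailable
        return False
    seen = seen | {node}
    return all(any(available(dep, failed, arch, seen) for dep in group)
               for group in arch.get(node, []))


def single_points_of_failure(service: str, arch=ARCHITECTURE) -> List[str]:
    """Components whose lone failure takes the key service down."""
    return sorted(n for n in arch if n != service and not available(service, {n}, arch))


def spofs_beyond_tolerance(service: str) -> List[str]:
    """SPOFs whose recovery estimate exceeds the accepted outage for the service."""
    limit = ACCEPTED_OUTAGE_HOURS[service]
    return [n for n in single_points_of_failure(service)
            if RECOVERY_HOURS.get(n, float("inf")) > limit]


if __name__ == "__main__":
    print("SPOFs for shop:", single_points_of_failure("shop"))
    print("beyond accepted outage:", spofs_beyond_tolerance("shop"))
```

The second list is the one that drives the strategy discussion: a single point of failure whose restoration takes longer than the business will tolerate is exactly where redundancy has to be added first.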
The next phase is the development of business continuity solutions or strategies, based on the results of the business impact analysis. This is one of the reasons why a valid business continuity approach cannot be implemented without a business impact analysis. As already hinted in the previous paragraph, business continuity strategies are designed to provide answers to the range of problems unearthed during the business impact analysis phase. Depending on the severity of the identified shortcomings, a range of business continuity strategies might be identified. It is then the top management’s decision to select one or the other strategy for realization. It is easy to imagine that the cheapest and most ineffective strategy is to do nothing (we accept the risk and live with it). However, in order to provide substantial protection against the consequences of business disruptions, real strategies, which are scenario-based, need to be implemented. In most cases, organizations may opt for a cheaper and simpler strategy in the first place, postponing more effective countermeasures to future business years.
Up to now the organization has only produced documents (analysis and strategy) but is not much better protected than before. In the following implementation phase the protection approach needs to be rolled out. In most cases, this will result in more or less substantial investments in additional resources (e.g., redundant systems), or even a redesign of the current IT architecture. On top of that, plans for potential business interruptions need to be put together. We are dealing with a business continuity team, or several teams, to be summoned at short notice in case of a business disruption in order to execute the predefined steps of the business continuity plans. Depending on the size of the organization, we may deal with a single small team or a hierarchy of teams with different tasks, distributed over several locations.
In the final validation phase, we need to verify that our business continuity approach is actually working. One of the components of this validation concept is to run exercises and tests. These exercises may range from simple table-top scenarios to full-scale realistic simulations of IT outages. Only through continual testing can we gain the confidence that our business continuity teams will operate in accordance with the predetermined procedures during a real business disruption. Another component of validation is a review of the business continuity approach by independent specialists such as internal or external audit.
After having run through these four phases, 6 to 12 months may have passed. During that period the organization may have changed, grown or shrunk, may have acquired another organization, or simply the market situation may differ from when we initially started. According to the principle of continual improvement the business impact analysis needs to be rerun, either partially or completely.
As we have seen, digital transformation, heavily based on IT and telecommunication resources, needs to be properly supported by a holistic protection approach. Without underpinning digital transformation with a solid business continuity approach we are building castles in the air.