E-Business Continuity: 'You've Come a Long Way Baby!'

In the last 10 years, business continuity has broadened in scope, moving from disaster recovery planning to business recovery planning. With e-business, business continuity includes planning for all downtime — for any reason.

E-business is shortening recovery-time objectives (RTO) and recovery-point objectives (RPO), intensifying the trend that started in the late 1990s with business process re-engineering. E-business is changing the way we think about business continuity planning and disaster recovery: full 24x7 operation is now a necessity. Much has changed during the past 10 years, and with e-business, now is the most exciting time for business continuity and disaster recovery planners:

• In the early 1990s, business continuity was positioned mainly as disaster recovery. In the event of a major disaster — scenario planning primarily dealt with major technology failure, power failure, fire, flood or natural disaster — technology (systems, networks, applications, data) was recovered in an alternate location in about three days' time. Most enterprises implementing a disaster recovery plan did so because they were regulated (e.g., banks and other financial services companies), or because they had the foresight to protect critical business processes. Most business continuity and disaster recovery planners spent their time trying to raise visibility in the enterprise to protect enterprise assets — much to no avail. There was a significant amount of apathy toward recovery planning during this time.
• In the mid 1990s, business continuity expanded to include critical work processes. For example, enterprises realized that if impacted by a disaster, it was not good enough to recover the call center technology; without a place to locate the call center itself (e.g., people, workspace). Business continuity/disaster recovery planning scenarios and RTO/RPO remained much the same.
• In the late 1990s, partly in response to year 2000 remediation, enterprises made massive investments in re-engineering their business processes (e.g., implementing integrated enterprise resource planning systems). When conducting contingency planning for year 2000, many enterprises began to realize that if critical systems and applications fail, so does the business process (for example, orders couldn't be taken, and products couldn't be manufactured or shipped, negatively impacting corporate profits and survival). From 1997 until 2000, enterprises invested like no other time before in business continuity and disaster recovery. Critical business processes had RTOs reduced to less than 24 hours — and sometimes just a few hours — and RPOs were often set as up to the point of disaster. The interdependencies between internal processing and outside service providers started to raise the complexity level of recovery solutions. But scenario planning still remained pretty much the same.

Starting around 1999 and continuing today, the Internet and e-business came along, and enterprises began re-engineering their business processes once again — but this time integrating them with customers, suppliers and business partners. This has greatly affected business continuity and disaster recovery. RTO and RPO are shortening again, and in some cases have moved to zero. A zero RTO means zero downtime — 24x7 continuous business process availability. In addition, scenario plans have broadened to take on the new risks of e-business — for example, downtime due to:

• Operational risk (such as the recent Microsoft.com three-day outage)
• Security risk (such as last year's denial-of-service attacks bringing down Yahoo)
• Lack of capacity (such as the spikes in business volumes incurred by Victoria's Secret when advertising its Internet fashion show)
• Application failure (such as the full-day's outage last year by the London Stock Exchange)
• Partner/outsourcer unavailability (such as ISP network failure or links from a Web site to those of partners that are unavailable).

Any downtime risk must be a concern to every enterprise, because any downtime today results in a press event, which could impact the image and reputation of the enterprise.

What does this business continuity evolution mean for business continuity managers? First, it means increased budgets for dedicated, non-shared recovery solutions for e-business applications and systems. Not just increases in the business continuity budget, but increases in the production budget. Business continuity is being integrated into the project life cycle of the business process and applications. Old and new risks are being addressed where they belong — in the business requirements phase of the project, and not as an afterthought after production completion. Furthermore, enterprises that integrate legacy applications with new e-business applications need to review the recovery capabilities of the legacy applications to ensure that they also meet the new business recovery requirements, e.g., the RTO of the legacy application may now be the RTO of the Web application. Second, it means respect for business continuity planners. There is no more justifying why business continuity is important — "it's the business, stupid!"

Enterprises in general are much more organized for business continuity today than they were prior to 2000. Due to the growth of e-business, by 2005, more than 60 percent of large enterprises will have invested in business continuity planning, compared to less than 25 percent today (0.8 probability). However, the majority of business leaders still do not view business continuity as integral to the long-range viability of the enterprise. Therefore, business continuity/disaster recovery coordinators still jump through hoops to obtain funding that may still not be allocated, because to the business leaders, business continuity is an insurance issue. CXOs must realize that without proper planning, they will lose market share to their competitors.

This month's Security Matters! Spotlight delves further into the impact of e-business on business continuity. Fred Luevano provides insight into business continuity trends and organizational issues with details behind a recent survey he conducted (see QA-13-8626, "How E-Business Is Changing Business Continuity Programs"). Roberta Witty covers how business continuity is being integrated into the project life cycle (see TU-13-8386, "Integrating BCP Into the IT Project Life Cycle"). Simon Mingay writes on a critical business continuity topic: whether to insource, outsource or both (see DF-13-5293, "Sourcing Recovery and Continuity Services"). Kristen Noakes-Fry and Anthony Allan bring our readers up to date on available business continuity planning software on the market to ease the creation and maintenance of business continuity plans (see COM-13-6971, "BCP Tools: Your 'Friend in Business'). David Neil and Bob Hafner bring us a technology piece on how to plan for fault-tolerant networks (see TU-13-7964, "Fault-Tolerant Networks: Is There Such a Thing?"). Donna Scott, Jon Rubin and Josh Krischer offer insight into the many data-replication technologies that are used to obtain short recovery time and point objectives (see T-13-6012, "Disaster Recovery: Weighing Data Replication Alternatives").

E-business is blurring the lines between who is an insider to our business and who is an outsider; it is also blurring the lines between what is the production environment and what is the recovery environment. They are one and the same, and require collaborative continuity planning among all interdependent parties. Your feedback is welcome — mailto://security.matters@gartner.com.