Transcript of Episode 2 - What is Business Resiliency
Episode 2 – What is Business Resiliency?
with James Hilliard
This transcript was first posted on the Connection Community
For organizations that suffer a complete catastrophic event, a true disaster, 40% of them will never reopen. It's end of business.
So, what can your organization turn to and rely on to avoid being such a statistic? Well, Connection's Senior Director for Data Center, Kurt Hildebrand, would argue you need business resiliency. Hey folks, welcome to another podcast from Connection. I'm your host, James Hilliard. Kurt, we just heard the stat. We don't want to go out of business. You are going to give us this deep dive into what BR, business resiliency, is. Let's start with your official definition.
So, James, business resiliency is something that we at Connection created. It's a kind of an overarching or umbrella term, which encompasses what is typically known out in the industry as business continuity and disaster recovery or BCDR. And the reason we created business resiliency as a term to you know, kind of provide the umbrella over those two really separate and different domains is, well, for a number of reasons, but primarily due to trying to alleviate customer confusion. Right? So BC, or business continuity and DR or disaster recovery, first of all, it's a mouthful to say. But secondly, I don't think the definitions of these terms really out in the industry are very clear.
There are some standards organizations that have created some definitions around these, but we find in our conversations with customers, that very, very frequently either the terms themselves are misunderstood or sometimes they're even conflated, like one being exchanged for the other. What we're really trying to do, we've been working with customers on business continuity and disaster recovery solutions for many years. And we've kind of seen it all. You know, we've seen all the different ways that customers go about this. We've seen ways that it succeeds and ways that it fails.
And we've had to coach a lot of customers to kind of get them over the hump of understanding how to approach BC and DR as a holistic concept, strategically. And from all of that experience was born BR, or business resiliency. Kind of the light bulb moment went off for us, you know, internally a couple of years ago and we realized hey, BC and DR, yeah, they're two separate things but they're part of one bigger thing. And that bigger thing really is targeted at, how do I make my business or my organization resilient in the face of whatever kind of adapting threat, change or adverse event that could threaten the organization.
So, this idea of it being an umbrella, we're not replacing the terms business continuity, disaster recovery, they fall under business resiliency. Who are you targeting with that message? Are you talking to the C-suite or are we talking to IT? Are we talking to line of business or are you talking to all three, getting them in the room and saying, "Hey, this is a thing for all of us. Business continuity, we all need to remain in business." So, you're trying to talk to all of them and say, "This will bring us all together."
You're spot on in kind of where you're headed with this, which is business continuity tends to speak more to the business level of the organization, the- the business decision makers, right? The C-suite, the senior executive, the director level, whereas disaster recovery tends to fall more on the IT organizations themselves and then also, the facilities and the department leads, the- essentially, the management up to the director level of the organization because those are the folks that actually have to execute on a disaster recovery plan, you know, when that unfortunate time comes. So, this is part of the confusion that we've found that customers are going through, which led us to create business resiliency. Which is that it's- it's two different programs and inherently two different audiences.
But to your point, everyone needs to be concerned about business resiliency. And so, sort of understanding where BR, as an example, kind of fits in to that bigger picture. That holistic business resiliency strategy I think is very helpful for particularly the IT department or, you know, the other more operational members of the, you know, let's say emergency response team. But also, we can't forget about that strategy. That business continuity strategy which is what ultimately maps out what parts of the business. What services, what functions, what processes, and ultimately what personnel are important and need to be protected.
So, I kind of, sometimes when I give these talks I kind of return for to it as, you know, it's like peanut butter and chocolate. They're both delicious, but you know together they're almost irresistible. So that's kind of how we look at BC and DR. We kind of try and bring them together. And the way that I define BR, you know, the dictionary definition, if there were one of BR, would be the functional state of an organization which is characterized by a holistic approach to preparing for, recovering from, and adapting to threats and challenges in an ongoing lifecycle methodology. And that lifecycle piece is kind of the- the secret sauce. That's kind of the critical component of how we at Connection look at BR and how we're trying to help our customers get into approaching business resiliency as a lifecycle.
And I want to get into that because what I'm hearing from you is this another one of those journey stories. It's not a project that starts and then has an end. And, "Hey, we're done. Pat ourselves on the back. Move onto the next one." This is a- a way of conducting ourselves. And then we'll come back to that in just a moment. My big question. More of an enterprise push? Is this for SMB’s as well? Does this have any vertical limitations? Who is and who needs BR?
All organizations need business resiliency to a certain degree. But I think there certainly are different approaches which are going to be better fit for a small to medium sized business. Mid marketing to the enterprise and then a large enterprise organizations as well. And certainly, from a vertical perspective, and in different industries different vertical industries certainly have wildly different requirements when it comes to business resiliency. You know, a software company that's running the majority of their, you know, IT infrastructure in the cloud, and has a very versatile remote workforce is going to have a very different business continuity and disaster recovery strategy than, for example, a manufacturing organization that has physical plants full of equipment.
And let me give you a statistic about why organizations need business resiliency. For organizations that suffer at a complete catastrophic event. A true disaster that really takes their systems is completely down. That puts their business out of commission for a period of time. For those organizations that suffer that complete disaster, 40% of them will never reopen. It's end of business. But for those same companies, the ones that survive that initial outage, a further 25% of them will be out of business within the next year due to reputation. Due to the financial costs. And after three years, 80% of those organizations that suffer that catastrophic meltdown type failure are out of business. Only 20% will actually survive. So, business resiliency is pretty important. And, you know, business continuity and disaster recovery work together to create that resiliency. But what we find is that customers, in many cases, are disconnected. Their siloed in their approach to BC and DR. And that's why in many cases their BC and DR plans aren't functional when they need them.
You've got silo's as you mentioned. Also, one of the things that I've come to recognize. And my conversations over the years about this topic area is the need for something. And so- so let me ask you here. How custom, how unique is a business resiliency plan? I can only imagine that if you've got five different companies, you might have five different approaches to business resiliency. And it leads me to then ask, if that's the case, how do you and team go about going in, surveying, auditing, checking out, seeing how someone is set up, and then knowing how to guide them, and where to guide them.
Yeah, that's a great question. And, you're right, you know, to a certain degree. We believe, Connection’s philosophy certainly is that every customer situation is unique. However, there are common strategies that can be employed, that work very well. Particularly within, let's say a particular industry vertical. It's a matter of putting them together in the correct configurations to meet that specific customer's unique challenges. But the one thing that's very consistent that we find is the program. The overarching program. The specific technologies make differ. Right? Under the hood. Whether we're protecting application A with a cloud backup scenario, and application B by replicating it to a remote site. But the methodology of getting to the point where we are implementing the correct technology, or the correct workload, and protecting it in the- in the, in the way that is in alignment with that particular business’s requirements. That's the same.
And- and that is our methodology that we employ for customers to take them through what we have developed as a five step, or five milestone approach to taking a customer from zero to full BR. A functional, implemented lifecycle strategy of protecting the business. Not just at a point in time, but indefinitely into the future.
Let's break down. What are those five kind of checkpoints?
Sure. So, we take business resiliency first, and of course, we split it into two main halves. Business continuity and disaster recovery. Then within business continuity we have two major milestones. First, we take a customer through a business impact analysis, or sometimes also known as a business risk analysis. So, the purpose of the BIA, and this is a very important step that a lot of customers maybe don't give sort of a sufficient emphasis to. But the purpose of the BIA is to first take that sort of internal accounting, to take that inventory of what are those critical services, functions, processes, and personnel, that ultimately need to be protected. By going through a BIA, a customer can avoid, you know, essentially under-sizing or over-sizing. Under-scoping or over-scoping. Their ultimate disaster recovery plan. So, the BIA first takes that accounting and it defines what are my business-critical services, and what risks are they exposed to? And what impact will they have, quantifiably in terms of dollars and cents. In terms of loss of reputation, or regulatory requirements. Quantifying those impacts of the loss of those services to the business.
So, the second step to business continuity is to actually create that business continuity plan. Now a business continuity plan is an actual document. It's a strategic policy setting, and program creating document. It's a living document. And it describes the, in broad terms, based on the outcome of that BIA, or business impact analysis. It describes what are the critical business services and to what level must they be protected? And based on that sort of strategic, or executive level, definition of what the business continuity plan must be, or program needs to be. That business continuity plan provides the definitions for what will later become the disaster recovery plans and procedures for the organization.
So, with that business continuity plan in hand, we can now take those policies. Recovery time objectives, recovery point objectives, service level objectives, and so forth. And we can now start to translate them into a specific disaster recovery design. And the disaster recovery design is in fact the first of the three steps of the disaster recovery half. So, we take the outcome from our business continuity exercises, and we now start to put pencil to paper and we design out specific systems. But not just systems, also alternate work locations, organizational structures, emergency response teams. All of the things that are not necessarily IT related, or not even technology related. But then none the less, these are the requirements for actually implementing a successful disaster recovery.
So, we map out all of those elements that will be required for disaster recovery, and the disaster recovery design phase. Then we can actually take that design and we put it into- into practice. So we implement an actual disaster recovery plan. The disaster recovery plan, like the business continuity plan, is a document. It's a living document, and it's a much more detailed and specific document which maps out the actual procedures. It is a run book for what to do in the event of a disaster. Team by team, system by system, department by department, and so forth. In addition to that, we implement the actual systems. All of those elements that will actually need to be used in the event of a disaster.
Finally, the fifth and final phase of the business resiliency roadmap, and the third and final phase of disaster recovery, is disaster recovery management. So, this is probably the one thing that customers forget the most about disaster recovery. Is that the funny thing about it is, it can't possibly be a one and done. Because as soon as we implement the disaster recovery plan and strategy, practically it's kind of like how a car loses value the day you drive it off a lot. You know, practically the day that you implement your disaster recovery plan it starts to become obsolete.
New threats, merger and acquisition, any number of things that can happen in the business climate, the economy, everything is organic and dynamic and changing.
Correct, yeah. Your business isn't static. It's, right? And neither are your systems. Your users aren't static. And so, and to your point, the environment is constantly evolving as well. And so your disaster recovery strategy, and your business continuity strategy as well, inherently has to be in a constant state of evolution in order to account for your changing business and the changing environment as well. And that's why disaster recovery management is an ongoing lifecycle methodology. It's so critically important to be in one of those 20% that survive the disaster, and then go on to survive and even thrive as a business long-term
Included in as part of that disaster recovery management. Is that then the testing, the not only theory kind of testing, but maybe even putting people through the paces. I know that there are some organizations out there, in terms of disaster recovery, will even do dry runs where someone from IT might come in and just pull a plug. (laughs) Obviously they might not be doing it on production. They're not doing it during the craziest, busiest part of the year. But they really put the people through the paces to see how are they going to react when now given the news, that they have to do something to the network, or they need to replicate things over to another location, or what have you. Is that part of the DR management now?
Right, and probably the most important part of the DR management, you know, portion of the lifecycle is that continuous testing, validation, and refinement of the DR plan itself. And you know, I can tell you in my experience, I've been, you know personally, I've been consulting for customers for nearly 20 years in disaster recovery and business continuity. You know, collectively my team of engineers and consultants, we have decades of experience. Probably over a century of experience. And I don't think any of us have ever seen a DR plan work perfectly on the first try. It just doesn't happen. Actual human beings have to have been trained, have to know how to operate. And think about this. Folks are gonna have to be doing this under duress. This isn't you know; this isn't like a migration that we get to plan for, and we get to do it on a weekend. This is the hurricane is coming. (laughs) Right?
So, you know, it's just the- it's one of the most challenging things in the world. And it can be done. And we've done it for many customers. But the thing is that the customers that do this successfully, they're successful because they implement, they test, they find all the holes, they find all the bugs, they fix them, they test again, they find a few more, they test again, and they never stop testing. When that event occurs, you know, everyone has that muscle memory. It's just like another test. We're just gonna run through the sequence. We do it twice a year. We just do it again, and you know, ideally everybody- everything comes true.
Before we wrap up here, and get into ... The final thing I want to talk about is kind of how people can get started working with you and team. But before that, a team that adopts business resiliency as an overall idea, and then goes through these steps to get their business continuity plan in place. Document the disaster recovery plan and design and all that. Who owns that? Who are you seeing today owns that? Is that an IT job? Is it an executive? Again, is it back to a team? Is it a group of people? What's a best practice there for really being able to own the idea of business resiliency and shepherd it through?
Yeah, that's a good question. And, it also kind of the answer to that question kind of gets back to the point I made earlier about how there are silos that tend to develop in an organization once it reaches a certain size. A silo is between business continuity and disaster recovery. And typically, there are different business owners of those two different concepts. Usually for the worse. Because, you know, unfortunately what- what we see is when customers come to us, many times the BC or DR initiative will be driven by either the business stakeholders. That is to say folks at the senior executive level. And they're- and they're coming in, they're coming to Connection with a business continuity request. Right? Not necessarily DR. In some cases, they're not even particularly concerned about DR.
Or, we're seeing customers coming with us with a DR request, which is coming from IT typically speaking. And IT is concerned with protecting information technology systems. And they're not particularly concerned about, you know, documentation and strategy. And definitions of objectives, and all of these things which are more BC level concepts. And this is really the biggest problem that we see, and one of the biggest reasons why we are creating business resiliency as a concept to include both BC and DR. Because inherently if an organization is only focusing on BC or DR, then it's almost certain that- that the BC or DR plan will not be sufficient when the company needs it.
Or, when BC and DR are both being accounted for, but are being led by different teams. And those teams aren't necessarily working together under one holistic vision. The requirements can be out of alignment. And so when those two houses are kind of out of alignment, ultimately something's not going to work properly. And so, you know, what we are advocating for is that either ... And I think that more and more customers, more and more organizations are starting to acknowledge this that either there needs to be a business resiliency owner within the organization that has oversight over the entire business continuity and disaster recovery strategy. Even if those two initiatives may still be led by different teams. But someone needs to be rationalizing that.
Or, a company like Connection can sort of be that point of rationalization for customers as well. And sort of be watching both sides of the house, ensuring that, for example, by following the side step methodology that I've articulated earlier. That everything comes together in the end as a holistic vision.
How do people get started?
So, what we would suggest is if you are the business owner of a business continuity initiative, let's just say. Or if you're an IT director, a manager, or someone, CIO, you know, someone in the IT organization that's being tasked with a disaster recovery initiative. What we would suggest, and what we- what we try to strongly coach our customers to do is to try to reach out internally within their organization and find out if there's a bigger picture strategy at play. And ultimately what we would like to do, what we would like to see customers do. To have them identify what elements of the five step methodology that I've described. They may have already conducted. What pieces of the puzzle are already in place? And start to just fill in the gaps.
And of course, Connection can help customers no matter where they are in their journey. Right? Whether they're starting from square one, and need to make their way down the path. Or whether they've already completed some of the elements of the journey that we would recommend to them. In which case we can just help them fill in the blanks. But really, the biggest thing that we would want customers to do is to take inventory internally. And whether you're living on the business continuity side, or whether you're living on the disaster recovery side, or maybe you even have some elements of visibility to both. Keep both of those houses in mind, and how they play into the bigger picture, which is the resiliency of the business overall. And try to identify where those initiatives need to be developed in order to fill in that complete picture.
Hey, Kurt, I've enjoyed hearing about this business resiliency plan and get an idea. Overarching umbrella idea includes the business continuity, the disaster recovery, those ideas we're familiar with. But really connecting it all and trying to make sure that we've got something that's very cohesive. Something that people can follow. And then again, we played into this idea that's an ongoing journey.
Folks, if you've enjoyed listening, we hope you have. If you have more questions about the idea about business resiliency then we definitely invite you to talk to your account manager. You can schedule time to have these conversations. Then we, as needed, can bring in Kurt and his team to chat with you as well. On behalf of Kurt Hildebrand and the entire Connection team, we are going to wrap things up at this point. Again, my name is James Hilliard. Thank you so much for listing and we do look forward to connecting with you down the road.