On the agenda

New governance rules bring business continuity to the boardroom.

By Pam Sykes
Johannesburg, 21 Jun 2010

The updated corporate governance requirements in the King III report set out four key focus areas for IT governance: strategic alignment, value delivery, risk management and resource management.

Disaster recovery and business continuity are explicitly mentioned as risk management elements; if they've never been an item on your board agenda, your governance may be open to question.

“Today's investors are very risk-averse,” says Ansophie Strydom, GM of marketing at Continuity SA. “There may be no legal obligation to comply with King III, but if you want to attract the right investors, you will be forced to have plans in place that can withstand scrutiny.”

If your business continuity planning doesn't involve the head of risk and the head of finance, it won't deliver what the business needs.

Bryan Balfe, business development director, CommVault

One of the great steps forward is that IT governance needs to be led from board level, not just left to the IT department. “The business has to give IT a clear mandate,” says CommVault's business development director Bryan Balfe. “If IT is left to go off and do its own thing, you will inevitably have problems. Vendors try to sell all sorts of things by banging the compliance drum, but the problem is: compliance with what? The business has to make its own priorities clear.”

The business continuity plan and process can be run by the CIO, agrees Dimension Data's Samresh Ramjith, but not alone: “The CIO needs the blessing of the board to pull it all together across different divisions of the organisation and even across geographies. IT can build a systems-level plan, but not a process-level plan. For that, the business needs to get involved.”

And yet, says Balfe, inter-disciplinary involvement in business continuity planning is very rare. “At most of the places we go, the conversation is led either by a vendor or by IT. In the past six months of attending three or four meetings a day, I've only been at two meetings where there were business people in the room who both understood the context and had input that was respected by the IT people.”

The bottom line, says Balfe, is that “if your business continuity planning doesn't involve the head of risk and the head of finance, it won't deliver what the business needs or wants. IT people aren't psychic - if they try to go it alone - it leads to a train-smash. But the people who get the partnership between the business and IT right are the ones who are building efficient businesses.”

Andrew Stekhoven, MD of Escrow Europe SA, says taking a business-eye view of continuity needs can lead to very different decisions. “When business people look at any particular technology, the critical question is: what revenue stream does that technology support? That very quickly makes it clear which systems are critical and which are not.”

Stekhoven's company specialises in protecting organisations against the seldom-considered risk of critical software becoming unavailable because something happens to the supplier: an insolvency, a takeover or a decision to no longer support your version of the software, for example. Escrow Europe provides what Stekhoven calls “additional continuity of use warranties” - essentially, it requires that the software's source code be placed in trust, to be released under specified conditions if some kind of disaster happens.

“It's like having the key to the fire extinguisher in a glass box,” says Stekhoven. “Chances are, you'll never need to use it - but if that chance does happen, it better be there.”

Software escrow offers the additional advantage of giving clients a source of leverage over their suppliers when all else fails. “We had one client whose payroll system wasn't working properly, and they couldn't get the supplier to do the necessary maintenance of the software. So they put in a formal request for the code to be released, and suddenly their supplier was all over them like a rash. They got everything they had been asking for. A tool like this can focus the mind very sharply.”

One software problem an escrow agreement can't solve is that of legacy systems only a few people still have the knowledge to run and maintain. “It's becoming more and more difficult to find admins who can manage older systems,” says Adrian Hollier, channel manager for Comztek. “Sometimes the most critical people are way down the food chain, and if you don't have a clear succession plan for them, you're in trouble. It's not the case that somebody can just pick up a manual and take over, because most of the time there's little or no documentation. You should never allow your organisation to reach a point where it can be held to ransom by one or two key individuals; systems do need to be updated.”

Not everyone can adopt everything, of course: each organisation has different needs, quite apart from the budget constraints. But even the tightest budgets are no excuse for ignoring the problem. King III is helpful here, with its “adopt or explain” approach: if you don't adopt the guidelines, you'd better be able to explain why.