Are you confident in your ability to restore critical IT services after an outage? Have you identified risks with the potential to disrupt those critical services? Do you have plans, procedures, and the requisite infrastructure in place to mitigate those risks? Based on recent work with mid-size commercial and Higher Ed clients, I have the view that organizations in this class are likely to be exposed to greater risk than they realize.

While some organizations are likely to focus on natural disasters, historical studies have consistently shown that tornadoes, hurricanes, etc. cause less than 20% of data center downtime. The risks to attend to first are more mundane and can be mitigated if not prevented. The other good news is that preparing for these more likely risks often works to limit the impact of natural disasters if and when they do occur.

Here are some risks to look out for, risks we commonly encounter during IT risk assessment and management projects.

  • Backups exist (. . . or so they say): Every client I have worked with in the past few years has been diligent about creating periodic backups of critical systems and data. Many, however, fail to verify their ability to restore systems and data from those backups. In a few instances, the backup processes did not assure the integrity of the databases being backed up.
     
  • Data retention requirements (. . . IT defines those): When the leadership team guides the definition of data retention and recovery requirements based on its knowledge of government and industry rules and regulations, IT can use that information to guide the development and implementation of data management and archival plans. Without the active involvement of leadership and other key stakeholders, IT is left to guess and often guesses wrong. In a recent case, data was being retained for weeks when a multi-year retention was required.
     
  • DR plan (. . . it’s in our heads): Unfortunately, we have found that many mid-size organizations don’t have a formal, documented disaster recovery plan. Inevitably, there is someone on staff who can describe the process for recovering key systems and services. The danger is that the person with the knowledge will not be available when recovery is required. With a documented plan in place, each member of the team has a view of the actions to take.
     
  • SaaS providers (. . . who is in control): We see clients transitioning an increasing number of administrative and support services to the cloud. While this activity can have a positive impact on the bottom line and shorten delivery timeframes, not all providers have the same level of capability and process maturity. Particularly in those cases where end-user departments are procuring these services, organizations would do well to provide enterprise-wide contract guidance that end-users can adjust based on their needs (e.g. data backup requirements, retention requirements, availability requirements, disaster recovery requirements, support service levels).
     
  • Security (. . . when flexibility rules): When access to networks is closely managed via authentication tools and services, the activities of those on the network are occasionally overlooked. In Higher Ed especially, the desire for free access to third-party resources exposes institutions to malware and other deviants. Robust monitoring tools and practices are required, as well as staff knowledgeable in their use.

Identifying and addressing IT service delivery risks in your environment will reduce disruptions and improve end-user satisfaction.

Stay tuned: my next post will focus on common project delivery risks and how to limit them.