Global
enterprises are increasingly vulnerable to disruptions of different kinds. Though
they can’t stop many of these disruptions, with adequate planning they can make
their organizations resilient. For regulated industries such as banking and
finance having massive business impact due to disruptions, business resilience
capability is of utmost importance. For
this reason, multiple U.S. governmental agencies published an interagency paper
on sound practices to strengthen the resilience of the U. S. financial system, http://www.sec.gov/news/studies/34-47638.htm.
This paper suggested that an enterprise’s board of directors should
review business continuity strategies to ensure that plans support the firm’s
overall business objectives and risk management strategies. Regulators also want
banks to provide safe, secure, sound, efficient, accessible and resilient
services.
Recognizing this significant evolution, IBM created the Resilience
Maturity Assessment Framework (RMAF) to help institutions determine their
preparedness. This framework is based on quantifying the business resilience as
an index to measure and improve it further. The quantification includes key resiliency
aspects that are meaningful to businesses. While RMAF provides a strong basis
and broad coverage, we are always considering further enhancements to keep it
relevant.
Business resilience assessments of some sort should be done proactively
and periodically to ensure resiliency capabilities improve and are aligned with
changing market dynamics and regulations. I recommend starting with a limited assessment
scope, in order to realize rapid improvements.
For example, banks could focus on one or two massive-impact business
processes or an associated business unit rather than a bunch of processes or a
large organization. Payments, internet banking, ATM, POS, integrated core banking
services, card issuance and management, and mobile services are examples of bank
business processes.
In IBM’s assessment methodology, we consider six layers:
1) Business
/ IT processes
2) Applications
3) Data
4) Technology
5) Facilities
6) People
To calculate an organization’s resilience,
we develop a resilience model by identifying components. For example, common components
of a typical payment process could be payment application, server, storage and
data/voice networks, email, Data center (DC), offices, IT service management (ITSM)
processes and people. Each component has one or more attributes which describe
various capabilities of the component.
IBM’s methodology also considers substitution
and dependency relationships amongst components to arrive at a more realistic
resiliency model and an improved Resilience Maturity Index (RMI)+.
For example an email component depends on the network component while
the primary data center (DC) can be substituted by the secondary DC
during disruptions. Furthermore, substitution is always qualified with the degree
of substitution.
Once components, attributes and relationships are
identified, the resilience model is complete and attributes are given a score
between 1 and 5 based on standard maturity definitions. Raw component scores
and rationalized component scores are calculated. The rationalized score takes into account factors
like substitution (increases a component’s raw score) and dependency (decreases
the raw score). Eventually, all component scores are mathematically combined to
give the organization’s overall RMI score.
The methodology also helps determine a component’s
impact. For example, if the overall
score increases when an individual component’s score increases, then that
component is said to have a higher impact on the organization’s resilience. This
sensitivity analysis helps prioritize components, which is essential for prioritizing
improvement actions and associated investments.
End to end resiliency
consideration, followed by resilience index determination, sensitivity analysis,
improvement actions and then revising the index calculation form a continuous
resilience improvement cycle. In addition to strengthening the enterprise’s
resilience, this cycle helps document resilience capabilities in a way that can
be reviewed by the board or regulators.
For more information on the
Resilience Maturity Index, feel free to contact me at sambath.narayanan@in.ibm.com.
Many thanks to my guest contributor: Dr. Sambath Parthasarathy,
an executive consultant in IBM’s Systems and Technology Group Lab Services
organization
+RMI is a
patent pending innovation from IBM Research
