Housekeeping: slight name change
thanks for reading.
Developing business continuity strategies and embedding business continuity processes into an organization's procurement process can enhance the organization's ability to actively assess and monitor vendor capabilitiesGoing farther, Mr. Sikich also talks about possible implementation strategies and approaches, proposing a phased implementation of 5 phases:
* Phase 1: Assessment & Vendor Continuity Questionnaire -- deliverable: letter report with executive summary that will include discussion and recommendations based on the results of the review of essential elements of analysis (report)In conclustion, the author exhorts senior management to:
* Phase 2: Procurement Integration (vertical/horizontal) -- deliverables: procurement management system, vendor business continuity management program and plan integration criteria guide (tools); and procurement management system, vendor business continuity management program and plan integration criteria guide training program materials (knowledge transfer)
* Phase 3: Monitoring & Enforcement -- deliverable: procurement management system, vendor business continuity management program and continuity plan integration criteria guide maintenance criteria (sustainability)
* Phase 4: Sustainability -- deliverable: periodic metrics, event response reports
* Phase 5: Maturity Model Evaluation -- deliverable: metrics for maintaining the process, change management procedures
"Using their status as Âleaders, senior management and board members can and must deliver the message that survivability depends on being able to find the opportunity within the crisis."and makes a claim, quite credible in my opinion, that:
Market research indicates that only a small portion (5 percent) of businesses today have a viable plan, but virtually 100 percent now realize they are at risk. Seizing the initiative and getting involved in all the phases of crisis management can mitigate or prevent major losses. Just being able to identify the legal pitfalls for the organization by conducting a crisis management audit can have positive results.The forum for the article, published in Supply & Demand Chain Executive magazine, is also one of the primary targets for business continuity efforts. It would seem; however, that it is also a more narrowly focused audience than the subject of overall risk management and business resilience. Clearly lessons and thoughts expressed here can be applied over the whole enterprise, not just the procurement process.
At the tactical level the focus is generally on event response and mitigation. The focus at the tactical level should be on response and mitigation while the need at the tactical level is for support from the next level (grand tactical). At the grand tactical level, the focus should be on support for the tactical response.
Additionally, at the grand tactical level the focus should be on the prevention of cascade and containment of cascade effects on the organization. At the strategic level the focus should be on management oversight, coordination and facilitation of restoration of services. It is important to note that a key element in this vertical and horizontal process of detection, classification, response, management, recovery and restoration is seamless communications. Seamless communication is based on the adoption of common terminology and in the functions represented at each level.
A good diagram is also presented. It would interesting to see organizations model the interactions between tiers not just on a formal level - similar to ones in the article, but also on business process, product, or supplier-specific level. The charts could look something like this for vendor X:
As a result of the closing of the frontier, several significant changes occurred. As the availability of free land was basically exhausted ... At the closing of the frontier, we entered a period of concentration -- of capital, as with monopolies and trusts -- and of labor, responding with unions and cooperation.
Viewing the software-as-a-service market as a major new-growth industry, IBM is offering a package of services and incentives to help software companies and channel partners deploy their products as hosted applications.
For starters, SAAS goes beyond the now well-understood Application Service Provider (ASP) model. ASP implies that an application, usually one which covers at least one complete business process, is hosted by a service company rather than an internal IT department. From a computing perspective there is often little difference. After all, most large and medium-sized companies today have widely distributed IT deployments and most users do not know whether the web application they are using is coming to them from a data center 3 floors above or 3 thousand miles away. So what does it matter whether someone else is running a web server instead of your organization? Better organized resiliency programs certainly take this outsourcing into account when creating plans, treating ASPs as critical vendors as much as someone else supplying financial data or iron ore might be.
SAAS is a slightly different beast. One can think of an ASP provider as an implementation of SAAS, providing that "service" in SAAS in fairly large and monolithic chunks. But it need not remain that way. What if a SAAS provider is someone like former hitbox, providing a very specialized service of web analytics, or qualys continuously searching your network for vulnerabilities. In both cases, data might be downloaded and analyzed by a tool hosted by some other 3rd party, or internally. This software service is now provided as a small part of an overall business process, and may not even be known to the business unit as a component of the process that is provided by an outside vendor. To re-use the examples of services in this paragraph, we can consider the following scenario for web analytics:
IT Department provides traffic report and analysis to all departments in the enterprise. Most likely 90% of the department could not care less about the accuracy and granularity of the results. Marketing; however, is an exception. While it carefully tracks website usage all the time, a day-long outage of analytics would not be a major problem unless it coincides with a test run of a new marketing campaign. At which point and to which internal customers should IT direct an awareness campaign of the outside vendors it is using for the moment? Once a service become part of the enterprise services, their origin becomes largely transparent to the business level consumers of the service. It is worth noting that for most services only a small number of users will have a critical need of it. How should vendors be now evaluated for reliability and contracts structured?
Previously, when a department wanted to use an ASP both that business unit and IT would be involved in the evaluation process. However, SAAS will now allow both IT and business units to go it alone. That's where things can start falling through the planning cracks since a lot of the services may not be part of the primary impact analysis process. In our scenario Marketing may not be aware that web analytics is separate from web server maintenance, and IT may not know that its outsourced analytics service is critical to some group - in this case Marketing - 3 weeks out of the year.
Similarly to how cheap Windows and Linux servers proliferated in workgroups a few years ago, cheap and transparent services will have a huge impact on how applications and business processes are assembled and executed in the future. Different providers may even be used for similar process steps in various locations or processes across the enterprise. How should customers reconcile their needs for efficient and cost-effective services with an increasingly flexible software services environment? One way, of course, is for an organization to forbid the casual use of outside software services and require than any allowed uses go through a rigorous evaluation process for each service, with clearly identified IT and business level integration points and fully performed cost-benefit analysis. That would work to keep smaller service vendors out, but they are also the most innovative ones.
Another way is for someone like IBM to step in. Salesforce is already doing something similar with its AppExchange, and I think other players are gearing up. IBM has an advantage over Salesforce and others, such as SAP or Oracle in that it has a much more independent platform. IBM can become, effectively, a guarantor of a service, whether it was developed by them or not. By providing the infrastructure, IBM can make sure the basic hosting things go well - such as service uptime, bandwidth, power, etc. Furthermore, IBM can host the same service in different configurations - critical for Marketing and delayed for other department, for example. Its market power would require service vendors to certify their products for stability and scalability, and remove the uncertainty from customers of dealing with a small and unknown entity. Organizations could then provide business rules for department to use, or at least test services, provided they comply with certain requirements - certified by IBM, and are hosted by a reliable vendor - such as IBM. At some point a need to both a certified host and certifying authority will become too strong not to produce a whole sub-industry. Currently, Accentures & Delloite's of the world have the lead on certifying implementations (information security, for example). However, IBM already has a host of certification programs for its WebSphere Catalogue, as well as Ready for Virtualization and others relevant to organizational resiliency. Moreover, IBM has the ability the Accenture and its ilk lack of becoming insourced not only at the customer level, but vendor level as well. What that means is that vendors could develop services and solutions concentrating on their core competencies, not peripheral requirements of hosting an on-demand software service, for example.