The rising tide of digitization across industries worldwide has had an unintended consequence: a spike in systems outages. While systems have historically failed for a variety of reasons, the ongoing pivot to digital is creating a severe misalignment between the risk appetite of organizations at the business service level and the underpinning IT architecture, which is often unable to keep pace with the rate of change required to support a digital business.
This is felt in areas that directly impact “moment of truth” customer experiences, in addition to undermining mission-critical and highly regulated services in the banking and financial services sectors, such as cards and payments, e-banking and stock trading, as well as water and gas distribution in the energy and utilities sector.
Unplanned outages in these businesses have the potential to damage a company’s reputation, especially when flames of discontent are fanned through social media, which can result in an adverse impact on the brand as well as greater regulatory scrutiny.
As a result, organizations across the globe, particularly financial institutions, utilities and pharma companies, are significantly increasing their non-discretionary spend (including the restitution cost) to boost service resilience. While business/service resilience is a broad topic, focusing on a few key elements is the difference between success and failure. Resilience, in our view, pertains to a particular service or a set of services that serve the end-user’s need(s). More often than not, organizations do not have the latest configuration of services, also known as a service model, which is a map of everything that underpins a given service (i.e., service components, applications, hardware, manual processes, people, etc.).
A service model should answer the following vital questions:
What does my service comprise?
Do we have a baseline for the service chain and service layers to which we can refer and immediately ascertain the point of failure, without having to boil the ocean when a “code red” is declared?
Service Resilience: A Necessary Spend
Organizations typically make significant investments in continuously upgrading various system components (data center, network, operating system, etc.) that do not necessarily improve service resilience. To make the case that service resilience spend should be included in the non-discretionary expenditure list, the following points need to be addressed:
How do we make improvement in resilience (or the lack of it) a decision criterion in spend decisions, so that we improve the whole service chain and do not merely shift the bottleneck from point A to point B?
How much spend is enough?
How can we convince the sponsor and the business about the cost of not improving resilience (and not meeting risk appetite) rather than merely relying on financial KPIs (return on investment, payback period, internal rate of return, etc.)?
Organizations must implement a comprehensive framework that covers relevant domains including (but not limited to) risk appetite, architecture, operations, manual processes and controls, as well as business services and the services (including IT) that underpin them.
Our service resilience framework assesses and recommends specific improvements to provide IT organizations with bidirectional traceability from improvement in business and service resilience (using risk appetite as a measure) to programs and initiatives required to create or bolster a resilience portfolio. The interactive figure below illustrates our framework and steps to ensure service resilience.
Organizations across the globe realize the need for a sustained initiative on resilience. Such initiatives can be all-encompassing, umbrella-like initiatives that can be combined with other ongoing focused and relevant projects such as cybersecurity, business continuity, simplification, IT risk management, etc. Once a resiliency initiative is completed, the next dilemma organizations face is how to start or position a new project when other programs are in flight and at different stages of benefit realization. Usually, it helps if business/IT service resilience is driven through the risk management function (business and/or IT), as it usually owns risk appetite and residual risk as KPIs. That would also offer the right level of visibility, positioning and attention for driving the initiative to meaningful outcomes in terms of enhanced resilience and optimized residual risks.