ALISON BROOKER (AB): Business resilience is a competitive advantage. According to a recent Forrester report, companies with more mature resilience capabilities are growing two and a half times faster than the competition. But as business resilience becomes more vital to success, it also has to be a shared responsibility across all C-suite executives.
I'm your guest host, Alison Brooker, and this is IT Availability Now, the show that tells stories of business resilience from the people who keep the digital world available.
On today's show, we talk to Kaushik Ray, Senior Vice President and General Manager of Recovery Services at Sungard AS about the future of business resilience, what this means for C-level executives and how they can adjust responsibilities to meet new requirements.
Kaushik, welcome to the show.
KAUSHIK RAY (KR): Thank you.
(AB): Before we get into the future of business resilience, let's talk a bit about how organisations have traditionally approached it. So historically, who's been responsible for business resilience?
(KR): Yeah, so I think traditionally, resilience has always been thought of as an IT thing, especially for organisations that have relied heavily on IT to run their business. And so, the executive in charge has always been the CIO, the chief information officer. It’s typically been a disaster recovery coordinator working in some portion of the CIO’s office. Sometimes it's part of the security office, the CISO’s office within the CIO organisation. But that's where traditionally we have seen it lie.
(AB): What limitations do you see with this arrangement?
(KR): Well, I think it's in the topic itself, right? The topic is not IT resilience, it's business resilience. It can't just be IT’s problem to solve, IT’s challenge to solve. In whichever organisation that we have been to where we have not seen a tight collaboration between the business side and the IT side, the results are not optimal.
(AB): Why has business resilience become more top of mind lately for companies?
(KR): Well, I think, you know, depending upon where a company's operations are located, whether it be the business offices or data centres, some companies might not have gone through any major crisis. Obviously, those companies that work out of tornado zones or hurricane zones, they have seen and faced crises. But if you're not - I'm based in Northern Virginia, if you're in the DC metro area, typically we have not seen a lot of natural calamities happen here. Maybe an odd winter storm once every 10 years or so, but not that often.
People have not faced it, but two things have completely changed that, where everybody is impacted. One is the pandemic. It came out of nowhere at us, globally impacting businesses for the last couple of years. And the other one is rising cyber attacks, which knows no geographical boundaries. You can be anywhere and still undergo a cyber attack and ransomware attack. So, these two things have brought business resiliency to the forefront for everybody, whereas previously it might have been in pockets.
(AB): What conclusions do you think companies have made as a result of this?
(KR): Companies have realised that especially, say with the pandemic - let's take one of them one at a time - where either IT systems might be up, but then if you don't have the operational continuity plan in place or business continuity plan in place that goes hand in hand with the IT resilience and availability, you be impacted, right?
Similarly, if you think about ransomware attacks where everything is fine from where you're working, what you're doing. But all of a sudden, all your data is locked, all of your workstations are locked up. So, I think what these two things have brought about is how, you know, these two parts of the organisations have to really work together and how resiliency has to be factored in whatever you do, however you set up your processes. It cannot be an afterthought. It cannot be reactionary. It cannot be figured out on the fly. And that's definitely two very, very strong lessons that these two things have taught us. That if you didn't have it, if you didn't think about it and have a plan for it, then you will undergo a pretty big disruption in running a business.
(AB): That makes definitely a lot of sense. Can we shift gears a bit? I'm really curious about how resilience is a competitive advantage for businesses. Can you talk a bit about that?
(KR): Yeah, it's a very interesting twist. I would say that also these last two years have shown some companies, there's a customer of ours who is in a particular industry that isn't that tech savvy in general. Whereas this customer has been tech savvy within that industry vertical. And what they were able to do because they had planned real well working with us on how to be resilient, not just from a technology as in data centre point of view, but also in terms of technology leveraged by their field engineers and their field representatives, that when this thing happened, when the pandemic happened, and a lot of their partners were suffering through it, they actually turned it into a line of business. They started selling consultancy, as well as you know, some of their systems to their partners and providers, upstream and downstream. So, it became a revenue stream for them, and some might think of it as ambulance chasing, but it's not. It's actually helping them out because if their upstream and downstream partners did not come back into operation even this customer of ours would be jeopardised in the way they ran their business. It was a win-win for all. They had it in there so they could turn it around into a revenue stream.
The other example is, let's take a very simple example. Everybody uses a virtual call centre nowadays. That's the sort of technology that is used so that your call centre representatives don’t have to be all housed in one single building. They could disperse working from home and you get much wider access to the workforce than if you wanted to have everybody in one single building and one facility. This has been around even before the pandemic, this particular area. But that application, that technology which is so essential to operate this kind of distributed workforce in this kind of scenario use case of a virtual call centre, if that's hosted only in one single place, and that software does not have resiliency built into it, maybe they're in the cloud, but what if they're only in one geographical zone in the cloud? We do know that public clouds are not infallible, they're fallible, they actually can go down and if you're only in one of their sites, then you are not resilient. That software is not resilient.
If I was a buyer of that software, let's say I am an executive in a company who's trying to buy a virtual call centre application, it behooves me to ask, not just assume that, “oh, it's in the cloud, it must be resilient.” It behooves me to ask, “OK, what is your resiliency posture? What is the SLA from an availability that you can get me?” Even if you have like say four nines availability, I'm so dependant on you. If you go down, how fast can you recover? Is it in seconds or minutes or hours? And therefore, there are so many virtual call centre companies out there, it becomes a competitive advantage for them, you know, to say that they have that kind of resiliency, and if they don't, it'd be tough for them to compete. And let me tell you, there are companies that don't have that resiliency in their platform, and yet you know, they are selling, and that's because a lot of the buyers don’t know to ask that question and make the assumption that if you're in the cloud, you must be resilient, which is pretty much a wrong assumption.
(AB): Right. So it sounds like there's some opportunity from a competitive advantage standpoint. But as business resilience becomes more important for businesses, how is it complicating relationships within the organisation? Are you seeing anything there?
(KR): I would say it's complicated if you want to make it complicated. I think it all starts with understanding what does your organisation stand for? What is the model of your organisation? What is your USP to your customer base, right? And then aligning everything to that. If I go and ask the IT group of a company, “how many units of recovery do you have? If you want to recover all of your environments, all of your applications, how many such units do you have to recover?” They might tell me a number like, “oh, I have to recover 113 applications.”
Now, if I go and ask the business, “how many different business processes do you guys have?” They might tell me, “well, we have a total of 10 or 13 business processes.” And then the question would be which one of those 10 or 13 are important, are in the lines to meeting your commitments? Your USP, your value that you deliver to your customer base? That number might be actually lesser than even 13.
It's understanding this that is the most important thing. How do you connect the dots between the nuts and bolts of IT up to the layers that I've talked about - the infrastructure, the servers, the data centre sites the network, the storage, to the application service layer - then from that to the business processes and then the business process to the critical functions, the business-critical processes, that drives the valuation of the company in front of their end users. Understanding that is probably the most complex thing. But it's not complicated once you get started and you go through it, and we have assisted many customers in doing that. But that's where if you don't have that understanding, then it becomes something overwhelming. You don't know where to start.
And then when you add to this data, it's not just about business processes and applications and you're thinking about cyber, it's about the data. How do you protect your data from undergoing a ransomware attack? It takes a slightly different twist to it. Because vital data assets could be different than what you, through your business impact analysis, determined to be the critical business functions. So linking and joining these dots is what's complicated.
The other thing that has complicated the situation is actually the adoption of cloud. You know, previously, there was a time where a company's IT used to be run in one or two physical data centres. And that was it, you know, everything was housed in those two physical data centres. Now, with the adoption of cloud, customers are not only having their own physical locations (sometimes that's required), they have probably multiple cloud providers. It's not uncommon for us to see customers buying into AWS and Azure or Azure and GCP for different functions. And then you have SaaS, software as a service. So essentially what is happening on the technology side, your end points or points of failure, points of dependency, have grown up. So that's where the complications around mapping out, the blueprint of IT, has increased, has grown.
But you got to get started. If you don't get started thinking, “I'm just overwhelmed with where to get started with,” then it's a problem. I think that's kind of where I would say things have become complicated. It shouldn't be as much about the relationships within the organisation. To me, there should be a business risk office that should work hand-in-hand with IT risk, IT disaster recovery. The structure has been there for many years now. Some companies have done it right in that sense. It's more about understanding the relationships between the processes, between the functions, between the data assets, between your suppliers and providers. That's where the complication lies.
(AB): Yeah, and it really ties into really the main crux of the report: the future of business resilience is shared accountability across those different business units. Can you talk a little bit about how, a little bit more about how these departments can work together that are sort of traditionally siloed to really get towards that common goal?
(KR): Yeah, so I kind of led into that in my previous answer, but yes. So obviously, CIOs can no longer be held completely accountable for business resiliency. And I hate to say no longer. I don't think CIOs could have ever been held solely accountable for this. But now more than ever, I think the pandemic and ransomware attacks, cyber attacks have shown us that it's a joint responsibility. So, this needs to be a priority at the board level and that's what we are seeing. That it is something that is being asked more and more at board meetings where members or directors of the board are asking, “are we resilient from cyber attacks? How are we resilient from cyber attacks?”
And actually, when it comes to things like cyber, it's not a matter of can you guarantee that I'll never be attacked? No, it's not that. Nobody can guarantee that but if we do get attacked, do you have a plan on getting us back into operation as fast as possible? These are starting to become boardroom topics of discussion and therefore, it's not just the CIO's responsibility, it’s a responsibility that has to be shared with the CFO, the CIO, the chief accounting office, the business functional heads that might be there. Everybody needs to designate somebody from their group that can work together in a matrixed way to address this problem. And it can always be run out or driven out of the business risk office, which sometimes we see is part of the legal department. Sometimes there is the security, it's not just information security. The business security and risk office is a separate department. Compliance could be a separate department that runs this, but it has to be a joint responsibility from all the departments.
(AB): That makes a lot of sense and really great advice and insight, Kaushik.
The growing importance of business resilience means it can no longer fall squarely on the shoulders of your IT department. It must be factored into all business decisions. The future of business resilience requires C-suite executives to work together and share accountability with an eye toward the needs of their end users and customers. organisations that take this approach will have a competitive advantage over their counterparts while being able to maintain brand reputation and deliver value even in a disaster.
Kaushik, thank you so much for joining the show today.
(KR): Thanks so much for having me.
(AB): Kaushik Ray is Senior Vice President and General Manager Recovery Services at Sungard AS.
You can find the show notes for this episode at SungardAS.com/ITAvailabilityNow.
Please subscribe to the show on your podcast platform of choice to get new episodes as soon as they’re available.
IT Availability Now is a production of Sungard Availability Services.
I’m your guest host, Alison Brooker, and until next time, stay available.