Operational Resiliency: Getting to Recovery Faster

By Thomas Schmidt

Interest in operational resiliency, a key element of business continuity planning, is intensifying. In business terms, operational resiliency represents an organization’s ability to protect its critical assets and keep its critical business processes and services up and running, even in the face of a disruption or security event.

Operational resiliency has been a particular focus of the Financial Services Technology Consortium (FSTC). As part of its ongoing efforts to help organizations deal with business continuity issues, the FSTC has been working with Carnegie Mellon’s Software Engineering Institute to develop a resiliency model.

“Operational resiliency and effective risk management are board-level issues affecting shareholder value,” the FSTC has observed. “Management disciplines such as business continuity, information security and operations have become a strategic focus and management priority. Organizations have elevated these disciplines and are increasingly active in pursuing new innovations to manage operational risks.”

This article looks at how operational resiliency is helping financial institutions adapt to changing risk environments while at the same time encouraging them to take a more holistic approach to their operations.

Learning from recent events
The emergence of operational resiliency as a vital concern of the financial services industry can be attributed to a number of factors. To begin with, the risks the industry faces today are often more daunting than the natural disaster scenarios that formed the basis for most continuity planning in the past. Carefully targeted physical and cyber attacks are becoming an increasingly prevalent source of risk (and are far more difficult to manage).

At the same time, recent catastrophic events, such as terrorist attacks, hurricanes, power outages and tsunamis have disrupted the flow of business on a global scale. In addition, increasing regulatory requirements have created a new environment in which security must be effective and efficient.

Simply put, how do we protect the functions of the business with a minimum of pain?

To answer those questions, as the FSTC has observed, financial institutions can’t rely on the ad hoc approaches of the past.

“Simply put, new tools and methodologies are needed to consistently manage risk, improve our processes and keep costs under control,” the FSTC has stated.

A model approach
The resiliency model being developed by the FSTC and Carnegie Mellon is specifically designed to:

• Identify and prioritize risk exposures
  
• Define a process-improvement road map
  
• Measure and facilitate strategic planning
  
• Address interdependencies
  
• Promote proactive regulatory compliance

Charles Wallen, managing executive of the FSTC’s Business Continuity Standing Committee, told Bank Systems & Technology when the Resiliency Model Project was launched: Banks have been impeded from achieving uniform resiliency because of their “siloed” operating environments.

“We want to look at resiliency and operational risk areas holistically so that we see information security, business continuity and IT management together,” Wallen said.

Recently, the FSTC and Carnegie Mellon announced the availability of the Resiliency Engineering Framework, which provides a road map enabling organizations to establish, manage and evaluate operational resiliency.

The framework consists of more than 20 capability modules, and organizations can implement as few or as many as their needs require. According to the FSTC and Carnegie Mellon, “benchmarking against the framework will help organizations optimize their operational resiliency investments, make objective peer-to-peer comparisons in their industry sector and select capable third-party suppliers.”

Simplify, simplify
Operational resiliency is making inroads in the financial services industry for another reason as well: Its potential to help reduce complexity and costs in the data center.

As every data center manager knows, the amount of data generated by data center applications is exploding and much of it must be protected, as a result of new privacy and government regulations, and retained for longer periods of time. These constant pressures are, in turn, the main reasons for many institutions to implement so-called “green” strategies. For them, it’s beyond environmental concerns -- it’s about meeting business goals and reducing costs. And that’s where operational resiliency can play a part.

Part of the appeal of operational resiliency is the potential to simplify operations, to decrease complexity, experts say. Increased complexity can also result when financial institutions merge and wholly unrelated systems are forced to work together. That was the case with Clearstream International/Deutsche Börse Group, which offers settlement and custody services to more than 2,500 financial institutions worldwide.

Numerous acquisitions over the years had resulted in a heterogeneous and complex IT environment at the company. Because of the lack of server cluster and storage integration, it was estimated that it would take up to two hours to recover from a cluster failure. This was unacceptable in Clearstream’s critical real-time business. Instead, Clearstream turned to a high-availability clustered solution, based on Veritas Cluster Server and integrated with Veritas Storage Foundation for Oracle and Veritas Storage Foundation for Oracle RAC.

“In one of our most complex applications, we recently experienced a node failure on one of the clusters and were able to fail-over the system in only a few minutes,” said Yves Baguet, Managing Director of Technology at Clearstream. “This is in comparison with the couple of hours it used to take.”

Conclusion
Operational resiliency refers to an organization’s ability to adapt to changing risk environments and to manage the risk that is inherent in day-to-day operations. Interest in operational resiliency is on the rise because escalating physical and cyber threats, complex technologies, interdependent supply chains and the global marketplace are making the job of managing disruptions increasingly difficult.

 

Thomas Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.