As you know, fluctuating business conditions are a double-edged sword. Almost any risk — whether it comes in the form of an opportunity or a threat — requires a response from your business. If you respond inappropriately or too slowly, you could lose ground to your competitors. For example, while too much success may not sound like a threat to your business, it can become one if you’re not prepared to handle a surge in customer demand. When Victoria’s Secret televised a fashion show during the 1997 American football Super Bowl, the company was unable to scale to meet the ensuing demand for access to its Web site, resulting in significant performance degradation and customer dissatisfaction.
On the other hand, a disruption in business operations and services, whether from a natural disaster, a terrorist strike, a cyber attack or a simple malfunction, can seriously reduce your revenues and even do long-term damage to your brand. Industry estimates indicate that upwards of 40 percent of organizations without business continuity and recovery plans will go out of business within a few years of a major disaster.

IBM Global Services
October 2005

Beyond disaster recovery: becoming a resilient business.
An object-oriented framework and methodology
by Richard Cocchiara, Chief technology officer for business resilience

Contents
Executive summary
Coping with continuous change
What business resilience means: some basic requirements
The business resilience framework: an object-oriented approach
The business resilience transformation lifecycle: a roadmap for becoming a stronger, more responsive business
Why IBM?

Executive summary

As you probably understand all too well, today's business environment is characterized by rapid, unpredictable change. Some changes bring opportunities for your business, while others bring challenges and sometimes even threats. But no matter what, your business has to be responsive and resilient, seamlessly taking advantage of opportunities while mitigating risks. Your IT infrastructure must be designed to help ensure the continuity of your business operations in the event of an unexpected disruption, and to secure data integrity. It also must help you comply with government regulations and integrate risk strategies to reduce costs, and it must be able to scale rapidly and automatically as the market changes.

To help organizations understand and manage the process of becoming resilient, IBM has developed an object-oriented framework and transformation lifecycle. Borrowing from the concept of an object-oriented database, IBM has created a business resilience framework that is designed to help you identify the object layers that make up your company, ranging from the strategic overlay all the way down to the nuts-and-bolts technologies and facilities. Within each layer, the objects are assigned specific attributes that help manage the risks associated with each object.
Once you understand these objects, their attributes and the relationships among them, you can begin to identify areas for improvement. IBM can take you through the business resilience transformation lifecycle to help you:

• Determine which risks may affect your organization
• Calculate the potential impact that these risks could have on your organization
• Plan for how the objects in your current infrastructure could respond to these risks
• Design or update your infrastructure to mitigate these risks and to leverage any opportunities that might arise from market changes
• Execute your strategy for improving your business resilience
• Implement the changes to each object layer
• Test your overall resilience
• Manage your resilience program to incorporate improvements and changes in technology.

This white paper explores the business and technical advantages of an object-oriented framework and transformation lifecycle for business resilience.

Coping with continuous change

As you know, fluctuating business conditions are a double-edged sword. Almost any risk, whether it comes in the form of an opportunity or a threat, requires a response from your business. If you respond inappropriately or too slowly, you could lose ground to your competitors. For example, while too much success may not sound like a threat to your business, it can become one if you're not prepared to handle a surge in customer demand. When Victoria's Secret televised a fashion show during the 1997 American football Super Bowl, the company was unable to scale to meet the ensuing demand for access to its Web site, resulting in significant performance degradation and customer dissatisfaction.
On the other hand, a disruption in business operations and services, whether from a natural disaster, a terrorist strike, a cyber attack or a simple malfunction, can seriously reduce your revenues and even do long-term damage to your brand. Industry estimates indicate that upwards of 40 percent of organizations without business continuity and recovery plans will go out of business within a few years of a major disaster.

The best response to the threat of disaster is to combine several disparate risk management strategies into a single, integrated resilience strategy that will allow your organization to adapt and respond rapidly to opportunities, regulations and risks in order to maintain highly secure continuous business operations, be a more trusted partner and enable growth. Because such an approach addresses both the positive and negative ramifications of risk, IBM uses the term business resilience to distinguish between this comprehensive strategy and narrower approaches, such as disaster recovery, high availability, security and business continuity.

What business resilience means: some basic requirements

In worldwide studies conducted by The FactPoint Group, a Silicon Valley-based research company, for IBM in both 2004 and 2005,¹ CEOs highlighted the six key areas that a business resilience framework should address:

• Continuity of business operations: become more anticipatory, adaptive and robust, from IT through all business processes
• Regulatory compliance: comply with new and changing government rules and regulations more quickly and cost-effectively
• Integrated risk management to reduce costs: stay competitive by managing risk more efficiently and cost-effectively
• Security, privacy and data protection: protect against internal and external threats, and help develop a critical information management policy
• Access to expertise and skills (via outsourcing or training): develop the infrastructure to support the easy acquisition and management of expert assistance in maintaining continuous business operations
• Market readiness: anticipate and respond to changing market conditions and accelerating research and development as necessary to get the right products to the right buyers at the right time.

In the past, businesses typically have addressed these concerns separately. However, many companies now recognize that it's more cost-effective to combine them into a single, integrated strategy. A holistic approach can help minimize risks, maximize opportunities and address compliance needs, all at the same time. But how do you perform a holistic risk assessment of your entire enterprise without missing any critical element? IBM has found that an object-oriented framework can help you model your total business infrastructure and clearly identify issues that must be addressed to make your business more resilient.

The business resilience framework: an object-oriented approach

IBM has spent years analyzing what is necessary to ensure business resilience. In the process, IBM has identified a collection of components, called objects, that together can be used to model your entire business infrastructure. Inspired by the concept of database objects, these components have attributes that help define them in terms of their ability to address the six basic requirements of business resilience.
Objects can share similar attributes, and these shared attributes, in turn, help define the relationships among objects. And objects with shared attributes can be grouped into object classes. Companies can then use these classes to understand common issues and to speed the deployment of improvements and upgrades designed to promote resilience.

Table 1. Sample objects and attributes

| Resilience layer | Object class | Object | Attribute | Value | Maturity value | Attribute relationships |
|---|---|---|---|---|---|---|
| Process | IT process | Problem management | Owner | John Smith | 3 | Common primary owner with change management, with no secondary or tertiary owner defined |
| Process | IT process | Change management | Owner | John Smith | 3 | Common primary owner with problem management, with no secondary or tertiary owner defined |

Maturity levels:
1 = No owner
2 = Multiple owners
3 = Primary owner defined, no backup
4 = Primary and secondary owner defined
5 = Primary and secondary owner with defined authorities

As Table 1 demonstrates, two or more separate objects can exist within a class and share multiple attributes as well; in this case, the attributes of owner and documentation. As values are assigned to each attribute, you can see whether each of these objects has, for example, the same owner. If, indeed, they do share an owner, for example, John Smith, you can begin to understand the consequences for your organization of losing John Smith. In the table, the attribute John Smith affects both change and problem management, so the ability of your business to continue operations in the face of such a loss could be restricted. The same type of analysis may also be applied throughout the organization, so you can assess whether you have undue risk associated with any individual, technology or business process.
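
The shared-owner analysis described above can be run mechanically over an inventory of objects. The following Python code is an added example, not part of the IBM paper or of any IBM tool: it scores each object's owner attribute on the Table 1 maturity scale and reports the people whose loss would leave two or more objects with no owner at all. The class and function names, the rule for mapping owners to levels, and the rows marked as constructed are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Owner maturity scale as listed under Table 1.
OWNER_MATURITY_LEVELS = {
    1: "No owner",
    2: "Multiple owners",
    3: "Primary owner defined, no backup",
    4: "Primary and secondary owner defined",
    5: "Primary and secondary owner with defined authorities",
}


@dataclass
class ResilienceObject:
    """One framework object and its owner attributes (hypothetical model)."""
    layer: str
    object_class: str
    name: str
    primary_owners: List[str] = field(default_factory=list)
    secondary_owner: Optional[str] = None
    authorities_defined: bool = False


def owner_maturity(obj: ResilienceObject) -> int:
    """Map an object's owner attributes to a Table 1 maturity level (assumed rule)."""
    primaries = set(obj.primary_owners)
    if not primaries:
        return 1  # nobody is accountable as primary owner
    if len(primaries) > 1:
        return 2  # several values for "owner": unclear who is in charge
    backup = obj.secondary_owner
    # A backup who is the same person as the primary is no backup at all.
    if backup is None or backup in primaries:
        return 3
    return 5 if obj.authorities_defined else 4


def loss_impact(objects: List[ResilienceObject]) -> Dict[str, List[str]]:
    """For each person, list the objects left with no owner if that person is lost."""
    impact = defaultdict(list)
    for obj in objects:
        owners = set(obj.primary_owners)
        if obj.secondary_owner:
            owners.add(obj.secondary_owner)
        if len(owners) == 1:  # exactly one person stands behind this object
            impact[next(iter(owners))].append(obj.name)
    return {person: sorted(names) for person, names in impact.items()}


def single_points_of_failure(objects: List[ResilienceObject],
                             min_objects: int = 2) -> Dict[str, List[str]]:
    """People whose loss would orphan at least `min_objects` objects."""
    return {person: names
            for person, names in loss_impact(objects).items()
            if len(names) >= min_objects}


OBJECTS = [
    # The two rows of Table 1.
    ResilienceObject("Process", "IT process", "Problem management", ["John Smith"]),
    ResilienceObject("Process", "IT process", "Change management", ["John Smith"]),
    # Constructed rows, not from the paper, to exercise the other levels.
    ResilienceObject("Process", "IT process", "Availability management",
                     ["Owner A (constructed)"],
                     secondary_owner="Owner B (constructed)",
                     authorities_defined=True),
    ResilienceObject("Process", "IT process", "Capacity management",
                     ["Owner A (constructed)", "Owner C (constructed)"]),
    ResilienceObject("Technology", "System", "Process tool system"),
]

if __name__ == "__main__":
    for obj in OBJECTS:
        level = owner_maturity(obj)
        print(f"{obj.name}: maturity {level} ({OWNER_MATURITY_LEVELS[level]})")
    for person, names in single_points_of_failure(OBJECTS).items():
        print(f"Losing {person} leaves without an owner: {', '.join(names)}")
```
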
Once you identify these single points of failure, you can then develop failover techniques and redundancies for certain types of object attributes. At the same time, you may also learn that some objects have attributes that can be consolidated for more efficient risk management. For example, under change management, you could find that you have multiple values for owner and control attributes. While this may be sound from a redundancy standpoint, it can introduce unnecessary confusion into your resilience program. Instead, it may be more efficient to assign primary and secondary owner attributes, so it's clear who will take over if the primary owner is unavailable. In any case, an object-oriented framework for business resilience is a useful tool for understanding the strengths and vulnerabilities of your existing infrastructure.

Clearly, an organization will identify many objects in the process of creating a comprehensive model of its business resilience capacities. To simplify what would otherwise be an unwieldy list of objects, IBM created a superset of object classes, which IBM refers to as layers within the business resilience framework. Not surprisingly, they echo the layers of most business organizations. These layers are:

• Strategy: objects related to the strategies used by the business to complete day-to-day activities while ensuring continuous operations. Examples include financial, manufacturing and disaster recovery strategies.
• Organization: objects related to the structure, skills, communications and responsibilities of your employees. Examples include human resources, training, and internal and external communications.
• Applications and data: objects related to the software necessary to enable business operations, as well as the method used to develop that software. Examples include customer relationship management (CRM) applications, enterprise resource planning (ERP) applications, databases and transaction processors.
• Processes: objects related to the critical business processes necessary to run the business, as well as the IT processes used to ensure smooth operations. Examples include accounts receivable, accounts payable, change management and problem management.
• Technology: objects related to the systems, network and industry-specific technology necessary to enable your applications and data. Examples include host systems, workstations and Internet Protocol (IP) networks.
• Facilities: objects related to the buildings, factories and offices necessary to house your organization and your production or service technologies. Examples include data centers, office buildings and physical security operations.

While these object layers can help you conceptualize and identify the components of your company's business resilience, it's possible to obtain a view that's even more granular. Attributes, too, can be classed according to common traits that may enable an object to respond to risks and opportunities.
There are five major attribute classes associated with improved business resilience:

• Control and comply: the attributes necessary to anticipate, evaluate and control risks associated with complying with industry and government regulations, as well as those risks associated with environmental, social, technical and economic factors
• Predict and detect: the attributes necessary to predict, detect, estimate, measure and report events to ensure security, privacy and protection of critical data, enabling the business to respond to any threats that may jeopardize business operations
• Deflect and solidify: the attributes necessary to create a solid physical and logical topology to deflect problems and ensure continuity of operations through reliability, redundancy and failover
• Adapt and optimize: the attributes necessary to ensure adaptable, efficient and flexible integrated risk mitigation strategies, technologies and processes
• Protect and preserve: the attributes necessary to ensure that the business is preserved and protected against accidental and intentional damage, alteration or misuse.

Figure 1. Using the object-oriented business resilience framework to model your enterprise (diagram of sample objects and their attributes: owner, availability management strategy, system, problem management, change management and building)

Using these attribute classes as points of reference can help you ensure that each object can address the basic requirements of business resilience. IBM utilizes its business resilience framework as a logical representation that provides an examination of your business that is both comprehensive and modular. The six object layers expand into more than 140 objects that can be examined through the lens of the five attribute classes for a complete analysis of your resilience capabilities. However, there are two aspects to the process of becoming a resilient business. The first, as discussed, is to gain an understanding of where you are today and where you need to go. The framework was designed to address those questions. The second aspect is more complex. It involves actually transforming your business into one that's truly resilient. This transformation is typically more challenging for companies. Having a concrete roadmap for the process is critical.

Figure 2. The business resilience transformation lifecycle moves you through the assess, plan, design, implement and run phases of a typical lifecycle. (Diagram labels: determine potential risks; prioritize business impact by risk; evaluate current resiliency capabilities; design a resilient architecture; plan for business resilience; implement the architecture; validate the resilient architecture; manage to resilience objectives.)

The business resilience transformation lifecycle: a roadmap for becoming a stronger, more responsive business

Resilience needs are not the same across all industries, or even across companies within a given industry. As a result, the process of becoming a resilient business is highly individualized, but the complexity of the task demands a methodical approach. While the business resilience framework evaluates each component of your business for its resilience factors, the business resilience transformation lifecycle actually maps your transformation journey. It's a step-by-step process designed to help ensure that all the objects in your enterprise are appropriately restructured to mitigate risk and enhance your ability to exploit opportunities.

Phase one: determine risk exposure

The transformation lifecycle begins when you identify the risks that are unique to your organization. These could include the risk of natural disasters, but should also include civil unrest, technical failures, regulatory compliance, sudden changes in demand, operational requirements and any other risks that may interrupt normal business activity. As discussed in the previous section of this paper, it's important to include opportunities in the assessment as well, such as sudden spikes in transaction volumes, new acquisitions or mergers, or highly effective marketing campaigns.
Companies tend to perform these types of assessments infrequently, in response to regulatory requirements or other changes to the business model. However, many organizations are now appreciating the value of moving to a more structured, scheduled approach to analyzing their risk profiles in the face of rapid global changes in business conditions. In any risk analysis, the following steps are critical:

• Rank threats based upon past occurrences, the amount of potential revenue loss, damage to your brand, compliance risks and single points of failure
• Prioritize your safeguards
• Conduct a cost-benefit analysis if you are performing a quantitative risk assessment
• Determine your next steps based upon the severity of the threat, the selected safeguards, and the cost and ease of implementing those safeguards.

Phase two: rank the risks according to potential business impact

The second step is to rank the risks you identified in phase one according to the way in which they will affect your business. Identify and prioritize your business services, functions or processes according to how your finances would be affected if the risks to these areas were realized. It's important to go beyond a simple business impact analysis here, which can make every part of the business seem critical, requiring every object to be resilient. Most businesses have just a few truly key functions or processes.
You can target your resources more effectively by understanding not only which areas of your business are most important, but also what the exact requirements of those areas are. In the event of a disruption, how much uptime would you actually need to restore each critical function? The process of analyzing the business impact of the risks your business faces should include the following steps:

• Identify all critical business functions and processes
• Link business processes to the applications and data that support them
• Establish appropriate availability and recovery strategies by ranking each process in terms of the length of time it can operate without its supporting infrastructure
• Establish appropriate security levels by classifying data by its importance to your business
• Identify critical physical recovery resources and vital records, as well as the time frame within which they must be available for recovery efforts.

Enterprises typically consider business impact in light of two measures: recovery time objectives (RTOs) and recovery point objectives (RPOs). An RTO specifies the amount of downtime a business can tolerate. Worldwide, acceptable RTOs are fast approaching zero. In some industries, such as financial services or credit card processing, downtime can cost millions of U.S. dollars per hour. An RPO specifies the amount of unrecoverable transactions or data that the company can tolerate. It, too, is converging on zero. Many companies have come to see the cost of any downtime as unacceptable, but it is important to analyze that cost if you are to devise a targeted, cost-effective strategy for minimizing or eliminating it.

Phase three: evaluate your resilience capabilities

Once you have created a risk profile for your critical business services, functions or processes, you need to perform a gap analysis of your needs and capabilities. To help you reduce the time and resources you need to complete this assessment and focus on areas that may need a more stringent analysis, it's helpful to break this phase into two steps. The first step entails performing a high-level review of your company's ability to meet the basic requirements of resilience. To revisit them, they include:

• Maintaining continuous business operations
• Achieving regulatory compliance and meeting industry standards
• Integrating risk strategies to optimize resources
• Ensuring data protection, privacy and security
• Obtaining the knowledge and skills necessary to achieve and maintain resilience
• Maintaining market readiness.

Such a review allows you to focus on the areas of most concern. In the second step, IBM can help you use its business resilience framework to delve deeper into these areas. Each of the 140 objects in the framework can be analyzed to determine how it will perform in reference to your company's risk profile and to identify its potential for improvement. Such an analysis can help produce an assessment of each object's maturity level.
The following maturity levels can be used to assess an object:

• Basic: These capabilities range from physical and systems security to awareness programs regarding company policies and emergency procedures, as well as communications, privacy, governance and compliance programs. They may also include comprehensive continuity planning and are the backbone of an ad hoc approach to mitigating risks as they arise.
• Managed: These capabilities focus on process and policy compliance and the fundamental automation tools necessary to manage a disruption or opportunity when it occurs. Management plays a strong role here to ensure that employees understand their responsibilities and follow policies.
• Predictive: These capabilities are centered on establishing thresholds and advanced warning systems that allow the company to take preemptive actions to prevent disruption. The ability to monitor current performance and determine out-of-bounds conditions and behaviors for specific components is critical. The company still manually mitigates the risks as they are identified.
• Adaptive: These capabilities focus on the organization's ability to sense and respond to unforeseen circumstances by using contingency plans and On Demand Business resources to maintain operations. Responses to situations must be defined in advance, but the system has the ability to adapt automatically to prevent a loss to the business.
• Autonomic: These capabilities focus on the business model itself and leverage the innovation, optimization and capacity management characteristics of an On Demand Operating Environment. These capabilities respond dynamically to changes in the marketplace, so you can anticipate and exploit opportunities faster than competitors.
The idea is to actively foster business growth through a resilient business and IT infrastructure, rather than merely reacting to threats.

Phase four: design a resilience strategy

The next step is to incorporate your view of the maturity of your existing objects into a design for a resilient architecture that can mitigate the identified risks. You can adjust the attributes for any object, to improve its capabilities and overall maturity level. However, it can be dangerous to undertake this without a comprehensive plan. If you over-engineer your business resilience architecture, you could spend scarce resources increasing the maturity levels of some objects unnecessarily. But under-engineering your architecture could leave your organization at risk and, worse, leave you with a false sense of security. You must determine your desired level of maturity for each object, and then, again, analyze the gaps between your current and desired states. You may find that only a few changes need to be made to your architecture. However, it's important to remember that not all the changes will be IT-related. Some may require business service, function or process adjustments, as well. In fact, a resilience-oriented architecture could easily fail if the needs of business and IT are addressed separately. Aligning the two must be part of the process from the beginning.
As a first step, you need to create a conceptual design of the new architecture that aligns business and IT objectives in the following areas:

• Confirm resilience objectives
• Analyze the interdependencies of objects
• Develop guidelines and principles
• Confirm current configurations on systems, networks, databases, storage and applications
• Document and design the solution for the baseline infrastructure
• Create a preliminary investment analysis.

After the business and IT sides of your business create and agree to the conceptual design, you then need to create a solution design that can guide them through the following steps:

• Develop an architecture for business resilience
• Define resilience strategies for systems, networks, applications and data
• Build the design specifications
• Create functional descriptions for the solutions
• Define test requirements
• Build a roadmap for implementation
• Finalize the investment analysis.

Phase five: develop resilience plans and procedures

The architecture provides the structure for improving your business resilience, but you still need plans and procedures for managing and maintaining it. Such a plan should include an initial implementation strategy as well as alternatives that allow for changing business conditions.
Each procedure should be defined with respect to:

• Its benefits and limitations
• The dependencies among business services, functions or processes
• The characteristics of the alternative strategies, such as recovery times, acceptable annual minutes or hours of outage, or security level
• The high-level cost model for the selected strategy, with recommendations for implementing technologies, processes, tools and staffing, including critical-path items such as technology delivery times, business process reengineering requirements and organizational considerations
• A high-level implementation plan that delineates key tasks and milestones for the selected strategy.

Phase six: implement the plan

Once the implementation plan has been agreed upon, you're ready to deploy your new architecture and structure your ongoing resilience program. The implementation plan must include the following elements:

• Workload division
• Hardware alignment and provisioning
• Storage strategy
• Replication strategy
• Recovery and availability strategy
• Network connectivity and capacity measures
• Shared services and infrastructure components for base operational capabilities
• Virtualization alternatives
• Systems management mechanisms
• Command and control mechanisms
• Testing capabilities
• Physical and logical security features.

Phase seven: validate the plans, procedures and architecture

The next step in becoming a more resilient business is to validate the work you have completed in the transformation process.
The validation exercise helps ensure that all aspects of your business resilience architecture have been implemented properly and are working effectively to mitigate the risks you identified earlier in the process. Any validation has three parts:

- Develop a resilience exercise for the architecture
  - Verify the resilience requirements, objectives, scope and timelines
  - Identify the resource requirements and planning tasks
  - Review the processes and procedures and assess the capability of each to perform the resilience exercise
- Review the technical resilience procedures
  - Review the resilience procedures and record your feedback
- Execute the resilience exercise
  - Provide audit and exercise observations with documented results
  - Execute the resilience exercise, including the technical recovery procedures
  - Provide ongoing semiannual audits of resilience plans with documentation of actions to be taken.

Phase eight: ongoing management of your resilience program

It's important to remember that a resilience exercise is not a static event, but is, instead, part of a concerted management program designed to help ensure continual monitoring, testing and improvement of the infrastructure. A defined business resilience program should be managed so that everyone involved understands and adheres to the resilience principles that underlie the architecture.
That architecture ultimately must allow for the following:

- Overall management of a total enterprise-wide business resilience program
- Communication of program results to the management team
- A linkage between business executives and IT-related resources
- Thought leadership for future availability, continuity and security initiatives
- A blueprint for the establishment and execution of a governance process
- Coordination and direction of continuity-related staff among entities, such as your IT organization, consultants and outsourcing providers, or partners
- Ownership and direction of all aspects of disaster recovery exercises
- Management of the financial plan, with assigned responsibility for the costs of the program
- Coordination of third-party relationships that satisfy the needs of the continuity program
- Annual review sessions to ensure alignment between business and IT objectives
- Qualification of new projects and engagement of solution design and delivery
- Communication of strategies, directions and requirements to all relevant employees
- Definition of a single point of contact to manage resolution of resilience issues
- A change management process to incorporate business and infrastructure changes into the resilience strategy and plan.

In the end, you'll have a comprehensive, but carefully targeted, resilience program that addresses your company's unique needs and goals. With a well-designed architecture based on an object-oriented framework and a roadmap, you'll know where you need to go and why. You'll also be able to avoid unnecessary expenditures of time and resources.
Why IBM?

The IBM Business Resilience Framework and the IBM Business Resilience Transformation Lifecycle are part of a family of IBM offerings designed to make your business stronger and more competitive in the marketplace. Drawing on IBM's long-standing investment in On Demand Business, systems integration and best practices, IBM Business Continuity and Recovery Services offerings run the gamut from business and technology consulting services to technical solutions for implementation, and ongoing management of your business resilience program. Our customized solutions can help you at any stage of the process. IBM applies its unmatched global resources and deep business and technology expertise to your unique business needs.

For more information

To learn more about IBM's business resilience programs and offerings, contact your IBM sales representative, or visit: ibm.com/services/its/resilience

Copyright IBM Corporation 2005

IBM Corporation
IBM Global Services
Route 100
Somers, NY 10589
U.S.A.

Produced in the United States of America
10-05
All Rights Reserved

IBM, the IBM logo and the On Demand Business logo are trademarks of International Business Machines Corporation in the United States, other countries or both.

Other company, product and service names may be trademarks or service marks of others.

References in this publication to IBM products and services do not imply that IBM intends to make them available in all countries in which IBM operates.

1 Gordon, Larry, Business Resilience Study, The FactPoint Group, May 2005.

G510-6482-00