Does your internal IT and Business agree on what IT applications matter the most?

It is IT security month, and we are all flooded with reminders on phishing e-mails, fake web pages, password tips, and so much more. It’s a marvellous initiative, allowing us all to participate in building better IT security.

But have you thought about what to do if you get hacked, and everything goes down? Do you agree with the business on prioritisation? Are you prepared for a critical business continuity situation?

We asked the Director of Software & Solutions at Arribatec EA & BPM, Terje Haugland, for his thoughts on the matter:

Is your IT department aligned with the rest of the business?

Haugland claims most companies forget to have an explicit agreement with IT regarding which IT applications matter the most in case of disaster.

– Over the last few years, I have asked many major Norwegian companies – and what I find is typically something like this:

• Many do not have an updated list of all IT applications they have.
• Some have a list of IT applications set to critical in case you get hacked and must bring everything up again.
• Few have discussed the above list with the business, meaning IT has to decide on this themselves.
• Almost none have checked this list against the critical work that the company must be able to perform in a disaster case.
• If the company gets hacked and everything goes down, the management will look for IT to fix it while the rest are in panic mode.

Haugland encourages you to ask your IT department about disaster recovery and if they have tested it.

What can you do about it?

Here is a simple list of things most companies can do:

1. Gather the list of IT applications in use in the company
   • Note! Excel sheets used as IT applications, named Power BIs used for critical decision making etc., should be included in the list!
2. Group them on a high level of their usage area
   • Often a company is functional-oriented, so do that. One list/map for HR, one for Finance etc.
3. Gather WHAT the area is doing
   • If your company has a management system, gather the business process list grouped with the same areas.
   • If you have an enterprise architecture gather the Business Capability list.
   • If none of the above – go to APQC and get a list for your industry and draw the line at the level 
4. Build one map showing the processes/capabilities together with the business area and ask them:
   • If we get hacked, and everything goes down, can you set red (giant impact), yellow (some impact), green (little impact) or grey (Not essential) when it comes to business continuity?
   • Business continuity here means what will have the most negative impact on our business continuity if we are not able to do this work
   • In HR, you will likely find that they say they need to pay people their salaries, but is it not very important to be able to do recruitment?
5. Ask the business for the red and yellow processes/capabilities
   • What are the most critical IT applications to be able to perform that work?

Now you have a list that IT and Business can agree on. Great!

Then what? Is a list enough?

For sure not. Now IT & Business have some jobs to do:

For IT:

1. Find the critical relationships needed for the necessary IT applications to work.
2. Check the IT security and if you need to take action to improve it – do it!
   • Typically, many will take action by moving to Saas IT applications or moving them to the cloud.
   • Secure the Excel sheets or remove them if they are critical for decision-making.
   • Get business ownership of IT applications – someone must represent the business! (Else you are back to IT talking to themselves).
3. Plan for disaster recovery
   • Do you need to have the same IT application set up somewhere else in a safe zone so you can start working straight away?
   • Can you have a backup plan that is not dependent on your AD?

For Business:

1. Work with IT on the disaster recovery plan
2. Work on your own disaster recovery plan by
   • Find out what work can be done manually.
   • Find other IT applications it would not be problematic to start using (ex SaaS options).
   • Create a “cut the crap” backup version of the business process to work as a guide for anything that MUST be done in case of disaster – and include what you have automated today that the missing IT application can no longer do.

Long term:

This above-mentioned is a project the first time around. But as you know – the world changes continuously. The market changes, but so do the internal priorities of a company (what is critical work), what becomes critical IT applications, and what becomes the necessary backup and disaster recovery plan. This should at least be updated once per year, but the best is to have this as a regular task.

Suppose the business changes the IT applications they use (or makes a new brilliant excel sheet). In that case, they need to take responsibility from the business end and initiate a plan with IT. This is called collaboration – and you cannot live without it.

We have done this before

Arribatec EA & BPM have done this before, and we discuss and help companies make IT and Business work together instead of in their silos.

Did you know that you can model the application perspective in our system QualiWare, giving you a complete overview of your IT applications? 

We provide your company with the tools needed (offered as SaaS, of course!) and Business Consultants that will guide you through. It is always fun to invent the wheel all over again – but this is where you don’t want to do that. Just find something that already works. Get in touch for a free demo.