Do your internal IT and Business agree on which IT applications matter the most? And do you have a plan?

It is the IT security month, and we are all flooded with reminders on phishing e-mails, fake webpages, password tips and so much more. Great – this is something we all can participate in to have better IT Security.

But have you thought about what to do if you get hacked and everything goes down? Do you agree with the business on prioritisation? Are you prepared for a critical business continuity situation?

We asked our Director of Software & Solutions at Arribatec EA & BPM, Terje Haugland, for his thoughts on the matter:

I claim most companies have forgotten to have an agreement between IT and the Business when it comes to what IT applications matter the most in case of disaster! I bet your company is not in a good position either. How can I say that? Over the last few years, I have asked many major Norwegian companies – and what I find is typically something like this:

  • Many do not have an updated list of the IT applications the business has and uses.
  • Some have a list of what IT applications are set to critical in case you get hacked and must bring everything up again.
  • Few have discussed the above list with the business and so have an agreement (meaning IT has come up with this themselves).
  • Almost none have checked this list against the critical work that the company must be able to perform in a disaster case.
  • If you dare – ask your IT about disaster recovery and if they have tested it.

It is true that if you get hacked and everything goes down, your whole company will pray and look to IT to fix it while the rest are in panic mode.


What can you do about it?

Here is a simple list of things most companies can do:

  1. Gather the list of IT applications in use in the company
    • Note! Excel sheets used as IT applications, named Power BIs used for important decision making etc. should be included in the list!

  2. Group them at a high level by their usage area
    • Often a company is functionally oriented, so do that. One list / map for HR, one for Finance etc.

  3. Gather WHAT the area is doing
    • If your company has a management system, gather the business process list grouped with the same areas.
    • If you have an enterprise architecture, gather the Business Capability list.
    • If none of the above – go to APQC and get a list for your industry and draw the line at level 3.

  4. Build one map showing the processes / capabilities together with the business area and ask them:
    • If we get hacked and everything goes down, can you set red (big impact), yellow (some impact), green (little impact) or grey (not important) when it comes to business continuity?
    • Business continuity here means what will have the most negative impact on our business continuity if we are not able to do this work.
    • In HR you most likely will find that they say they need to be able to pay people their salaries, but it is not very important to be able to do recruitment.

  5. Then ask the business, for the red and yellow processes / capabilities:
    • What are the most critical IT applications to be able to perform that work?

Now you have a list that IT and Business can agree on. Great!

Then what? Is a list enough?

For sure not. Now IT and Business have some work to do.

For IT:
  1. Find the critical relationships needed for the critical IT applications to work.

  2. Check the IT security and if you need to take action to improve it – do it!
    • Typically, many will take action by moving to SaaS IT applications or moving them to the cloud.
    • Secure the Excel sheets or get rid of them if they are critical for decision making.

    • Get business ownership of IT applications – someone must represent the business! (Else you are back to IT talking to themselves).

  3. Plan for disaster recovery
    • Ex. Do you need to have the same IT application setup somewhere else in a safe zone so you can start working straight away?
    • Ex. Can you have a backup plan where you are not dependent on your AD?

For Business:
  1. Work with IT on the disaster recovery plan

  2. Also work on your own disaster recovery plan by

    • Finding out what work can be done manually.
    • Finding other IT applications that it would not be problematic to start using (e.g. SaaS options).
    • Creating a “cut the crap” backup version of the business process so that it works as a guide for anything that MUST absolutely be done in case of disaster – and include what you have automated today that can no longer be done by the missing IT application.

Long term:

The above is a project the first time around. But as you know – the world changes continuously. The market changes, but so do the internal prioritizations of a company (what is critical work), what becomes critical IT applications, what becomes the critical backup and disaster recovery plan. This should be updated at least once per year, but the best is to have this as a regular task to be done.

If the Business changes the IT applications they use (or makes a new brilliant Excel sheet) they need to take the responsibility from the business end and initiate a plan with IT.

This is called collaboration – and you cannot live without it!

We have done this before

We at Arribatec EA & BPM have done this before, and we discuss with and help companies make IT and Business work together instead of in their own silos.

Did you for instance know that you can model the application perspective in QualiWare, giving you full overview of your IT-applications?

We provide your company with the tools needed (offered as SaaS of course!) and Business Consultants that will guide you through this! Of course, it is always fun to invent the wheel all over again – but is this the place you really want to do that – or just take something that works?

Want to know more about how you can prepare and how we can help? Contact us today

