Consistent preparation is key

Safeguarding business continuity has become significantly more complex and difficult now that supply chains stretch around the globe, and the digital revolution requires companies to commit to consistent and ongoing preparation for both physical and technology disruptions.

Today, the ability to identify and respond to unexpected events and disruptions has become increasingly critical across so many dimensions—reputational, financial, regulatory, legal, health, and safety—that it has risen at many organizations to the top of the corporate agenda.

While there are implications and dependencies across the enterprise, Chief Information Officers and Chief Technology Officers have a foundational responsibility to build a resilient technology stack and IT operating model that can help their organization weather unexpected challenges to business continuity.

Easier said than done, of course, but following are seven concrete steps CIOs can take to make sure their tech stack and IT operating model have the resilience needed to perform under duress:

  1. Start by identifying those services and systems critical to the business and its customers—as well as the people, locations, and vendors that support those services and systems.
  2. With that map in hand, identify and assess for risk all data elements, both at rest and in transit, required to keep the organization’s critical business operations humming. Data, and the assets that handle it (applications, infrastructure, and so on), must be carefully managed to an acceptable level of risk by committing the resources necessary to sustain Recovery Point Objectives (RPOs) and Recovery Time Objectives (RTOs). Resources should come from across the enterprise, not just from the technology organization.
  3. Plan for complex and sophisticated attacks. Plan, for example, for a ransomware attack in which data security is threatened, and large-scale recovery and restoration efforts may be needed, or for geopolitical developments that could disrupt a key vendor’s ability to deliver on its service level agreements. Leaders should model and discuss impacts of threats to technology and all areas of the enterprise.
  4. In developing the IT operating model, ensure that resilience is a foundational consideration during the planning, development, delivery, enhancement, and maintenance of any new applications or systems introduced into the technology stack. This model should bring diverse parts of the enterprise—business, legal, risk and compliance, and all aspects of the IT organization, including cybersecurity—together with well-defined roles and responsibilities and clear handoff and escalation paths.
  5. Digitize and automate resilience processes through contemporary, market-leading platforms to improve recovery consistency and efficiency. For example, the IT organization may want to standardize recovery plan documentation and store it in a location or system that remains accessible during an outage. Automate recovery testing, infrastructure recovery, and application recovery using scripting and tools. Use artificial intelligence for anomaly monitoring and detection. Secure broad support for such efforts across the enterprise, help ensure people are aware of the residual responsibilities they retain in making effective use of the technology, and ask for ideas that could improve it.
  6. Regularly test resilience and recovery systems and processes to validate that they can be relied upon. Training exercises should be frequent and robust, escalating in complexity as the organization matures, and scenario-driven—and not always announced ahead of time. These efforts should always include a review of lessons learned that feeds action plans addressing the findings to a level of acceptable risk.
  7. Include resilience requirements in the company’s vendor management program, and hold critical vendors, including cloud service providers, to a higher standard of availability and recovery than less critical partners. Negotiating these levels should be done in close alignment with business objectives.
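Steps 2, 5 and 6 above hinge on one question that is easy to answer on paper and hard to answer with evidence: does each critical service actually meet its stated RPO and RTO? The following is an added example, not code from the article or from KPMG, of the kind of automated check step 5 calls for. It compares each service's objectives against two pieces of evidence: when its newest backup completed, and how long the last measured restore test took. All service names, objectives, timestamps and the 90-day "stale test" threshold are constructed sample values.

```python
"""Added example: check stated RPO/RTO objectives against recovery evidence.
Not part of the original article; all data below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ServiceObjective:
    name: str
    rpo: timedelta  # maximum tolerable data loss (age of newest usable backup)
    rto: timedelta  # maximum tolerable time to restore the service


@dataclass(frozen=True)
class RecoveryEvidence:
    service: str
    last_backup_at: datetime                          # completion time of newest backup
    last_restore_test_duration: Optional[timedelta]   # measured restore time; None = never tested
    last_restore_test_at: Optional[datetime]          # when that restore test ran


def assess_recovery_objectives(
    objectives: List[ServiceObjective],
    evidence: List[RecoveryEvidence],
    now: datetime,
    max_test_age: timedelta = timedelta(days=90),   # constructed threshold for "stale" tests
) -> Dict[str, List[str]]:
    """Return service name -> sorted list of finding codes.

    An empty list means the service currently meets its objectives on the
    evidence given. A service with no evidence at all is a finding in itself:
    an objective nobody has measured against cannot be relied upon.
    """
    by_service = {e.service: e for e in evidence}
    findings: Dict[str, List[str]] = {}
    for obj in objectives:
        issues: List[str] = []
        ev = by_service.get(obj.name)
        if ev is None:
            issues.append("NO_EVIDENCE")
        else:
            # RPO: data written since the newest backup would be lost on failover.
            if now - ev.last_backup_at > obj.rpo:
                issues.append("RPO_BREACH")
            # RTO: only a measured restore counts; an untested plan is an assumption.
            if ev.last_restore_test_duration is None:
                issues.append("RESTORE_UNTESTED")
            else:
                if ev.last_restore_test_duration > obj.rto:
                    issues.append("RTO_BREACH")
                if ev.last_restore_test_at is None or now - ev.last_restore_test_at > max_test_age:
                    issues.append("RESTORE_TEST_STALE")
        findings[obj.name] = sorted(issues)
    return findings


# Constructed sample inventory: four critical services and the evidence on file.
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)

OBJECTIVES = [
    ServiceObjective("order-api", rpo=timedelta(hours=1), rto=timedelta(hours=2)),
    ServiceObjective("payroll-db", rpo=timedelta(hours=24), rto=timedelta(hours=8)),
    ServiceObjective("customer-portal", rpo=timedelta(hours=4), rto=timedelta(hours=4)),
    ServiceObjective("legacy-reporting", rpo=timedelta(days=7), rto=timedelta(days=2)),
]

EVIDENCE = [
    # backed up 20 minutes ago, restored in 45 minutes ten days ago: healthy
    RecoveryEvidence("order-api", NOW - timedelta(minutes=20),
                     timedelta(minutes=45), NOW - timedelta(days=10)),
    # newest backup is 30 hours old, last restore took 12 hours and ran 120 days ago
    RecoveryEvidence("payroll-db", NOW - timedelta(hours=30),
                     timedelta(hours=12), NOW - timedelta(days=120)),
    # backups are current but a restore has never been exercised
    RecoveryEvidence("customer-portal", NOW - timedelta(hours=1), None, None),
    # legacy-reporting has an objective on paper and no evidence at all
]


def run_sample() -> Dict[str, List[str]]:
    return assess_recovery_objectives(OBJECTIVES, EVIDENCE, NOW)


if __name__ == "__main__":
    for name, issues in run_sample().items():
        print(f"{name:18s} {'OK' if not issues else ', '.join(issues)}")
```

The point of treating "never tested" and "no evidence" as findings rather than as missing data is step 6's argument: a recovery objective is only as good as the last time it was proven. Wiring a check like this into the backup platform's reporting gives the enterprise-wide owners from step 2 a single list of services whose stated objectives the organization cannot currently demonstrate.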

As KPMG professionals work with clients across industries, we see a number of areas where organizations often stumble in their efforts to build a resilient technology stack and IT operating model.

One common mistake is to treat the challenge solely as a technology problem. By bringing their peers in the business into the planning process, CIOs can develop a resilience strategy that protects what is most important to the enterprise—without veering down digital alleys and byways that can sap resources and momentum. At times this may mean adopting new systems or applications on an interim basis, which in turn require additional IT consideration.

In the same vein, organizations sometimes look to a specific tool as the solution to resilience. But individual tools—especially off-the-shelf varieties that can’t be highly tailored to your organization—may struggle to deliver what your business needs. Indeed, retrofitting existing platforms with bolt-on tools often fails to yield optimal results. CIOs can sidestep this problem by performing requirements gathering for a tool, ranking features from “must have” to “good to have” to “expendable,” and then performing a market scan to identify the tools that can best meet those requirements.

Finally, too many organizations are not testing their recovery processes with enough rigor to prove that value chains can be quickly restarted following a disruption. A robust testing routine is one of the only ways to make sure resilience measures that make sense on paper can truly be relied upon in the field.

If you’re concerned that your organization’s tech stack and IT operating model aren’t sufficiently resilient, take some time over the next few months to get answers. Define the risks to your business and the gaps in your current capabilities. Then, start building and executing against a delivery strategy to reduce resilience risk to an acceptable level.

At KPMG, we apply our extensive experience and deep domain knowledge every day to helping CIOs build modern IT organizations fit for tomorrow. To learn more about how KPMG firms could help your business create a more resilient technology stack and IT operating model, please contact us.

  
