The 'e' in 'e-business' appears also in 'threat', 'disaster' and 'downtime', as businesses that depend increasingly on their online activities are finding. Computer problems that once might have affected only back-office operations now threaten e-businesses' all-important online presence and their communication with customers. Furthermore, business in cyberspace is also vulnerable in new ways.
"Value chains are dividing into two interdependent streams, one consisting of processes in the physical world, and the other made up of information flows in the virtual realm," according to Felipe Alonso of KPMG's Risk and Advisory Services.
"Organisations increasingly operate in multiple locations and depend on information systems. Business processes are carried out in real time, so a disruption has consequences along an entire value chain. The effects of downtime are measured in hours or even minutes, instead of days." The total cost to business of unplanned downtime is estimated by KPMG as US$1.6 trillion, in lost revenues alone, worldwide during 2000.
The more an organisation relies on e-business, the heavier the impact of downtime is. Last year, a survey commissioned by HP on Silicon.com showed that more than a third of the companies polled were already generating more than 10% of their revenue online; by 2003, three quarters of them expected to be in the same position. A few were already earning more than half their revenue from online sources.
Yet nearly all had experienced downtime. Nine out of ten of them had experienced more than an hour's loss of systems in the previous year, while one in seven had suffered downtime of more than 36 hours. According to separate KPMG research, that is potentially crippling, as 24% of organisations say more than two hours of downtime is unacceptable, while an additional 48% say that more than 24 hours is intolerable.
Alarmingly, though, it appears that few organisations have sufficient resilience to escape these interruptions unscathed. Although roughly two thirds of companies do have corporate-wide disaster recovery plans in place, according to KPMG, about the same proportion admit that they failed to fully meet their disaster-recovery objectives the last time trouble struck.
The effects can be incalculable. IT downtime is "a catastrophe," as one manager in the HP/Silicon.com survey put it. "We lose money and, just as important as money, our customers lose faith with us. They insist on a fast reliable professional service, just as we do when contacting other businesses on a day-to-day basis."
Among the effects cited were:
Moreover, in an e-business where online presence is an integral part of the organisation's image and function, downtime problems can damage the brand and ultimately decrease shareholder value.
Know your e-enemy
The first step toward protection is to define the problem. The events of September 11 last year have focused attention on large-scale catastrophes, but any IT manager knows that the devil is often in the detail: hardware failure, malfunctioning sprinkler systems, even an accidentally pulled plug. E-business also has its particular dangers, such as hacking, viruses, and denial of service (DoS) attacks, where systems are intentionally flooded with so much electronic communication that they can't cope and seize up.
Add to that grim list the risks beyond the organisation's direct control. These may be problems in other areas of the internet, affecting routers, domain name servers, or the 'pipes' that carry large parts of the net's traffic. Although the internet's precursors were designed to be super-resilient, rerouting communications to avoid problems, many e-businesses find that a massive slowdown in connections is equivalent to a complete cut-off.
To exacerbate the problem, traffic to a web site may actually increase during well-publicised emergencies, as customers try to find out what is going on, points out InterOPS Management Solutions, which provides monitoring and management services for e-business.
Experts agree that e-businesses' utter dependence on IT, and the new threats they face, call for responses which go further than the old-fashioned disaster recovery plan. Says Alonso: "A capabilities gap has developed, and is widening, between the cost of downtime and the effectiveness of traditional response mechanisms. The key question for leaders is no longer 'How do I respond in the event of a crisis?' Rather, organisations have to ask 'How do I manage risk so that I'm always there for my customers and stakeholders?'"
In other words, plan around outcomes, not specific threats. Instead of pondering 'what would we do if there was a fire in the data centre?', consider 'how can we ensure that the web site is up 99.99% of the time?' - an exacting demand, but one now often made for critical infrastructure.
The first step is to assess current recovery capabilities, allowing managers to see clearly the value that alternative strategies will add, the commitment they call for, and the potential cost of not pursuing them.
Vendors and consultants stress that solutions must, of course, suit businesses' individual situations. If an organisation can survive 24 hours or longer without a particular system (unlikely in an e-business), a simple reaction plan, focused on overcoming the effects of a single catastrophe, may suffice. However, such a plan takes no account of the cumulative effects of smaller periods of downtime - the loss of customer confidence in a periodically inaccessible web site, for example.
Act, don't respond
Where a business cannot tolerate more than a few hours of downtime, it is necessary to proactively control the availability of systems. And, even within a single organisation, different systems call for different responses. 'An application used to create internal memorandums or system documentation could afford to be offline for a period of time, while a content management system serving dynamic content to an e-commerce server would require and possibly mandate zero downtime,' points out a white paper from Documentum, a provider of content-management software.
At the core of most e-business continuity plans is the concept of redundancy: provide more computing power, more connectivity and so on than is actually required day by day, so if some is lost the remainder can take up the slack.
New twists are also emerging on the traditional safeguards of secure backups, duplicated data centres and so forth. Take, for example, distributed computing in its various manifestations, such as grid computing, or utility computing. This is a notion developed not simply for business continuity, but to help exploit the reservoirs of untapped computing power that lie within any organisation. According to some estimates, as little as 10% of a system's potential may actually be used.
In response to this wastage, advocates of distributed computing say that all the IT power in an organisation should be pooled and treated as a common resource, much like electricity in a national grid system. From a business continuity perspective, the increased failure tolerance of such a setup is obvious.
Growing interest in Internet Protocol (IP) networks, which use the same basic technology as the internet for an organisation's own internal network, may also help. IP networks can 'compete more effectively in terms of recovery and continuity,' according to AT&T.
System management, as well as performance, is also a continuity issue. Automated management of servers and applications can help detect e-business problems before they become critical, for example by capturing user sessions.
Moreover, "In addition to protecting e-business applications and infrastructure, attention must be given to protecting [their] management," argues InterOPS, pointing out that system management may be at a separate facility, and must be able to continue if operations are relocated in an emergency. There is little point in restoring operations if systems are going to fall over again because they can't be controlled.
The broader picture
Continuity considerations extend beyond the e-business itself. 'To cope, organisations that depend on collaboration with third parties should extend business continuity capabilities to these components of their value chains,' says InterOPS. 'In addition to improving the stability of a value chain, the benefits can include improved customer service, marketplace responsiveness, and mutual trust.'
Indeed, organisations ignore threats beyond their own firewall at their peril. Security solutions provider Vigilinx, in a study of one retailer's e-commerce environment, found that 'the retailer's partners created security exposure.'
Solutions that improve continuity can also have other positive benefits, helping to sell them to boards ever-conscious of the return on e-business investment. For example, where data is replicated, some demanding tasks, such as data mining, can be run on the replicas without affecting the performance of customer-facing systems.
Naturally, few benefits come without a downside, but, whatever the challenges, e-businesses cannot afford to ignore worst-case scenarios.
Barnaby Page is a freelance journalist