In March 2023 Inoni won a competitive tender to provide IT Service Impact Analysis (IT SIA) and resilience consultancy to a reputable UK city University with over 40,000 students and 5,000 staff.
They needed help to establish a full set of IT DR-related metrics for the 400+ key systems and services identified in the University’s IT Service Catalogue. A secondary objective was to provide a gap analysis of IT-related continuity and resilience documentation, with a view to aligning with best practice standards, including ISO 22301 and 22316.
What were the drivers for the project?
What our client said: "We wanted to understand the true, accurate visualisation of the BIA and understanding the impacts both upstream and downstream from every asset taking into consideration a full risk assessment over time whilst understanding how that maps to our service catalogue.
It was very obvious from the onset of the tender process that Inoni had the expertise, understanding and tooling required to undertake the contracted work within the required timescale. This was in addition to the fact that the consultants who were to undertake the work all held, at a minimum, the professional grade of MBCI from the Business Continuity Institute; this demonstrated a depth of knowledge and understanding that they could hit the ground running in complex projects and environments."
Inevitably, the IT analysis inherited the University’s overall continuity priorities and deadlines, so our first step was to confirm the University’s tolerance to disruption of its critical products and services, asking senior managers for their relevant opinions and judgement. We asked them about the business continuity scenarios the University might face and for which IT would need to deliver a reliable, timely response. We modelled this, inferring the expected pattern of IT service disruption arising from each business scenario, taking account of seasonal variation and incident severity.
We then used IT’s risk register to expand the scenario list to include other significant IT failure modes that the business would not necessarily be aware of but that would require a dedicated IT response or runbook. These included individual and collective IT service failures with the potential to exceed the University’s impact tolerance.
Our next step was to interview the heads of each IT function and identify all critical IT processes, skills, applications, information, sub-systems, resources, equipment, infrastructure, and suppliers. We added these to the Map, automatically calculating self-consistent MTPDs and risk for each asset, adding RTOs and RPOs, and recording its recovery-responsible owner. Automatic validation of the resulting dependency network provided the basis for the resilience improvement programme.
We completed the work by delivering a final presentation to IT senior management summarising what we found and providing specific recommendations for improvement. We also provided a detailed 60+ page IT Services Impact Analysis Report, with sections covering impact profile, impact analysis, risk assessment, scenarios, improvements, resilience, and documentation gap analysis.
What was your impression of our approach and delivery?
What our client said: "Inoni set out from the onset their expected requirements from ourselves; this permitted uninterrupted schedules of work to take place, minimising cost and time. In particular, the consultant's understanding and depth of knowledge allowed the information gathered to map directly into the Inoni toolset and evidencing the BIA documentation and associated plans etc.
Inoni suggested and agreed to undertake set payment milestones within the project, demonstrating their ability to deliver expectations on time and to budget. Weekly reviews ensured the project remained on target and to plan."
Our key findings and recommendations related to the effects of documentation (or its absence) on resilience, business options to improve IT resilience value, technology architecture design and implications, skills sufficiency, supply chain due diligence, and confidence in IT through testing. Our recommended next steps included mitigating impact and risk hotspots, developing runbooks for IT scenarios (planning), and assuring claimed capability (testing).
To what extent have your objectives been satisfied?
What our client said: "The work undertaken has permitted us to map our recovery requirements (service catalogue) to our recovery capability through a service & product BIA and fully understand areas of the estate that require investment and development. We are also now in a position to overlay qualitative and quantitative risk modelling to the upstream and downstream impacts of every in-scope asset."
The programme was scheduled to complete within 12 weeks, and completed within budget and slightly earlier than planned, with a highly successful outcome. The University has now adopted the Inoni methodology and software for its continued internal use.
What benefits have you seen following the completion of the project?
What our client said: "We have been able to fully realise our recovery requirements of the service catalogue to our actual recovery capability, in readiness to fully deploy ISO22301 Sect. 8.5 exercise & testing in conjunction with a training and skill analysis to further develop our resilience model and metrics.
We can now deploy security and resilience by design from concept to implementation and now resilience management in our daily operations."