Building technology resilience: aspects and actions

This blog post was authored by Damon Owen - Managing Director, Technology Risk and Resilience and Dave Cozzens - Associate Director, Technology Risk and Resilience on Protiviti's technology insights blog.

This is the second in a two-part series exploring the benefits of technology resilience, its aspects and the steps involved to implement a technology resilience program. This post describes aspects of a successful technology resilience program and the steps to implementing one, either with external help or using an organisation’s own resources.

Building technology resilience is a continuous process. Technology resilience programs call for diligent monitoring, constant adaptation to evolving threats and continual evolution to respond to a shifting threat landscape. To begin with, they require a strong business case and well-articulated benefits to secure executive commitment and program funding. Then, continuous advancement of technology resilience capabilities is crucial to maintaining robust, secure infrastructure.

Technology resilience encompasses practices that maintain technology service availability even when normal operating conditions are disrupted. Its fundamentals include systems architecture that considers operational requirements and impact tolerances, anticipates failures and integrates countermeasures in its design. Essentials encompass monitoring and operational awareness to detect impending disruptions, delivering dashboards and reports to track resilience capabilities and trends as well as establishing automated scripts designed to respond to failure scenarios. Automated scripts can address failure identification and relocation, restoration and reconfiguration of systems, applications and database architectures, many of which are designed to be self-healing.

Technology resilience programs rely on retrospective analysis to restore system configurations to their normal operating states, determine causes underlying events and propose improvements to systems while also analysing health metrics to continuously improve resilience.

Aspects of the technology resilience program

Exploring aspects of a sound technology resilience program helps leaders appreciate the scope of the effort and informs the implementation approach for future success:

Strategic

- Developing a holistic strategy to align technology resilience with the organisation’s goals and objectives.
- Fostering cross-functional collaboration among information technology, security, operations and business departments to ensure the technology resilience strategy encompasses all interests.
- Extending resilience practices to include third-party risk management (TPRM) to ensure vulnerabilities do not spread from others. Contract language and third- and fourth-party capabilities must ensure trading partners can and will deliver required resilience features.
- Building in redundancy: components and systems that will provide automated failover capability.
- Investing in technology solutions such as advanced monitoring, artificial intelligence-driven analytics, and predictive modeling to mitigate effects of threats.
- Distributing systems across a diverse infrastructure encompassing multiple locations — and providers. This practice will reduce the impact of any single point of failure or local disruption.
- Integrating robust cybersecurity measures to prepare for and protect against breaches and attacks.
- Attesting, validating, simulating: testing technology resilience plans and capabilities regularly. These tests should include scenario-based simulations to ensure constant readiness.
- Providing ongoing training, skill development and awareness activities so resources know their roles and responsibilities regarding technology resilience. Aligning with risk and compliance efforts to inform teams about emerging threats. Establishing annual training in crisis management, business continuity and disaster recovery.

Operations

- Conducting regular, comprehensive risk assessments to identify vulnerabilities and help prioritise mitigation strategies and technology resilience efforts.
- Enhancing crisis management and incident response plans to deliver rapid, effective action when disruptions occur. Include communication with internal and external stakeholders, public and private authorities and emergency response organisations in these plans.
- Automating routine tasks, incident response and system recovery. Automation helps ensure rapid recovery and also delivers a consistent approach.
- Enabling resilience mechanisms that switch to backups when primary systems fail. Even better: enabling workload mobility and transaction portability so no such failover is ever needed.
- Implementing storage replication and database recovery tools to ensure data availability and consistency, while minimising any lost transactions and data.
- Performing regular backups to secure and isolated (off-line, “air gapped”) locations to protect data from encryption, corruption, destruction and loss. Enabling restoration of clean data to predetermined points in time.
- Implementing load balancing across multiple servers. Not only will this practice prevent overload and maintain system performance, but it will also result in a more resilient architecture.
- Employing monitoring and alerting tools to provide insights into system health in real time and to signal anomalies and failures.
- Establishing technology resilience program metrics and reporting to gauge effectiveness of efforts and report progress. Consider key performance indicators (KPI) like impact tolerance, recovery time objectives (RTO) and recovery point objectives (RPO) versus actuals, issue management and others.
- Maintaining clear, up-to-date documentation on system configurations, operational processes, recovery procedures and dependencies among business functions, applications, systems and services.

Steps to implement and operate an effective technology resilience program

Leaders must consider these ten key steps when implementing and enhancing technology resilience programs:

1. Identify technology risks and assess their significance to the organisation.
2. Validate technology resilience drivers like regulations, reputation, customers and stakeholders.
3. Develop the value proposition and calculate the program’s return on investment.
4. Develop a proactive approach to technology risk and its impact on organisational resilience.
5. Identify the leader accountable for the program, including communication about goals, responsibilities, and progress metrics and reporting.
6. Establish all roles and responsibilities involved in the program as the basis for performance assessment.
7. Work with lines of business to gain adoption. Consider using playbooks and performance evaluation processes as tools to promote adoption.
8. Develop consistent communication. Maintain the program’s visibility, renew executive commitment and conduct operational evaluations.
9. Strengthen the technology resilience program through periodic reevaluation, drills and testing and reporting against performance metrics including key performance indicators (KPI) and key risk indicators (KRI).
10. Mature the technology resilience program through continuous improvement and analysis of the evolving risk landscape.

Adapting to an increasingly disruptive threat landscape

Technology resilience programs enable organisations to adapt to an ever-evolving and increasingly disruptive threat landscape. These programs call for continuous advancement of technology resilience capabilities that maintain robust and secure infrastructures. Understanding the aspects of a quality technology resilience program and the actions needed to develop one is key to realising technology resilience benefits.

To learn more about our technology resilience solutions, contact us or download our Guide to Business Continuity and Resilience and refer to Achieving Resilience Starts at the Top.