Service continuity management: ITIL 4 Practice Guide

It is split into five main sections, covering:

• general information about the practice
• the practice’s processes and activities and their roles in the service value chain
• the organizations and people involved in the practice
• the information and technology supporting the practice
• considerations for partners and suppliers for the practice

1.1 ITIL® 4 Qualification scheme

Selected content of this document is examinable as a part of the following syllabus:

• ITIL Specialist High-Velocity IT

Please refer to the relevant syllabus document for details.

2.1 Purpose and description

The service continuity management practice helps to ensure a service provider’s readiness to respond to high-impact incidents which disrupt the organization’s core activities and/or credibility.

Ensuring service continuity is becoming more important and difficult. The service continuity management practice is increasingly important in the context of digital transformation, because the role of digital services is growing across industries. Major outages of services may have disastrous effects on organizations that, in the past, focused on non-technological disasters.

Wider use of cloud solutions and wider integration with partners’ and service consumers’ digital services are creating new critical dependencies that are more difficult to control. Partners and service consumers usually invest in high-availability and high-continuity solutions, but a lack of integration and consistency between organizations creates new vulnerabilities that need to be understood and addressed.

The service continuity management practice, in conjunction with other practices (including the availability management, capacity and performance management, information security management, risk management, service design, relationship management, architecture management, and supplier management practices, among others), ensures that the organization’s services are resilient and prepared for disastrous events.

The concept of risk is central to the service continuity management practice. This practice usually mitigates high-impact, low-probability risks which cannot be totally prevented (because some risk factors are not under the organization’s control, such as natural disasters).

In the simplest terms, this practice is much like the incident management practice, except that the potential for damage is much higher and it may threaten the service provider’s ability to create value.

The service continuity management practice is closely related to, and in some context may be merged with, the availability management practice within the service value system (SVS). It is also closely related to, and may be incorporated into, the business continuity management practice in a corporate context.

In a service economy, every organization’s business is service-driven and digitally enabled. This may lead to a full integration of the disciplines because the business continuity management practice is concerned with the continuity of digital services and service management. This integration is possible and useful where digital transformation has led to the removal of the borders between ‘IT management’ and ‘business management’ (see ITIL® 4: High-Velocity IT for more on this topic).

2.2 Terms and concepts

For internal service providers, the main objective of the service continuity management practice is to support the overall business continuity management practice by ensuring that, through managing the risks that could affect IT services, the service provider can always provide the relevant agreed service levels.

For external service providers, service continuity management equals business continuity management.

Business continuity professionals are also interested in dealing with such business crises as adverse media attention or disruptive market events. However, in this practice guide, the scope of the service continuity management practice is limited to operational risks.

2.2.1 Disaster (or disruptive incident or crisis)

ISO defines a disaster as ‘a situation with a high level of uncertainty that disrupts the core activities and/or credibility of an organization and requires urgent action’¹.

It is usually a good idea to explicitly define the list of events which are considered to be disasters. Doing so helps when developing a proper set of service continuity plans, which ensures organizational readiness for disruptive events.

A list of disasters generally includes:

• cyber attacks
• electricity outages
• failures of strategic partners
• fires
• floods
• key personnel unavailability
• large-scale IT infrastructure failures (such as data-centre failures)
• natural disasters.

Defining those events which are not disasters is equally important. Usually, the service continuity management practice does not cover:

• Minor failures. Failures should be considered minor or major based on business impact. It is important to consider factors such as the service actions that are affected, the scale of failure, time of failure, and so on².
• Strategic, political, market, or industry events.

To successfully recover from a disaster, a service provider should define the service continuity requirements. Service continuity requirements include:

• recovery time objective (RTO)
• recovery point objective (RPO)
• minimum service continuity levels (see Figure 2.1).

2.2.2 Recovery time objective

The main factors that should be considered in estimating the RTO are:

• the reduction in a service provider’s ability to deliver services and the costs associated with this reduction
• Service level agreement fines and regulatory judgments
• losses associated with diminished competitive advantage and reputation.

Business continuity professionals also use the term ‘maximum tolerable period of disruption/maximum acceptable outage (MAO)’ and distinguish them from the RTO.

ISO 22301:2012 provides the following definitions:

• MAO The time it would take for adverse impacts, which might arise as a result of not providing a product/service or performing an activity, to become unacceptable.
• RTO The period of time following an incident within which a product or an activity must be resumed, or resources must be recovered.

Following this logic, the RTO should be less than the MAO by an amount which accounts for the organizational risk appetite³. The MAO should be identified during business impact analysis. RTO should be defined during the development of service continuity plans.

2.2.3 Recovery point objective

RPO defines the period of time of acceptable data loss. If the RPO is 30 minutes, there should be at least one backup 30 minutes prior to a disruptive event so that, when the service is recovered, the data from the time 30 minutes or less prior to the disruptive event will be available when service delivery is resumed.

The main factors that should be considered in estimating the RPO are:

• criticality of the service that used the data
• criticality of the data
• data-production rate.

For example, an online shop takes 100 orders per hour. Executives say that losing 200 orders would be unacceptable. Therefore, the RPO is 2 hours.

The RPO defines the requirement for backup frequency. Backup management must ensure the availability of recent backup copy in case of disaster.

2.2.4 Minimum target service level

While recovering from a disaster, a service provider should usually provide the service at some minimum target service level. Even though there are no specific requirements from the customer, achieving a minimum service level can help to minimize losses.

The minimum target service level is usually defined in terms of:

• list of specific service actions and functionality points that should available to the users during a disruption
• limited number of users or specific group of users who should have access to the service during a disruption
• limited number of transactions per time period that users should be able to process during a disruption.

2.2.5 Business impact analysis

Business impact analysis (BIA) is a process of analysing activities and the effect that a disruption might have on them⁵.

According ISO 22301, business impact analysis should include:

• identifying activities that support the provision of products and services
• assessing the impacts over time of not performing these activities
• setting prioritized timeframes for resuming these activities at a specified minimum acceptable levels, considering the time within which the impacts of not resuming them would become unacceptable
• identifying dependencies and supporting resources for these activities, including suppliers, outsource partners, and other relevant interested parties.

2.2.6 Service continuity/disaster recovery plans

Service continuity plans guide the service provider when responding, recovering, and restoring a service to normal levels following disruption.

Service continuity plans usually include:

• Response plan This defines how the service provider initially reacts to a disruptive event in order to prevent damage, such as in cases of fire or cyber-attack.
• Recovery plan This defines how the service provider recovers the service in order to achieve the RTO and RPO.
• Plan of returning to normal operations This defines how the service provider resumes normal operations following recovery. For example, if an alternative data centre has been in use, then this phase will bring the primary data centre back into operation and restore the ability to invoke IT service continuity plans again.

In many a case, there is also a need for business continuity planning. Business continuity plans may include:

• emergency response to interface with all emergency services and activities
• evacuation plan to ensure the safety of personnel
• crisis management and public relations plan plans for the command and control of different crises and the management of the media and public relations
• security plan showing how all aspects of security will be managed on all home sites and recovery sites
• communication plan showing how all aspects of communication will be handled and managed with all relevant areas and parties involved during a major incident.

These plans are usually developed as part of the business continuity management practice.

2.3 Scope

The service continuity management practice includes the following areas:

• performing BIA to quantify the impact of service unavailability to the service provider and service consumers
• developing service continuity strategies (and integrating them into the business continuity management strategy, if relevant). This should include elements of risk mitigation measures as well as the selection of appropriate, comprehensive recovery options
• developing and managing service continuity plans (and providing a clear interface to business continuity plans, if relevant)
• performing exercises and testing the service continuity plans invocation in case of disaster.

There are several activities and areas of responsibility that are not included in the service continuity management practice, although they are still closely related to service continuity management. These are listed in Table 2.1, along with references to the practices in which they can be found. It is important to remember that ITIL practices are merely collections of tools to use in the context of value streams; they should be combined as necessary, depending on the situation.

Table 2.1 Activities related to the service continuity management practice described in other practice guides

2.3.1 The line between availability and continuity

The line between the service continuity and availability management practices is subtle. Both practices involve the concept of risk and work to identify and prepare for events that threaten to disable services. For both practices, either an understanding of VBFs and risk assessments or a BIA of service failures is required. Ultimately, both practices ensure the organization's resistance to failures.

Some organizations prefer not to separate the management of availability and continuity. However, there are some differences between the two practices, outlined in Table 2.2, that should be considered when designing a service management system.

Table 2.2 Distinction between Availability Management and Service continuity management

The service continuity management practice does not cover minor or short-term failures that do not seriously impact the organization. It focuses on risks associated with significant damage, regardless of how likely or unlikely they are to occur. Often, these are emergency situations: fires, floods, power outages, data centre failures, and so on. Although the availability management practice does not ignore the negative impacts of failures on the service provider and consumer, minor interruptions of individual components are also considered in the process.

There is a tension between the objectives of the practices. The availability management practice works with statistics and analyses trends; continuity management is concerned with how to respond to disruptive events.

Availability planning focuses on fulfilling current and future agreed requirements and avoiding deviations. The availability management practice finds and eliminates single points of failure; the countermeasures that are implemented are generally proactive and they reduce the likelihood of unwanted events. The service continuity management practice focuses on planning to manage the serious consequences of disruptive events. Backup sites, transitioning to alternative methods of service provision, and recovery procedures all reduce damage, but generally do not impact the probability of an incident.

2.3.2 Incident management

The activities of the incident management practice are very similar to those of the service continuity management practice. However, the incident management practice focuses on failures which do not threaten the organization’s resilience, whereas the service continuity management practice focuses on high-impact failures which can prevent the organization from resuming service delivery.

Again, the line between these two practices is subtle and should be clearly defined in terms of impact to the service provider and service consumers. At the same time, in some cases (usually in small, single-site service providers) service continuity activities may be performed as a part of major incident management.

When service continuity plans are in place and managed separately from incident management activities, there should be a clear criterion for triggering service continuity procedures. When assessing the business impacts of an incident, support specialists should determine whether the major incident may lead to a disaster and inform the crisis management group so that they can make a decision about invocation.

2.3.3 The role of the service continuity practice when managing risks

The concept of risk is central to the service continuity management practice. This practice generally focuses on mitigating high-impact, low-probability risks which cannot be totally prevented.

In order to mitigate risks, this practice focuses on minimizing expected losses so that, when disasters happen, they do not cause significant damage.

To ensure readiness regarding disruptive events, the service continuity management practice needs information about risks, which can be obtained through the risk management practice.

An effective service continuity management practice can contribute significantly to the organization’s risk management. A large number of risk-mitigation measures are related in some way to service-continuity options.

2.4 Practice success factors

A practice success factor (PSF) is more than a task or activity, as it includes components of all four dimensions of service management. The nature of the activities and resources of PSFs within a practice may differ, but together they ensure that the practice is effective.

The service continuity management practice includes the following PSFs:

• developing and managing service continuity plans
• mitigating service continuity risks
• ensuring awareness and readiness.

2.4.1 Developing and managing service continuity plans

To effectively respond to and recover from disasters, a service provider needs service continuity plans, which should reflect the chosen service continuity strategies. The service continuity strategies should be selected with respect to the service continuity requirements, which are identified during BIA.

Therefore, in order to develop and manage service continuity plans, the service provider should first perform BIA, then select the proper set of service continuity requirements, then define the service continuity strategy.

The Business Continuity Institute (BCI) defines the following continuity strategies⁶:

• diversification
• replication
• standby
• post-incident acquisition
• do nothing
• subcontracting

These are not one-time activities, so long as the service continuity requirements and the context of the service provider are changing; for example, when a service provider begins delivering their service to a new consumer. This event is a trigger for re-performing the BIA and updating the service continuity strategies. If there are no significant changes for a long period, BIA is generally performed once or twice a year and synchronized with risk assessment cycles. For more detail on BIA, refer to section 3.2.2.

2.4.1.1 Continuity plans

BCI introduces three levels in the response and recovery planning structure: strategic, tactical, and operational⁷, as shown in Table 2.3.

Table 2.3 Levels in the response and recovery planning structure

Depending on the scale of the organization and whether the service provider is internal or external, there may be different solutions for structuring the plans; the responsible body may also vary.

Depending on the type of service provider and the scale of the organization, the structure of the service continuity plans may be more or less complex. Some common structures are outlined in Table 2.4.

Table 2.4 Continuity plans structure options

Service continuity plans should cover the stages outlined in Table 2.5 following a disaster.

Table 2.5 Stages of response and recovery

Plans should be clear, concise, and action oriented. Generally, they should exclude information that does not directly apply to the recovery teams that use them. Procedures should be time-based and include information about possible delays and interrelations between plans and teams.

For details about the organizational structure of response and recovery, see section 4.2.

Plans should be clear, concise, and action oriented. Generally, they should exclude information that does not directly apply to the recovery teams that use them. Procedures should be time-based and include information about possible delays and interrelations between plans and teams.

For details about the organizational structure of response and recovery, see section 4.2.

2.4.2 Mitigating service continuity risks

The service continuity management practice includes the definition and management of controls to manage a wide range of risks. For this, it is used in conjunction with the risk management practice and other risk-focused practices (such as the capacity and performance management, availability management, and information security management practices). Agreed availability controls should be implemented through the service design, software development and management, and infrastructure and platform management practices⁸.

The service continuity options outlined in Table 2.6 may be designed and implemented as a part of the overall risk mitigation plan.

Table 2.6 The four dimensions of the service continuity management practice

If BIA of a service indicates an earlier and higher impact, more preventive measures need to be adopted. If the initial impact is lower and develops slowly, a more economically effective approach is to invest in continuity and recovery countermeasures.

When choosing service continuity measures, the effectiveness and efficiency of each option should be assessed⁹. It is also important to continually control and validate their ongoing effectiveness and efficiency.

• Effectiveness According to risk management principles, the effects of a service continuity measure should be assessed and compared to the expected losses of the disruptive event.
• Efficiency The cost of the service continuity measure should be assessed and compared to the benefit. The benefit is calculated by estimating the reduction in the probability of the disruptive event occurring after the measure is implemented and multiplying it by the expected impact to the service provider and customers if the event occurs. This value, in terms of cost, should be compared to the cost of the measure’s implementation. Cost benefit analysis can be used here.

2.4.3 Ensuring awareness and readiness

Recovery plans that have not been tested, often do not work as intended, if at all. Testing is therefore a critical part of service continuity management and the only way of ensuring that the selected strategy, implemented measures, and plans are actually working.

Testing service continuity plans is the way to check and increase readiness. By regularly revising the plans and procedures, recovery teams discover flaws and inefficiencies, then update the service continuity plans in order to reflect their findings.

BCI defines the following types of exercises¹⁰:

• walkthrough
• table-top exercises
• command-post exercises
• live
• test

The key characteristics and the purpose of each type, according the BCI Good practice Guidelines 2013, are outlined in Table 2.7.

Table 2.7 Exercise types

Exercises should be conducted at planned intervals and when there are significant changes which may impact the recovery. The higher the possible impact of service outage, the higher the frequency of exercising should be.

Exercising is not only a way of ensuring readiness, it is an improvement opportunity. So it is generally a good idea to analyse the findings made during the testing and overall recovery team performance, then produce exercise reports that include findings and recommendations.

2.5 Key metrics

The effectiveness and performance of the ITIL practices should be assessed within the context of the value streams to which each practice contributes. As with the performance of any tool, the practice’s performance can only be assessed within the context of its application. However, tools can differ greatly in design and quality, and these differences define a tool’s potential or capability to be effective when used according to its purpose. Further guidance on metrics, key performance indicators (KPIs), and other tools that can assist with this can be found in the measurement and reporting practice guide.

Key metrics for the service continuity management practice are mapped to its PSFs. They can be used as KPIs in the context of value streams to assess the contribution of the practice to the effectiveness and efficiency of those value streams. Some examples of key metrics are given in Table 2.8.

Table 2.8 Example metrics for practice success factors

The correct aggregation of metrics into complex indicators will make it easier to use the data for the ongoing management of value streams, and for the periodic assessment and continual improvement of the service continuity management practice. There is no single best solution. Metrics will be based on the overall service strategy and priorities of an organization, as well as on the goals of the value streams to which the practice contributes.

3.1 Value stream contribution

Like any other ITIL management practice, service continuity management contributes to multiple value streams. It is important to remember that a value stream is never formed from a single practice. The service continuity management practice combines with other practices to provide high-quality services to consumers. The main value chain activities to which the practice contributes are:

• deliver and support
• design and transition
• improve
• obtain/build
• plan

The contribution of the service continuity management practice to the service value chain is shown in Figure 3.1.

Figure 3.1 Heat map of the contribution of the service continuity management practice to value chain activities

3.2 Processes

Each practice may include one or more processes and activities that may be necessary to fulfil the purpose of that practice.

Service continuity management activities form five processes:

• governance of service continuity management
• business impact analysis
• developing and maintaining service continuity plans
• testing service continuity plans
• response and recovery.

3.2.1 Governance of service continuity management

This process includes the activities listed in Table 3.1 and transforms the inputs into outputs.

Table 3.1 Input, activities, and outputs of the governance of service continuity management

Figure 3.2 shows a workflow diagram of the process.

Figure 3.2 Workflow for the governance of service continuity management

These activities may be carried out with varying levels of formality by many people in the organization. Table 3.2 describes these activities further.

Table 3.2 Activities of service continuity management

3.2.2 Business impact analysis

This process includes the activities listed in Table 3.3 and transforms the inputs into outputs.

Table 3.3 Inputs, activities, and outputs of the business impact analysis process

Figure 3.3 shows a workflow diagram of the process

Figure 3.3 Workflow of the business impact analysis process

These activities may be carried out with varying levels of formality by many people in the organization. Table 3.4 outlines these activities further.

Table 3.4 Activities of the business impact analysis process

3.2.3 Developing and maintaining service continuity plans

This process includes the activities listed in Table 3.5 and transforms the inputs into outputs.

Table 3.5 Inputs, activities, and outputs of the developing and maintaining service continuity plans process

Figure 3.4 shows a workflow diagram of the process.­­­

Figure 3.4 Workflow of the developing and maintaining service continuity plans process

These activities may be carried out with varying levels of formality by many people in the organization. Table 3.6 outlines these activities further.

Table 3.6 Activities of the developing and maintaining service continuity plans process

3.2.4 Testing service continuity plans

This process includes the activities listed in Table 3.7 and transforms the inputs into outputs.

Table 3.7 Inputs, activities, and outputs of the testing service continuity plans process

Figure 3.5 shows a workflow diagram of the process.

Figure 3.5 Workflow of the testing service continuity plans process

These activities may be carried out with varying levels of formality by many people in the organization. Table 3.8 outlines these activities further.

Table 3.8 Activities of the testing service continuity plans process

3.2.5 Response and recovery

This process includes the activities described in Table 3.9 and transforms inputs into outputs.

Table 3.9 Inputs, activities, and outputs of the response and recovery process

Figure 3.6 shows a workflow diagram of the process.

Figure 3.6 Workflow of the response and recovery process.

These activities may be carried out with varying levels of formality by many people in the organization. Table 3.10 outlines these activities further.

Table 3.10 Activities of the response and recovery process

4.1 Roles, competencies, and responsibilities

The ITIL practice guides do not describe the practice management roles such as practice owner, practice lead, or practice coach. They focus instead on the specialist roles that are specific to each practice. The structure and naming of each role may differ from organization to organization, so any roles defined in ITIL should not be treated as mandatory, or even recommended. Remember, roles are not job titles. One person can take on multiple roles and one role can be assigned to multiple people.

Roles are described in the context of processes and activities. Each role is characterized with a competency profile based on the model shown in Table 4.1.

Table 4.1 Competency codes and profiles

Examples of the roles involved in the service continuity management practice are listed in Table 4.2, together with the associated competency profiles and specific skills.

Table 4.2 Examples of roles with responsibility for service continuity management activities

4.2 Organizational structures and teams

Disasters are high-impact events, so responses must be very quick; the coordination of response and recovery activities requires flexibility. Therefore, the business-as-usual structure is not relevant for disasters.

During the recovery process, the organizational structure is generally based around the levels of continuity plans. The levels of organizational structure for response and recovery are outlined in Table 4.3.

Table 4.3 Organizational structure for response and recovery

5.1 Information exchange, inputs/outputs

The effectiveness of the service continuity management practice is based on the quality of the information used. This information can include:

• consumer’s business processes
• services and their architecture and design
• partners and suppliers and information on the services they provide
• regulatory requirements regarding service continuity
• technology and services available on the market that may be relevant for service continuity arrangements

The key inputs and outputs of the practice are listed in section 3.

Service continuity plans are the core of the practice. They should be up to date and available for all involved parties.

5.2 Automation and tooling

Especially in large-scale organizations, the service continuity practice should be automated. Where this is possible and effective, it may involve the solutions outlined in Table 5.1.

Table 5.1 Automation solutions for service continuity management activities

Very few services are delivered using only an organization’s own resources. Most, if not all, depend on other services, often provided by third parties outside the organization (see section 2.4 of ITIL® Foundation: ITIL 4 Edition for a model of a service relationship). Relationships and dependencies introduced by supporting services are described in the practice guides for service design, architecture management, and supplier management.

Partners and suppliers may provide critical products and service components. The service provider needs to negotiate and agree service continuity requirements with partners and suppliers in order to meet service continuity requirements.

Partners and suppliers may also provide continuity services and solutions, such as backup site, on-demand computing, disaster recovery as a service, and so on. In these cases, they should also be involved in service continuity plan development, testing, and execution.

Most of the content of the practice guides should be taken as a suggestion of areas that an organization might consider when establishing and nurturing their own practices. The practice guides are catalogues of topics that organizations might think about, not a list of answers. When using the content of the practice guides, organizations should always follow the ITIL guiding principles:

• focus on value
• start where you are
• progress iteratively with feedback
• collaborate and promote visibility
• think and work holistically
• keep it simple and practical
• optimize and automate

More information on the guiding principles and their application can be found in section 4.3 of ITIL® Foundation: ITIL 4 Edition.

AXELOS Ltd is grateful to everyone who has contributed to the development of this guidance. These practice guides incorporate an unprecedented level of enthusiasm and feedback from across the ITIL community. In particular, AXELOS would like to thank the following people.

8.1 Authors

Pavel Demin

8.2 Reviewers

Dinara Adyrbai, Roman Jouravlev

References

1. ISO 22300:2012

2. See the availability management practice guide for details.

3. BCI Good practice guidelines 2013

4. ISO 22301:2012

5. BCI Good practice guidelines 2013

6. BCI Good practice guidelines 2013

7. BCI Good practice guidelines 2013

8. Risk management practice

9. For details see Risk management practice.

10. BCI Good practice guidelines 2013

11. An Introduction to Factor Analysis of Information Risk (FAIR)

12. ISO 22301:2012

13. See 4.2 for details