Quantifying the Risk of ERP Downtime & the Quest for Operational Resiliency

How do you define downtime? In the world of IT, downtime is defined as “time during which a machine, especially a computer, is out of action or unavailable for use.”

In a pre-cloud or pre-SAAS era, that definition provided an acceptable description of what actually took place, and the responsibility of “fixing” was often placed upon internal resources or contractors under contract with the organization. When it came to understanding the cost of downtime, it was a rather straightforward exercise for most organizations. Thus, measuring risk and potential availability impacts of making changes could be a mathematical formula to aid in decision making.

Then, everything changed. Cloud-first strategies were adopted, third-party service level agreements (SLAs) became incredibly important and cost models shifted from CAPEX (capital expenditure) planning to OPEX (operational expenditure) planning. Downtime is now an outage, and the costs and risks are much harder to calculate. Thus some applications, such as ERP technologies, have lagged behind other applications due to their importance within the organization—they can’t risk these mission-critical applications going offline.

Balancing Transformation, Change and Availability

The cloud mindset around ERP is evolving. As ERP technologies go through their own digital and cloud transformations, understanding how to handle change, risk, downtime, and outages present new challenges for all CISOs and CIOs to consider. One thing is certain – no matter what the strategy, change is constant, even in the world of ERP, and with each change, you risk downtime and/or an outage.

The cost of overlooking these types of changes can be financially devastating or even result in litigation for the end organizations in litigations. An article published by CIO Magazine in March of 2020 detailing 16 examples of where ERP change events took place and, due to poor planning, left the organization paying millions.

Many of these change issues occur because of data conversion and migration issues. Most organizations have mature change management processes, so why does this still happen? The simple answer is that unlike most applications, ERP lacks strong impact analysis tools that allow them to avoid downtime events.

Quantifying ERP Downtime and Risk

As a provider of ERP technologies and solutions, I see the value in providing a cost or score behind these types of outages or downtime events so the multiple organizations that leverage these systems can learn and iterate as necessary. At Onapsis, we began our journey by looking at one critical metric of change—vulnerability management and cybersecurity risk. As our knowledge of our customers and industries increases so, in fact, does that ability to provide a rating based on other factors of your ERP posture. We now look at not only the organization’s cybersecurity risk, but have expanded to code development and SAP change management. 

We are taking a deeper look into what an actual outage is within the context of business. Certainly, the total loss of an application has a drastic impact on an organization. Realistically though, it doesn’t need to be that extreme. The fact of the matter is if a business function relies on even just one program within the ERP ecosystem, it is costing the company time and money if it goes offline. These situations can be caused by a variety of factors. During our examinations we look at several, for example:

  • Change import errors
  • Application Downgrade Events
  • Data Downgrade Events 
  • Table Conversions 
  • Application Offline Events

Recently, Onapsis put together new offerings to help shine a light on these issues and to allow organizations to understand how they can better avoid downtime. The Operational Resiliency Assessment gives you an understanding of where you are today and what changes you can implement to ensure you maintain service levels and always-on applications. 
This assessment is complementary and run remotely. It takes less than two hours to complete and does not require installation of any software or access to production systems. Learn more or request an assessment of your environment here
As mentioned above, we know change management and operational resiliency are only one aspect of protecting your mission-critical applications. We also offer assessments on Audit Efficiency to help you eliminate resource-consuming manual audit processes, and Cyber Risk to help reduce vulnerabilities and misconfigurations within your SAP and Oracle EBS applications.

View Onapsis Resources