SESSION 706 Friday, November 4, 9:00 AM - 10:00 AM

Track: Security, Risk, and Vulnerability

Risk-Based Capacity Planning

Michael Costigan Service Manager,CSRA costiganmd@verizon.net

Session Description

Truly proactive capacity management eludes many organizations. Modern service and performance management tools collect and present a plethora of data, but how can you effectively use that data? This session will provide mid- and upper-IT management with methods for translating service and component utilization and performance data into actionable capacity plans. You’ll explore how to develop risk-based patterns of business activity (PBAs) and use these PBAs to make proactive, risk-aligned capacity decisions. (Experience Level: Intermediate)

Speaker Background Michael Costigan is an ITIL Expert, trainer, and ITSM consultant. He currently serves as the capacity manager at the Federal Deposit Insurance Corporation, where, as CSRA’s ITIL fireman, he’s called upon to solve the most difficult ITSM challenges. Over the past eight years, Michael has supported more than fifteen commercial and US federal customers.

Risk-Based Capacity Planning

Michael Costigan

How is your Capacity Planning?

• Do you seldom have enough capacity for your IT services?

• Are you unsure about how much capacity you really need?

• Are you having trouble justifying your capacity needs?

• Do you over-provision just to “make sure” you have enough capacity?

• Do your vendors penalize you for last minute capacity surges?

If you answered “yes” to any of these questions, then taking a risk-based approach to your capacity planning can help.

Learning Objectives

By the end of this session, you should be able to• Compare and contrast traditional vs. risk-based capacity planning

• Understand statistical and risk management principles behind risk-based capacity planning

• Apply risk tolerance in capacity planning

• Understand the challenges of implementing risk-based capacity planning

These objectives are interwoven throughout the presentation

Capacity Management

• Ensures capacity of IT services and infrastructure meets agreed capacity- and performance-related requirements timely and cost-effectively• Business Capacity Management

• Service Capacity Management

• Component Capacity Management

• Works closely with Demand Management• Capacity-Demand belt

• Leverages Patterns of Business Activity

• Many organizations combine Capacity and Demand Management

Capacity Planning Approaches

Traditional

• Trend analysis of raw utilization (or performance) data, projected forward• Sometimes averaged• Sometimes taking max values

• Some use of patterns of business activity (PBAs), usually at macro-level

• Some organizations consider business demand, most do not

Risk-Based

• Uses simple statistics (mean, standard deviation)

• Uses PBAs with probability distributions, projected forward

• Considers risk tolerance

• Enables easier identification and integration of business demand patterns

Traditional Utilization Trend Analysis

• Good place to start

• Trends (average) utilization data

• Most tools summarize aging data – can give false impression of growth

• Good for identifying overall trends and “seasonal” and other cyclical patterns

• Need to analyze “seasonal” and cyclical patterns separately

• Poor for identifying true capacity requirements

Seasonal pattern

Cyclical pattern

Risk Management

• Risk• Uncertainty of an outcome

• Expressed as a probability – usually as a percentage

• Can have a positive or negative impact – best described in money

• Risk exposure = probability x impact

• Risk mitigations• Actions taken to reduce the risk probability or impact (or both)

• Trade cost of mitigation against risk exposure

• E.g., Is it worth buying more capacity now versus the risk of having insufficient capacity?

Simple Statistics

• Basic Statistics• Mean (average) - µ

• Standard Deviation – σ

• Enables integration of risk

34.1%

13.6%

1σ

34.1%

2σ 3σ-1σ-2σ-3σ

13.6%2.1% 2.1%

0.1% 0.1%

µ

Approximate percentages under the curve for each standard deviation band.

~99.9% confidence that a data point will be less than 3σ above the mean

~0.1% risk

Risk-Based Capacity Planning

• Expands upon typical Patterns of Business Activity (PBAs) of average utilization (or performance)

• Adds one or more standard deviations to average utilization – takes into account organization’s risk tolerance

• Compares risk-adjusted PBAs to available capacity to estimate capacity needs – these are more easily justified

Example: Creating Weekly PBA

Overlay data Overlay data

Sun Mon Tue Wed Thu Fri Sat

Example: Creating Weekly PBA

• Continue to overlay data – use enough for statistical significance

• Identify distinct patterns

Sun Mon Tue Wed Thu Fri Sat

Example: Creating Weekly PBA

• Completing the utilization overlay with 20 weeks of data

• Each hour has ~10 utilization polling periods

• ~200 data points per hour

Example: Creating Weekly PBA

• Average utilization in each hour time period to create basic PBA

• Calculate standard deviation in each hour time period

• Retain the maximum value from each hour time period (optional, but useful)

Example: Applying Risk Tolerance

• Add one or more standard deviations to account for risk• 1σ = ~14% risk

• 2σ = ~2.2% risk

• 3σ = ~0.1% risk

• As alternative, use fractional standard deviations to “dial a risk”

Average

+ 1σ

+ 2σ

+ 3σ

Using Fractional Standard DeviationConfidence

interval

Proportion within (+/- Zσ)

Proportion below (+ Zσ)

Proportion above (+ Zσ)(Risk tolerance)

Percentage Percentage Percentage0.674490σ 50% 75% 25%0.994458σ 68% 84% 16%1σ 68.2689492% 84% 15.8655254%

1.281552σ 80% 90% 10%1.644854σ 90% 95% 5%1.959964σ 95% 97.5% 2.5%2σ 95.4499736% 97.7249868% 2.2750132%

2.326348σ 98% 99% 1%2.575829σ 99% 99.5% 0.5%3σ 99.7300204% 99.8650102% 0.1349898%3.090232σ 99.8% 99.9% 0.1%

3.290527σ 99.9% 99.95% 0.05%3.719016σ 99.98% 99.99% 0.01%3.890592σ 99.99% 99.995% 0.005%

4σ 99.993666% 99.996833% 0.003167%4.264891σ 99.998% 99.999% 0.001%4.417173σ 99.999% 99.9995% 0.0005%4.753424σ 99.9998% 99.9999% 0.0001%

5σ 99.9999426697% 99.99997133485% 0.0000286652%6σ 99.9999998027% 99.99999990135% 0.00000009865%7σ 99.999999999744% 99.999999999872% 0.000000000128%

• In Excel, use NORM.S.INV(P) function to determine number of σ (Z-value) given a proportion below a given probability (P)

• E.g., For a 1 percent risk tolerance, 99 percent of the data values will likely be below that point. Using P=0.99 Z=2.326, so to calculate the 1 percent risk “curve,” add 2.326 standard deviations to the mean value.

Determine Risk Tradeoffs

• Compare risk-based utilization (or performance) against available capacity

• What is cost of running out of capacity?• Penalties for over-use• Costs of short notice capacity expansions• Cost of capacity- and performance-related incidents, including impact to business

processes and lost business

• How much does additional capacity cost?

• What are the organization’s decision cycles?• Budgeting• Contracting/procurement• Business cases/cost of money

Other Uses of Risk-Based Capacity Planning

• Shown with a component-level example (network capacity)

• Can also apply risk-based approach to • Trends – use to identify growth in variability over time

• Other component-level capacity (storage, computing)

• Performance prediction – finite resource situation

• Service-level capacity – concurrent users over time

• Bridge gap to business capacity management• Analyze season variations to identify distinct business patterns

• Add difference between normal PBA and seasonal PBA at appropriate time periods or events – makes strong case for elastic contract provisions (e.g., cloud computing)

Challenges

• Data collection• Granularity – be careful of how collection tools gather and roll-up data• Longitudinal period (resist leadership pressure for answers “now”)

• Isolate seasonal variances• Provide statistical significance• Ongoing – new data every day• Data volume

• Data analysis• Many tools do trends• Few tools do statistical analysis• Resistance to changing analysis techniques

• Analysis distribution• Static vs. dynamic reports• Providing access while protecting data

Summary

• Risk-based approach• Collect enough data of sufficient granularity

• Overlay data after separating out seasonal variations

• Use simple statistics to develop PBAs

• Identify and apply your risk tolerance Risk-adjusted PBAs

• Compare to available capacity adjust capacity plan as needed

• Risk-based capacity planning helps• Fill the gaps in traditional capacity analysis techniques

• Assure you plan for enough, but not too much capacity (less over-provisioning)

• Provide defensible information to justify your capacity requirements

• Establish a stronger negotiating position for elastic capacity

Questions?

Thank you for attending this session.

Please don’t forget to complete an evaluation for this session!

Evaluation forms can be completed electronically on the

FUSION 16 Conference App.