Enterprises, especially banks, should work out a strategy to deal with
disasters and maintain business continuity with minimum operational
breaks. A study of BCP will help.
by Mohan Bhatia
A disaster in a company can be any event whose consequences
inflict extra costs on the company. A disaster can be as small
as a power failure in the office or as large as the September
11 terrorist attack on the WTC in the USA.
Any disaster is likely to inflict the following types of damage
on an organization (especially banks):
- Inability to operate and do business
- Financial loss due to damage to property
- Loss of credibility in the market
- Loss of data/applications
How can an organization deal with disasters? The answer lies
in BCP (Business Continuity Planning).
BCP
A BCP is a documented description of actions to be taken, resources
to be used, and procedures to be followed before, during,
and after an event that severely disrupts all or part of the
business operations. The main objectives of a BCP are to ensure
recovery and operationalization of vital business functions
within the acceptable timeframe.
BCP is also known as business recovery planning, contingency
planning, and disaster recovery planning. It's more important
if an organization does any of the following:
- Stores information electronically
- Has a concentration of data and information at one place
- Keeps data in a machine-readable form only
- Has an IT network and is dependent on telecommunication
- Stores mission critical information
The purpose of BCP is to maintain continuity of business.
Its objective is to give assurance to different stakeholders,
especially customers and partners, that services shall be
available as and when they need them. It's a form of self-insurance
against the risks that conventional insurance cannot or does
not cover. It ensures that businesses will restart within
a short time following a disaster.
Fallacies
Some organizations do not have a BCP because of a few fallacies.
I've listed some of the common ones.
Our staff can handle the situation: This cannot always be
the case. BCP trains the team in disaster recovery processes.
A formally documented plan requires an organization to put in place
the risk mitigation and contingency systems so that a disaster
can be avoided. And if the disaster does occur, contingency
systems help in faster recovery.
It costs too much: The cost is not much when seen in the
context of the business and financial loss in the event of a disaster.
It won't happen to me: Everyone thinks so. September
11 is a case in point. People were not ready to believe it
even after it happened. But sadly it was reality and more
than 5000 people lost their lives and property worth billions
of dollars was lost. However, the top investment firms in
the WTC were able to restart their business within 3 days
because of their BCPs.
BCP steps
BCP can be implemented through the following steps.
Impact analysis: Possible disasters and disruptions
are identified, a probability is assigned to each, and the risk
is estimated. Impact analysis is done for each of the information
systems resources like data, application, technology, facilities,
and personnel.
The next step is to determine the criticality of each resource
for the business. The criticality depends on the impact of
non-availability of the resource on the business. The third
step is to identify the critical functions and the time frame
within which each needs to be recovered. The fourth step is
setting up the priorities.
Recovery strategies: Scenarios need to be built for the different
disruptions and disasters that can impact banks. Once the scenarios
are built, a backup of information resources needs to be created.
There are four types of backup: backup of data, backup
of a part of the hardware or software, backup of the full hardware
and software, and full backup of the site. Backup sites are also
classified as hot sites and cold sites. A hot
site has everything at the site, while a cold site is a site
without information systems but with things like telecommunication
and electricity still available.
Full backup of personnel is generally not done. The level
of backup or redundancy depends upon the impact on the business
objectives.
Establish the disaster recovery process: A process
is necessary for each of the following steps:
- Detection of the disaster condition
- Declaration of disaster and notification to the persons responsible for recovery
- Activation of emergency response and recovery operations
- Public relations and crisis co-ordination
- Activation of backup sites
- Restoration of systems and network at backup site
- Restoration of application at backup site
- Starting the business function
Implementation of BCP: BCP for information systems
needs to be implemented within a specified time and budget
with a focused and coordinated approach.
Testing of BCP: This includes periodic testing of emergency
response and recovery operations. It encompasses:
- Development of testing processes to maintain the currency of BCP
- Testing of the plan
- Documentation of the result
- Evaluation of results
- Updating the plan
- Reporting results to the top management
Creating awareness and organising training: This includes
regular drills to test the level of preparedness for information
system disasters. The drills can cover restoration of data,
application, technology, or activation of backup sites.
Plan audit: Organizations need to get the plan audited
by their information systems auditor for:
- Adequacy of risk analysis
- Adequacy and efficacy of backup facilities
- Completeness of the BCP document
- Adequacy of preparedness
- Testing of plan
- Awareness creation
Writing a BCP plan
Writing the plan requires expertise in technology, awareness
of the likely disasters, and knowledge of the cost-effective
solutions available in the market. Generally banks do not
write the BCP on their own. By outsourcing BCP writing services,
banks are able to plan and implement BCP efficiently and effectively.
They take help from firms that are experts in technology, impact
analysis, likely scenario generation, available solutions,
and the CoBIT framework. CoBIT is a framework from the Information
Systems Audit and Control Association which requires controls
to be built into the bank. These controls ensure that the business
requirements of making IT services available and of keeping
business impact to a minimum in the event of a major disruption
are met.
BCP contents
This varies with the complexities of business and information systems
in a bank. However, BCPs broadly cover the following:
- Introduction
- Impact analysis
- Organisation structure during disaster recovery
- Data backup and restoration
- Recovery of output services and channels
- Interfaces with branches, partners and customers
- Maintenance schedule
Mohan Bhatia works with i-flex solutions limited,
Mumbai as a senior consultant on international projects in
the areas of Risk Management, Payment Systems and Security
& Assurance.