especially banks, should work out a strategy to deal with
disasters and maintain business continuity with minimum operational
breaks. A study of BCP will help. by Mohan Bhatia
disaster in a company can be an event, consequence of which
inflicts extra costs to the company. Disaster can be as small
as power failure in the office or as large as the September
11 terrorist attack on the WTC in USA.
Any disaster is likely to inflict the following types of damage
on an organization (especially banks):
Inability to operate and do business
Financial loss due to damage to property
Loss of credibility in the market
Loss of data/applications
How can an organization deal with disasters? The answer lies
in BCP (Business Continuity Planning).
BCP is a documented description of actions to be taken, resources
to be used, and procedures to be followed before, during,
and after an event that severely disrupts all or part of the
business operations. The main objectives of a BCP are to ensure
recovery and operationalization of vital business functions
within the acceptable timeframe.
BCP is also known as business recovery planning, contingency
planning, and disaster recovery plan. It's more important
if an organization does any of the following:
Stores information electronically
Has a concentration of data and information at one place
Keeps data in a machine read form only
Has an IT network and is dependant on telecommunication
Stores mission critical information
The purpose of BCP is to maintain continuity of business.
Its objective is to give assurance to different stakeholders
especially to customers and partners that services shall be
available as and when they need them. It's a form of self-insurance
against the risks that conventional insurance cannot or does
not cover. It ensures that businesses will restart within
a short time following a disaster.
Some organizations do not have a BCP because of a few fallacies.
I've listed some of the common ones.
Our staff can handle the situation: This cannot always be
the case. BCP trains the team in disaster recovery processes.
A formal document plan requires an organization put in place
the risk mitigation and contingency systems so that disaster
can be avoided. And if the disaster does occur, contingency
systems help in faster recovery.
It costs too much: The cost is not much when seen in
context of business and financial loss in the event of a disaster.
It won't happen to me: Everyone thinks so. September
11 is a case in point. People were not ready to believe it
even after it happened. But sadly it was reality and more
than 5000 people lost their lives and billions of dollars
of property was lost. However, the top investment firms in
the WTC were able to restart their business within 3 days
because of their BCPs.
BCP can be implemented through the following steps.
Impact analysis: Possible disasters and disruptions
are identified, probability is assigned, and the risk estimated.
Impact analysis is done for each of the information systems
resources like data, application, technology, facilities,
next step is to determine the criticality of each resource
for the business. The criticality depends on the impact of
non-availability of the resource on the business. The third
step is to identify the critical functions and the time frame
within which it needs to recover. The fourth step is setting
up the priorities.
Recovery strategies: Different disruptions and disaster scenarios
that can impact banks need to be built. Once the scenarios
are built, a backup of information resources needs to be created.
There are four types of backup. They are backup of data, backup
of a part of the hardware or software, backup of full hardware
and software, and the full backup of the site. Backup is also
divided as a hot site backup and a cold site backup. A hot
site has everything at the site while a cold site is a site
without information systems but things like telecommunication
and electricity still available.
Full backup of personnel is generally not done. The level
of backup or redundancy depends upon the impact on the business
Establish the disaster recovery process: A process
is necessary for each of the following steps:
Detection of the disaster condition
Declaration of disaster and notification to the persons
responsible for recovery
Activation of emergency response and recovery operations
Public relation and crisis co-ordination
Activation of backup sites
Restoration of systems and network at backup site
Restoration of application at backup site
Starting the business function
Implementation of BCP: BCP for information systems
needs to be implemented within a specified time and budget
with a focused and coordinated approach.
Testing of BCP: This includes periodic testing of emergency
response and recovery operations. It encompasses:
Development of testing processes to maintain the currency
Testing of the plan
Documentation of the result
Evaluation of results
Updation of plan
Reporting results to the top management
Creation of awareness and organise training: This includes
regular drills to test level of preparedness to information
system disasters. Some of them can be restoration of data,
application, technology, or activation of backup sites.
Plan audit: Organizations need to get the plan audited
from their information systems auditor for:
Adequacy of risk analysis
dequacy and efficacy of backup facilities
Completeness of the BCP document
Adequacy of preparedness
Testing of plan
Writing a BCP plan
Writing the plan requires expertise in technology, awareness
about the likely disaster, and knowledge about the cost-effective
solutions available in the market. Generally banks do not
write the BCP on its own. By outsourcing BCP writing services,
banks are able to plan and implement BCP efficiently and effectively.
It takes help from firms who are experts in technology, impact
analysis, likely scenario generation, available solutions,
and CoBIT framework. CoBIT is a framework from Information
Systems Audit and Control Association which requires controls
to be built into the bank. These controls ensure the business
requirements to make IT services available and to ensure that
minimum business impact in the event of a major disruption
varies with the complexities of business and information systems
in a bank. However BCPs broadly cover the following:
Organisation structure during disaster recovery
Data backup and restoration
Recovery of output services and channels
Interfaces with branches, partners and customers
Mohan Bhatia works with i-flex solutions limited,
Mumbai as a senior consultant on international projects in
the areas of Risk Management, Payment Systems and Security