Cover Story: Business Continuity
Implementing a Business Continuity Plan

When business is heavily dependent on IT infrastructure, all risks and threats need to be considered. A well-documented Business Continuity Plan ensures that your data and infrastructure are covered.

by Brian Pereira

NEXT month marks the first anniversary of the September 11 terrorist attacks on key sites in the US. While those events shook the world and threw security forces into a state of high alert, they also impacted the corporate world. IT managers (even CEOs) are now dead serious about securing their prized assets: data and infrastructure. While concepts like Disaster Recovery (DR) aren't new, the issue of Business Continuity (BC) has suddenly gained importance.

Business Continuity is the ability of a business to continue its operations with minimal disruption or downtime in the event of natural or intentional disasters. BC begins with a plan that addresses all risks and secures systems that are vital to business operations.

It's imperative for companies that are heavily dependent on IT infrastructure to design and implement a Business Continuity Plan (BCP). So how prepared are Indian enterprises to counter disasters?

The Information Risk Management (IRM) practice of KPMG-India recently conducted a survey to check the preparedness of Indian industry. The results of the survey were shocking:

  • 79 percent of the respondents do not have a documented and tested BCM (Business Continuity Management) plan.
  • Among the respondents highly dependent on IT, 64 percent do not have a corporate-wide BCM plan in place to address business disruption risks.

The survey covers more than 100 private and public sector organizations spread across various industry segments. (See the box below for a snapshot of the survey results.)

According to the META Group, 80 percent of Global 2000 organizations have some form of disaster recovery or business continuity plan in place, but only 60 percent of these plans are reasonably complete and actionable, i.e., they provide sufficient coverage of resources and can be successfully executed by the owning organizations.

A Gartner Research report titled 'What is Crisis Management' indicates something similar. Gartner says 85 percent of Global 2000 enterprises have established a disaster recovery plan for core technology and infrastructure, but only 15 percent have a full-fledged business continuity plan. In another report Gartner projects that by 2005 more than 70 percent of large enterprises will have invested in business continuity planning compared to fewer than 25 percent today.

The need for a Plan
While everyone stresses the importance of BCP and DRP, few Indian organizations actually get down to documenting, implementing and testing it.

"India is a fairly risk-prone country. We've had natural disasters but we've always recovered from these. This attitude has been the same in the corporate world. In the past there has been minimal interest in Business Continuity," says Sanjay Dhawan, Executive Director-IRM practice, KPMG.

Dhawan says it is now imperative for Indian businesses to have business continuity plans. "Global businesses are not interested in getting into a relationship (with Indian businesses) unless these service providers are prepared for recovering from a disaster. Also, global businesses fear that a war (or a war-like situation) could break out in India, and therefore they need increasing assurance on the continuity and availability of their business associations in India."

Many organizations are heavily dependent on IT infrastructure. So if disaster strikes and these organizations cannot recover quickly enough, the consequences could affect business along the entire value chain. Business revenue drops, brand equity takes a beating; there's loss of customers (who choose alternatives) and permanent loss of shareholder value.

Disasters, both natural and intentional, are unpredictable. Natural disasters could be earthquakes, floods, hurricanes, or fire. Intentional disasters are caused by disgruntled humans and range from virus/hacker attacks to nuclear attacks. Then there are other causes for business disruption like hardware and communications failure.

A business continuity plan is insurance against such disasters and ensures that key (if not all) business functions continue.

Designing the plan
A BCP necessitates provisioning for redundancy at all levels. That includes not just servers, storage, networking equipment and connectivity links, but also other infrastructure like air-conditioning and power supplies. The plan should cover all risks that could possibly affect your business.

According to KPMG, a BCP must factor in all the risks, and should ensure continued availability, reliability, and recoverability of resources. It should balance the costs of risk management with the opportunity cost of not taking appropriate action.

"A business continuity plan should provide an enterprise-wide risk-based approach, covering People, Processes, Technology and Extended Enterprise to ensure continuing availability of business support systems and minimize disruption risks," says Dhawan.

Most corporates today outsource support functions and rely on third-party support for non-core business operations (like logistics). So the plan should also extend to external entities like customers, partners and suppliers. BCP must also address business risks like:

  • Customer end risks
  • Supplier end risks
  • IT hardware and software risks
  • Business core process risks
  • Business partner risks

Snapshots of the KPMG survey on Business Continuity Management

  • 79 percent of the respondents do not have a documented and tested Business Continuity Management plan.
  • Among the respondents highly dependent on IT, 64 percent do not have a corporate-wide BCM plan in place to address business disruption risks.
  • 21 percent of the organizations surveyed store entire data backups at onsite locations only.
  • Among the respondents taking backups, 32 percent did not test the backups for reliability.
  • 44 percent of the respondents have faced some form of a disaster in the past two years. Though 75 percent claimed that they were able to recover within the maximum permissible downtime during these disasters, 91 percent of these had not actually estimated the maximum permissible downtime for various processes.
  • While 35 percent of respondents have a corporate-wide BCM plan in place, 28 percent of these do not have a formal mechanism to declare disaster.
  • 64 percent of the organizations surveyed have not envisaged any kind of alternative facility to ensure continuity of business in case of a major disaster.
  • Of the respondents having a BCM plan, 65 percent have never tested it.

Courtesy: KPMG-India

BCP considerations for Business Continuity

1. Asset Identification & classification
It is very important for the organization to identify and value its assets. Not all the assets are critical to business operations. In the event of a disaster, the available resources should be directed towards ensuring the safety of assets that are most valuable.

2. Risk Analysis and Management
All the potential risks along with their impact on the business need to be analyzed. There must be a mitigation strategy that identifies the potential threats and puts appropriate controls in place to reduce the vulnerabilities. The organization needs to define the "acceptable risk" it is prepared to take.

3. Emergency Response Mechanism
There must be a plan and detailed procedures in place to respond in cases of emergency. Responsibilities, resources and processes must be defined in detail and communicated. Pre- and post-disaster activities must be clearly identified and addressed.

4. Communication & Review
The business continuity plans have to be shared with all the stakeholders, including employees and partners, to be effective. There must also be periodic reviews to align the plans with changing business needs and objectives.

Courtesy: Infosys

Implementation scenario
According to KPMG, the highest level of seriousness for business continuity is reflected in the banking and finance sector. The manufacturing sector is also serious about it, followed by the infocom and entertainment sectors (see charts). Companies, particularly in the IT services sector, are increasingly working towards business continuity management in order to meet the security requirements of their global clients. An example is Infosys Technologies.

Infosys is putting together a disaster recovery plan to ensure that its large global customers continue to get round-the-clock support, even if the subcontinent goes to war. It will set up disaster recovery sites in Singapore and Canada. The plan is to move employees to these sites and resume operations in the event of an emergency.

Incidentally, Infosys' Bhubaneshwar facility was affected by the cyclone that hit Orissa in October 1999. But it was able to restore facilities within 60 hours because it had a well-defined BCP and procedures.

Other large corporations that have successfully implemented full-scale business continuity plans are now leveraging their experience to offer consulting services to other companies. NSE, for instance, has a division called NSE.IT, which offers consulting services for business continuity to companies like BPCL and Clearing Corporation of India. Incidentally, NSE shifted its recovery site from Pune to Chennai because Chennai is in another state and another seismic zone. According to Satish Naralkar, CEO, NSE.IT, if the National Stock Exchange Building in Mumbai is hit by a disaster, business will resume within 24 hours at the recovery site in Chennai.

Datacenters like Cyquator Technologies and Global Telesystems Ltd (GTL) offer shared infrastructure for enterprises who want to set up hot sites. These datacenters have provided redundancy at all levels, replicating everything from servers and switches to power supplies. Some are also setting up disaster recovery sites in other cities.

When implementing a BCP, an IT manager is confronted with all types of obstacles, the primary one being investment.

But industry analysts advise companies to identify key risks first and give priority to systems that are most critical to business. Of course, the ultimate objective is to create redundancies for almost all systems and set up a hot site at another location.

While the cost of setting up a hot site may be exorbitant for smaller companies, there are other innovative alternatives. For instance, organizations with similar infrastructure could have reciprocal arrangements to act as backup/recovery sites for each other. One could also outsource this to Network Operations Centers or datacenters.

The other impediment is attitude. Disaster Recovery has traditionally been considered a technical issue, and the purview of the IT department. But analysts say this is more than a technical issue and it concerns even the highest levels of management.

"I don't think BCP is just a CIO's problem; it's a business issue," says Sameer Kapoor, Executive Director, PricewaterhouseCoopers. "Whatever decisions are going to be taken have to be taken with the business interest in mind. I think the decision making at times goes wrong because people look at only the short-term benefits: the immediate profitability or impact on business. They do not look at the larger issue of sustainability or survivability of the organization in a competitive environment."

Naralkar of NSE.IT compares this to the Y2K situation. He says the main barrier now is convincing top management. "Chairmen of various companies were aware about the implications of Y2K and had given a mandate that preparatory steps must be taken. Once a mandate like this comes from that office, they also monitor it."

Naralkar says an IT Head (CIO/CTO) has to sell top management on the impact a disaster will have on business in the absence of a BCP.

Once management is convinced, the investment and commitment will follow. Then the challenge is to design a plan and implement it in phases.

Brian Pereira can be reached at brianp@networkmagazineindia.com