business is heavily dependent on IT infrastructure,
all risks and threats need to be considered. A well
documented Business Continuity Plan ensures that your
data and infrastructure are covered. by Brian Pereira
month marks the first anniversary of the September 11
terrorist attacks on key sites in the US. While those
events shook the world, and threw security forces into
a state of high alert, it also impacted the corporate
world. IT managers (even CEOs) are now dead serious
about securing their prized assets data and infrastructure.
While concepts like Disaster Recovery (DR) aren't new,
the issue of Business Continuity (BC) has suddenly gained
Business Continuity is the ability of a business to
continue its operations with minimal disruption or downtime
in the advent of natural or intentional disasters. BC
begins with a plan that addresses all risks and secures
systems that are vital to business operations.
imperative for companies that are heavily dependent
on IT infrastructure to design and implement a Business
Continuity Plan (BCP). So how prepared are Indian enterprises
to counter disasters?
The Information Risk Management (IRM) practice of KPMG-India
recently conducted a survey to check the preparedness
of Indian industry. The results of the survey were shocking:
79 percent of the respondents do not have a documented
and tested BCM (Business Continuity Management) plan.
Among the respondents highly dependent on IT, 64 percent
do not have a corporate-wide BCM plan in place to
address business disruption risks.
The survey covers more than 100 private and public sector
organizations spread across various industry segments.
(See box on page 26 for a snapshot of the survey results).
According to the META Group, 80 percent of Global 2000
organizations have some form of disaster recovery or
business continuity plan in place, but only 60 percent
of these plans are reasonably complete and actionable
i.e. they adequately address sufficient coverage of
resources and can be successfully executed by the owning
A Gartner Research report titled 'What is Crisis Management'
indicates something similar. Gartner says 85 percent
of Global 2000 enterprises have established a disaster
recovery plan for core technology and infrastructure,
but only 15 percent have a full-fledged business continuity
plan. In another report Gartner projects that by 2005
more than 70 percent of large enterprises will have
invested in business continuity planning compared to
fewer than 25 percent today.
need for a Plan
While everyone stresses the importance of BCP and DRP,
few Indian organizations actually get down to documenting,
implementing and testing it.
is a fairly risk-prone country. We've had natural disasters
but we've always recovered from these. This attitude
has been the same in the corporate world. In the past
there has been minimal interest in Business Continuity,"
says Sanjay Dhawan, Executive Director-IRM practice,
says it is now imperative for Indian businesses to have
business continuity plans. "Global businesses are
not interested in getting into a relationship (with
Indian businesses) unless these service providers are
prepared for recovering
from a disaster. Also, global businesses fear that a
war (or a war like situation) could break
out in India, and therefore they need increasing assurance
the continuity and availability of its business associations
organizations are heavily dependent on IT infrastructure.
So if disaster strikes and these organizations cannot
recover quickly enough, the consequences could affect
business along the entire value chain. Business revenue
drops, brand equity takes a beating; there's loss of
customers (who choose alternatives) and permanent loss
of shareholder value.
Disasters, both natural and intentional, are unpredictable.
Natural disasters could be earthquakes, floods, hurricanes,
or fire. Intentional disasters are caused by disgruntled
humans and range from virus/hacker attacks to nuclear
attacks. Then there are other causes for business disruption
like hardware and communications failure.
A business continuity plan is insurance against such
disasters and ensures that key (if not all), business
Designing the plan
A BCP necessitates the provisioning for redundancies
at all levels. That includes not just servers, storage,
networking equipment and connectivity links, but also
other infrastructure like air-conditioning and power
supplies. The plan should cover all risks that could
possibly affect your business.
to KPMG, a BCP must factor in all the risks, and should
ensure continued availability, reliability, and recoverability
of resources. It should balance the costs of risk management
with the opportunity cost of not taking appropriate
business continuity plan should provide an enterprise-wide
risk-based approach, covering People, Processes, Technology
and Extended Enterprise to ensure continuing availability
of business support systems and minimize disruption
risks," says Dhawan.
Most corporates today outsource support functions and
rely on third-party support for non-core business operations
(like logistics). So the plan should also extend to
external entities like customers, partners and suppliers.
BCP must also address business risks like:
Customer end risks
Supplier end risks
IT hardware and software risks
Business core process risks
Business partner risks
of the KPMG survey on Business Continuity
79 percent of the respondents do not have
a documented and tested Business Continuity
Among the respondents highly dependent
on IT, 64 percent do not have a corporate
-wide BCM plan in place to address business
21 percent of the organizations surveyed
store entire data backups at onsite locations
Among the respondents taking backups,
32 percent did not test the backups for
44 percent of the respondents have faced
some form of a disaster in the past two
years. Though 75 percent claimed that
they were able to recover within the maximum
permissible downtime during these disasters,
91 percent of these had not actually estimated
the maximum permissible downtime for various
While 35 percent of respondents have a
corporate-wide BCM plan in place, 28 percent
of these do not have a formal mechanism
to declare disaster.
64 percent of the organizations surveyed
have not envisaged any kind of alternative
facility to ensure continuity of business
in case of a major disaster.
Of the respondents having a BCM plan,
65 percent have never tested it.
considerations for Business Continuity
1. Asset Identification & classification
It is very important for the organization
to identify and value its assets. Not all
the assets are critical to business operations.
In the event of a disaster, the available
resources should be directed towards ensuring
the safety of assets that are most valuable.
2. Risk Analysis and Management
All the potential risks along with
their impact on the business need to be
analyzed. There must be a mitigation strategy
that identifies the potential threats and
puts appropriate controls in place to reduce
the vulnerabilities. The organization needs
to define the "acceptable risk"
it is prepared to take.
3. Emergency Response Mechanism
There must be a plan and detailed procedures
in place to respond in cases of emergencies.
Responsibilities, resources and process
must be defined in detail and communicated.
Pre and Post disaster activities must be
clearly identified and addressed.
4. Communication & Review
The business continuity plans have
to be shared with all the stakeholders,
including employees and partners, to be
effective. There must also be periodic reviews
to align the plans with changing business
needs and objectives.
According to KPMG the highest level of seriousness for
business continuity is reflected in the banking and
finance sector. The manufacturing sector is also serious
about it, followed by the infocom and entertainment
sectors (see charts). Companies particularly in the
IT services sector, are increasingly working towards
business continuity management, in order to meet the
security requirements of their global clients. An example
is Infosys Technologies.
Infosys is putting together a disaster recovery plan
to ensure that its large global customers continue to
get round-the-clock support, even if the subcontinent
goes to war. It will set up disaster recovery sites
in Singapore and Canada. The plan is to move employees
to these sites and resume operations in the advent of
Incidentally, Infosys' Bhuba-neshwar facility was affected
by the cyclone that hit Orissa in October 1999. But
it was able to restore facilities within 60 hours because
it had a well-defined BCP and procedures.
Other large corporations that have successfully implemented
full-scale business continuity plans are now leveraging
on their experience to offer consulting services to
other companies. NSE for instance has a division called
NSE.IT, which offers consulting services for business
continuity to companies like BPCL and Clearing Corporation
of India. Incidentally, NSE shifted its recovery site
from Pune to Chennai because Chennai is in another state
and another seismic zone. According to Satish Naralkar,
CEO, NSE.IT, if the National Stock Exchange Building
in Mumbai is hit by a disaster, business will resume
within 24 hours at the recovery site in Chennai.
Datacenters like Cyquator Technologies and Global Telesystems
Ltd (GTL) offer shared infrastructure for enterprises
who want to set up hot sites. These datacenters have
provided redundancy at all levels, replicating everything
from servers and switches to power supplies. Some are
also setting up disaster recovery sites in other cities.
When implementing BCP an IT manager is confronted with
all types of obstacles, the primary one being investment.
But industry analysts advise companies to identify key
risks first and give priority to systems that are most
critical to business. Of course, the ultimate objective
is to create redundancies for almost all systems and
set up a hot site at another location.
While the cost of setting up a hot site may be exorbitant
for smaller companies, there are other innovative alternatives.
For instance, organizations with similar infrastructure
could have reciprocal arrangements to act as backup/recovery
sites for each other. One could also outsource this
to Network Operations Centers or datacenters.
other impediment is attitude. Disaster Recovery has
traditionally been considered a technical issue, and
the purview of the IT department. But analysts say this
is more than a technical issue and it concerns even
the highest levels of management.
don't think BCP is just a CIO's problem it's a business
issue," says Sameer Kapoor, Executive Director,
PricewaterhouseCoopers. "Whatever decisions are
going to be taken, have to be taken with the business
interest in mind. I think the decision making at times
goes wrong because people look at only the short-term
benefits the immediate profitability or impact on business.
They do not look at the larger issue of sustainability
or survivability of the organization in a competitive
Naralkar of NSE.IT compares this to the Y2K situation.
He says the main barrier now is convincing top management.
"Chairmen of various companies were aware about
the implications of Y2K and had given a mandate that
preparatory steps must be taken. Once a mandate like
this comes from that office, they also monitor it."
Naralkar says an IT Head (CIO/CTO) has to sell to top
management, what impact a disaster will have on business
in the absence of a BCP.
Once management is convinced, the investment and commitment
will follow. Then the challenge is to design a plan
and implement it in phases.
Brian Pereira can be reached at firstname.lastname@example.org