is dead serious about Business Continuity. But how many
have a Business Continuity Plan in place and to what
extent have they implemented it? by Brian Pereira
little more than a year back, few heard about the term
'Business Continuity.' But IT departments have always
been addressing Business Continuity (BC) and Disaster
Recovery (DR). It was only after the World Trade Center
disaster that BC moved forefront in an IT manager's
mind. 9/11 and the threat of an Indo-Pak nuclear war
did generate paranoia and even got CEOs talking about
BC. Another reason for the increased level of seriousness/awareness
is corporate India's move to the global playing field.
International businesses looking to outsource operations
will have nothing to do with a company that doesn't
have a documented Business Continuity Plan (BCP).
Large businesses and multi-nationals are now dead serious
about Business Continuity. Organizations, especially
from the Banking & Finance and Manufacturing sectors
have started implementing BCP. Even the SMEs are getting
real serious about it. So how far have Indian enterprises
progressed in this area and what is the attitude towards
BCP? We spoke to five IT managers in different verticals
to find out.
Satish Naralkar, CEO, NSE.IT catches us by surprise
when he says that some of the large stock exchanges
in India do not have an extensive business continuity
plan. "People take shortcuts and just take backups
using some tools and technologies they're contended
with this half cooked BCP. The companies who have implemented
BCP extensively are those that have mission
critical, real-time applications."
is a 100 percent owned company of the National Stock
Exchange. It has just implement an extensive BCP for
its stock exchange and is now offering consultancy
services to other companies.
Says Savio Furtado, Sr. VP-Technology, GTL Ltd, "Everyone
is aware about DR and BC. But when it comes to implementation,
the volume of business is considered. It has to justify
the scale to which you implement BC and DR. You need
to invest (heavily) in this and the funding has to come
out of the business volume it generates."
GTL (Global Telesystems Ltd.) has a call center in Mumbai
Israni, CTO, Cyquator Technologies Ltd has a similar
view. He says BCP is mandatory for bigger institutions
such as banks, which have nationwide operations. "So
far as big companies such as banks and multinational
companies go, they are either mandated by their head
offices or have those necessary business requirements.
These companies have a security plan in place and are
actually executing a security strategy." Cyquator
has a datacenter in Mumbai.
SMEs too are getting real serious about it. But setting
up a complete DR site (at another location) may be beyond
reach for such companies. For them, BCP and DR may be
limited to creating backups and providing redundancies
for certain systems.
Adds Israni, "Indian SMEs have become more aware
about BCP now. However, for them cost is a deterrent
or they don't have the necessary manpower, or they don't
really know how to go about it. They are trying to find
out on their own, by hiring consultants, etc. Everyone
is serious but actual execution is happening in the
larger Indian companies, by financial institutions and
on image for larger view
While a separate DR site is a possibility for companies
that have multiple sites, the huge costs for setting
up a new site purely for DR does not make sense. The
DR site remains on standby until a major disaster actually
happens, and then, one questions the probability and
frequency of natural disasters. To make optimal use
of the DR site, some companies plan to use the site
for productive tasks like software development. An example
is GTL, which is currently building a DR site in Pune.
can't afford to have a pure cold site," says GTL's
Furtado. "So we will do business out of that site,
perhaps a software business, and will build in capacities
so both sites serve as redundant sites to each other.
In case of a disaster we will operate on a reduced scale.
We don't want to provide 100 percent
redundancy and leave capacity idle."
At its datacenter in Mumbai, Cyquator hosts client servers,
applications and data, effectively functioning as a
cold site. Cyquator's Israni says the smaller companies
cannot afford hot sites and instead use the datacenter
for backing up data.
aren't too many hot sites. Because of the huge costs
and the complexities involved, hot sites are only being
considered by large enterprises like financial institutions,
multinationals, and organizations with country-wide
presence," says Israni. "The smaller companies
engage the shared services of datacenters, for a cold
site. They are backing up their data over the Internet
or over ISDN or leased lines. They request the datacenter
to keep their data in a SAN or NAS environment, and
also take copies on tape and ship it to another location."
While it may not be feasible for most businesses to
provide redundancy for every single system and create
hot sites, businesses can take a cautious approach and
devise various strategies to address business continuity
(See box: What CIOs should consider for BCP).
According to Neeraj Bhai, CTO, IDBI Bank, earlier DR
planning was technology driven a CIO/CTO would initiate
a DR plan within the IT department. "In my view
this is not the right approach the correct approach
is BCP where businesses need to take a call," says
Neeraj. "They need to consider how critical a particular
application is to their business; what kind of downtimes
can they play with. Essentially, I am talking about
business perception with respect to what kind of downtimes
they can take."
Neeraj says this perception cannot come from the IT
department it should come from top management. He says
when the sentiment for BCP is realized at all levels
in the organization, then everyone will think about
protecting systems it will also expedite spending on
business continuity solutions.
CIOs should consider for BCP
- The sentiment for BCP should come from top management.
Executives at all levels must understand why it's
necessary to have BCP.
2. Criticality - Identify the most critical
systems and provide redundancy.
3. Risk Evaluation - What kind of risks
are you trying to mitigate through BCP? Determine
the risks and the probability of such risks taking
4. Investment - Will the investment towards
certain systems be beneficial? For instance, does
it make sense to give importance to redundant
power conditioning equipment in a state where
power failures are a unique occurrence?
Downtime - What kind of downtime can you afford
for various systems?
Recovery - In the advent of disaster, can
you recover operations using printed documents
and backup tapes?
Implementation - A steering group has to be
formed to take BCP forward. This group will include
Courtesy: Neeraj Bhai, CTO, IDBI Bank
At this moment most companies are either designing a
BCP or implementing the first phase of the 'project.'
Because of the complexities and huge investment, BCP
is considered as a project and implemented in a phased
manner. Typically, the final phase involves the rollout
of a DR site that provides redundancy for most systems.
In the first phase, companies identify critical systems
(like links and storage) and make these redundant.
Harsh Kumar, Advisor-IT, Hindustan Petroleum Corporation
Ltd (HPCL), says the extent of BCP depends on the size
of the company and the processes that are online. "BCP
for a stock exchange will be so extensive, that even
if the building goes up in flames, that institution
will be able to continue operations."
That may be hard to accept, but the fact is it is mandatory
for such institutions to provide for such high availability.
The National Stock Exchange is one institution with
Harsh Kumar says BCP will have a different meaning for
businesses that are not online. "DR is a very simple
job for companies that do not have online systems. Most
systems are manual, they have print-outs and even if
their computers are down for three days, their business
suffers minimal disruption."
The extent to which businesses are willing to go may
be constrained by budget. When all five IT managers
were asked what percentage of their IT budget was allocated
for BCP, they could not arrive at a figure. The general
opinion is, "As much as it takes, for the most
critical systems." And of course the spending will
be spread over phases of the project.
For GTL's Savio Furtado, investment is based on actuals.
"We have implemented redundancy based on business
growth. That's happened with our links, for instance,"
Says Harsh Kumar of HPCL, "Presently, we cannot
allocate a definite percentage (of the IT budget) for
BCP. We are setting up the plan so we will spend whatever
it takes. Of course, it's not going to exceed the budget.
We will purchase whatever is necessary to backup our
critical online systems."
Israni of Cyquator Technologies prioritizes purchase
of critical equipment.
Naralkar of NSE.IT says the National Stock Exchange
invests heavily in IT. "If we think we'll get a
20 percent increase in the capacity of the trading system,
we'll just go ahead and invest in the technology."
And Neeraj of IDBI Bank says the BCP will determine
what kind of investment he needs to make. "We did
put an arbitrary number which was one-third of the IT
budget, but we realized our mistake. We think we can
only arrive at this figure after putting the BC plan
In the months ahead, IT managers will push for investments
to secure their most critical systems. But management
will proceed in a highly cautious manner, determining
what will be the real benefit out of that investment.
Brian Pereira can be reached at firstname.lastname@example.org