Everyone is dead serious about Business Continuity. But how many
have a Business Continuity Plan in place and to what
extent have they implemented it?
by Brian Pereira
A little more than a year back, few had heard the term
'Business Continuity.' But IT departments have always
been addressing Business Continuity (BC) and Disaster
Recovery (DR). It was only after the World Trade Center
disaster that BC moved to the forefront of an IT manager's
mind. 9/11 and the threat of an Indo-Pak nuclear war
did generate paranoia and even got CEOs talking about
BC. Another reason for the increased level of seriousness/awareness
is corporate India's move to the global playing field.
International businesses looking to outsource operations
will have nothing to do with a company that doesn't
have a documented Business Continuity Plan (BCP).
Large businesses and multi-nationals are now dead serious
about Business Continuity. Organizations, especially
from the Banking & Finance and Manufacturing sectors
have started implementing BCP. Even the SMEs are getting
real serious about it. So how far have Indian enterprises
progressed in this area and what is the attitude towards
BCP? We spoke to five IT managers in different verticals
to find out.
Satish Naralkar, CEO, NSE.IT, catches us by surprise
when he says that some of the large stock exchanges
in India do not have an extensive business continuity
plan. "People take shortcuts and just take backups
using some tools and technologies; they're content
with this half-cooked BCP. The companies who have implemented
BCP extensively are those that have mission-critical,
real-time applications."
NSE.IT is a 100 percent owned company of the National Stock
Exchange. It has just implemented an extensive BCP for
its stock exchange and is now offering consultancy
services to other companies.
Says Savio Furtado, Sr. VP-Technology, GTL Ltd, "Everyone
is aware about DR and BC. But when it comes to implementation,
the volume of business is considered. It has to justify
the scale to which you implement BC and DR. You need
to invest (heavily) in this and the funding has to come
out of the business volume it generates."
GTL (Global Telesystems Ltd.) has a call center in Mumbai
called eCMS.
Jitendra Israni, CTO, Cyquator Technologies Ltd, has a similar
view. He says BCP is mandatory for bigger institutions
such as banks, which have nationwide operations. "So
far as big companies such as banks and multinational
companies go, they are either mandated by their head
offices or have those necessary business requirements.
These companies have a security plan in place and are
actually executing a security strategy." Cyquator
has a datacenter in Mumbai.
The SMEs too are getting real serious about it. But setting
up a complete DR site (at another location) may be beyond
reach for such companies. For them, BCP and DR may be
limited to creating backups and providing redundancies
for certain systems.
Adds Israni, "Indian SMEs have become more aware
about BCP now. However, for them cost is a deterrent
or they don't have the necessary manpower, or they don't
really know how to go about it. They are trying to find
out on their own, by hiring consultants, etc. Everyone
is serious but actual execution is happening in the
larger Indian companies, by financial institutions and
by multinationals."
FEASIBILITY FACTOR
While a separate DR site is a possibility for companies
that have multiple sites, the huge cost of setting
up a new site purely for DR does not make sense. The
DR site remains on standby until a major disaster actually
happens, and then, one questions the probability and
frequency of natural disasters. To make optimal use
of the DR site, some companies plan to use the site
for productive tasks like software development. An example
is GTL, which is currently building a DR site in Pune.
"We can't afford to have a pure cold site," says GTL's
Furtado. "So we will do business out of that site,
perhaps a software business, and will build in capacities
so both sites serve as redundant sites to each other.
In case of a disaster we will operate on a reduced scale.
We don't want to provide 100 percent
redundancy and leave capacity idle."
At its datacenter in Mumbai, Cyquator hosts client servers,
applications and data, effectively functioning as a
cold site. Cyquator's Israni says the smaller companies
cannot afford hot sites and instead use the datacenter
for backing up data.
"There aren't too many hot sites. Because of the huge costs
and the complexities involved, hot sites are only being
considered by large enterprises like financial institutions,
multinationals, and organizations with country-wide
presence," says Israni. "The smaller companies
engage the shared services of datacenters, for a cold
site. They are backing up their data over the Internet
or over ISDN or leased lines. They request the datacenter
to keep their data in a SAN or NAS environment, and
also take copies on tape and ship it to another location."
CORRECT APPROACH
While it may not be feasible for most businesses to
provide redundancy for every single system and create
hot sites, businesses can take a cautious approach and
devise various strategies to address business continuity
(See box: What CIOs should consider for BCP).
According to Neeraj Bhai, CTO, IDBI Bank, earlier DR
planning was technology-driven: a CIO/CTO would initiate
a DR plan within the IT department. "In my view
this is not the right approach; the correct approach
is BCP, where businesses need to take a call," says
Neeraj. "They need to consider how critical a particular
application is to their business; what kind of downtimes
can they play with. Essentially, I am talking about
business perception with respect to what kind of downtimes
they can take."
Neeraj says this perception cannot come from the IT
department; it should come from top management. He says
when the sentiment for BCP is realized at all levels
in the organization, then everyone will think about
protecting systems; it will also expedite spending on
business continuity solutions.
What CIOs should consider for BCP

1. Attitude - The sentiment for BCP should come from top management.
   Executives at all levels must understand why it's
   necessary to have BCP.
2. Criticality - Identify the most critical
   systems and provide redundancy.
3. Risk Evaluation - What kind of risks
   are you trying to mitigate through BCP? Determine
   the risks and the probability of such risks taking
   place.
4. Investment - Will the investment towards
   certain systems be beneficial? For instance, does
   it make sense to give importance to redundant
   power conditioning equipment in a state where
   power failures are a unique occurrence?
5. Downtime - What kind of downtime can you afford
   for various systems?
6. Recovery - In the event of disaster, can
   you recover operations using printed documents
   and backup tapes?
7. Implementation - A steering group has to be
   formed to take BCP forward. This group will include
   auditors.

Courtesy: Neeraj Bhai, CTO, IDBI Bank

PLAN
At this moment most companies are either designing a
BCP or implementing the first phase of the 'project.'
Because of the complexities and huge investment, BCP
is considered as a project and implemented in a phased
manner. Typically, the final phase involves the rollout
of a DR site that provides redundancy for most systems.
In the first phase, companies identify critical systems
(like links and storage) and make these redundant.
Harsh Kumar, Advisor-IT, Hindustan Petroleum Corporation
Ltd (HPCL), says the extent of BCP depends on the size
of the company and the processes that are online. "BCP
for a stock exchange will be so extensive, that even
if the building goes up in flames, that institution
will be able to continue operations."
That may be hard to accept, but the fact is it is mandatory
for such institutions to provide for such high availability.
The National Stock Exchange is one institution with
this capability.
Harsh Kumar says BCP will have a different meaning for
businesses that are not online. "DR is a very simple
job for companies that do not have online systems. Most
systems are manual, they have print-outs and even if
their computers are down for three days, their business
suffers minimal disruption."
INVESTMENT
The extent to which businesses are willing to go may
be constrained by budget. When all five IT managers
were asked what percentage of their IT budget was allocated
for BCP, they could not arrive at a figure. The general
opinion is, "As much as it takes, for the most
critical systems." And of course the spending will
be spread over phases of the project.
For GTL's Savio Furtado, investment is based on actuals.
"We have implemented redundancy based on business
growth. That's happened with our links, for instance,"
he says.
Says Harsh Kumar of HPCL, "Presently, we cannot
allocate a definite percentage (of the IT budget) for
BCP. We are setting up the plan so we will spend whatever
it takes. Of course, it's not going to exceed the budget.
We will purchase whatever is necessary to backup our
critical online systems."
Israni of Cyquator Technologies prioritizes purchase
of critical equipment.
Naralkar of NSE.IT says the National Stock Exchange
invests heavily in IT. "If we think we'll get a
20 percent increase in the capacity of the trading system,
we'll just go ahead and invest in the technology."
And Neeraj of IDBI Bank says the BCP will determine
what kind of investment he needs to make. "We did
put an arbitrary number which was one-third of the IT
budget, but we realized our mistake. We think we can
only arrive at this figure after putting the BC plan
in place."
In the months ahead, IT managers will push for investments
to secure their most critical systems. But management
will proceed in a highly cautious manner, determining
what will be the real benefit out of that investment.
Brian Pereira can be reached at brianp@networkmagazineindia.com