The Infrastructure Strategies 2005 survey shows that barely
a third of Indian enterprises have invested in Disaster Recovery. Companies
should do more to thwart or at least mitigate disasters. by Soutiman Das
It is not enough to have DR solutions if you're not
trained and ready to be up and running during a disaster
Only 32 percent of respondents have invested in Disaster Recovery
(DR) solutions. Insufficient attention to DR processes is tantamount to courting
Vice President, NSE.IT
"In terms of readiness in the event of a disaster, the
figure (32 percent) will be much less than this. It is certainly not enough
to simply have DR solutions if you're not trained and ready to be up and running
during a disaster," says C Kajwadkar, Vice President, NSE.IT.
|Taking cognisance of disaster
It's important for enterprises
to be serious about the possibility of disaster striking. They must put
DRP practices in place. 32 percent of respondents that have deployed DR
processes, have DRP teams. Many have warm sites and simulate disasters.
Although many organisations
have put DRP teams and procedures in place, their readiness levels are
questionable. Few companies test and revise their DRP procedures.
On a positive note, investments in DR/Business Continuity
(BC) are projected to rise by 10 percent in this fiscal. This is the only technology
area where enterprises intend to spend more in 2005-06, as technology investments
in all other areas are coming down.
Building DRP teams
Building a Disaster Recovery Planning (DRP) team is the first step in creating
a well-defined DR practice. Among those who have invested in DR, half of them
have DR planning (DRP) teams in place. It is a positive sign, showing that Indian
enterprises are becoming serious about DR.
Epicenter, a large BPO service provider based in Mumbai has three operational
facilities in Mumbai and an elaborate IT infrastructure.
Chief Technology Officer, Epicenter
Its Chief Technology Officer, Himanshu Vaish says, "We
had created a BCP/DR team right from the time we commenced operations. The team
has both operational and business heads."
Kajwadkar feels that a BCP/DRP team should have two layers.
People in the lower layer should identify preventive measures, conduct health
checks, ensure that the DR site is up and running, and ensure readiness of DR
initiatives. In case of a disaster the team should spring into action and activate
the DR site.
The upper layer will consist of senior executives. This layer
will declare a state of disaster, sanction the activation of job functions from
the DR site and approve necessary financial measures. They should also be able
to manage the perceptions that a meltdown creates in the minds of the external
stakeholders (investors, suppliers and shareholders).
- Only 32 percent of the surveyed companies
have invested in DR
- Investments made by enterprises on DR/BC
will rise by 10 percent
- 65 percent of companies with DR/BC have
business impact analysis mechanisms
- Only 12 percent have a hot site in place
- 76 percent of organisations with DR/BC
in place simulate disaster scenarios
An important requirement to help an organisation put DR and
BC systems in place is a Business Impact Analysis (BIA). Around 65 percent of
companies that invested in DR have carried out a BIA. See graph: Incidents of
impact analysis. Companies in the services vertical have been especially diligent
in carrying out BIAs (89 percent).
It is imperative that more companies adopt a BIA analysis for effective DR/BC.
For this the CIO has to adopt a BIA process that will identify the needs of
the business for up-to-date data and availability (data recovery point objectives).
This involves assessing and determining the financial and consequential aggregate
loss exposures for each business unit caused by IT-related service interruptions
(infrastructure, voice, data). "You can look at your processes and separate
them into critical and non-critical areas. This can help look at the impact
of business downtime and also gauge the extent of any penalties and legal implications,"
It is important to establish business-unit IT/infrastructure and services' recovery
time objectives. Proper understanding of the underlying IT and business residual
risks is required for this. At this point the CIO should concentrate on soliciting
LOB (line of business) management's expectations and tolerance. This is essential
to achieve IT risk acceptance in the business.
The next step is to determine existing IT risks and mitigate
them, wherever possible, with cost-effective controls. Determination of DR life
cycle costs (both ITO and LOB) and levels of ITO/LOB risk acceptance/tolerance
also has to be performed. Funding of appropriate IT controls, DR contingencies,
and recovery plans also have to be done. These should be based on the business
exposures, IT recovery requirements, and costs versus exposures (financial,
legal, regulatory, market).
Warm and hot sites
Out of the companies that have put a DRP team in place, only 12 percent have
a hot site. See graph: Option in the event of disaster striking business.
A hot site is a backup site that's fully-equipped and ready to take over data
processing operations at short notice. It contains fully configured equipment
and communications links, and data is frequently replicated from a live site
to a hot site.
Processes should be separated into critical and non-critical
areas to gauge the impact of business downtime and legal implications
Hot sites provide very high DR protection, but they're expensive.
That's probably why 64 percent of respondents have a warm site with dedicated
or shared servers. A warm site typically contains data links and preconfigured
equipment necessary to rapidly start operations, but it lacks live data. Commencing
operations at a warm site will (at a minimum) require the restoration of current
data from backups.
Picking a warm or hot site depends on factors such as business criticality and
cost savings required. Many outsourcing service providers offer DR services
at competitive rates, as a benefit for enterprises that do not want to save
costs on equipment purchase and manpower.
Simulation and testing
Putting DR in place is one thing. Testing it to ensure
that it works smoothly when it is needed is quite another. You should
test critical restore procedures in a simulated environment with the participation
of your end-users.
Putting DR in place is one thing. Testing it to ensure that
it works smoothly when it is needed is quite another. You should test critical
restore procedures in a simulated environment with the participation of your
end-users. While backup is a mundane component of operations, restoration can
be harrowing when archived data has to go back into production.
76 percent of companies with a DRP team, simulate disasters regularly. All companies
in FMCG/retail, auto & auto components, and oil/power conduct simulations,
and 90 percent of IT/ITeS companies do so as well.
69 percent of companies test and revise their DRP procedures, of these only
38 percent do so frequently. 22 percent never test or revise DRP.
The testing and revision of DRP procedures should ideally
be done periodically. Companies that carry out these activities are bound to
be more successful when the crunch comes.
- More Indian enterprises should get serious
about BC/DR planning
- Investing in DR isn't enough. Companies
should conduct drills and be prepared
- A DRP team should have members from business
functions and IT. It should ideally be headed by a executive from a
- Impact analysis ensures better preparedness
- Testing and revision of DRP processes
should be done periodically
Soutiman Das Gupta can be reached at firstname.lastname@example.org