Wednesday, March 5, 2014
Tuesday, November 6, 2012
Disaster recovery and business continuity planning tools: A guide to selecting the best product
If you're faced with developing a business continuity (BC) plan and/or a disaster recovery (DR) plan, plenty of help is available. You can ask an experienced consultant to develop the plan. You can also use one of dozens of disaster recovery planning software packages or other business continuity planning tools that can facilitate nearly any level of plan development you like.
Products are also available for just about any degree of sophistication, from ready-to-use disaster recovery templates (SearchDisasterRecovery offers free downloadable disaster recovery templates) to powerful, automated business continuity tools that use relational databases and contain multiple functions, such as a risk assessment module, a business impact analysis (BIA) module and an exercising module. Depending on the finished product you desire, your programming skills, your time line and your budget, you can find a solution for nearly any requirement.
DISASTER RECOVERY AND BUSINESS CONTINUITY PLANNING TOOLS: TABLE OF CONTENTS
>> Disaster recovery planning software
>> Using the Software Development Life Cycle for disaster recovery planning
>> Tips for selecting disaster recovery and business continuity tools
>> Popular business continuity planning software packages
Early disaster recovery planning software came in several forms: fill-in-the-blank templates, checklists or automated systems using a common database structure. But many of these templates and checklists provided little guidance and were difficult to use. Today the content and capabilities of disaster recovery plan development tools have been significantly enhanced. Specialized products designed for complex activities like business impact analyses are also available. Some products boast compliance with industry standards, such as the British Standards Institution's BS 25999. At the end of this article, we'll provide a list of products for your review (see "A partial listing of vendors and business continuity planning tools").
When you start the business continuity/disaster recovery process, it's not a bad idea to use the Software Development Life Cycle (SDLC) model as a guide to all stages of the process. The following table depicts the SDLC with business continuity/disaster recovery as the topic area.
Software Development Life Cycle Phase | Activities |
Feasibility | |
Requirements | |
Design | |
Selection | |
Development | |
Configuration | |
Implementation | |
Post-implementation | |
Use the following list of tips as part of your selection process when evaluating a business continuity tool. Many choices are available for you, which is good, but it also means that finding the optimum product will require some legwork.
- Determine which BC/DR activity you wish to perform. If it's a basic business continuity/disaster recovery plan for a single location or system, a template-based product may be sufficient. If you want to perform all traditional business continuity/disaster recovery activities (e.g., risk assessment, BIA, plans, exercises, incident response plans, maintenance), a more sophisticated database-oriented product may be advisable.
- Build a business case. As the investment in a package may be considerable, it's essential to build a strong benefits-oriented case for a particular product.
- Research options carefully. Rothstein Associates Inc. and TAMP Systems have a large selection of software products available, plus books and publications on all aspects of the BC/DR process. Research your options and be well informed before you begin.
- Speak to other users. Identify users of software packages through contacts you can make in associations like the Association of Contingency Planners (ACP) or from the vendors themselves. But be careful: vendors tend to refer you to their most supportive customers, so you may get a one-sided view of a product.
- Evaluate demos and live systems. Most vendors have demonstration versions of their systems, which may focus on the highlights of their systems, instead of on your specific needs. If at all possible, spend time with a live production system so you can see it in its "normal" operation.
- Evaluate training options. As the new system will probably be unfamiliar to you and your team, make sure the vendor offers on-site training (preferred), distance learning, or guided instructions using self-help programs embedded within the system. If your team isn't comfortable with the system, they won't use it.
- Make sure you have documentation. Most systems will have embedded help functions and possibly also wizards to help understand how the system works. Be sure the vendor has formal documentation about the system, how to set it up, build the database, complete the various templates, produce reports, plan and facilitate exercises, complete plans and maintain them.
- Check the company's viability. Check the prospective vendor carefully, including its financial status, previous or current litigation, customer base, willingness to adapt its system to your needs, warranties available, maintenance plans, availability of technical support, and support for service-level agreements (SLAs).
- Know the product's history. If the product is brand new, decide whether it's in your organization's best interest to be an early adopter. If it's an established product, get information about its history, previous problems, previous releases, vendor plans for future updates, the cost of future updates, and evolution of vendor support (e.g., training, documentation, technical support).
The following chart provides a listing of popular vendors and tools to consider when looking for software for developing your disaster recovery or business continuity plan.
A partial listing of vendors and business continuity planning tools
Vendor | Product | Type of Product |
Archer Technologies | Archer BCM | Full complement of business continuity/disaster recovery activities, Web-based |
Avalution Consulting | The Planning Portal | Full complement of business continuity/disaster recovery activities, Web-based |
Brellion Continuity Ltd. | ImpactAware | Full complement of business continuity/disaster recovery activities, Web-based |
Business Protection Systems International | Business Protector | Full complement of business continuity/disaster recovery activities, Web-based |
Contingenz Corp. | IMCD | Full complement of business continuity/disaster recovery activities, Web-based |
Controll-IT, GmbH | Alive-IT | Full complement of business continuity/disaster recovery activities, Web-based |
COOP Systems | myCOOP | Full complement of business continuity/disaster recovery activities, Web-based |
eBRP Solutions | Toolkit BCM | Full complement of business continuity/disaster recovery activities, Web-based |
Evergreen Data Continuity | Mitigator, EverSafe | Full complement of business continuity/disaster recovery activities, Web-based |
Flexas Ltd. | Disaster Recovery Manager | Online, subscription-based DR plan management |
Global Magnitude | recoverEASE Risk Mitigator | Enterprise risk management and BCM integrated |
IBM Corp. | Recovery Express | Data center recovery for small- to medium-sized businesses (SMBs) |
INONI Ltd. (U.K.) | BCM Pro | Full complement of business continuity/disaster recovery activities |
Logix Corp. | ErLogix BCM System | Full complement of business continuity/disaster recovery activities, Web-based |
Paradigm Solutions | OpsPlanner | Full complement of business continuity/disaster recovery activities, Web-based |
Rothstein Catalog | BCP- A Step-by Step Guide | Templates |
Rothstein Catalog | Comprehensive BCM Program | Templates |
Rothstein Catalog | BCM Framework | Templates |
Rothstein Catalog | School Crisis Continuity Template | Templates designed for educational institutions |
Rothstein Catalog | BCP for Manufacturing and Distributing | Templates designed for manufacturing |
Rothstein Catalog | Plan AHEAD Exercise Software | Exercise planning software |
Rothstein Catalog | Go.Recover Data Center | Data center disaster recovery plan |
Rothstein Catalog | Business Impact Analysis Template | Business impact analysis planning tool |
Rothstein Catalog | Pandemic Prep and Response Plan | Pandemic plan templates |
Strategic BCP | ResilienceONE | Full complement of business continuity/disaster recovery activities, Web-based |
SunGard Availability Services | LDRPS | Full complement of business continuity/disaster recovery activities, Web-based, PC-based, server-based |
TAMP Systems | Disaster Recovery System | Full complement of business continuity/disaster recovery activities |
Virtual Corp. | Sustainable Planner | Full complement of business continuity/disaster recovery activities, Web-based |
Waypoint Advisory Services | Web Planner Express | Full complement of business continuity/disaster recovery activities, Web-based |
Note: If you have a business continuity planning tool and would like to be included in this chart, email the editors at SearchDisasterRecovery.
About this author: Paul Kirvan, CISA, CSSP, FBCI, CBCP, has more than 20 years' experience in business continuity management as a consultant, author and educator. He is also secretary of the Business Continuity Institute USA Chapter.
Planning BCP approaches: Stages and guidelines
First of all, let us be clear that disaster recovery (DR) and business continuity planning (BCP) are totally different concepts. This understanding is critical while planning BCP. DR is the process by which we resume business after a disruptive event. BCP suggests a more comprehensive approach to ensure that we continue 'business as usual'—not only after a technology disruption or a natural calamity, but also in the event of smaller disruptions, including illness or the departure of key staff.
BCP is more proactive. It focuses on avoiding or mitigating risks and maintaining minimal services while restoring an organization to 'business as usual.' BCP is best implemented on an enterprise level, instead of being a set or subset of equipment or service. Some organizations require a business continuity plan to meet fiduciary demands, while others need it for regulatory and compliance purposes. However, all organizations must have a viable business continuity plan if they expect the organization to survive a disaster and recover in the shortest possible time.
There are five stages, through which planning of BCP takes place.
• Business impact analysis
• Strategy selection
• Detailed plan
• Plan testing
• Plan maintenance
Under the business impact analysis stage of planning BCP, you have to take care of:
• Data collection and fact finding
• Critical functions and recovery timescales
• Resource identification for critical functions
• Threat assessment and risk reduction measures
• Disaster scenarios
Under strategy selection phase of planning BCP, you have to see to:
• Minimum recovery resources
• Recovery locations
• Vital records identification
• Backup strategies
• Recovery strategies with costs
Under the detailed plan part of planning BCP, you have to take care of:
• Plan development
• Identification of a command center
• Business recovery team organization
• Assignment of team personnel
• Team procedures
• Preparation & documentation of the plan
Under the plan testing stage of planning BCP, you have to see to the:
• Selection of testing methodology, whether active or passive
• Briefing of your own personnel or third parties, and then execution of a test
When it comes to planning BCP under the plan maintenance stage, you need to see to the:
• Nomination of a BCP officer
• Monitoring of business and IT strategy
• Periodic review of operational risks
• Updating of all documentation and changes
• Review of third-party contracts
• Review of the adequacy of insurance cover
• Distribution of copies to all concerned
• Conduct of regular drills
• Documentation of all that failed in the drills, and initiation of corrective action
There are certain standards formulated for planning BCP. These include:
• BS 25999-1, which is a code of practice for guidance and recommendations. It establishes the processes, principles and terminology of BCP, as well as provides a basis for understanding, developing and implementing business continuity.
• BS 25999-2, which specifies the process for achieving the certification.
Now, is there a simple mantra to keep in mind while planning BCP? Yes, the mantra is that BCP should be achievable, comprehensive, current and readily available.
About the author: Ashish Dandekar is the CIO of Power Exchange India. He is a certified Business Continuity professional and a Lead Auditor (ISO25999). He is also an ISMS implementer (ISO27001) and has a Quality Management Certification (ISO9001).
Implementing BS 25999 standard for BCP
There is an increased awareness amongst organizations in relation to their approach towards disaster recovery (DR) and business continuity planning (BCP). A very thin line differentiates these two concepts. While DR is undertaken for systems in the data center, BCP is reserved for business processes.
Pre-requisites for BS 25999 standard
The BS 25999 standard (Part 1, BS 25999-1) is a code of practice for guidance and recommendations. It establishes the processes, principles and terminology of BCP. It also provides a basis for understanding, developing and implementing business continuity. There are two approaches (or rather situations) in which this standard could be implemented. The first approach comprises implementing the BS 25999 standard in a stable business environment, where one is aware of the different processes. In the second instance, the business is new, and one is not aware of how the processes will change.
It is ideal to implement BS 25999 standard for BCP only after some of the business processes have stabilized. Once the processes are in place, only then should you look at their continuity. This is a proven and conventional approach.
When BS 25999 standard is implemented in a new business, one can nominate a person who is an expert on the subject matter and look at stabilizing different processes. Out of ten processes, at least two or three processes would always have to be available, irrespective of anything.
Step-by-step execution
BS 25999 is a BCP standard; hence, it is better to first analyze the business processes in an organization and streamline them. Do not look at isolated silos of processes.
For the successful implementation of the BS 25999 standard, it is important to break up activities into smaller functions and induct the right people. BCP involves making certain predictions, based on which norms have to be followed. The success of the BS 25999 standard also hinges on top management and how convinced it is about going forward with the execution.
Implementing BS 25999 standard involves cost, strategy, and time. If you look at implementing BCP on day one, it is only going to be a cost implication for the organization without any profit.
Another standard that can be implemented along with BS 25999 is BS 25777, a newer code of practice for information and communications technology (ICT) continuity management, i.e., internal DR for the IT services that the business processes depend on. It can be implemented after the BS 25999 standard to give a holistic IT approach to business continuity.
About the author: Ashish Dandekar has served as the chief information officer of Power Exchange India. He is a certified business continuity professional and a lead auditor (ISO 25999). Dandekar is also an information security management system implementer (ISO 27001) and holds a Quality Management Certification (ISO 9001).
HDFC Bank’s BS 25999 certification journey: An exploration
At a time when the banking and financial players in India started to warm up to the idea of business continuity, it's interesting to note that financial major HDFC Bank's BCP team had been working on a strategy for over five years. This puts the bank far ahead of the curve, according to Vishal Salvi, the CISO at HDFC Bank. A full year ahead of the Reserve Bank of India (RBI) mandate, HDFC Bank achieved BS 25999 certification from BSI (in March 2011) for its entire operations. The bank completed its first annual surveillance audit in May 2012.
Post BS 25999 certification, all HDFC Bank processes—technology (DR and infrastructure), business and crisis management processes— are now BS 25999 compliant. These include the operations spread over 3000 branches. HDFC Bank has been working on its IT infrastructure, awareness, policies and frameworks over the last five years, says Salvi. The business continuity office was started under the information security team in 2008. It binds the DR initiative, business continuity, business operations and the crisis management team.
The key players
HDFC Bank’s hierarchy follows a pattern where the program management comes under information security. The IT stack and technology for DR falls under IT’s auspices. HDFC Bank operates three data centers with around 250 applications; nearly 50 of these applications are classed as critical. The primary DR site is located at Bengaluru.
Salvi’s Mumbai-based BCP team is responsible for internally driving the BCP agenda. HDFC Bank’s business continuity management (BCM) office is headed by Asmita Gada, who reports to Salvi. This full-fledged independent position deals only with business continuity management. The office is also in charge of framing guidelines, policies and design for the organization-wide template.
Post design, there are governing processes in the form of steering committees (comprising of the senior management, group heads and business heads). The committees meet every six months to decide strategy and business continuity processes. The bank also has a monthly IT steering committee meeting to address tactical and operational challenges in terms of managing and improving infrastructure.
Paving the way - Risk assessment, BIA
HDFC Bank used the BS 25999 risk framework for risk assessment to develop a tailored risk/threat matrix. Business processes were dissected for determination of linked applications to be included into the BCP’s scope. After identification of applications, different local/wide-spread disaster scenarios were considered.
Beyond technology, HDFC Bank had to look at critical buildings and processes. Plans were formulated for relocating affected departments in case of a disaster, covering the people aspect. On the process side, HDFC Bank put multi-site centralization in place, in which processes working out of different cities serve as hot standbys for each other during disasters.
A typical business impact analysis (BIA) report highlights the applications and processes which have requirements like near site and far site recovery, says Salvi. Based on the designated recovery time objective (RTO) and recovery point objective (RPO), the need for hot stand-by systems or high availability systems is determined, in addition to whether the DR requirement is local or far site.
In addition, HDFC Bank performed a business strategic risk assessment exercise via a workshop conducted by BSI auditors with key senior stakeholders. The final step documented all cognizable scenarios before planning their campaign to overcome these difficulties, and put the BCP in place in the shortest timeframe. The final DR requirement was based on risk and criticality.
Implementing BS 25999
The usual practice is to hire a consultant and ensure compliance before going for certification. In HDFC Bank’s case, Salvi and his team took the in-house approach. The bank went for a pre-audit before the certification audit; both performed by BSI.
The pre-audit identified changes needed in the existing setup. According to Salvi, the audit process itself was very comprehensive, involving multiple auditors across different locations. This involved branch visits across India and HDFC Bank’s DR site. The same approach was adopted for the recent surveillance audit.
According to Salvi, employees and stakeholders had a fair level of awareness due to the earlier change management and awareness activities. During the audits, BSI auditors met with various department heads and stakeholders to determine how BS 25999 requirements were met.
With its BS 25999 certification, HDFC Bank claims to have achieved “zero RPO” on certain processes through online replication from the primary site to the DR site. Its RPOs range from 0-15 minutes on an average, with a maximum of 30 minutes.
Though the RTO can stretch into days, it's a function of how prioritization takes place, explains Salvi. Prioritization determines which systems are needed first in case of total disruption. Salvi reasons that during a disaster, resources are assumed to be limited, so it's unreasonable to assume that all applications can be brought online at once. A priority (or triage) framework is a must for planning how to invoke recovery.
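The RTO/RPO-driven decisions described above, together with the BIA stage of the earlier article ("critical functions and recovery timescales", "recovery strategies with costs"), are the kind of thing a BCP tool automates. The following is an added example written for this page; it is not code from HDFC Bank, any vendor listed above, or the original articles. The BIA table (application names, tiers, RTOs, RPOs, effort estimates and dependencies) is constructed, and the two-team limit is an assumed resource constraint. The example maps each RPO to the minimum replication or backup mechanism that can meet it, orders recovery by criticality while honouring dependencies, simulates the recovery with a limited number of parallel crews, and reports which applications would miss their RTO, which is exactly the triage question the text raises.

```python
"""Recovery triage from a constructed business impact analysis (BIA).

Added example, not from the original articles. The BIA rows below are
constructed for illustration; tiers, RTOs, RPOs and effort estimates are
assumptions, not figures from any real bank.
"""
from dataclasses import dataclass
import heapq


@dataclass(frozen=True)
class App:
    name: str
    tier: int            # 1 = most critical, recovered first
    rto_min: int         # recovery time objective, minutes after disruption
    rpo_min: int         # recovery point objective, minutes of tolerable data loss
    recover_min: int     # estimated hands-on effort for one crew, minutes
    depends_on: tuple = ()


def replication_strategy(rpo_min: int) -> str:
    """Minimum data-protection mechanism that can satisfy a given RPO."""
    if rpo_min == 0:
        return "synchronous replication (zero RPO)"
    if rpo_min <= 30:
        return "asynchronous replication"
    if rpo_min <= 24 * 60:
        return "scheduled backup with offsite copy"
    return "periodic backup"


def recovery_schedule(apps, teams=2):
    """List-schedule recovery with `teams` crews working in parallel.

    Picks, among applications whose dependencies are already scheduled, the
    most critical one (lowest tier, then tightest RTO) and assigns it to the
    crew that frees up first. Returns {name: (start_min, finish_min)}.
    Raises ValueError on an unknown dependency or a dependency cycle.
    """
    by_name = {a.name: a for a in apps}
    for a in apps:
        for d in a.depends_on:
            if d not in by_name:
                raise ValueError(f"{a.name} depends on unknown application {d}")
    finish = {}
    free_at = [0] * teams          # time at which each crew becomes free
    heapq.heapify(free_at)
    remaining = set(by_name)
    while remaining:
        ready = [by_name[n] for n in remaining
                 if all(d in finish for d in by_name[n].depends_on)]
        if not ready:
            raise ValueError("dependency cycle among: " + ", ".join(sorted(remaining)))
        nxt = min(ready, key=lambda a: (a.tier, a.rto_min, a.name))
        crew_free = heapq.heappop(free_at)
        deps_done = max((finish[d][1] for d in nxt.depends_on), default=0)
        start = max(crew_free, deps_done)   # crew may have to wait for a dependency
        end = start + nxt.recover_min
        finish[nxt.name] = (start, end)
        heapq.heappush(free_at, end)
        remaining.remove(nxt.name)
    return finish


def rto_breaches(apps, schedule):
    """Names of applications whose scheduled finish exceeds their RTO."""
    return sorted(a.name for a in apps if schedule[a.name][1] > a.rto_min)


# Constructed BIA table (assumption: not real systems or timings).
BIA = [
    App("core-banking", tier=1, rto_min=60, rpo_min=0, recover_min=45),
    App("directory", tier=1, rto_min=30, rpo_min=15, recover_min=20),
    App("payments-gateway", tier=1, rto_min=120, rpo_min=0, recover_min=30,
        depends_on=("core-banking", "directory")),
    App("internet-banking", tier=2, rto_min=240, rpo_min=15, recover_min=60,
        depends_on=("core-banking", "directory")),
    App("reporting-warehouse", tier=3, rto_min=2880, rpo_min=1440, recover_min=180,
        depends_on=("core-banking",)),
]

if __name__ == "__main__":
    for app in BIA:
        print(f"{app.name:20s} RPO {app.rpo_min:5d} min -> {replication_strategy(app.rpo_min)}")
    for teams in (2, 1):
        sched = recovery_schedule(BIA, teams=teams)
        print(f"\n{teams} crew(s):")
        for name, (s, e) in sorted(sched.items(), key=lambda kv: kv[1]):
            print(f"  {name:20s} {s:4d}-{e:4d} min")
        print("  RTO breaches:", rto_breaches(BIA, sched) or "none")
```

With two crews every application in the constructed table meets its RTO; with a single crew, core-banking finishes at 65 minutes against a 60-minute RTO because the crew is still busy with the directory service. That is the point of the triage framework: an RTO is a property of the whole recovery plan and its staffing, not of one system's restore time.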
The road ahead
Salvi sees the certification as a validation of the bank's efforts. According to Salvi, BSI has attested to the fact that HDFC Bank was the first Indian bank to comply with BS 25999 across all its functions, including processes, branches and datacenters. He believes that this milestone gives assurance and confidence about the bank's robust business continuity measures to stakeholders.
Salvi's team conducts training programs across HDFC Bank through mediums like video to create awareness of DR planning, especially for the emergency response teams. The bank's BCP plan includes tabletop exercises held to simulate disaster scenarios using role play. By exposing people to these situations, Salvi identifies and eliminates inadequacies in the current plan. The bank now conducts unplanned drills, where designated applications are selected for invoking DR.
Plans are underway at HDFC Bank to conform to the new ISO 22301 business continuity standard (slated to replace BS 25999). Once this is official, the bank intends to undergo compliance validation. The bank has also implemented in-house monitoring tools which will be integrated into the IT GRC project in 2013.
BCM certification roadmap for the data center pro
As more business gets outsourced to India, organizations that can continue to deliver services at the agreed levels (continuity) and without fail (repeatability) will continue to thrive. This is why many of these companies are now looking for experienced people with business continuity management (BCM) certification.
In India, it is the MNCs which mostly hire such BCM certified professionals, since the parent company demands compliance with standards and customer requirements. "BCM is the solution for organizations that want to continue delivering their key products and services even during a disaster, and survive thereafter. This gives rise to the demand for certified professionals," explains R Vaidhyanathan, the practice head of BCM at Business Continuity Management Institute (BCMI).
As in any other field, BCM also demands that employers distinguish between different levels of experience and types of specialist skills. "For those who want to make a career in BCM, having a recognized professional qualification in the form of a BCM certification will certainly help," says Arnab Mukherjee, the business continuity planning manager at Colt Technology Services, a Fidelity International group company. Mukherjee is a Certified Business Continuity Professional (CBCP), and an Associate Member of the Business Continuity Institute (AMBCI).
Institutes offering BCM certification
At the moment, there are just a couple of options when it comes to BCM certifications. "You need to be associated with the Disaster Recovery Institute International (DRII) or Business Continuity Institute (BCI) to qualify as a professional in BCM," says Mukherjee. BCMI is yet another option that you can look at. However, Mukherjee points out the fact that BCMI does not have global recognition.
DRII, a US-based organization, offers BCM certifications such as Associate Business Continuity Professional (ABCP), CBCP, and Master Business Continuity Professional (MBCP). It also offers a BCM certification for vendors, the Certified Business Continuity Vendor (CBCV). The BCI, a UK-based organization, offers BCM certifications such as AMBCI, Specialist Member of the Business Continuity Institute (SBCI), and Member of the Business Continuity Institute (MBCI). "Both DRII and BCI cover the same domains, but there is a slight change in the sequencing of activities. Generally, it is seen that DRII certifications are more sought after," says Rajesh R Nair, Vice President, Business Continuity, Credit Suisse India. On the same front, BCMI (headquartered in Singapore), offers BC Certified Planner (BCCP), BC Certified Specialist (BCCS), BC Certified Expert (BCCE), DR Certified Specialist (DRCS), DR Certified Expert (DRCE), BC Certified Auditor (BCCA) and BC Certified Lead Auditor (BCCLA).
How to get a BCM certification
The 10 domains covered in a BCM certification are program initiation and management, risk evaluation and control, business impact analysis, business continuity strategies, emergency response and operations, business continuity plans, awareness and training programs, business continuity plan exercises, audit and maintenance, and crisis communications and coordination with external agencies.
A BCM certification from DRII requires eligibility using the following criteria.
- ABCP certification requires that you show entry-level proficiency in professional practices with less than two years' experience in the field. This is the entry-level certification. To progress to a higher offering, you must complete an application for certification. An additional exam is not needed.
- CBCP necessitates that you demonstrate knowledge and working experience of more than two years. You must be able to demonstrate practical experience in five of the professional practice subject matter areas.
- The MBCP is reserved for individuals who have demonstrated knowledge and working experience of more than five years. They must be able to demonstrate practical experience in seven of the professional practice subject matter areas.
- For the CBCV you must demonstrate knowledge of professional practices, and have more than two years' experience as a vendor in the field.
To get a BCM certification from the BCI, the following eligibility criteria should be met.
- AMBCI requires that you hold a BCI Certificate (CBCI) and demonstrate one year's experience working within BCM.
- The SBCI requires that you hold CBCI at 'Pass' or 'Pass with Merit' level, and demonstrate two years' full-time experience as a specialist practitioner either in BCM or a related discipline. You must also be able to prove professional membership of or certification by a relevant professional body in an associated discipline.
- For the MBCI, in addition to holding a CBCI at the 'Pass with Merit' level, you need to demonstrate practical application of your knowledge by submitting a further professional application form which will be scored by a panel of peers appointed by the BCI's membership council. You will also have to show three years' full-time experience as a business continuity practitioner.
Other BCM certifications include the BS 25999 Lead Auditor and BS 25999 Lead Implementer certifications, based on the BS 25999 standard, which is a British standard for business continuity. The standard is popular since it allows an organization to be certified against it. "Many organizations in India have already got themselves certified as BS 25999-compliant, hence there's demand for professionals who are BS 25999 Lead Auditors and Implementers. These professionals play a critical role to guide and implement this standard within the organization," says Nair.
Remuneration after getting a BCM certification
The compensation package for a BCM certification holder depends on the person's experience and his role in the organization. For instance, a business continuity planning (BCP) manager who has more than 10 years of experience as well as BCM certifications, will be a real-time crisis manager. He will help the organization to recover from a real incident and co-ordinate with various cross-functional teams. His starting salary is typically in the range between Rs 15 lakh and Rs 25 lakh. A certified BCP team member who plays a role in aspects like documentation and audits will draw starting salaries between Rs 8 lakh and Rs 15 lakh.
IDBI’s unique BS 25999 certified BCM model a first among PSU banks
A relatively new banking player, Industrial Development Bank of India (IDBI) strives to distinguish itself from other domestic players. IDBI’s BS 25999 certified BCM initiative, which encompasses key products and services, is the latest move on that front. According to IDBI, this effort makes it the first Indian public sector bank to get BS 25999 certification.
Initiated in 2007, IDBI’s branch-level BCM project was seen as a strategy for differentiation from competitors, says Anirudh Behera, IDBI Bank’s general manager for operational risk. With over 1000 branches, IDBI’s enterprise-wide BCM program faced many challenges. On September 6, 2012, the bank achieved BS 25999 certification for all Indian branches, as well as a majority of its critical business and support functions.
Long road to certification
According to Behera, IDBI’s initial objective was uninterrupted customer service, since branches regularly faced downtime. Apart from branches, external interfaces like IDBI’s trade-finance and credit departments witnessed business disruption.
IDBI’s first BCM policy was drafted in July 2007. A BCP steering committee comprising top management, with members from all operational areas, was formed in September 2007. The team determined IDBI’s BCP requirements and benchmarked them against BS 25999. The BCM model is unique to IDBI, asserts Kuntal Biswas, the deputy general manager for IDBI’s operational risk and BCP cell.
IDBI’s BCP plans were approved in March 2010, following which a full-fledged BCM team was formed within the risk department. The core three-member BCM team operates under IDBI’s risk function. The central BCM team drawn from various business functions conceptualized and completed the BCM process. Biswas explains that engaging a consultant would have proved expensive due to the comprehensive scope.
Roll out time
Evaluation of asset/function criticality, business impact analysis (BIA), risk assessment (RA), implementation and testing was performed by respective business units under the BCP cell’s guidance, says Ritesh Kumar, the assistant general manager for IDBI’s operational risk and BCP cell.
BS 25999’s multiple documentation requirements became the BCM team’s focus. The team comprehensively documented BCM plan requirements, starting with separation of IDBI’s various business lines. BCP requirements for each function were extensively documented in consultation with the function. This enabled prioritized grading of plans and processes for function-wise BCP, as well as subsequent BS 25999 certification.
After documentation, implementation was a straightforward task of defining timelines, personnel, responsibilities, owners and priorities. Recovery time objective (RTO) and recovery point objective (RPO) for critical business applications are based on BS 25999 standard guidelines. Kumar says that state-of-the-art DR is in place for data centers. Quarterly DR drills ensure that every critical application (numbering over 100) is covered at least once a year.
The implementation process relied on phase-wise testing. IDBI’s over 1000 branches made this technically impossible to do in one shot, says Biswas. At the time of writing, 200 branches have undergone final BCP testing. Given the unique way in which IDBI’s BCP plan involves branches, each location is tested from another branch. 400 branches have been covered so far, says Kumar.
How it works
Monthly top management meetings discuss and review BCP-related issues to evolve BCM in sync with the bank’s needs. Each branch has a well-defined BCP hierarchy with a designated BCP invocation authority.
Invoking the BCP involves bringing the business unit’s ‘call tree’ into play. A ‘call tree’ is a layered hierarchical communication model used during a disaster to communicate, coordinate BCP and percolate messages down to all unit layers (See Figure 1). Personnel fall back on prearranged and rehearsed roles as per the unit’s BCP documentation.
Figure 1 - Sample call sheet for IDBI's central credit unit
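The call-tree invocation described above, as an added example written for this page rather than IDBI's own tooling or documentation: a small Python model that walks a layered call tree from the BCP invocation authority, falls back to each contact's designated alternate when the primary does not answer, and reports which part of the unit was never notified. It also lists contacts who have no alternate, the single points of failure an exercise would want to surface before a real incident. The names, roles and tree shape are constructed for the example.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Contact:
    """One node of the call tree: the people this contact must call, and a stand-in."""
    name: str
    role: str
    calls: List[str] = field(default_factory=list)  # contacts this person is responsible for calling
    alternate: Optional[str] = None                   # takes over this person's calls if they are unreachable


def sample_call_tree() -> Dict[str, Contact]:
    """Constructed sample tree for a hypothetical business unit; names and roles are invented."""
    people = [
        Contact("unit_head", "BCP invocation authority", ["deputy_head", "ops_lead", "credit_lead"], "deputy_head"),
        Contact("deputy_head", "deputy to the unit head"),
        Contact("ops_lead", "operations team lead", ["ops_1", "ops_2"], "ops_1"),
        Contact("credit_lead", "credit team lead", ["credit_1", "credit_2"]),  # no alternate: a gap
        Contact("ops_1", "operations staff"),
        Contact("ops_2", "operations staff"),
        Contact("credit_1", "credit staff"),
        Contact("credit_2", "credit staff"),
    ]
    return {p.name: p for p in people}


def subtree(tree: Dict[str, Contact], name: str) -> Set[str]:
    """Every contact that depends on `name` for notification, including `name` itself."""
    seen: Set[str] = set()
    stack = [name]
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        stack.extend(tree[n].calls)
    return seen


def who_answers(tree: Dict[str, Contact], name: str, reachable: Set[str]) -> Optional[str]:
    """The contact itself if reachable, else its alternate if reachable, else None."""
    if name in reachable:
        return name
    alt = tree[name].alternate
    return alt if alt is not None and alt in reachable else None


def invoke_call_tree(tree: Dict[str, Contact], root: str, reachable: Set[str]):
    """Simulate an invocation: each layer calls the next; an alternate who picks up
    inherits the unreachable contact's call list. Returns (notified, failed_calls,
    not_notified) where failed_calls lists (caller, contact who did not answer)."""
    failed: List[Tuple[str, str]] = []
    if root not in reachable:
        failed.append(("invocation", root))
    answered = who_answers(tree, root, reachable)
    if answered is None:
        return set(), failed, subtree(tree, root)
    notified: Set[str] = {answered}
    not_notified: Set[str] = set()
    done: Set[str] = set()
    queue = deque([(root, answered)])  # (whose call list to work through, who is actually dialling)
    while queue:
        slot, caller = queue.popleft()
        if slot in done:
            continue
        done.add(slot)
        for callee in tree[slot].calls:
            if callee not in reachable:
                failed.append((caller, callee))
            picked_up = who_answers(tree, callee, reachable)
            if picked_up is None:
                not_notified |= subtree(tree, callee)  # whole layer below is cut off
                continue
            notified.add(picked_up)
            queue.append((callee, picked_up))
    return notified, failed, not_notified


def single_points_of_failure(tree: Dict[str, Contact]) -> List[str]:
    """Contacts who call others but have no alternate: if they are unreachable, nobody below them hears."""
    return sorted(n for n, c in tree.items() if c.calls and c.alternate is None)


if __name__ == "__main__":
    tree = sample_call_tree()
    print("single points of failure:", single_points_of_failure(tree))
    # Exercise scenario: both team leads are unreachable during the drill.
    reachable = set(tree) - {"ops_lead", "credit_lead"}
    notified, failed, missed = invoke_call_tree(tree, "unit_head", reachable)
    print("notified:", sorted(notified))
    print("failed calls:", failed)
    print("never notified:", sorted(missed))
```

Running the scenario shows the value of the alternate field: the operations layer is still reached because ops_1 inherits the lead's call list, while the credit layer is silent because its lead has no stand-in, which is exactly the kind of gap a rehearsal against the documented call sheet is meant to find.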
Going the extra mile
According to IDBI, it was the first public sector bank to have its own DR setup (implemented by IBM) in 1991. In its current avatar, IDBI wanted BCM to go beyond IT. Biswas says that innovation was essential to break away from industry standard procedures. In cases where the branch cannot connect to the IDBI’s core banking system due to network failure, deviations from existing systems and procedures (approved by the top management) ensure uninterrupted services.
Biswas asserts that this provision is procedural and not IT-related. BCM invokes an alternate location/branch’s services to provide operations. Only critical processes/transactions are expected to run at such times. Each bank has two BCP terminals used by other branches for BCP. The level of additional IT/resource augmentation depends on function and BCP role, says Kumar. For instance, DR for treasury requires subscriptions to wire services and terminals at its designated BCP site.
In addition, certain provisions allow branch staff to work from alternate locations/branches, or the workload can be taken up by the alternate branch. Each IDBI branch/function has a ‘hot standby’ or ‘DR’ at alternate bank locations/branches. IDBI’s treasury has two DR sites equipped with the necessary infrastructure in different areas of Mumbai. These sites are located near IDBI’s housing colonies to compensate for transport unavailability during disasters.
Implementation challenges
According to Behera, employee sensitization was the major challenge. The BCP plan’s nitty-gritty had to percolate down to all 16,000 employees. Considerable hand-holding brought branch managers up to par with BCP. “As the first point of interface with customers, branches stood to gain the most. Enthusiastic support followed awareness,” says Behera.
Determining redundancy was a challenge. DR redundancy requirements for functions like treasury and data centers were based on a cost versus criticality valuation, as well as acceptability to the business. A recent power grid failure in north-east India demonstrated the effectiveness of IDBI’s BCP plan – 99% of affected branches continued operations.
Getting BCM certified has brought a great deal of assurance, followed by process maturity, says Biswas. He adds that migration to ISO 22301 may be a future option.