A Must Have for Business

Consider this hypothetical situation: Its November 10 and the clock shows 11
am in New Delhi. A series of explosions rock a prestigious office complex in the
central business district. Offices of several large national and multinational
companies are badly damaged while stranded employees scramble to escape the fire
that engulfs the building. While most employees manage to escape with minor
injuries, the IT equipment in the offices is completely destroyed.

The incident mentioned above, obviously, is fictitious, but the possibility
of a disaster happening remains a very real one. But is India Inc geared up to
face such eventualies? Do Indian enterprises have a business continuity plan in
place?

The recent attacks in the heart of New York’s financial district sent shock
waves around the world. Besides massive loss of human life, several office
complexes turned into rubble, and the IT infrastructure of companies that had
their offices there was completely wiped out. It was interesting, however, to
observe the vibrancy of financial entities like Nasdaq, Citibank and Morgan
Stanley. Within days, in some case even hours, all these financial giants were
back in business. And it was all thanks to their well-chalked-out disaster
management proceses.

But a disaster need not stem from just a terrorist attack, it could stem from
different reasons which could be of generic nature such as an earthquake, fire,
flooding or an IT-related one such as a virus attack, network failure, or
hardware-software failure.

Why DM & BPC?

Research firm Gartner estimates that 40% of the firms struck by a disaster
would go out of business within five years. Having a disaster management (DM)
and business process continuity (BPC) plan is necessary for any business. It is
like having an insurance policy, for one would be able to realize the benefits
of such a plan soon after any disastrous event has occurred, by getting their
systems in place soon and having the procedures all mapped out. Business
continuity deals not with recovery, but with the ability to manage and ensure
the constant availability of information across a computing enterprise. IT
infrastructure implemented should be robust enough to ensure that events caused
by natural disaster, or non-productive interruptions occurring behind the
scenes, do not affect or interrupt revenue generating applications.

Neel Ratan, head of Global Risk Management Solutions, says: "Business
process continuity spans a far wider suite, of which DM is the tech component.
Technology is just an enabler in the business process."

The driver of this whole process has to be the top management. When disaster
strikes, one should focus on proper execution of the BPC plan instead of
starting to plan at that moment. Besides IT, people and business processes are
also important. Defining a chain of command, ensuring dispersal of key staff,
keeping the master plan in multiple locations too fall within the gamut of
contingency planning. The decision-makers must involve, besides the CIO, the
CEO, CFO and the heads of different units within any given organization.

Ask Arun Rawtani, country SE manager at EMC about this, and he says:
"The bottomline is that everyone needs to protect their information in one
or more locations to ensure business continuance."

More than an IT  issue

Disaster management, however, is not just an IT issue, it’s also a business
issue. Avijit Basu, marketing manager at HP India says," Any contingency
plan being drawn out cannot be static. It needs to be reviewed on a periodic
basis."

DM and BPC solutions would require mission-critical data, information,
applications and databases, and all of these to be available at any given point
in time. At the lower end, there’s the daily back-up, while high-end options
would mean having a "hot site" or a data center where data can be
replicated in real time. The cost of the solution may, however, vary depending
on the need. While a low-end solution like DLT would cost a few thousand rupees,
high-end solutions like SAN and NAS can cost between a few lakh to a crore of
rupees.

Owais Khan, business manager for enterprise storage at Compaq India,
identifies the three main components involved–technology, service and the
processes.

"Storage
is among the most important components of a disaster management plan, as
everything is centered around data," says Khan. Back-up, mirroring,
clustering and replication are some technologies that are a step towards a
disaster management plan. It could be something as simple as writing the data
from a server onto a tape such as DLT and sending it off to a remote location.

The process is manual and does not need the sophistication of a full-fledged
automated disaster recovery site. This DR site could have redundancy built in at
every point. The steps involve identifying all critical and non-critical
components of business and associating a weighted average with them. After that,
one needs to determine what are the affordable outages in each component and
then applying the proper back-up mechanism with it. Adds Khan, "There is a
trade-off that has to occur between time and money invested in such a solution
and the benefits accrued."

Besides, there’s also the issue of who takes the call to declare an event
to be a "disaster". This has also to be defined in the business
continuity plan where management personnel are identified. The first step toward
a good DM plan is to be clear about the criticality of data. There needs to be
an understanding about the nature and functionality of data available and the
impact of a loss of data of a particular business unit. Only then would the
back-up strategy be decided.

Binod Kumar Panda, country manager for Apara Enterprise Solutions, says,
"Technologies include data mirroring (taking a copy of the data as it is
created in real-time, such as with RAID), hot back-up (copying real-time data
and storing it on a server at a different facility) or taking a snapshot at
intervals of every five minutes, every hour, or every 24 hours." One could
choose from synchronous, asynchronous and adaptive replication technologies.

Rawtani of EMC says, "A successful BPC should consider and pro-actively
address any and all possible disruptions to an organization’s information
flow. The choice of storage solution in a company is usually made by the CIO or
CTO, basically the person who is the caretaker of all the information
infrastructure in the enterprise."

Indian enterprises: Traditionally late to adapt

The concept of both business process continuity and disaster management is
not new to Indian enterprises. While there has been some degree of awareness on
this front, action taken on the ground is another thing altogether. While most
Indian companies have planned to address this issue, the manner of
implementation in most cases is manual and very basic in nature. With major
Indian cities located in areas vulnerable to hazards like earthquakes and
floods, it is surprising that most businesses are still adopting the chalta hai
approach believing "It won’t happen to me".

In developed markets like the US and Europe, businesses have been more
proactive on this front. But even within these markets, it is banking, finance
and telecom companies that have invested heavily on DM and BPC. Adds Panda,
"Traditionally, Indian companies have started consolidating since the last
two years or so, and one will witness a larger requirement for DM and BPC in the
coming months only."

Businesses generally adopt a reactive measure, as these processes can end up
costing a lot of money and manpower. While some plans presented by CIOs to the
top management may be pro-active, they often get shot down because of the costs
involved. With the recent incidents across the world, realization has dawned on
the effect of the loss of data on business. This has highlighted the need for
having a business continuity plan. A steady shift in the mindset of businesses
is taking place and they are willing to learn more on topics like back-up,
restoration and outage sites.

Alwin Ow, regional SE manager at Veritas, says, "The disaster management
plan not only includes the obvious back-up of data, it also provides for
contingencies like security access to the data and staff to manage the data. If
a disaster recovery plan is in place and executed effectively, all
business-critical data should be recovered with minimal or no business impact,
if the system at the primary location is lost."

CP Gurnani, chief operating officer of HCL Perot Systems, says, "The
major role of IT in DM and BPC is the efficiency with which IT can help in
ensuring seamless business continuity with the least possible disruptions in
case of breakdowns of IT-dependent processes. It is imperative that the
organization establishes the importance of availability, security and
retrievability of information within the least possible timeframe in order to
ensure minimum adverse impact on existing business and its reputation."

Sathyan Gopalan, national manager for storage solutions at Computer
Associates, has this to say: "Planning for disaster management and business
process continuity depends on the maturity of the organization in the IT
planning process, the criticality and dependence of IT in the business and the
ability of the organization to invest the required resources."

Unplanned response: Disastrous results

Disaster recovery planning is essential to ensure continuity of business
operations even after being hit by a disaster resulting in catastrophic data
loss. Sanjiv Pande, country manager (ITS) at IBM India, says, "The losses
could be multi-fold for organizations without business continuity plans. This
was seen in India after the Gujarat earthquake. Companies that had invested in
disaster sites were able to return to near normal operations soon after."

For businesses having an existing plan in place, it is imperative that the
plan be constantly reviewed and trials undertaken randomly. In many instances,
the trial run is often announced in advance, causing a sense of complacency in
the team. This beats the purpose of seeing the reaction of employees when they
are caught unawares. Also, having a back-up site in the same location may not be
enough. An organization that has a back-up in the basement of the same building
could lose all data–in the case of the building being damaged in a disaster.

For a mobile operator, having a network down even for a few minutes would
render its users helpless and besides, the revenue loss would damage brand
equity.

To take a case study, the National Stock Exchange (NSE) had a contingency
plan in place with hot sites, but did not factor in the connectivity element.
When the Insat 2D satellite failed a few years back, it caused the trading
network to be down for three days. A stoppage in trading activity, with an
average turnover of about Rs 1,520 crore per day, would have meant colossal
losses. "We worked around the clock and completed the job in three days’
flat. Everyone in the market was pleasantly surprised. This received a lot of
appreciation from the broking community and the public in general,"
reminisces Satish Naralkar, NSE’s chief information officer.

According to Neel Ratan of PwC, "Disasters may result in disruption of
enablers to processes, even if the actual process is not disturbed. For
instance, for a telecom operator, though the billing process would not be
halted, the people involved in the process could be lost along with the
database." Adds Panda, "The implications could range from ones as
small as losing a few files which can be regenerated, to as crippling as losing
valuable data that has been built up over a period of years. This could result
in disruption of business, loss of transactional data, disturbance in continuing
customer relationships and thus customer dissatisfaction."

According to Gurnani, "Without a proper DR policy in place, enterprises
stand a risk of irrecoverable loss of data, information and business knowledge,
leading to a possible threat of total disruption."

Organizations could end up losing their competitive edge altogether in this
age–where time is crucial. For certain specific industries like software, the
lack of BPC and DM plans could result in loss of costly man-hours and delayed
projects. For large banks, the cost of service interruption has been estimated
at between $60,000 and $250,000 a minute, according to industry sources, and the
average bank computer loss has been estimated at $1.5 million. SMEs make up
another segment that is being educated on the imperatives of having a disaster
management plan in place. While it may not be practical for SMEs to put up
massive infrastructure, there are solutions available depending on the nature of
business. Back-ups and clustering are among the most common ones used.

Banking, insurance and telecom: Active verticals

Though awareness about the need for a BPC and DM may be present across
verticals, it seems to be the strongest in those verticals that heavily depend
on IT for their business operations. Banking and relecom, as expected, are more
proactive on this front, with many of them having a business continuity and
disaster recovery plan already in place. These industries have to manage huge
amounts of data and need end-to-end storage solutions.

According to Panda, "Any business that is online or is an OLTP
application would demand DM and BPC since even small downtime will cause huge
losses."

Private banks seem to be better prepared for eventualities as compared to
their peers in the public sector. Says Vijay Sharma, head (consulting) at iFlex,
"Though RBI guidelines make it mandatory for banks to have a continuity
plan in place, this approach varies from bank to bank." Banks that are more
automated generally remain proactive on this front.

In the 1993 Mumbai bomb blasts, Citibank had a data center in the Air-India
building. Despite the building suffering massive damage, the presence of a hot
site in Chennai enabled Citibank to resume its operations without any glitches
or delay. Private players like HDFC Bank, ICICI Bank and Global Trust Bank have
gone ahead and installed with their own hot sites where data is replicated on a
24X7 basis.

CN Ram, head of IT at HDFC Bank, says, "The approach to disaster
management is a block-by-block approach and depends entirely upon the amount of
downtime that is acceptable. Minimal downtime would entail substantial
investments in high redundancy systems." iFlex Solutions handled the HDFC
Bank project, while HP consulted ICICI Bank on its disaster recovery plan in
Mumbai. Compaq handled GTB’s disaster management plan by having a hot site in
Mumbai, while the centralized operations of the bank are in Hyderabad.

Other verticals like energy also have plans of disaster management but these
are more on the safety continuity front and not as evolved as those in the
banking vertical.

Clearly, it’s high time that Indian enterprises wake up and realize the
need of having a comprehensive business continuity plan. After all, their very
survival may depend on this.

Amit Sarkar in New Delhi