A Must Have for Business

DQI Bureau
New Update

Consider this hypothetical situation: Its November 10 and the clock shows 11

am in New Delhi. A series of explosions rock a prestigious office complex in the

central business district. Offices of several large national and multinational

companies are badly damaged while stranded employees scramble to escape the fire

that engulfs the building. While most employees manage to escape with minor

injuries, the IT equipment in the offices is completely destroyed.


The incident mentioned above, obviously, is fictitious, but the possibility

of a disaster happening remains a very real one. But is India Inc geared up to

face such eventualies? Do Indian enterprises have a business continuity plan in


The recent attacks in the heart of New York’s financial district sent shock

waves around the world. Besides massive loss of human life, several office

complexes turned into rubble, and the IT infrastructure of companies that had

their offices there was completely wiped out. It was interesting, however, to

observe the vibrancy of financial entities like Nasdaq, Citibank and Morgan

Stanley. Within days, in some case even hours, all these financial giants were

back in business. And it was all thanks to their well-chalked-out disaster

management proceses.

But a disaster need not stem from just a terrorist attack, it could stem from

different reasons which could be of generic nature such as an earthquake, fire,

flooding or an IT-related one such as a virus attack, network failure, or

hardware-software failure.


Why DM & BPC?

Threat Classification

IT Threats
  • Hardware Failure
  • Software Failure
  • Virus Attack
  • Network Penetration/Hacking
  • Denial of Service
  • Vendor Support Failure
  • Failure of Network/Communication Links

Generic Threats

  • Bombing
  • Bomb Hoax
  • Civil Disorder/Riots
  • Fire/Explosion
  • Earthquake
  • Local Flooding
  • Lightning/Storms
  • Power Outage
  • Theft
  • Air-conditioning Failure

Source: PriceWaterhouseCoopers

Research firm Gartner estimates that 40% of the firms struck by a disaster

would go out of business within five years. Having a disaster management (DM)

and business process continuity (BPC) plan is necessary for any business. It is

like having an insurance policy, for one would be able to realize the benefits

of such a plan soon after any disastrous event has occurred, by getting their

systems in place soon and having the procedures all mapped out. Business

continuity deals not with recovery, but with the ability to manage and ensure

the constant availability of information across a computing enterprise. IT

infrastructure implemented should be robust enough to ensure that events caused

by natural disaster, or non-productive interruptions occurring behind the

scenes, do not affect or interrupt revenue generating applications.


Neel Ratan, head of Global Risk Management Solutions, says: "Business

process continuity spans a far wider suite, of which DM is the tech component.

Technology is just an enabler in the business process."

The driver of this whole process has to be the top management. When disaster

strikes, one should focus on proper execution of the BPC plan instead of

starting to plan at that moment. Besides IT, people and business processes are

also important. Defining a chain of command, ensuring dispersal of key staff,

keeping the master plan in multiple locations too fall within the gamut of

contingency planning. The decision-makers must involve, besides the CIO, the

CEO, CFO and the heads of different units within any given organization.

Ask Arun Rawtani, country SE manager at EMC about this, and he says:

"The bottomline is that everyone needs to protect their information in one

or more locations to ensure business continuance."


More than an IT  issue

Disaster management, however, is not just an IT issue, it’s also a business

issue. Avijit Basu, marketing manager at HP India says," Any contingency

plan being drawn out cannot be static. It needs to be reviewed on a periodic


DM and BPC solutions would require mission-critical data, information,

applications and databases, and all of these to be available at any given point

in time. At the lower end, there’s the daily back-up, while high-end options

would mean having a "hot site" or a data center where data can be

replicated in real time. The cost of the solution may, however, vary depending

on the need. While a low-end solution like DLT would cost a few thousand rupees,

high-end solutions like SAN and NAS can cost between a few lakh to a crore of



Owais Khan, business manager for enterprise storage at Compaq India,

identifies the three main components involved–technology, service and the



is among the most important components of a disaster management plan, as

everything is centered around data," says Khan. Back-up, mirroring,

clustering and replication are some technologies that are a step towards a

disaster management plan. It could be something as simple as writing the data

from a server onto a tape such as DLT and sending it off to a remote location.

The process is manual and does not need the sophistication of a full-fledged

automated disaster recovery site. This DR site could have redundancy built in at

every point. The steps involve identifying all critical and non-critical

components of business and associating a weighted average with them. After that,

one needs to determine what are the affordable outages in each component and

then applying the proper back-up mechanism with it. Adds Khan, "There is a

trade-off that has to occur between time and money invested in such a solution

and the benefits accrued."


Besides, there’s also the issue of who takes the call to declare an event

to be a "disaster". This has also to be defined in the business

continuity plan where management personnel are identified. The first step toward

a good DM plan is to be clear about the criticality of data. There needs to be

an understanding about the nature and functionality of data available and the

impact of a loss of data of a particular business unit. Only then would the

back-up strategy be decided.

Binod Kumar Panda, country manager for Apara Enterprise Solutions, says,

"Technologies include data mirroring (taking a copy of the data as it is

created in real-time, such as with RAID), hot back-up (copying real-time data

and storing it on a server at a different facility) or taking a snapshot at

intervals of every five minutes, every hour, or every 24 hours." One could

choose from synchronous, asynchronous and adaptive replication technologies.

Rawtani of EMC says, "A successful BPC should consider and pro-actively

address any and all possible disruptions to an organization’s information

flow. The choice of storage solution in a company is usually made by the CIO or

CTO, basically the person who is the caretaker of all the information

infrastructure in the enterprise."


Indian enterprises: Traditionally late to adapt

The concept of both business process continuity and disaster management is

not new to Indian enterprises. While there has been some degree of awareness on

this front, action taken on the ground is another thing altogether. While most

Indian companies have planned to address this issue, the manner of

implementation in most cases is manual and very basic in nature. With major

Indian cities located in areas vulnerable to hazards like earthquakes and

floods, it is surprising that most businesses are still adopting the chalta hai

approach believing "It won’t happen to me".

In developed markets like the US and Europe, businesses have been more

proactive on this front. But even within these markets, it is banking, finance

and telecom companies that have invested heavily on DM and BPC. Adds Panda,

"Traditionally, Indian companies have started consolidating since the last

two years or so, and one will witness a larger requirement for DM and BPC in the

coming months only."

Businesses generally adopt a reactive measure, as these processes can end up

costing a lot of money and manpower. While some plans presented by CIOs to the

top management may be pro-active, they often get shot down because of the costs

involved. With the recent incidents across the world, realization has dawned on

the effect of the loss of data on business. This has highlighted the need for

having a business continuity plan. A steady shift in the mindset of businesses

is taking place and they are willing to learn more on topics like back-up,

restoration and outage sites.

Alwin Ow, regional SE manager at Veritas, says, "The disaster management

plan not only includes the obvious back-up of data, it also provides for

contingencies like security access to the data and staff to manage the data. If

a disaster recovery plan is in place and executed effectively, all

business-critical data should be recovered with minimal or no business impact,

if the system at the primary location is lost."

CP Gurnani, chief operating officer of HCL Perot Systems, says, "The

major role of IT in DM and BPC is the efficiency with which IT can help in

ensuring seamless business continuity with the least possible disruptions in

case of breakdowns of IT-dependent processes. It is imperative that the

organization establishes the importance of availability, security and

retrievability of information within the least possible timeframe in order to

ensure minimum adverse impact on existing business and its reputation."

Sathyan Gopalan, national manager for storage solutions at Computer

Associates, has this to say: "Planning for disaster management and business

process continuity depends on the maturity of the organization in the IT

planning process, the criticality and dependence of IT in the business and the

ability of the organization to invest the required resources."

Unplanned response: Disastrous results

Disaster recovery planning is essential to ensure continuity of business

operations even after being hit by a disaster resulting in catastrophic data

loss. Sanjiv Pande, country manager (ITS) at IBM India, says, "The losses

could be multi-fold for organizations without business continuity plans. This

was seen in India after the Gujarat earthquake. Companies that had invested in

disaster sites were able to return to near normal operations soon after."

Processes Involved...

BPC is a phased and iterative process consisting of five main steps:
  1. Understanding your business: Business impact and risk assessment tools are used to identify critical deliverables and enablers in your business, evaluating recovery priorities and assessing the risks which could lead to business interruption and/or damage to your organization’s reputation.
  2. Exercising and plan maintenance: Periodic testing audits and change management of the business continuity plan, and its processes.
  3. Establishing the continuity culture: Introduction of the BPC process by education and awareness of all stakeholders, including employees, customers, suppliers, and shareholders. 
  4. Continuity strategies: Determine the selection of alternative strategies available to mitigate loss, assessing the relative merits of these against the business environment and their likely effectiveness in maintaining the organization’s critical functions.
  5. Continuously updating response: Updating risk profile through improvement to operational procedures and practices, practicing alternative business strategies using risk financing measures (including insurance) and periodically updating Business Continuity Plans.

    Source: HCL Perot Systems

For businesses having an existing plan in place, it is imperative that the

plan be constantly reviewed and trials undertaken randomly. In many instances,

the trial run is often announced in advance, causing a sense of complacency in

the team. This beats the purpose of seeing the reaction of employees when they

are caught unawares. Also, having a back-up site in the same location may not be

enough. An organization that has a back-up in the basement of the same building

could lose all data–in the case of the building being damaged in a disaster.

For a mobile operator, having a network down even for a few minutes would

render its users helpless and besides, the revenue loss would damage brand


To take a case study, the National Stock Exchange (NSE) had a contingency

plan in place with hot sites, but did not factor in the connectivity element.

When the Insat 2D satellite failed a few years back, it caused the trading

network to be down for three days. A stoppage in trading activity, with an

average turnover of about Rs 1,520 crore per day, would have meant colossal

losses. "We worked around the clock and completed the job in three days’

flat. Everyone in the market was pleasantly surprised. This received a lot of

appreciation from the broking community and the public in general,"

reminisces Satish Naralkar, NSE’s chief information officer.

According to Neel Ratan of PwC, "Disasters may result in disruption of

enablers to processes, even if the actual process is not disturbed. For

instance, for a telecom operator, though the billing process would not be

halted, the people involved in the process could be lost along with the

database." Adds Panda, "The implications could range from ones as

small as losing a few files which can be regenerated, to as crippling as losing

valuable data that has been built up over a period of years. This could result

in disruption of business, loss of transactional data, disturbance in continuing

customer relationships and thus customer dissatisfaction."

According to Gurnani, "Without a proper DR policy in place, enterprises

stand a risk of irrecoverable loss of data, information and business knowledge,

leading to a possible threat of total disruption."

Organizations could end up losing their competitive edge altogether in this

age–where time is crucial. For certain specific industries like software, the

lack of BPC and DM plans could result in loss of costly man-hours and delayed

projects. For large banks, the cost of service interruption has been estimated

at between $60,000 and $250,000 a minute, according to industry sources, and the

average bank computer loss has been estimated at $1.5 million. SMEs make up

another segment that is being educated on the imperatives of having a disaster

management plan in place. While it may not be practical for SMEs to put up

massive infrastructure, there are solutions available depending on the nature of

business. Back-ups and clustering are among the most common ones used.

Banking, insurance and telecom: Active verticals

Though awareness about the need for a BPC and DM may be present across

verticals, it seems to be the strongest in those verticals that heavily depend

on IT for their business operations. Banking and relecom, as expected, are more

proactive on this front, with many of them having a business continuity and

disaster recovery plan already in place. These industries have to manage huge

amounts of data and need end-to-end storage solutions.

According to Panda, "Any business that is online or is an OLTP

application would demand DM and BPC since even small downtime will cause huge


Private banks seem to be better prepared for eventualities as compared to

their peers in the public sector. Says Vijay Sharma, head (consulting) at iFlex,

"Though RBI guidelines make it mandatory for banks to have a continuity

plan in place, this approach varies from bank to bank." Banks that are more

automated generally remain proactive on this front.

In the 1993 Mumbai bomb blasts, Citibank had a data center in the Air-India

building. Despite the building suffering massive damage, the presence of a hot

site in Chennai enabled Citibank to resume its operations without any glitches

or delay. Private players like HDFC Bank, ICICI Bank and Global Trust Bank have

gone ahead and installed with their own hot sites where data is replicated on a

24X7 basis.

CN Ram, head of IT at HDFC Bank, says, "The approach to disaster

management is a block-by-block approach and depends entirely upon the amount of

downtime that is acceptable. Minimal downtime would entail substantial

investments in high redundancy systems." iFlex Solutions handled the HDFC

Bank project, while HP consulted ICICI Bank on its disaster recovery plan in

Mumbai. Compaq handled GTB’s disaster management plan by having a hot site in

Mumbai, while the centralized operations of the bank are in Hyderabad.

Other verticals like energy also have plans of disaster management but these

are more on the safety continuity front and not as evolved as those in the

banking vertical.

Clearly, it’s high time that Indian enterprises wake up and realize the

need of having a comprehensive business continuity plan. After all, their very

survival may depend on this.

Amit Sarkar in New Delhi