A Plan in Place

As the number of unforeseen natural and manmade incidents
increase, enterprises across the world are beginning to realize the importance
of having a disaster recovery (DR) plan. To continue running their business
critical applications and provide efficient services without any disruption, is
becoming the biggest challenge for enterprises. Disruptions are resulting in
loss of precious business, which is indirectly giving an edge to better-prepared
competitors.

Who can forget the graphic images of the floods in Mumbai being
played over and over again on television screens across India and the world.
While it helped increase TRPs for television stations, it was bad news for many
of the businesses, which were badly disrupted. It was bad PR for many companies
who had to shut down for several days.

Given these uncertain times, the role, responsibility and
challenges for a CIO are increasing. As the supply chain stretches across the
globe, companies are becoming highly vulnerable to uncertainties ranging from
natural disasters to manmade disasters, or civil unrest.

Strategic DR

DR was earlier treated more as a technological challenge than a business one
due to complexities involved in creating, managing and maintaining a DR site.
That was then. Of late, DR is becoming an integral part of the overall business
plan, rather than an afterthought. However, technological challenges continue to
remain.

According to Anand Padmanabhan, VP, Technology Integration
Services, Wipro Infotech, "The disaster recovery plan is more of a business
challenge than a technological one. Technology works, but the DR plan is mostly
dependant on people and processes. It has been seen that even when technology
works, the plan fails because of the failure of people and processes. And, to
make these work is a major business challenge for most organizations."

However, according to Ravi Raman, chief risk officer, Infosys
BPO, "It is neither a business nor a technology challenge, it is part of a
company's overall business delivery strategy. Continuity management as a
separate activity loses focus. It is about how processes are going to be
executed keeping the customer in mind. We do it at the strategic planning level.
DR is not about what you do when failure happens. It is about anticipating
failures and minimizing damages. Another important thing is how fast one can
recover." (Infosys has its DR site in Mauritius.)

Best Practices

Different companies adopt different strategies, but the goal is the same-remain
up and running, whatever the situation might be. According to CN Ram, head, IT,
HDFC, which has its DR site in Bangalore, "We started by securing data that
needs to be protected in the event of a disaster, as it is the most logical
point. Once that was done, we got our operations' persons write all the
processes involved, while the data center moved to the DR point. The rest of the
organization has to fall in place. It does no good to just make data available;
you also need to be able to continue with life as it was before the
disaster."

The crux of the matter, according to Ram, is the ability to
first transfer the data, on an ongoing basis, to safety. And then, to make
recovery possible so that operations can continue as usual. To put it simply, he
says, "The usual way of planning DR is that you have contingency-you plan
for things that disrupt the data center activities without invoking a disaster
scenario. A disaster is when nothing is possible in the original data center. So
we create contingencies by creating redundancies. Things such as alternative
power supply, a backup hard disk, a backup system, etc. It is usually primary,
secondary, and then DR. On being asked for any major outages on account of
disaster, Ram says, "Luckily for us at HDFC bank, till now we did not have
to invoke a DR scenario, and we have managed with the kind of redundancies that
we have built into our systems."

Disaster recovery is still an evolving field, and best practices
are still evolving and maturing. Internationally, there are two institutes
driving best practices in the field of disaster recovery: The Business
Continuity Institute (BCI) based out of UK, and the Disaster Recovery Institute
International (DRII) based out of the US. In India, the DRII methodology is more
popular because of the initiative launched by the Disaster Recovery Institute
Asia based out of Singapore, which is a partner of DRII in Asia. DRII gives
ABCP,CBCP and MBCP certifications to the practitioners in the field of Disaster
Recovery," says Padmanabhan.

"Disaster recovery is still an evolving field. Best practices are still evolving and maturing"		"DR is not about what you do when failure happens. It is about anticipating failures and minimizing damages"
-Anand Padmanabhan, VP, Technology Integration Services, Wipro Infotech		-Ravi Raman, chief risk officer, Infosys BPO

For Akamai, which handles tens of billions of daily Web
interactions for companies like Audi, NBC, and Fujitsu, and organizations like
the US Department of Defense and NASDAQ, business continuity is like lifeblood.
"It starts with saying which parts of my business is critical and can't
ever be down. And then you start looking for answers from inside out. Technology
solutions come later. If your business relies on the Internet, then having a
disaster recovery plan for that is important. Also, one of the key realization
is that a centralized infrastructure can never be disaster- proof, so it's
better to go for distributed systems," says Paul Sagan, CEO, Akamai
Technologies

Raman of Infosys BPO mentions some of the standards which are
more or less followed by Indian enterprises including Infosys, as part of their
DR activities. Some of them include UK standard PAS 56 and TR19.

"One of the key realization is that a centralized infrastructure can never be disaster-proof, so it's better to go for a distributed system"		"It does no good to just make data available; the DR system should let you continue with life as it was before the disaster"		"Even a minute of failure can cost us thousands of dollars. Any disruption in business can have adverse economic implications"
-Paul Sagan, CEO, Akamai Technologies		-CN Ram, head, IT, HDFC		-S Ramasamy, GM, Information Systems, Indian Oil

Taking for example Indian Oil, a Fortune 500 company which has
about $35 bn dollars of business, a failure can have disastrous consequence.
According to S Ramasamy, GM, Information Systems, Indian Oil, "Even a
minute of failure can cost us thousands of dollars. Needless to say, our
business is part of the core sector, hence any disruptions can have adverse
economic implications." He adds, "IOCL's business model relies on
consistent and reliable access to information, and at almost all levels,
especially with respect to a sensitive product like petroleum. If data is
irretrievable, we are faced with an immediate loss in productivity. Downtime and
data loss can have a great effect on the bottom-line of our business. Thus, data
storage and backups form a crucial part of our mission-critical operations that
need to be addressed by an advanced architecture and related support
services."

A Delicate Task

With the emergence of newer threats, managing and maintaining a DR site has
become a delicate task. Thankfully, world-class DR solutions are available from
multiple vendors to make things easier. Most of the large financial institutions
and IT and BPO companies in India have one or more DR sites in place at multiple
locations, even outside India. More and more companies running mission critical
applications are planning similar sites. According to Padmanabhan, "Since
the DR site is an insurance which is invoked and realized only in case of a
disaster, one of the challenges which companies face is the cost of maintenance.
It's a call between capex and opex which companies have to take when deciding
to build their own DR center or outsource it. However, the major challenge that
companies face in maintaining a DR site is to continuously modify and update the
DR plan by conducting regular drills. Since a DR drill is simulation of a
disaster, and effects almost the entire organization, there is a resistance to
conduct them because of fear of failure."

Explaining about the type of DR that Akamai has in place in
India, Sagan says, "We have a highly distributed system that has no single
point of failure. Even if we were to shut down our network operation center, the
network will keep running. We have four NOCs across the globe, including one in
Bangalore. We monitor it but we don't make minute-by-minute decisions. We
serve and deliver content from 3,000 locations; some Akamai node will still
serve our end-users even if one of them is down."

To Outsource or Not to?

There are certain areas of business which some enterprises outsource to
avoid maintenance headache. On being asked whether companies should outsource
their DR activities, opinions are varied. According to Padmanabhan, "A
company should normally try and outsource the complete DR activity right from
setting up of a DR site to its regular maintenance. Today, many organizations
have started with the initiative of total outsourcing. To start with, companies
should at least think about outsourcing/co-locating the physical DR center to
tier-3 level service providers." Raman of Infosys BPO differs and says that
only some portions should be outsourced.

The Outlook

According to an IDC survey, many Asia Pacific businesses are highly
susceptible to disruptions from security breaches or natural disasters. More
than 80% of the organizations surveyed had taken steps to put security measures
in place; few had progressed into the more comprehensive deployment of disaster
recovery solutions. The study also observed that organizations were going beyond
point-security measures to adopt a more holistic approach towards a secure and
available IT infrastructure. Only 36% of respondents had disaster recovery
measures in place. As someone aptly said, "If you can't afford to plan
for disasters, how can you hope to recover from them?"

Sudesh Prasad

sudeshp@cybermedia.co.in