The Business of Continuity

DQI Bureau
Disasters can strike anytime, anywhere. Natural disasters such as an
earthquake or a tsunami can change the lives of millions of people for the
worse. Likewise, terrorist attacks leave brutal scars on the face of the
nations that bear the brunt. Unfortunately, the 21st century has witnessed it
all: the Gujarat earthquake, the tsunami, and the blood-soaked 9/11. These
apart, small-scale disasters such as fire, computer system crashes due to
viruses, and hacker attacks are a common occurrence at enterprises around the
globe.

In both the public and private sectors, enterprises must have contingency
plans in place to deal with natural disasters as well as technological
calamities. Failure to do so may cost organizations dearly. This is where
business continuity and disaster recovery come in. The primary objective of
business continuity planning (BCP) and disaster recovery (DR) is to keep
businesses running uninterrupted under any circumstance.

It was 9/11 that raised the alarm and made Indian enterprises and their CIOs
take a more serious look at business continuity. Says PK Gupta, director of
product marketing, APJ and Korea at EMC, “Before 9/11, the industry as a whole
wanted to avoid the term disaster.” According to an Infosys spokesperson,
“Today, a robust BCP helps global companies such as Infosys prepare for all
contingencies.” Says Pronish Prakash Jain, manager, Business Resiliency and
Continuity Services, India, IBM Global Technology Services, “Regulatory
measures such as SOX, BASEL II, SEBI Clause 49 are making companies look
seriously in the direction of BCP and DR.”

The Always Available Model 

Business continuance management (BCM) has been growing in importance
over the last few years. From the IT side, this is closely connected with the
rise in operational risk.

Crisis management is an enterprise's first response to an event that could
change the way business operations are normally conducted. A well-managed
approach to such an event will ensure that employees, customers, partners,
investors and the general public continue to hold confidence in the financial
viability of the enterprise. Says CR Narayanan, ITC director, Alstom India,
“Business continuity is not a generic process but a business-led activity,
primarily driven by the need for internal controls and mandatory
requirements.”

All enterprises today have a BCP team in place. There can be multiple teams
as well, depending on the number of SBUs and the diversity in the nature of
businesses that these SBUs handle. A separate risk assessment is done for each
of the business operations under the given circumstances.

DR Tips



The Plan

  • First get all the business heads together and understand the business
    requirements of different applications

  • Develop scenarios and then do the business impact analysis (BIA)

  • Consider DR for operating environments, applications, application data,
    logs and journals apart from people and other infrastructures

  • Have a formal DR plan

  • The plan should also consider both internal and external factors

  • Establish recovery point objectives (RPO) for business functions

  • Establish recovery time objectives (RTO) for the business functions

  • Identify and prioritize the critical business functions and activities

People and Processes

  • Have a central DR plan with defined roles and responsibilities

  • Have a shadow resource plan in place for the key executives and managers

  • Have a DR training plan in place

  • Have a specified budget for DR

  • Involve the top management, including the CEO, in the DR plan

Technology

  • Critical data should be backed up and validated

  • Switch operations to DR sites at regular intervals to ensure that the
    preparedness level is high

'Put simply, DR can be referred to as a subset of business continuity'
-PK Gupta, director of product marketing, APJ and Korea, EMC

Recovering Your IT Infrastructure

Disaster recovery, the basic stage in the business continuity plan,
primarily encompasses the IT infrastructure of an enterprise. The main objective
of DR is to ensure the continuity of mission-critical applications, and it is
focused on site or component outages. For example, a fire at a data center or a
server failure are typical disasters that come under the purview of DR. The
solution is to have a recovery site at a different location.

Disaster recovery is defined as recovering the failed infrastructure and site
following a disaster. This includes rebuilding the IT infrastructure, restoring
data and restarting applications and networks to support business operations.
Recovery can take anywhere from hours to days, depending on the intensity of
destruction, and the scope of recovery. This process may also include
non-infrastructure-specific recovery steps, including establishing a new data
center site, training personnel, and so forth.

On the other hand, business continuance is defined as running the business
while the infrastructure is being recovered. Says Gupta of EMC, “Put simply,
DR can be referred to as a subset of business continuity.” Adds Narayanan,
“I would divide DR into three levels. The first and the minimum step is data
backup and restoration. The second is IT disaster recovery that would include
your server, network, PCs, notebooks. The next level would take into account the
premises, skillsets and people.”

Like a BCP, a disaster recovery plan is also subjective in nature. Says Jain,
“The key question is what kind of an outage a customer is trying to
mitigate.” Agrees Narayanan, “Any crisis, whether a server crash or a fire
or a war can be a disaster for an enterprise.” Typically, outages are
classified into categories such as component- or individual-level,
datacenter- or partial building-level, district- or campus-level, city-level
and country-level outages.

Most enterprises today plan their DR sites in different seismic zones. ITC,
for example, has two data centers, one each at Bangalore and Kolkata, that
house the common IT infrastructure of the company and act as disaster recovery
sites for each other. Infosys, on the other hand, has its DR center in
Mauritius.

In addition to business reasons, operational reasons too play a key role in
the formulation of a DR strategy for the enterprise today. Says Arindam Bose,
head of IT at LG Electronics, “We operate in a totally online environment with
a single-window interface. Our primary considerations were that data loss should
be insignificant or next to nil; turnaround time should be less than 1 hour and
the DR site should be able to cater to at least 50% of business load.”
Business impact analysis (BIA) plays a critical role in zeroing in on the exact
deliverables. Says Jain, “BIA is a must before a DR strategy or BCP is put in
place, as such initiatives require huge investments.” Two more issues that
companies should look at are the recovery time objective (RTO), that is, the
time within which a function or business unit must be restored; and the
recovery point objective (RPO), that is, the point to which data must be
restored.

Process Flow for Disaster Recovery

[Figure: workflow for managing disaster recovery]

Geographic dispersion also acts as a driver, particularly for IT companies in
the offshore services business. According to Ravi Srinivasan, co-founder and
senior VP, Client and Technology Solutions, OfficeTiger, “Maintaining
operations in multiple, separate locations is operationally challenging and
expensive for any firm. However, the scale of operations of the additional
locations need not always be large. Efficiently using existing technology and
resources for live backup sites allows these sites both to generate some revenue
and serve as a fail-over site.” OfficeTiger is a New York-based KPO firm with
offices in Colombo, Manila, and Chennai. It has sales offices in London and
Frankfurt.

For offshore service providers, there is also a need to put in place a BCP
strategy that complements the customers' business continuity plan. Adds
Srinivasan, “A thorough understanding of the customer's existing business
processes and how they manage BCP themselves helps in identification of services
that have a higher risk priority (perhaps since the customer has outsourced it
entirely) and helps us customize our BCP in accordance with that.”

Formulating Your DR Strategy

A disaster recovery plan covers both the hardware and software required to
run critical business applications and the associated processes to transition
smoothly in the event of a disaster. Says Jain, “Various researches reveal
that in any enterprise, only 30% data and business processes are
mission-critical. So a DR strategy should focus on these mission-critical
data/processes first.”

For large enterprises that comprise several SBUs, there would be an
organization-wide DR plan as well as unit-specific plans. While separate
business units would require separate plans, a large plan would be common as a
number of applications would be common to all business units. Says Narayanan,
“Around 50-60% of the applications would be common and would require similar
disaster recovery plans.” The rest can be augmented according to business
needs.

Enterprises today have put in place a high-level process flow for disaster
recovery. Says Narayanan, “The analysis should cover suppliers and customers,
the impact on operations, and disruption on key business processes.” 

Post identification, the first step is to identify the planning group to
manage the development and implementation of the disaster recovery strategy and
plan. Key people from each business unit or operational area should be members
of the team, responsible for all disaster recovery activities, planning, and
providing regular monthly reports to senior management.

'Regulatory measures are making companies look seriously in the direction of
BCP and DR'
-Pronish Prakash Jain, manager, Business Resiliency and Continuity Services,
India, IBM Global Technology Services

To create the disaster recovery plan, the group should thoroughly understand
the business and its processes, technology, networks, systems, and services. The
disaster recovery planning group should prepare a risk analysis and business
impact analysis that includes at least the top ten potential disasters. The risk
analysis should include the worst-case scenario of completely damaged facilities
and destroyed resources. It should address geographic situations, current
design, lead-times of services, and existing service contracts. Each analysis
should also include an estimate on the financial impact of replacing damaged
equipment, drafting additional resources, and setting up extra service
contracts. Says Jain, “Business impact analysis of IT systems determines the
need for business continuity planning.” This is followed by setting
priorities for the network and applications by segregating them into
mission-critical, important and minor categories. Finally, the
resiliency design and recovery strategy are prepared.

Performance indicators provide the mechanism by which one can measure the
success of the disaster recovery process and plan. Performance indicators for
disaster recovery are somewhat different from those used to measure network
performance, because they are a combination of project status and test runs of
infrastructure. 

The BC-DR Connect

According to Gartner, the process of business continuity can be divided into
five components: disaster recovery, business recovery, business resumption,
contingency planning and, finally, crisis management of the overall disaster.
Says Gupta, “While BC and DR are tightly integrated, DR is actually a subset of
BC.”

While disaster recovery facilitates the recovery of the failed IT
infrastructure and site, the actual recovery process may also include
non-infrastructure-specific recovery steps, including establishing a new data
center site, training personnel, and so on. In contrast, business continuance is
defined as running the business while the infrastructure is being recovered. In
other words, it means establishing a temporary operational site, known as a
“hot-site” or “warm-site”, that can be used to host business operations while
the original site is recovered.

A combination of both disaster recovery and business continuance provides
comprehensive protection. And, for each, it's important to consider both
protection of data and applications, since the business needs both to operate. A
significant proportion of Indian enterprises today have equipped themselves
with a robust DR plan. They are now looking to move to the next level, which is
business continuity.

Says Narayanan, “Our IT disaster recovery will be complete by September
this year. We expect to put the BC strategy in place by the same time next time.”
According to Bose, “Currently Phase I of our full BCP strategy is completed.
So the Pune site is in DR mode and not full BCP mode. The WAN traffic part is
still not taken care of.” Whatever the current status, there is little doubt
that Indian enterprises have taken off on a fast track to DR and business
continuity.  

Bhaswati Chakravorty

bhaswatic@cybermedia.co.in
