Do boardrooms crack the disaster recovery puzzle?
The top find for ‘disaster’ in Google News, among the 50,755 results at the time of writing this, is the sombre observation by the Railways Minister Mamata Banerjee about the lack of a disaster management system in Kolkata. Thankfully, the Railway disaster management team came in from Howrah and Sealdah to assist the trapped people at the Park Street building.
Perhaps, the tragic blaze is one more grim reminder of the indispensability of disaster recovery (DR) readiness. The topic needs to get more boardroom attention and support, agrees Lakshman Narayanaswamy, Co-Founder and VP, Products, Sanovi Technologies, Bangalore (www.sanovi.com).
Risk management/mitigation gets its due attention and support only when the executive management understands its role and integrates it into the business, he adds, during an email interaction with Business Line.
“A good rule of thumb for executives to gauge their company’s commitment to DR or BCP (business continuity planning) is to ask themselves if they have seen a BCP/DR status update in the last quarter. If they have not, it augurs DR is not getting the boardroom attention it deserves.”
A good way to sensitise the management on the need for DR is to talk to them about the impact of downtime and what is acceptable, suggests Lakshman. Often, it is the translation of business outage to financial impact that really brings the focus on the need for investing in DR and giving it the required boardroom attention, he adds.
Excerpts from the interview:
What should be the DR objectives of financial institutions?
Financial institutions in India are mandated by regulatory authorities to have a business continuity and disaster recovery plan for their critical business process. Besides meeting their regulatory obligations, financial institutions also have to reinforce their service commitment to their customers and partners by demonstrating transparency, reliability and trust.
Declaring their commitment to protecting customer information and providing uninterrupted services by investing in disaster recovery readiness are concrete steps that business can take to ameliorate risk. Risk mitigation through DR planning should be a visible step for every financial institution.
Successful DR is the coming together of process, people and technology. Organisations must focus on enabling all three aspects to ensure a successful DR programme. An organisation’s DR needs are best served once it commits to putting the right structure in place; this enables the right level of visibility at the board and management level.
A Chief Risk Officer, who is separate from the IT Head, usually reports to the COO or the CEO. The office of the risk officer is charged with putting in place process and technologies to ensure that the financial institution is aware of the risks the business faces and the appropriate responses to various situations. The risk officer also facilitates the participation of various business units in the DR readiness process.
Where do you find the maximum investments happening, as regards DR preparedness?
Several companies understand the need for disaster recovery for critical IT applications. The immediate and big investment happens for infrastructure, capital expenditure on hardware, software, network and data centre to enable DR readiness. While this is the enabler for DR readiness, one must not stop after putting the hardware and software in place; this would be akin to buying a car and not accounting for the petrol required to utilise it.
Putting together a DR plan that works is similar to assembling a puzzle. One of the common actions IT takes is to invest in a data replication technology and feel that the company has a DR in place. Replication is one piece of the puzzle; after the data are available on the DR site, they still have to be consistent and the application should be recoverable.
Do you notice enterprises in the BFSI space often dangerously ignoring a few key pieces of DR?
After the business has approved a DR plan and the required spend for DR infrastructure has been done, there is an alarming gap in how soon business expects IT to recover versus what the operations are able to deliver. This is largely because reporting on DR readiness as an on-going metric has not been funded or accounted for.
DR monitoring and testing are key “last mile” links that make the difference between being able to recover when an outage happens and struggling to recover. Regulation mandates that critical applications be tested at regular intervals. As the number of applications grows, this becomes a herculean task that does not get the resources and the time to do it.
Without regular testing, the DR team does not have the confidence that recovery is meaningful. Without investing in DR management, the DR manager does not have the visibility and the tools to be confident about recovery readiness.
Are you happy with the level of disclosures corporates make about their DR capabilities?
The current level of disclosures and transparency is not adequate for the consumers to feel confident their interests are being taken care of. The banking industry is driven by regulation, so banks have to submit to the RBI their DR readiness status every six months; ideally this information should be available to the consumer also. This directly reflects on the organisation’s commitment to protecting customer information and providing uninterrupted services.
The consumer can then take an informed decision on which organisation they want to transact with.
As companies become more dependent on IT for their critical function, I would ideally like to see companies advertise the recovery metrics that they are committing to, as an example — I want my bank to advertise that they will not lose any information and the bank’s core services will be restored in less than two hours in case they are impacted by an outage.
Any other points of interest?
DR is often perceived by the management as a costly and rarely-used indulgence. A DR plan need not always be based on heavy infrastructure spend. The business must prudently consider all possible risk scenarios and make a conscious decision on which ones the organisation wants to respond to immediately, and other risks that it wants to develop a response to as the business grows or as certain business milestones are reached.
A simple DR plan is not necessarily an inadequate plan; instead, not having a plan is inexcusable. As an organisation makes the transition from manual and paper-based business process to IT-enabled business process, it must carefully evaluate which of the processes and related IT systems need to have a DR plan and the potential cost of doing so.
Another viable method of justifying the spend on DR is to utilise the DR infrastructure to load share as the business grows. A recovery capability that is predictable enables an agile IT organisation. Typically, if the production services go down, IT managers prefer to spend time to fix it rather than invoke recovery on to the DR site to continue services while the root cause of the primary outage is fixed.
Rather than spend time on fixing the primary problem with a recovery plan that is predictable, IT managers can start services on the DR, get the business going and then spend their effort on fixing issues on the primary side.
There are several creative ways of planning and implementing a recovery strategy that meets business goals and budget needs. The important first step is to commit to enabling DR capability for the organisation.
The next time the opportunity presents, ask your IT head or COO the following questions to gauge your organisation’s DR readiness: Do we have a DR plan? When was the last time we tested the plan? If some or all of our core business process/IT systems go down, do we understand their impact to the business?