Business Continuity Planning in Indian Perspective




Journal of Advances in Computational Research: An International Journal, Vol. 1, No. 1-2 (January-December, 2012)

Business Continuity Planning in Indian Perspective

Preetish Ranjan, Indian Institute of Information Technology, Allahabad, rs105@iiita.ac.in
Prabhat Kumar, National Institute of Technology Patna, India, prabhat@nit.ac.in
Kumar Abhishek, National Institute of Technology Patna, India, kumar.abhishek@nitp.ac.in

Abstract

Disasters never ring a bell before they arrive; they simply arrive and destroy everything in their way, whether natural (earthquakes, cyclones) or man-made (system failures, war). For a growing economy like India, where the various sectors of industry are giving stiff competition to their global counterparts, it becomes a necessity for Indian companies to be ready for any unforeseen eventuality. Global clients want today's companies to have not only a secure data backup plan but also a workable and efficient Business Continuity Plan in place. In such a scenario, it is an essential requirement for all globally competing organizations interested in safeguarding their data to pay extra attention to having a Business Continuity Plan in place. In the Indian perspective, where natural and man-made disasters are equally probable (e.g. the recent Bihar floods and the Mumbai terrorist attack), the necessity of implementing a business continuity plan is increasing day by day. An inauspicious event like 26/11 is a wake-up call to the Indian business community. At present, different organizations are implementing DR plans and BC plans so that their services continue smoothly and uninterrupted in case of such disasters. There are five major sectors operating in India: Banking, FSI (Financial Services and Insurance), TMT (Technology, Media and Telecommunications), Manufacturing and Others (which includes Educational Institutions, Non-Government Organizations, Research Institutes etc.).
The work done here focuses on a comparative analysis of all these sectors based on several surveys conducted by different groups. On the basis of this analysis, a methodology for effective Business Continuity Management is developed. The paper discusses the need for BCM and presents a model to design, implement, operationalize and assess a Business Continuity Plan, along with its outsourcing issues.

Key words: Business Continuity, Disasters, Vulnerability, Resilience, Outsourcing Issues

1. Introduction

Business Continuity Planning is associated with identifying, acquiring, developing, documenting and testing the resources and procedures that ensure the key or critical operations of an organization continue in case of a disaster or any such event. Successful business continuity planning, i.e. creating plans that allow an organization to perform its critical business processes during and after a disaster, relies more upon human nature and less upon technical knowledge and rigor than many people realize. Utilities tend to be highly technical environments, given both the nature of the business and the nature of the people who have come up through the ranks of those organizations [1].

Business Continuity can simply be defined as:
i) identifying critical business operations;
ii) identifying the risks associated with those operations;
iii) identifying ways to mitigate or avert those risks;
iv) a plan to continue business operations in the event of an emergency or disaster;
v) a plan to rejuvenate the business again as soon as possible.

1.1 What does a Critical Function in an organization mean?

Critical functions are the functions which an organization must perform in order to continue its business. The term means different things to different organizations. If the primary function of a business is to produce microchips, which generate income for the organization, then any interruption in microchip production can put the business at risk. There might be other concerns like accounts, customers or even IT concerns like software support, but the primary function is to produce microchips. If for any reason the production unit is down, resources are not utilized efficiently or there are problems shipping finished goods, the company may shut down. So for such organizations the production unit is a Critical Function, and any risk related to production is a point of concern for the planner.

1.2 Models and Methodologies

There are various BC planning models and methodologies. Most of the models include the following phases of the BCP:
i) Analysis
ii) Solution Design
iii) Implementation
iv) Testing & Acceptance
v) Maintenance

Figure 1: BCP Life Cycle

2. Literature Survey

Natural and man-made disasters, whether the Mumbai floods that happen almost every year, the Tsunami in Tamil Nadu or the recent Mumbai terrorist attack, have been increasing day by day over the last few years. Almost every organization now realizes the devastating effect of such disasters caused by weather, terrorist attacks as well as pandemic diseases (like the 2006 Dengue outbreak, the 2009 Gujarat Hepatitis outbreak and the 2009 Swine Flu). In fact a new report by Oxfam (an international aid agency), Rethinking Disasters [2], states that by 2010 the GDP of India will suffer up to a 9-13 per cent loss due to climatic disasters, which will be a key factor in holding back economic growth in South Asia. According to the Asian Development Bank (ADB) assessment report on the 2004 Tsunami, total losses in India were about US$ 575 million along with a productivity loss of about US$ 450 million. Reconstruction estimates for such damages were even higher.

Figure 2: Climatic Disaster

The furious commotion resulting from such disasters has rippled through the supply chain, jolted various industries and made its impact on customers, employees and partners. According to the Small Business Administration, the most vulnerable industries in India are the small and mid-size businesses. Small Scale Industries in India are the second largest employment provider, next only to agriculture, and contribute 45% of total exports from India (Ministry of Micro, Small and Medium Enterprises, Govt. of India) [3].
Due to the critical role of MSMEs in the Indian economy, any sort of business disturbance caused by a disaster could bring mayhem to the Indian economy, as was the case with the Tsunami. In addition, infrastructural and communication damage can prove to be another area of great concern. During a disaster, communication lines (mobile phones, landlines or other communication channels) might be destroyed. In such cases an organization might not be able to locate its employees to share critical information, which makes the situation more complex indeed. The question that arises is: are we prepared for such disasters, so that they do not make an impact on the Indian business community as well as on the Indian economy? An answer to this question could be a Business Continuity Plan. Whenever there is a disaster, a BC plan comes into action and ensures that the critical functioning of the organization can be resumed as soon as possible, to avoid the impact of the disruption on its working.

3. Problem Definition

The possibility of a disaster cannot be denied and we cannot stop it from happening; the only thing we can do is to mitigate the effect of such a disaster to an extent that creates no or very little effect on the business process. To do so, we have to come up with a plan that can perform the task more effectively and efficiently. For this purpose, we have designed a model in this paper which covers all the basic tasks needed to build a time- and cost-effective business continuity plan. Basel II also defines business continuity management as an essential requirement for organizations, especially in the financial sector. Principle 7 of Basel II also emphasizes conducting a business continuity management review by financial authorities for the ongoing assessment of the financial industry participants for which they are responsible.

The Reserve Bank of India and the Basel Committee emphasize having a Business Continuity Management implementation in organizations to make them more resilient, especially in the financial sector. Many organizations believe that they are resilient, but no formal attempts have been made to infer the real thinking behind the concept of business continuity and resiliency. With unfortunate events like the Tsunami and 26/11, the need for a Business Continuity Management strategy is now asking for more attention than ever. It could be taken as a wake-up call for implementing a proper BCM strategy in each and every organization of every sector working in India.

4. Basel II: Providing a base for Business Continuity Management

Basel II is the set of guidelines provided to banks in order to defend them from the operational and financial risks they can face. The Basel Committee also issued the document Sound Practices for the Management and Supervision of Operational Risk to incorporate sound practices in different areas related to operational risk. One such area is Business Continuity. Certain principles in this document provide guidelines for analysing the potential impact of the risks that can take place. Not all the principles, but some, strictly emphasize such parameters:

Principle 1: Awareness of the Board of Directors regarding operational risk.

Principle 3: Senior management responsibility for implementing the operational risk management framework, generating awareness and developing policy. "Clear strategies and oversight by the board of directors and senior management are all crucial elements of an effective operational risk management framework for banks of any size and scope [7]."

Principle 7: The focus is on contingency planning and business continuity planning: "Banks should have in place contingency and business continuity plans to ensure their ability to operate on an ongoing basis and limit losses in the event of severe business disruption [7]."

Principle 9: Management's role in evaluating operational risk management policies, procedures, and practices [4].

The reason to include these principles here is that there is a relation between Operational Risk and Business Continuity. The Basel Committee defines operational risk as "the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events". The Basel Committee also specifies seven specific risk event categories. Among these seven categories, three relate directly to business continuity:
i) Employment practices and workplace safety
ii) Damage to physical assets, caused by environmental and man-made events
iii) Business disruption and system failures (caused by hardware, software, network and utility issues)

The main purpose of discussing Basel II is this: if the Basel II guidelines can be implemented in the Banking and Financial sector, and if they are working effectively in these sectors, then why not implement these guidelines in other sectors as well, to incorporate Business Continuity Management in organizations?

5. Proposed Model:

Figure 3: Structure of the proposed model
Figure 4: Tier 1: Requirement Analysis
Figure 5: Tier 2: Design & Development
Figure 6: Tier 3: Implementation & Testing
Figure 7: Tier 4: Update & Maintenance

This model can be used to operate on each phase of the Business Continuity Plan more specifically, and it can be more efficient too because it covers almost each and every aspect of the organization's BC planning.

5.1 Business Impact Analysis

One of the primary duties of a Security Professional in an organization is to ensure that its information systems and data can survive even in case of a disaster. In order to achieve this, these professionals identify critical information systems, tasks and processes and also define the priority of one over another, so as to identify the order in which these processes must be recovered after the disaster. A key requirement for identifying such critical functions of an organization is to conduct an effective Business Impact Analysis. A BIA is conducted to find the maximum tolerable outage [5] for each and every business process of an organization. It tells an organization, for each of its business processes, the maximum time duration the organization can tolerate being without the process before its absence makes a significant impact on the business [5]. There are various methods for conducting a BIA. The most elementary steps required to conduct a BIA are shown below:

Figure 3: BIA Process

After performing a Business Impact Analysis, the next vital step in business continuity planning is to use the information collected in the BIA as an input for selecting the strategy to recover critical business processes. But before selecting the strategy, one should recognize the preventive controls that already exist in the organization. These controls can save money as well as effort while pursuing the BCP strategy. The different types of preventive controls include:
i) Information Security Control
ii) Environmental Security
iii) Physical Security
iv) Disaster Recovery Plans
v) Awareness Program

6. Cost Benefit Analysis:

6.1 Single Loss Expectancy

It is the expected monetary loss every time a risk occurs:

SLE = AV * EF

where AV = Asset Value and EF = Exposure Factor.

This is a very important factor in determining the loss of an organization because it also helps in determining the Annual Loss Expectancy of an organization for an asset.
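The SLE formula above, the Annual Loss Expectancy derived from it (ALE = SLE * ARO, section 6.2) and the paper's cost-benefit rule (do not spend more per year on a control than the annual loss it removes) carried through as an added worked example in Python; this is not code from the original paper. The flood scenario, the rupee figures and the candidate controls are constructed for illustration, and the example also shows a control that lowers the ARO rather than the EF.

```python
"""Quantitative cost-benefit check for preventive controls (added example).

Implements the two formulas from section 6 of the paper:
    SLE = AV * EF      (Single Loss Expectancy)
    ALE = SLE * ARO    (Annual Loss Expectancy)
and applies the section 6.2 decision rule: a control is only worth its annual
cost if it reduces the ALE by more than that cost. All names and figures below
are constructed for illustration; none come from the paper or the survey.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV, in rupees
    exposure_factor: float  # EF, fraction of AV lost per occurrence (0..1)
    aro: float              # ARO, expected occurrences per year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float      # recurring cost per year, in rupees
    residual_ef: float      # EF once the control is in place
    residual_aro: float     # ARO once the control is in place


def sle(av: float, ef: float) -> float:
    """Single Loss Expectancy: SLE = AV * EF."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return av * ef


def ale(av: float, ef: float, aro: float) -> float:
    """Annual Loss Expectancy: ALE = SLE * ARO."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle(av, ef) * aro


def control_benefit(risk: Risk, control: Control) -> float:
    """Net annual benefit of a control: ALE reduction minus its annual cost.

    Positive means the control pays for itself; negative is the paper's
    counter-example of spending Rs. 20000 a year to remove an ALE of Rs. 10000.
    """
    before = ale(risk.asset_value, risk.exposure_factor, risk.aro)
    after = ale(risk.asset_value, control.residual_ef, control.residual_aro)
    return (before - after) - control.annual_cost


def recommend(risk: Risk, controls: List[Control]) -> Optional[Control]:
    """Return the control with the largest positive net benefit, or None."""
    best: Optional[Control] = None
    best_benefit = 0.0
    for c in controls:
        b = control_benefit(risk, c)
        if b > best_benefit:
            best, best_benefit = c, b
    return best


# Constructed sample: a primary data centre exposed to flooding.
FLOOD = Risk("Flooding of primary data centre",
             asset_value=5_000_000, exposure_factor=0.40, aro=0.25)

CANDIDATE_CONTROLS = [
    # Offsite backups shrink the fraction of value lost, not the flood frequency.
    Control("Daily offsite backup", annual_cost=120_000,
            residual_ef=0.10, residual_aro=0.25),
    # A hot DR site removes almost all loss but costs more than the ALE it saves.
    Control("Hot DR site", annual_cost=600_000,
            residual_ef=0.02, residual_aro=0.25),
    # Flood barriers leave EF alone and instead cut how often the site floods.
    Control("Flood barriers", annual_cost=50_000,
            residual_ef=0.40, residual_aro=0.05),
]

if __name__ == "__main__":
    base = ale(FLOOD.asset_value, FLOOD.exposure_factor, FLOOD.aro)
    print(f"ALE before controls: Rs. {base:,.0f}")
    for c in CANDIDATE_CONTROLS:
        print(f"{c.name:<22} net benefit Rs. {control_benefit(FLOOD, c):>12,.0f}")
    chosen = recommend(FLOOD, CANDIDATE_CONTROLS)
    print("Recommended:", chosen.name if chosen else "none")
```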
Note: Asset Value may vary with market changes, inflation etc., and the Exposure Factor can be minimized by using preventive controls.

6.2 Annual Loss Expectancy

It is the expected monetary loss from a risk over one year:

ALE = SLE * ARO

where ARO = Annualized Rate of Occurrence.

An important feature of ALE is that it can be used to perform Cost Benefit Analysis: if the ALE for a risk is Rs. 10000, then we should not implement a security measure worth Rs. 20000 per year to eliminate it.

7. Indian Scenario

Till now we have come to know the answers to some basic questions, like:
i) What are the critical functions of an organization?
ii) What is the impact on the organization if those functions are disrupted?
iii) How will we overcome those disruptions?

But when it comes to the Indian perspective, certain further questions arise:
i) Are we really prepared or capable of handling such a situation?
ii) What is the level of awareness and management involvement for BCP in India?
iii) What are the key factors for BCP in India?

There are five major sectors operating in India, i.e. Banking, TMT (Technology, Media and Telecommunication), FSI (Financial Services & Insurance), Manufacturing and Others (which includes Educational Institutions, Non-Government Organizations, Research Institutes etc.). According to a survey conducted by the Business Continuity Institute, UK in collaboration with Deloitte Touche Tohmatsu India Private Limited (DTTIPL), a company established under the Indian Companies Act 1956, some important facts were determined [6].

The comparison table (Table II) shows some of the key factors across all five sectors. It clearly reflects that the key driver for initiating a BCM program is Corporate Governance or Business Strategy, and that BCM ownership is taken by Information Technology or some Administrative Authority. A satisfying fact is that Senior Management is getting involved in almost all the sectors.

7.1 BCM Preparedness

This indicates that in spite of regulatory authorities requiring a BCM to be in place, only one-third of the Banking Sector is fully prepared and the rest are either partially prepared or not prepared at all. The TMT sector proved to be better than all the others, with almost two-thirds of its organizations fully prepared with a BCM plan in place.

Figure 4: Level of BCM Preparedness

7.2 Comprehensiveness of BCM Plan

The majority of organizations that participated in the survey confirmed that they had a comprehensive BCM program in place. But at the same time, as depicted by Figure 5, most of the organizations have only a partially prepared BCM program in place, which raises the question of real BCM preparedness.

Figure 5: Comprehensive BCM

7.3 IT Disaster Recovery Plan

Most of the organizations showed a high concern towards an IT Disaster Recovery Plan. But these organizations, except the Banking Sector, previously confirmed that they do not have a fully prepared BCM plan. It means they are showing greater concern towards a DRP than towards a BCM program. It shows the misconception that most organizations believe having a DR plan in place is the same as having a BCM program in place.

Figure 6: IT Disaster Recovery Plan

7.4 BCM Staffing Levels

This graph describes why there are problems regarding BCM programs in India. Only one-third of the organizations have an adequate number of employees for BCM activities, and the rest have either an inadequate workforce or no workforce. A BCM program that lacks dedicated staff for such activities can only provide a false sense of security, not actual security. This is the reason why there are problems in this area: organizations are not considering it an integral part of continuing their business smoothly and efficiently.

Figure 7: BCM Staffing Levels

7.5 Training

Training is a critical aspect for any process to become effectively embedded in an organization's culture. With the exception of the FSI and TMT sectors, all other sectors lack an effective BCM-specific training program. There are some reputed institutes which are working in this area and also offer such BCM-specific training. Services can be acquired from such institutes in order to create and execute an effective BCM program in any organization or any sector.

Figure 8: BCM Specific Training

7.6 Maintenance Plan for BCM

With the exception of the FSI and TMT sectors, all other sectors are not paying attention to, or not considering the importance of, maintaining their BCM program at regular intervals. As technology changes with time and there is always the possibility of new emerging threats and risks, the BCM program of an organization should also be updated and maintained with the changing times, so as to mitigate the risk of any new kind of disruption to the business. Updating and maintenance can be done at regular intervals, e.g. half-yearly or annually.

Figure 9: Maintenance of BCM Plan

8. Conclusion

It is evident that there is growing awareness of Business Continuity Management in India, but the problem is the lack of understanding of what a BCM program is and what it implies. Another important point is the lack of resources for implementing a BCM program, mainly due to inadequate manpower designated for such a key area. People have misconceptions regarding BCM versus DRP. So there is a need to increase awareness and branding of BCM to make it more effective. We must remember that "A journey of a thousand miles begins with a single step", and we probably are already a few miles down the road!

References

[1] T. Butler, N. Meshkati and K. Pelling, "Nuclear Safety Culture and Electric Deregulation: Challenges and Potentials", in B. Wilpert, N. Itoigawa, Eds., Safety Culture in Nuclear Power Operations, New York: Taylor & Francis, 2001, pp. 93-112.
[2] http://www.oxfam.org.uk/resources/policy/conflict_disasters/downloads/oxfam_india_rethinking_disasters.pdf
[3] http://dcmsme.gov.in/ssiindia/performance.htm#export
[4] Basel Committee on Banking Supervision, Sound Practices for the Management and Supervision of Operational Risk.
[5] Peltier, Fundamentals of Information Security.
[6] Survey by Deloitte (Deloitte Touche Tohmatsu India Private Limited (DTTIPL)) in association with The Business Continuity Institute, UK ("The BCI").
[7] Eric Tompkins, "Manage Operational Risk Like a Bank!", 2009.
[8] http://www.continuityinsights.com/articles/basel-ii-and-business-continuity

[9] http://mthink.com/affiliate-performance-marketing/eight-tips-take-your-client-relationships-next-level
[10] Sunil Rai, Lakshmi Mohan, "Business Continuity Model: A Reality Check for Banks, India", Journal of Internet Banking and Commerce, August 2006, vol. 11, no. 2.
[11] Al Berman, "Examining the regulatory landscape", Boston agency of Regulatory Planners, October 2008.

TABLE I: PREVENTIVE CONTROL STRATEGY

Preventive Controls | Data Sought | Interview Areas
Information Security | Information Security Policies, Procedures & Standards | Information security management, internal audit, IT management
Environmental Security | Facilities Plans and Environmental Control Diagrams | Facilities management, risk management, physical security management, data centre management, internal audit
Physical Security | Physical Security Policies | Facility management, physical security management, internal audit
Disaster Recovery Plans | Existing Recovery Plans, Plan Test Reports | Recovery plan management, data centre management, internal audit
Information Security Awareness | Awareness Plans & Status Reports, Awareness Materials/Resources | Information security management, IT management, internal audit, individual business unit management

TABLE II: COMPARISON
(Columns: Banking, FSI, TMT, Manufacturing, Others. Values are given in the order they appear in the source, which does not supply a legible value for every sector in every row.)

Comprehensiveness of BCM: 54%, 85%, 86%, 78%
Key Drivers: Regulatory; Corporate Governance/Business Strategy; Corporate Governance
Inadequate Budget: 46%, 41%, 23%, 22%
Average full-time BCM Employees: 0-3 Employees
Third Party BCM Evaluation: 32%, 44%, 29%, 33%
Senior Management Involvement: Medium, High, High, Medium, Low
BCM Ownership: IT; IT/Others; Administration/No One