Indian IT industry shies from investing in BCM initiatives
Almost two years have passed since the corporate
world witnessed a terrible disaster in terms of data and business
loss—the 9/11 incident. And while companies in the US and Europe
have learned the importance of business continuity planning, the
same cannot be said about Indian companies, discovers Rahul Neel
Mani
Colossal damage can be wreaked on businesses
due to data loss and the importance of having a foolproof business
continuity plan in place cannot be overstated. While companies in
the US have already gone about implementing disaster recovery (DR)
and business continuity (BC) solutions, unfortunately back home
in India, things are still not very convincing. In fact, a survey
conducted by KPMG for two consecutive years reveals that not much
has changed, despite the fact that the segments covered in both
the surveys were different.
[Caption: According to Sunil Mehta, top-notch companies
surveyed had better BCM plans than their customers]
While the 2002 survey involved a cross-section
of industries, including companies from the ICE (Information, Communication
and Entertainment) segment, the 2003 survey represented players
from the information technology services (ITS) and IT-enabled services
(ITES) industry segments.
The only positive finding, common to both
the surveys, is that companies are giving serious thought to business
continuity management (BCM) planning. The banking, finance and insurance
sector (BFSI), along with the ITS and ITES sectors, tops the list
of those who are aware and are almost ready to deploy a fully tested
corporate-wide disaster recovery plan.
Drivers for BCM planning
KPMG’s 2002 survey revealed that corporate
compliance was the biggest driving factor that made companies opt
for a BCM plan, followed closely by the criticality of business.
39 percent of respondents in the cross-industry survey of 2002 saw
BCM as a critical business need, essential for survival. Factors
like corporate image, shareholder protection and past experiences
also influenced a BCM deployment.
Findings of the 2003 survey, which zeroed in
on the ITS and ITES sectors, were no different from those of the cross-section
survey. In this survey, a majority of companies said that criticality
of business is the most compelling reason for deploying a BCM plan.
78 percent of respondents felt that business core process risks
are one of the key reasons to have a BCM strategy—making it clear
that in ITS and ITES businesses, retaining the client is a crucial
factor and there can be great business loss if operations fail at
any point of time. 95 percent of respondents have expressed a strong
opinion in favour of continuous BCM planning, irrespective of the
fact that they have a BCM plan in place.
Nasscom and KPMG conducted a preliminary
survey to assess BCM preparedness of the Indian software and services
sector. The sample size of 70 corporates represented players from
ITS and ITES industry segments, with 77 percent of respondents belonging
to ITS, 13 percent to the ITES sector and 10 percent of respondents
operating in both. The key aspects covered in the survey were: Level
of business dependence on IT and awareness of need for understanding
of BCM within the organisation; business disruption experiences;
organisational support for business continuity initiatives and current
policies, procedures and mechanisms to ensure continuity of business.
BCM is an enterprise-wide risk-based approach
to develop proactive measures for ensuring continuing availability
of business support systems and mitigation of disruption risks.
BCM helps maximise availability, reliability and recoverability
of business systems through effective management of people, processes
and technology.
The report also indicates a huge need for
manpower in BCM. Nearly three-fourths of the respondents reported
an absence of dedicated resources for BCM deployment. With an increasing
realisation of the importance of disaster preparedness by companies
and their customers, the demand for skilled manpower for business
continuity is bound to be high.
Says Sanjay Dhawan, executive director,
Information Risk Management, KPMG, "The survey was done on a personal
interview basis where KPMG consultants directly interviewed IT heads
or BCM managers of these 70 companies. We found that there is some
level of preparedness which these companies have done, but overall
the response was not too good." Dhawan says that in India some companies
are still sceptical about the need for business continuity and what
it actually entails. "KPMG did a study a year ago on BCM planning
of Indian industry as a whole, and the results were not very encouraging,"
he says.
Sunil Mehta, vice president of Nasscom, shares
a different opinion. "The industry wasn’t really caught unawares,
but yes the degree of readiness among individual companies does
vary. Some top-notch companies surveyed had better BCM plans than
their customers," says Mehta. Most companies are either in the process
of implementing a BCM plan or in initial stages of preparing an
implementation plan.
[Caption: According to Manoj Kunklenkar, most Indian
banks and insurance companies have strong central databases
and centralised systems for varied disaster recovery methods]
In Dhawan’s estimate, nearly 84 percent
of respondents surveyed agreed that the demand for BCM has increased
manifold, an indication of the increasing awareness level in the
industry. However, a meagre 29 percent have a documented, corporate-wide
and tested BCM plan in place, whereas 71 percent do not have one.
This indicates that even after experiencing vulnerabilities like
9/11, there are few takers for BCM in India. As Dhawan said, scepticism
still abounds.
The 2002 survey by KPMG also revealed that
79 percent of respondents did not have a fully documented and tested
BCM plan. Amongst the respondents highly dependent on IT, 64 percent
did not have a corporate-wide BCM plan in place to address business
disruption risk. After one year, is there any improvement? Have companies
given serious thought to BCM initiatives? The 2003 survey shows
that a majority have not. Mehta mentions Wipro Spectramind, which
conducted a real-time BCM activity, where 300-odd employees were
flown to Mumbai from Delhi to see whether the company could actually
handle a disaster of that magnitude. That means those companies
who have a sizeable chunk of business coming in dollars are aware
of the need for BCM planning.
A look at some companies (mix of ITS, ITES,
manufacturing and BFSI sectors) that Express Computer spoke
to for BCM planning shows interesting results. The respondents were
found to be quite aware of BCP but the level of preparedness varied.
As the survey has also suggested, 95 percent of respondents have
given serious thought to BCM planning in their IT set-up.
The BFSI sector has the largest number of implementation
projects on hand currently. HDFC Bank’s senior VP for IT, S R Balasubramanian,
says the bank considers its BCM plan as very critical. According
to its philosophy, business requirement translates into IT requirement
and thus it has suitable back-up strategies in place for everything.
It has deployed a DR site at Chennai for replication of data on
an online basis to achieve near-zero data loss. Apart from that,
the bank also has daily backups stored at a different site in the
same city where the main technology service centre is located. "The
bank has connected the main centre and DR centre with high-speed
links with backup links. It also has trained staff at the Chennai
DR centre, which is also manned on a 24x7 basis," says Balasubramanian.
HDFC Bank has employed eight IT professionals
on a 24x7 basis at the Chennai DR site. The staff provides regular
system updates and interacts with the bank’s main IT centre regularly
to understand new applications. It has invested around Rs 30 crore
during 2002-03 for setting up the DR site as a part of BCM planning.
Not all companies can afford to be as robust
as HDFC Bank in terms of comprehensive business continuity planning.
But the rest of the industry has to realise that without concrete
BCM planning they are as vulnerable as any small company, which
has no DR or BCM plan at all.
Ponnanna Uthappa, country manager for services
at Allied Digital Services, believes the emphasis on BCM is justified.
"Considering that data is the most valuable thing, it is a pre-requisite
to have a BCM plan in place. Even when there is a co-hosted and
co-located server, there is a clear-cut BCM plan. I believe more
companies will be making this switch and budgets are already being
allocated on this." Uthappa also says that not many traditional
BFSI players opt for BCM as they already had some offline processes
in place. "BCM is more than DR in terms of the redundancy which
it provides," he says. That shows the mandate is in favour of adopting
a strong BCM plan, but this still has a long way to go. For example,
Arindam Bose, CIO at LG Electronics India, says that each functional
area—like logistics, manufacturing, IT, accounts, service—has a
clear-cut BCM plan. "We have built infrastructure and entered into
alliances with some specific partners to protect loss of data and
ensure business continuity for different levels of disasters." Though
LG has no dedicated team for its BCM effort, they have identified
a team of three persons, one each from infrastructure, database
and the security divisions, for this initiative. Bose says that
the current investment is to the tune of Rs 25 lakh, but with a
turnaround in site and a hot standby site coming up, this is likely
to go up to Rs 1 crore.
Getting back to the ITS and ITES sectors,
ICICI Infotech, the technology arm of ICICI Bank, has a promising BCM
plan. The company looks at it from two perspectives—technology and
processes. "Most Indian banks and insurance companies have strong
central databases. They have centralised systems for varied disaster
recovery methods," explains Manoj Kunklenkar, executive director
and president, ICICI Infotech. He says that BCM has to be done in
three phases—first is cost, which is always an issue, second is
drafting a policy on areas to be covered and third is testing of
all of these processes.
Atul Vashistha, CEO and chairman, neoIT,
highlights another noticeable trend, i.e. a shift in the kind of work
coming to Indian shores. "There is a lot of high-end work coming in
than the earlier transactional work. Considering offshoring of such
critical applications, companies cannot afford any downtime," he
explains. This means Indian companies need to make sure that
they provide the best solutions. Any lack of confidence on the part
of the customer can affect the project drastically, and this is
where BCM comes in. He adds that customers are not willing to outsource
projects if a company does not have BCP. "It is slowly going to
be mandatory with people not having a good BCM plan not being able
to retain their customers," he says.
Another company in the ITES space, Tracmail,
looks fully geared up for any disaster. BCM was incorporated quite
early in the company. However, for this, there are certain considerations
that need to be kept in mind. These include identifying requirements
and classifying them (forming a core part of mission-critical applications),
managing risk and having an emergency response team (ERT).
"In our case, we have already identified,
documented and detailed the plan. In our ERT, we have appointed
an ER co-ordinator who co-ordinates with the different heads of
each business unit," says Rajesh Kulkarni, senior manager, IT at
Tracmail. The company holds a BCM audit every quarter and does evacuation
plan testing on a regular basis. "For a BCM plan to be successful
the right attitude needs to be developed within the organisation,"
he says.
Ranjit Pisharoty, country manager, Vetri
Software, shares a similar opinion. "In the last one and a half years,
we have been noticing a significant change while offering solutions.
Earlier our pitch used to be the labour advantage (helping cut costs
by 30 percent), but slowly we have been finding that the bend is
towards BCM." Now Vetri uses DR and BCM preparedness in its presentation
to customers. This has led to a lot of change in its security and
IT policies.
The findings by KPMG show that the level
of awareness is very high, but the level of preparedness is not
so much.
As Dhawan points out, government can also
play a significant role in increasing BCM awareness and preparedness.
The Indian business scenario is still in the evolution stage. Many
infrastructure areas are yet to be privatised and improved. "The
challenge before the industry is that they cannot create the complete
infrastructure on their own and the government, which is the biggest
infrastructure provider, has to come to their rescue. The other
relevant question is that we must not confuse business continuity
with the internal systems and procedures. That’s not the reality.
BCM is also dependent on what happens outside the organisation,"
says Dhawan.
For example: On the question about the level
of dependence on service providers, 39 percent of respondents in
the survey said that dependence on the service providers is very
significant. So service providers’ health is also equally responsible
for the BCM plan that you make. That’s where the government comes
into picture. Service providers like rail, road, air transport,
telecom infrastructure providers, etc. should also be fully prepared
to handle crises. The entire supply chain has to be ready to support
business continuity management.
- The business risks covered by corporates under BCM are:
customer end risks (78 percent); supplier end risks (60
percent); IT hardware and software risks (80 percent);
business core process risks (78 percent); business partner
risks (52 percent).
- BFSI (40 percent) and software and service providers
(35 percent) attach the maximum importance to BCM initiatives.
- BCM was considered an ongoing initiative by 95 percent
of respondents.
- 50 percent of respondents did not face any major disruptions
in the last two years.
- 42 percent of respondents reported their ability to recover
operations in the event of any contingency in less than
three hours.
- 66 percent of respondents reported their ability to continue
operations in the event of the primary site getting lost
or rendered unsuitable for work.
- Key mechanisms currently deployed for ensuring availability
of IT systems are backups (100 percent) followed by RAID
(70 percent) and alternative routing (65 percent).
- 52 percent of respondents have annual employee training
programmes in BCM.
- 71 percent of respondents did not have a corporate-wide,
documented and tested business continuity plan.