When disaster strikes, banks must get back into operation as fast as possible. That is where business continuity planning comes in, says Wendy Atkins.

Most people think data is dull. Even among CEOs of leading corporations, the subject of data storage is hardly going to involve charged debate. Scratch a little deeper, however, and the importance of data to every sector – especially the banking world – surfaces. Without good data, modern businesses cannot function effectively. And with new challenges to the business environment, data storage and business continuity are real tests that require actions as much as words.

Danger could come from a terrorist attack, a computer hacker, a natural disaster or a staff error. What is important is that the business continues to operate soon after disaster strikes. Statistics from a Gartner Research Note of March 6, 2002 reveal how important business continuity is: it says two out of every five enterprises that experience a disaster will go out of business within five years of the event. Add to this figures from Hitachi Data Systems (HDS) which estimate that the cost of service interruption for a typical financial institution today is between €60,000 and €250,000 per minute, and that the cost of the average bank computer loss is approximately €1.5m (European Storage Index, February 2003) and it becomes clear that the financial sector should be taking the issue of business continuity very seriously.

And it is not just the cost of overtime bills, agency staff, specialist fees and damage limitation PR that have to be considered. If a perception of organisational instability begins to emerge, then a bank could face serious problems.

The good news is that many banks in the Europe, Middle East and Africa (EMEA) region do take business continuity seriously. “European and UK banks lead the way in understanding the importance of business continuity for historical reasons, as countries such as the UK, France and Spain have suffered terrorism for some time,” says Roger Turner, director, mid-range and NAS products, EMEA, at HDS. “In London, the bomb attack on the Baltic Exchange in 1992 took out a large chunk of infrastructure but businesses had good continuity plans in place, so were operational very quickly after the attack. This compares with the scenario following the first bomb attack on the World Trade Center in the 1990s, when 70% of businesses affected by the attack went out of business because they lost large amounts of data.”

Business continuity is also receiving a significant level of interest from the Russian financial sector, where the industry is recognising and building on best practice. In particular, banks in this market are conscious of the problems caused by power consumption, power surges and criminal fraternities. Meanwhile, in Africa, banks are starting to examine their approach to business continuity more seriously, with many financial organisations focused on a modular storage approach rather than high-end solutions.

Back up, storage and testing

The key to successful business continuity is good data storage. This is a process requiring not only the archiving of information, but also the management of data throughout its lifecycle.

For data to be used successfully following a disaster, it needs to be stored in a location at a reasonable distance from a company’s main buildings. Most European organisations now consider an acceptable distance for storage to be 10km-15km from a company’s main offices.

Remote data storage is only part of the challenge: organisations need to be certain that operational processes work. This requires regular planning and testing of processes to ensure a rapid recovery after system failure.

How much is enough?

Business continuity is an ongoing strategic activity; it needs to be monitored continuously, taking into account economic cycles, issues in the macro-environment and the deployment of major new business applications. In particular, banks need a data system that is capable of recovery, rather than having experts who know how to recover it.

To establish the level of resources that should be devoted to business continuity, banks need to understand whether they have any applications that would generate a loss if they were not working for a significant amount of time. Likewise, they need to understand what value applications deliver to their business and understand their unique risks and exposure – a financial institution in Tel Aviv may be exposed to different risks from those of a Scandinavian bank.

“Expenditure of business continuity should be related to how much the company would lose should a disaster strike,” says Tony Reid, director of enterprise solutions at HDS. “These are moving targets, as there is always something that you can do. Key to this is the concept of evaluating risk and attempting to quantify that risk.”

During 2003, HDS conducted the Hitachi Data Systems Storage Index, Autumn/Winter 2003, a piece of third-party research commissioned and owned by HDS. The findings are based on 630 interviews with IT directors that covered businesses from a range of sectors in the EMEA region. Among those interviewed were 25 from UK financial services organisations. The survey reveals that the top disaster recovery/business continuity concerns (from each IT director being asked to pick their top three concerns) were fire, terrorism and downtime (see table).

Interviewees were asked: “When was the disaster recovery/business continuity system last tested?” About 53% replied “within the last three months” and 27% said “three to six months”. A spokesperson for HDS reports: “This means that the majority are testing at least every six months – which is better than for the IT industry as a whole.”

Regulatory issues

In addition to the commercial impetus for disaster recovery, regulations such as Securities Exchange Commission regulation 17a and Basel II are in place. Basel II forces banks to show how they are managing their risks and will allow them to offset a proportion of their operational risk with insurance. In turn, insurers will insist that sufficient precautions are in place to mitigate against potential crises.

These regulations mark a recognition that banking is critical for a country’s infrastructure and that a country can be brought to its knees if safeguards are not in place. “In one African country, a government-owned bank pays the army on a monthly basis,” says Mr Turner. “If anything goes wrong and the bank doesn’t pay the army on time, you could realistically be looking at a civil war. That’s how serious business continuity is to the banking sector.”

Business Continuity Concerns Index*

Fire - 67%
Terrorism - 53%
Down time - 40%
Criminal attacks/hacking - 40%
Flood - 33%
Virus attack - 27%
Human/manual error - 20%
Rioting - 7%

Source: HDS
