Banks Wake Up to Need for Disaster Recovery
Byline: Heather McKenzie
A decade ago disaster recovery plans were the exception rather than the rule among financial institutions. During the Irish Republican Army's (IRA) bombing campaign on mainland Britain in the early 1990s institutions in the City of London relied on the cosy idea of the City as a community. If the bombers disrupted operations at their dealing rooms they could camp out at another bank's offices until alternative accommodation could be found.Ten years on, it would be rare to find an institution anywhere in the world that does not have a disaster recovery plan. Regulatory pressure as well as the events of September 11, 2001 have driven the adoption of business continuity strategies.
The UK's Financial Services Authority said in a consultation paper on operational risk management, published in July 2003: "A firm should have in place appropriate arrangements, having regard to the nature, scale and complexity of its business, to ensure that it can continue to function and meet its regulatory obligations in the event of an unforeseen interruption. These arrangements should be regularly updated and tested to ensure their effectiveness."
Terrorist attacks and widespread power black-outs, such as those that occurred last year in the US and Europe, are rare. Mundane events, including hardware and software failure or burst water mains, are more likely to disrupt business.
Robin Gaddum, senior consultant at IBM UK Business Continuity and Recovery Services, said incompetent plumbers pose more of a threat than terrorists to many businesses. "During the IRA bombing campaign, the disaster recovery company I worked for surveyed financial institutions, asking them what was the biggest source of interruption to their businesses. Terrorism was low on the scale - about 2% or 3%. We found that plumbers were 30 times more disruptive than terrorists."
Gaddum said water flooding through a dealing room or computer facility can be devastating. However, the cause of a disruption to a business is irrelevant. The main concern is getting operations up and running again as soon as possible.
Business continuity does not come cheap. Plans can involve the operation of "hot" disaster recovery sites where the systems and applications running in the main site are replicated and data is backed up online. Euroclear, the international central securities depository, announced in October last year that it would spend [euro]100m ($125m) on a business continuity programme that would enable each of its businesses to resume technical operations within one hour of a disaster.
To organise their spending, most firms apply a grading system roughly dividing systems and processes into high, medium and low priority. The higher the priority, the faster the system must come back online.
Allocating priority is usually done through a business impact analysis, where the operational risk of a loss of continuity is assessed. Jeff Kuhn, senior vice-president of business continuity planning at the Bank of New York (BNY), said: "The bank classifies every business and technology piece within its operations. …