On January 29, 2009, CSO Pakistan organized a closed door, Round Table event on Disaster Management and Business Continuity. Experts from a number of fields and verticals were invited and only a limited number of registered participants were granted access to the event.
The event was moderated by Faisal Khan, CEO of NetAccess Communications (Pvt) Limited, and the panelists included: Dr. Aamir Matin, Country General Manager of Cisco Systems Pakistan, Jehan Ara, President P@SHA, Salman Ansari, CEO of SATC, Raja Mahboob, Senior Vice President Sales & Marketing at CubeXS Weatherly, Asher Faisal Khan, CEO CommTel, Khurram Rahat, Managing Director, Teradata Pakistan, Kamran Meer, CISO Habib Bank Limited, Javed Edhi, CIO of Saudi Pak Bank and Farooq Wahab, IS Security Head at Dubai Islamic Bank.
The audience consisted of senior IT and Business Development heads of various organizations who are exploring BC and DR strategies for their own organization. The objective of the 3-hour discussion was to highlight the various BC challenges companies are faced with and how to increase the learning from the expertise that is already available to us.
Salman Ansari, CEO SATC: The Marriott blast that took place, shook the Evacuee Trust Complex. It is amazing how things came back online, and those lessons are critical for us to learn from. Those companies who had integrated Disaster Recovery planning in place and rehearsed, coupled with the fact that Fiber To The Home, which enabled communications and helped to realize the “anywhere office”, helped with recovery.
One of the things my company does is planning of intelligent buildings. Every building now wants to put up a Data Center and while it might be expensive, the ROI can be realized quickly. I do believe there is a business model which exists and it’s not only the big guys, the know how and benefit does come down to the little guys. The optical fiber systems that exist in Pakistan has given companies a huge amount of redundant capacity across the country where Enterprise Network spanned cities can be integrated at very low cost. All the physics and infrastructure is already in place and if we can have our planning in place, get the consultants and companies match-made with the people.
These points and the fact that the skill and know how exists in Pakistan, helps to make this country a good, reliable destination to handle the outsourcing. An example I simply have to quote is that of LMKR, where when the media was portraying images of a blast-struck Islamabad, when companies opened up for business in the US, they found they were functioning with LMKR at the back end, at 100%.
Javed Edhi, CIO Saudi Pak Bank: At least in the banking sector, the awareness is there. Even before 9/11, financial institutions have been looking into these solutions. I do think, however, that the Business Continuity or Disaster Management only works if you have a strong paper-based plan to work from.
What I think we lack is consistency. When you are a growing organization, you keep prioritizing tasks. The task of having a Business Continuity plan in place has usually been found somewhere at the bottom of the run. However, with the recent efforts and regulations outlined by the State Bank of Pakistan, they have been trying to ensure that BC is in place and banks and all other organizations have to decide the level of resilience that they can employ. They might not be able to implement the maximum level, but they will be able to decide one some level.
Every bank is ready to implement DR and BC and centralized data center, provided the right company comes along and guarantees the uptime and minimal points of failure. We have very few companies, especially locally, who are able to provide the bank with the confidence of having an end-to-end solution in place and guarantee uptime.
Dr. Aamir Matin, General Manager Cisco Systems, Pakistan: We were actually one of the companies in the Evacuee Trust, but interestingly enough, we didn’t miss a second. The reason for that isn’t that we had done something great that the others had not. It was purely and simple the fact that we have been given a set of guidelines by Cisco, which is followed by all Cisco offices around the world. There is a very clear blueprint of what needs to be done to ensure that our businesses can remain up and running without any disruption. And the most important thing is that this is enforced. Prevention is better than cure. If you have guidelines and blueprints and they are actually being implemented, you can move on. Regardless of the vertical you are in, if you have your processes identified and organized, you shouldn’t have to worry about starting from scratch.
There are an increasing number of services of non-IT businesses who are able to offer their services to the community at-large because of the IT infrastructure. Hence there are literally millions of people who are impacted if a service goes down because of poor infrastructure. The backup and contingency plans must be in place to ensure that the switch over is seamless.
Kamran Meer, CISO Habib Bank: Small and Medium companies have lesser bureaucracy, therefore they should be able to move faster and be farther ahead of the rest of us. I keep getting this message from the discussion that there should be a forum and a formal process that should cover and protect companies of all sizes, but every individual company has its own way of dealing with DR and BC planning. It is very possible that a small company, of course, is hit once, but it is also possible, since disaster is unforeseen and not predicted, that an even smaller company who is completely unprepared, isn’t ever hit. I would suggest that let’s keep this a free market and let whoever is interested in having DR and BC planning in place, to go ahead and do so. There will always be consultants and companies to help.
You also have to understand that banking is a very different animal when it comes to planning. There are a lot of compliance issues that they have to deal with the regulator.
Jehan Ara, President P@SHA — Acceptable downtime for companies used to be 4 to 5 days and companies would only be able to have limited control over their operations or data. Today, with more and more companies coming online, a disruption of even a few minutes is detrimental to the bottom line of the company. No matter how bad the times, organizations have to be prepared. We do have expertise in our own local market in the form of consultants and private organizations that can help with the disaster management planning and deployment. P@SHA is actively working on highlighting these issues and creating a knowledge share within its own member companies.
Khurram Rahat, Managing Director, Teradata Pakistan: This discussion will only work if there is a follow up. Banks are going through changes and investing in their core banking systems, but the question that comes to everyone’s mind is this: while the core banking system is being changed and a disaster strikes — though it is time for cost cutting and smaller budgets, are banks prepared in a proactive manner that they should be? These are considerations to keep in mind.
Raja Mahboob, Senior Vice President, CubeXS: According to SunGuard, there were 556 incidents of hardware problems compared to the 40 created by terrorist activity. I think there is a mismatch. We tend to focus more on disaster recovery since it’s more traumatizing. People saw and recognized that especially after the 9/11. Hardware and electrical actually make up for the majority of the issues, and are also easier to identify and protect against.
You can plan for everything down to the greatest detail, but the knee jerk reaction to certain incidents have to be put into place. But there is certainly going to be an element of uncertainty that is still going to be unforeseen.
Ashar Faisal Khan, CEO of CommTel: There is a lot of local expertise which can be tapped into to further the discussion, but it is no longer something that can be avoided by companies. Critical examples are apparent all around us that constantly remind us that if Pakistan wishes to be any kind of a player in the global outsourcing economy, then it must have relevant business continuity strategies in place. Vendors have the constant challenge of keeping pace with the growing demands of the customers and the changing marketing dynamics. But we do have the expertise needed to make all this happen.
Findings and recommendations:
Have the right definitions in place: You cannot have one BC plan replicated and applied to all companies simply because the needs and requirements are so distinct. Identify what components of your business are needed to be able to maintain your uptime — everything else can then follow. But you must conduct a needs-analysis to actually make sense of the solution you are deploying.
Education and awareness. The moderator and members of the audience pointed out that the small and medium businesses are perhaps neither privy to best practices that are being employed by companies locally neither in a position to hire consultants to outline those. Perhaps a knowledge share for the business community can be formed so that there is a reservoir of data and information that can be shared, of course, not having to indulge ‘trade secrets’.
Kamran Meer, CIO at Habib Bank pointed out that there are already so many mailing lists out there, and joining another passive one that has a lot of hype in the beginning, will not serve the purpose at all. Perhaps a more interactive approach for people who are interested, can be taken.
More focused events. The overall feedback from people was that more focused, niche events should be organized where stakeholders can discuss and voice their perspectives. A lot of the feedback also included that the audience wanted more discussion but focused towards the SMB sector. The justification being that despite the fact that everyone can benefit from discussion, the up and coming SMB companies simply do not have the means to make their own investigations on the subject of BC and DR strategies.