Professional Documents
Culture Documents
Prof. Sunil Rai PDF
Prof. Sunil Rai PDF
THESIS
By
2007
BIRLA INSTITUTE OF TECHNOLOGY & SCIENCE
PILANI RAJASTHAN
CERTIFICATE
and submitted by Sunil Kumar Rai ID No. 2002PHXF424 for award of Ph.D.
supervision.
Signature in full of
the Supervisor:
Name in capital
DR. LAKSHMI MOHAN
block letters:
Chapter 1 Introduction
1.0 Preamble 1
1.1 Growth of Banking in India 2
1.1.1 Deployment of IT in Banks in India 3
1.1.2 ICT drives Indian baking to International standards 4
1.1.3 Business Continuity practice in Indian Banks 5
1.2 BCM Experiences of US & Europe 6
1.3 Elements of BCM Plan 8
1.4 Gaps 9
1.4.1 Knowledge about BCM centered around western experiences 9
1.4.2 Framework for BCM in Banks not comprehensive 9
1.4.3 Absence of metrics to measure BCM effectiveness 9
1.4.4 Shortfalls in BCM implementation by Banks in India 10
1.5 Objectives of Research 10
1.5.1 Comprehensive BCM framework 10
1.5.2 Status of BCM implementation by Banks in India 11
1.5.3 Development of metrics to measure BCM effectiveness 11
1.5.4 Deliverables for management in banks 11
1.5.5 Improve business continuity for small and medium banks 11
1.6 Scope of Work 11
1.6.1 Development of BCM Implementation Framework 11
1.6.2 Focus on Operational and infrastructural issues 11
1.6.3 Metrics to measure BCM effectiveness 12
1.6.4 Support to small banks 12
1.6.5 Focus on softer issues 12
1.6.6 Mumbai as the sample of study 12
1.7 Hypothesis of the study 13
i
1.8 Research Methodology 13
1.8.1 Phase 1: Review of Literature 13
1.8.2 Phase 2: Development of BCM Implementation Framework 13
1.8.3 Phase 3: Primary Research to Evaluate Framework 13
1.8.4 Phase 4: Development of BCM Model and Metrics 14
1.8.5 Phase 5: Application of Model to Banks 14
1.8.6 Phase 6: Recommendations for BCM implementation in Banks 14
1.8.7 Phase 7: Scope for Future Work 14
1.9 Research Deliverables 15
1.9.1 BCM Implementation framework 15
1.9.2 BCM Reality Check Metrics 18
1.10 Organization of Chapters 20
1.10.1 Chapter 2 Review of Literature 20
1.10.2 Chapter 3 – Research Methodology 20
1.10.3 Chapter 4 - BCM Survey in Indian Banks 21
1.10.4 Chapter 5 - BCM reality check Model for Banks in India 21
1.10.5 Chapter 6 - Recommended BCM model and evaluation metrics for
SMBs in India 22
1.10.6 Chapter 7 – The way ahead 22
ii
2.3.3 Emerging Challenges in Internet banking 38
2.4 Current Trends of BCM Preparedness in International Banks 38
2.4.1 Increased redundancy & multiple Data Center sites 39
2.4.2 Increased collaboration with third-party partners 39
2.4.3 Well documented and communicated alternate processes 40
2.4.4 High availability of Solutions and Productivity of employees 40
2.4.5 Computerized document management 40
2.4.6 Continuous contact with employees during disasters 41
2.4.7 Brand value and Customer Confidence 41
2.4.8 Appropriateness of BCM in social and economic context 41
2.5 Business Continuity Management in Banks in India 42
2.5.1 Implementation of Business Continuity Planning in Banks 43
2.5.2 Preparedness status of banks in India 43
2.6 Gaps in BCM Implementation in Banks in India 44
2.6.1 Customer focus 44
2.6.2 Small banks face bigger challenge 45
2.6.3 Higher operating costs 45
2.6.4 BCM is IT Focus and not comprehensive 45
2.6.5 Conformity to International standards 46
2.6.6 Portfolio of products and services 46
2.6.7 Deployment of IT in running processes (Banking and non Banking) 46
2.6.8 Availability of state of the art infrastructure in terms of facilities in IT 46
2.6.9 Management of outsourced services 47
2.6.10 Lack of Documentation 47
2.7 BCM Implementation Planning 47
2.7.1 BCM Implementation Challenges 47
2.7.2 Greater need to implement BCM in banks 48
2.7.3 The importance of Implementing BCM 50
2.7.4 BCM Planning 51
2.7.5 The BCM Plan 52
2.7.6 Elements of BCM Plans 58
2.8 BCM Implementation Framework and Disaster Management 61
2.8.1 Embarking on a BCM project 64
2.8.2 Managing BCM Implementation project 64
2.8.3 Disaster Management 66
2.9 Summary of Findings 67
iii
2.9.1 Banking scenario in India 67
2.9.2 BCM implementation scene in banks in India 68
2.9.3 BCM Planning and Implementation 69
2.10 Conclusion 70
iv
Chapter 4 BCM Survey in Indian Banks
4.0 Introduction 91
4.1 Objectives of Survey of Banks 91
4.2 The Research Methodology 92
4.2.2 The Study Plan 93
4.2.3 Bank wise Summary of Study 94
4.3 Essential Ingredients of Successful BCM Implementation in Banks 94
4.3.1 Strategic 95
4.3.2 Operational 98
4.3.3 Technological 102
4.4 Learnings from Case Study 106
4.4.1 People and Procedures 106
4.4.2 IT infrastructure 107
4.4.3 DR organization 107
4.5 Status of BCM Essentials in Banks – A Snapshot 107
4.5.1 Strategic 108
4.5.2 Operational 109
4.5.3 Technological 110
4.6 Summary of Findings 111
4.6.1 Strategic 111
4.6.2 Operational 112
4.6.3 Technological 113
4.7 Conclusion 114
v
5.4 The Business Continuity Reality Check 124
5.4.1 Application of the Metrics 127
5.4.2 Data Analysis and Findings 128
5.5 Conclusion 130
Exhibit5.1 The BCM Reality Check Metrics 132
vi
6.5.3 People 156
6.5.4 Technology 157
6.5.5 Facilities 158
6.5.6 Recommendations to MSRB’s to address vulnerabilities 158
6.6 Summary of Critical Factors 166
6.6.1 Overall Comparative Status 166
6.6.2 Management comprehension of BCM 166
6.6.3 Critical Success Factors for BCM in Small banks 167
6.6.4 Recommendations for successful BCM in Small banks 169
6.7 Conclusion 170
Exhibit 6.1 Cluster-Wise Details of BCM Parameters 172
Exhibit 6.2 Resilience Indicator and Vulnerability Index 177
Exhibit 6.3 Strength/Preparedness & Vulnerability Factor Summary 187
Exhibit 6.4 Survey of Large and Medium & Small Retail Banks (MSRBs) 192
Exhibit 6.5 Classification of Factors for BCM Implementation 198
vii
Annexure 5 BCM in Operation – Experience of a Large Bank 314
References 334
List of Publications A-1
Biography of Candidate A-2
Biography of Supervisor A-3
viii
ACKNOWLEDGEMENTS
I wish to express deep sense of gratitude and sincere thanks to my thesis supervisor
Dr.Lakshmi Mohan for her able guidance, encouragement and suggestions throughout the
period of this research work. It has been a privilege for me to work under her guidance.
Much appreciation is expressed to Prof. Arya Kumar, Group Leader, Economics & Finance
Group, and Dr. Niranjan Swain who were the members of Doctoral Advisory Committee
(DAC), for their kind suggestions, moral support and assistance.
Gratitude is also accorded to BITS, Pilani for providing all the necessary guidance to
complete the research work. My revered thanks to Dr. L. K. Maheshwari, Vice Chancellor for
being a symbol of encouragement and wisdom to enable me undertake the doctoral work. I
wish to express sincere thanks and gratitude to Dr.M.L.Shrikant, Dean, S. P. Jain Institute of
Management and Research (SPJIMR), who is my ideal and inspiration.
I express my gratitude for the kind and affectionate enquiries about the work and the
encouragement given by Dr. Ravi Prakash, Dean, Research and Consultancy Division, Dr.
S.P. Regella, Dr.S.S. Deshmukh, Mr. Sanjay D. Pohekar of the same Division for their timely
and proper advice. My special thanks to Dr. Dr.Dinesh, In-charge Ph D Programme
Monitoring for giving me an opportunity to do research at the Institute.
The encouragement and unflinching support provided by my colleagues – Ms. Priti Miranda
and Ms. Lakshmi Narayan has been a pillar of strength in accomplishing the research data-
gathering task. I am thankful to Ms. Deepa Shetty in providing support in organizing the
resources for data collection and analysis. I express sincere thanks to my friends Mr. Rajesh
S, Mr. Bharat Mishra, Mr. Ravi Gurnani, Mr. Rishish Chandra, Mr.Karthikeya Rathore, Mr.
Rakesh Menon, Ms. Navneet Kaur Nayyar, Ms. Dipali Manjrekar, Ms. Pooja Ahuja and Ms.
Jayashree Thampi for their support.
ix
The professionals from Banking and Consulting who have immensely provided their
guidance and arranging contacts to undertake research have made me indebted to them. Note
worthy amongst them are Mr. V. S. Girish, Mr. Shri Narain, Mr. S. S. Purohit, Mr. Dinesh
Pandey, Ms. Nayna Phanse, Mr. Kalyana Sundaram, Ms. Bhavna Ugrankar, Mr. B. T. Pillai,
Mr. Surendra Shetty, Mr. Ajit Rath, Mr. Ashok Menon, Mr. Srinivasan G, Mr. A. Ganesh,
Mr. T. Prabhakar, Mr. Harish Shetty and Mr. Bondaiah Adepu.
x
LIST OF FIGURES
1.1 Elements of BCM Implementation 8
xi
A5.1 Corporate Organization 327
xii
LIST OF TABLES
1.1 BCM Metrics Model 18
xiii
6.8 Cluster wise recommendations to MSRBs 159
6.12 Survey of Large and Medium & Small Retail Banks (MSRBs) 192
xiv
LIST OF ABBREVIATIONS
AGM Assistant General Manager
B2B Business-to-Business
B2C Business-to-Customer
BC Business Continuity
BM Branch Manager
CA Certification Authority
xv
CFMS Centralized Funds Management System
D2D2T Disk-to-Disk-to-Tape
DD Demand Draft
DR Disaster Recovery
xvi
ECS Electronic Clearing Services
FI Financial Institutions
GM General Manager
HO Head Office
HP Hewlett-Packard
HR Human Resource
HW Hardware
xvii
IDM Intelligent Data Mapper
IS Information System
IT Information Technology
xviii
NAS Network Attached Storage
xix
PSU Public Sector Undertaking
RA Registration Authority
RI Resilience Indicator
RO Regional Office
xx
SPAID Split Path Acceleration of Independent Data Streams
SW Software
Telco Telecommunications
VI Vulnerability Index
xxi
BUSINESS CONTINUITY MODEL FOR MEDIUM & SMALL RETAIL BANKS IN INDIA
The banking sector in India has evolved as a great economic force from its inception in
mid- nineteenth century till date and has contributed immensely to the economic growth.
The upsurge in banking activity is largely due to changing mind-set of Indian society and
increase in competition mainly coming from Foreign banks post liberalization and
globalization. There is increased dependence on technology for delivering multiple
products and services to a wide range of customers using multiple channels. This has
brought in more challenges to the banks to ensure higher level of continuity. The banks
world-over particularly in US and Europe have incorporated Systems and Processes on
highly reliable and dependable world class ICT infrastructure. These banks have been
challenged by disastrous events of all kinds including financial disasters, terrorism and
unrest and natural calamities. The stories of their success and failure in ensuring
sustained business continuity presented in literature provide valuable insights in
implementing successful Business Continuity Management (BCM).
The learnings from literature survey and the fifty-three parameters that were brought out
by primary data survey in banks were used to develop a BCM Metrics in consultation
with experts from Banking and Business Consulting disciplines. The metrics enables
banks to measure their BCM effectiveness at four levels – Corporate, Tactical,
xxii
Operational and Review. It comprises of One Hundred and Seven parameters grouped
into five clusters - Organizational, Procedural, People, Technology and Facility. Each
parameters in the metrics can be assessed by concerned managers of appropriate level
and designation, to measure four criteria of BCM effectiveness - Strength / Preparedness
(P) and Threats / Challenges (R) (on a scale of 0-5) and Vulnerability (V) and
Upgradation Factor (T) (on a scale of 0-1). The analysis of comparative Strengths /
Preparedness against Vulnerability for the bank can be carried out by comparing the
following two Indicators: Resilience Indicator: RI = P * T and Vulnerability Index: VI
= R * V.
The Resiliency and Vulnerability Indicators can then be used to take appropriate actions
at macro level for the cluster (people, technology etc) and at individual levels for each
parameter to take functional level actions. The BCM model was applied to select banks in
Mumbai involving about eighty respondents at three levels of management (Top, Middle
and Functional). The data was normalized to smoothen stray responses due to incomplete
knowledge or lack of understanding the genesis of the parameter in question and was
tested statistically to ascertain the degree of confidence. On the whole, large banks were
found to be less vulnerable on account of technology and facilities but the smaller banks
were more resilient on this account. Large banks however, are more vulnerable to
discontinuity on account of Organizational issues as compared to Facilities and
Technology. Small banks are more vulnerable with respect to Facilities and Technology
in comparison to large banks.
Most banks have put together organizational and technology infrastructure to address
Business Continuity issues comprehensively. The smaller banks however, need to put
these together by entering into collaborative arrangements with other banks and large
providers. The entire banking sector in India need to address the softer issues related to
Business Continuity more comprehensively and pay increased attention to issues related
to bank’s image, scale and scope of services and products being delivered supported on
state-of-the-art technology.
xxiii
CHAPTER 1
INTRODUCTION
1.0 Preamble
The banking in India has been synonymous with the economic growth in India and is
currently facing challenges in relation to competition and rising customer expectations.
The banking system in west, particularly US and Europe has been challenged by major
disruptions that have forced them to implement dependable business continuity
management (BCM) solutions. Consultants have recorded these experiences as
organization specific frameworks that are peculiar to the geography and markets being
served. These frameworks have not been applied to Indian conditions hence their
applicability and efficacy cannot be ascertained. There is no standard framework or
metrics to measure effectiveness of BCM solutions. The gaps in implementation of BCM
in West and India and in India between large and small banks have to be understood and
approach to bridge the same to ensure higher continuity of banking operations in India
has to be worked out. This study is a humble attempt to begin that journey
1
1.1 Growth of Banking in India
Banks are drivers of economic growth in India and function through banking system
under the umbrella of RBI, which is the regulatory and central bank, and operate through
three categories Commercial, Regional and Co-operative1 (Balachandran, 2006). The
shape of banking has seen changes from Inception (1870) to pre-nationalization (1949) to
nationalization (1966) which has rewritten the rules of banking (Srivastav 1999& Prabhu
2001).2 Development of technology has challenged traditional banking practices and
service delivery (Hoeing 1998)3. Liberalization / deregulation has resulted into entry of
foreign and large private sector banks 4 (Yodmani et al, 2001). The numbers of banks of
all categories Public, Private and Foreign, have grown phenomenally. The percentage
presence of private sector banks is higher in urban and semi urban areas and that public
sector banks is higher in rural areas5. This gap is narrowing with increased opportunities
in micro financing6.
The huge expansion for banks in India is owing to growing population of bankable
households and increased propensity of urban to take credit and opportunities for retail
financing for housing loans7 (Jalan, 2006). There is an increased focus on retail loans and
diversification of credit base8. Indian banks have posted higher ‘Net Profits’ and ‘Return
on Assets’ during the last few years and have improved efficiency of operations
significantly. As per Jalan (2006), the average cost of operations in Indian Banking,
however, is higher in comparison to International Standards9.
1
M. Balachandran, CMD, Bank of India, Seminar on “Indian Banking Shaping and Economic Powerhouse”,
Mumbai, 18th July 2006.
2
Pradeep Srivastav, Department of Banking surveillance, RBI, “Computerization, efficiency and Financial reforms”
a report published by RBI, September 1999.
Prabhu Giridhar G., Achal Industries, Mangalore, Paper presented at Symposium on Privatization of
Nationalized Banks – Corporation Bank Officers’ Organization (R), Mangalore on 21st July, 2001.
3
Hoenig Thomas M., President, Federal Reserve Bank of Kansas City, Kansas City, Missouri, Financial
Modernization: Implications for the Safety Net Conference on Deposit Insurance, , Washington, D.C., January
29, 1998.
4
Dr. Suvit Yodmani and Dr. David Hollister, Disasters and Communication Technology: Perspectives from Asia,
Presented at the Second Tampere Conference on Disaster Communications, 28-30 May 2001.
5
RBI Report on trend and progress of banking in India 2005-06 June 30, 2006, Page 97.
6
Mr. Deepak Ghaisas, CEO iflex, remarked during his speech at SPJIMR auditorium during “NIMITT” conference
held on 17 Jul 2006 speaking on “Innovations in banking”.
7
M.Balachandran, CMD, Bank of India, Seminar on “Indian Banking Shaping and Economic
Powerhouse”,Mumbai, 18th July 2006.
8
RBI Report on trend and progress of banking in India 2005-06 June 30, 2006, Page 67 & 70.
9
A comparative analysis indicates that average operating costs of bank in India as a percentage of assets is 2.7% as
compared to progressive economies such as USA and Japan is at 1.7 percent – Jalan (Aug 2006).
2
1.1.1 Deployment of IT in Banks in India
Indian banking is in the midst of IT revolution. The increase in volume of banking
transactions with speedy inter branch reconciliation accelerated the computerization of
accounts and other banking services like remittances10 (Khanna, 2003). Today all private
& foreign banks and almost 80 % of PSBs are fully computerized with higher percentage
of them having implemented Core Banking Solutions11. RBI has created necessary
infrastructure and processes through Institute for Development And Research In Banking
Technology (IDRBT) to provide safe and secure integrated payment settlement systems
using secure channels and encryption12 (Reddy, 2003). The setting up of network and
systems such as BANKNET, INFINET and SWIFT by RBI has facilitated electronic fund
transfers, debits and clearances, reporting and settlement systems. These networks have
proved to be the catalyst in implementation of Real Time Gross Settlement Systems
(RTGS), National Settlement Systems (NSS) and Central Funds Management Systems
(CFMS)13 (Seokumar, 2005). The use of electronic mode of payment has increased, both
in terms of volume and value as a result of unprecedented success of RTGS. The overall
turnover through the various payment and settlement systems has risen by almost 300
percent. This has been mainly due to higher usage of retail payment in the form of
electronic clearing services (ECS), Magnetic Ink Character recognition (MICR) and Non-
MICR14.
Private and foreign banks rely heavily on technology and operate with increasing
efficiencies but the public sector banks enjoy advantage of great reach, size and access to
low cost deposits15 (Kamesam, 2003). Private and Foreign banks have high degree of IT
deployment which is supported on state of the art IT Infrastructure bringing about new
dimensions in Banking services with products like “anywhere banking”, “tele-banking”,
“internet-banking”, “web-banking” etc.16(Muntes, 2005). Banks are increasingly using
10
Khanna Anurag, MD & CEO, Banknet India, Developments in Banking & Banking Technology, Banknet
Directory 2002-03.
11
RBI report on “Trend and Progress of Banking in India 05-06” published on 30th June 2006.
12
RBI measures - Payment Systems, Extract from the Inaugural Address by Dr. Y. V. Reddy Governor, Reserve
Bank of India at Twenty-Fifth Bank Economists’ Conference (BECON- 2003) on December 11, 2003.
13
Seokumar, Emergence of eBanking, 2005, http://www.1888articles.com/emergence-of-ebanking-0bo443i67a.html
14
RBI Report on trend and progress of banking in India 2005-06 June 30, 2006, Page 98.
15
Kamesam Vepa, Deputy Governor, Reserve Bank of India, Excerpt from Address Delivered at Central Bank of
Sri Lanka, Colombo, August 20, 2003.
16
Sumint Muntes, Chief Operating Officer, HSBC, “Disaster Recovery and Business continuity in banks”, Bank
Tech Summit, Taj Lands End Mumbai, 22 Sep 2005.
3
advance technology to implement “Customer Centered Applications” and with high-end
functionality such as Risk Management, Credit Monitoring etc.17 (Rao et..al, 2003).
Growing customer awareness, higher demand for low cost electronic services,
convenience and integration of banking services with e-commerce have resulted in highly
competitive internet banking market and those banks who don’t offer modern banking
will become marginalized22 (Shore, 2002). Banks in India are compelled to align with
International best practices23 (Reddy 2004). The measures of deregulation and increased
competition has lead to a situation where the survival of those banks who do not attain
higher levels of operations in continuity (Kamesan, 2003). Competition forcing banks to
offer multiple products and services24 (Jalan 2006).
17
Rao Gurram Ramachandra and Prathima Kasula, Internet Banking in India, Mondaq Business Briefing, April 11,
2003.
18
Report “India Banking 2010” submitted by McKinsey Consulting to RBI that was included in RBI Report on
Trend and Progress on Banking in India 2005-2006, RBI Publication, June 30,2006
19
Shah Shilpa, Executive, Banknet India, Mumbai, Indian banks moving towards electronic payment systems-
Banknet India, Third Annual Conference on Payment Systems in Banks", 10th January 2007
20
Uchil V. M, Chairman, Nextstep Infotech Pvt Ltd, Interview in July 2005
21
S. Balasubramanya, IT wave breaks over banking, The City, Aug - Sept 2002,
http://www.tcs.com/0_features/articles/it_banking_industry.htm
22
Shore Dave, “Web-based solutions can ensure business continuity”, Tech Republic, 20 May 2002,
http://techrepublic.com.com/5100-10878_11-1048802.
23
Reddy Amarender, Banking Sector Liberalization and Efficiency of Indian Banks, The ICFAI Journal of Bank
Management, Volume II May 2, 2004, P 37-53
24
Bimal Jalan, Governor, Reserve Bank of India, India’s economy in the new millennium, VBS Publishers Pvt. Ltd,
New Delhi, Aug 2006.
4
1.1.3 Business Continuity practice in Indian Banks
Banks need Business Continuity planning (BCP) and robust information risk
management system for minimizing the adverse effects of one of the important areas of
operational risk i.e. business disruption and system failures. They must thoroughly test
BCP to verify its full capability against the changing scenario and assumptions at
frequent intervals25 (Maiwald et al., 2002). The responsibility in respect of BCP rests
with the Board of directors and the top management to provide clear policy guidance and
direction26 (Parthasarthi, 2005). Constant technological change demands banks to
continually upgrade human resource skills and instill the necessary attitudes and work
culture27 (Yodmani et al, 2001) to ensure higher degree of continuity.
RBI, in recognition of increase in eventualities that might even throw banks out of
business, has issued detailed guidelines directing commercial banks to put in place
business continuity measures with lower cost of BCM programs to retain competitive
advantage total cost of BCM programs low to retain competitive advantage. These
programs are to implement by carrying out comprehensive risk assessment, establishing
infrastructure, organization and processes to ensure realization of targeted Recovery
Point Objectives (RPOs) and Recovery Time Objectives (RTOs). Given the complexity
and scale of operations it is necessary that these plans be supported by getting into
agreements with trusted and reliable agencies (Parthasarthy, 2005).
Reserve Bank has asked banks to adopt dual strategy for Disaster Recovery System
(DRS) / BCP - one for mission critical applications and the other for other applications.
The approach towards Business Continuity is to ensure that in case of any contingency,
operations are resumed within a minimal time gap of two hours in the case of mission
critical applications and within a day in the case of others. The IT resources and assets
are recommended to be consolidated in the form of Data Centres both at the Primary Site
and at the Recovery and Continuity sites28 (Das Gupta, 2002). RBI has advised banks to
review and upgrade BCM periodically and resort to insurance as risk mitigation strategy
25
Maiwald Eric & Seiglein William, Security Planning and Disaster Recovery, McGraw-Hill Professional, Osborne,
USA, Jan 2002, P 235 – 249.
26
Parthasarathi P., Chief General Manager, RBI, letter Ref. RBI/2004-05/420 DBS.CO.IS Audit.No.
19/31.02.03/2004-05 dated April 15, 2005 to All Chairmen / Managing Directors / Chief Executive Officers of
all Scheduled Commercial Banks
27
Dr.Suvit Yodmani and Dr.David Hollister, Disasters and Communication Technology: Perspectives from Asia,
Presented at the Second Tampere Conference on Disaster Communications, 28-30 May 2001
28
Das Gupta Soutiman, Banking on business continuance, BCP Stratégies, Network Magazine, August 2002
5
for externalizing risks to third party by reducing financial exposure during disruptions29
(Mani, 2003).
Most progressive banks in western countries have BCM plans that are designed to protect
them against any disruptions, man-made or natural, catastrophic or relatively minor30
(Ambrosio, 2001) and are comprehensive enough to cover all consequences from large
scale disasters to certain trivial discontinuities like absence of key staff31 (O’Neil, 2005).
The BCM exercise undertaken by them are led by banks’ senior management with the
right level of experience and with their whole hearted support must for it to be effective
and not a mere corporate nuisance32 (Oltsik, 2004). Business units have driven their BCM
effort based on the interrelationships between the core department and other units in
bank and make recovery plan for processes that actually need them33 (Herbane et al,
1997).
Implementation of BCM has enabled the banks to survive as a legal and financial entity
by addressing entire key assets that are necessary to continue operations – process,
technology, people and facilities34 (Bleiberg, 2005). The success of the BCM plans,
where achieved is attributed to sound execution by the designated teams in the face of
disaster35 (Howarth, 2004). BCM of banks that have focused too much on technology
protection without effective development and deployment of policies and procedures to
react in minimizing damage and recovery have been found to be dysfunctional (O’Neil,
2005).
29
Rahul Neel Mani, Indian IT industry shies from investing in BCM initiatives,
http://www.expresscomputeronline.com/20030707/indtrend1.shtml, 7th July 2003.
30
Ambrosio Johanna, The Information Archirect: Disaster recovery: Know what you really need, Published:
10/25/2001.
31
O'Neill Shane, Senior News Writer, DR plans stuck on, 02 Feb 2005.
32
Oltsik Jon, Hot spots: So much can go wrong with disaster recovery. What can you do to ensure all goes well?
Published: Jun 2004, http://storagemagazine.techtarget.com/magItem/1,291266,sid35_gci969972,00.html.
33
Brahim Herbane, Dominic Elliott and Ethne Swartz ( Leicester Business School, UK), Contingency and continua,
Achieving Excellence through Business continuity planning, Business Horizons, December 1997.
34
Bleiberg Ron, SmartAdvice: Planning Ahead Means A Disaster Needn't Wipe Out Your Business, Aug. 22, 2005.
35
Howarth Fran, Business continuity planning: will your plans save you? Published: 12th January 2004,
http://www.it-director.com/article.php?articleid=11564.
6
Banks that have realized greater effectiveness of BCM have identified core processes that
need to be kept running to keep the business continuous together with key personnel and
technology infrastructure involved36 (Sharp, 2003). They have defined these processes
well, after collecting data from all stakeholders involved, documented well and stored
electronically37 (Smith, 2002). They have carried out detailed risk assessment of critical
assets and systems, for all core processes, that need protection against all potential threats
that can interrupt operations to deploy right alternate processes and technologies mostly
with support of external agencies to ensure business integrity (Oltsik, 2004).
Banks in US & Europe have faced large-scale disasters and hence have augmented their
BCM approach. They have increased redundancy of key resources and switched to
multiple Data Center sites operation by collaborating with third-party partners who have
multi site and multi platform capabilities supported on dependable communication
network38 (Coles, 2006). Banks have devised alternate processes that covers all critical
business functions including those of key outsourcers which they have well documented
and communicated. They have disseminated the information on alternate procedures
elaborately to all stakeholders and customers thereby increased their confidence in banks’
ability to provide normal services during disruptions39 (Watanagase, 2007).
Banks are implementing document management and imaging systems using modern tools
to house their loan documents40 (King, 2006 ). They have endeavored to ensure high
availability of solutions and productivity of employees while top management is focusing
on improving communication with customers and employees during disruptions to
customer confidence, brand value, market position 41 (Ryods, 2007). The common feature
of all the well-executed BCM plans is that they are simple and regularly updated with
systematic reviews proactively to ensure they remain current and effective42 (Kirkpatrick,
36
Sharp John, Business Continuity Management & The Duties Under Civil Contingencies Act, Continuity Forum,
April 2003, http://www.bristol.gov.uk/ccm/cms-service/download/asset/?asset_id=12781050.
37
Smith Laura, The new face of disaster recovery, Published: Mar 2002.
38
Warren Coles, Executive Vice President, PULSE EFT Association, Houstan USA comments in his interview with
Bank systems & Technology, Planning for Continuity, Feb 27, 2006.
http://www.banktech.com/showArticle.jhtml?articleID=181400621.
39
Mrs. Tarisa Watanagase, Governor, Bank of Thailand. BOT Notification No. 118-2550 (23-01-07),Jan 23, 2007
40
Jason King, Director of financial services, Hyland Software's Vendor's OnBase content management firm, Ohio,
USA comments in his interview with Bank systems & Technology, Planning for Continuity, Feb 27, 2006
http://www.banktech.com/showArticle.jhtml?articleID=181400621
41
James Ryods, founding partner of InfoSec Associates and past Chairman of Information Security & BS7799
Survive - The Future of Business Continuity Management, Credit Control, House of Words Ltd, Jan 2007.
42
Kirkpatrick ,Terry A remarked in report published in CIO Insight in 2002.
7
2002). Banks test the BCM plans with a battery of potential scenarios with total
participation of staff as even the best-laid plans did encounter unexpected challenges43
(Amato-McCoy et..al, 2006).
1.3 Elements of BCM Plan
The literature survey brought out elements of successful BCM Implementation that are
depicted in Fig 1.1 below. It also enabled working out of Research Hypothesis and
parameters for assessing effectiveness of BCM solutions that were used for module
development.
PROCEDURE
• Alternate Processes and Roles
• Multiple Site Operations
• Backup Site and Relocation
• Documentation of Procedures
• Culture of Empowerment and Innovation
FACILITIES PEOPLE
• Redundant physical space • Communications Planning
Elements of BCM
• Data Centres Implementation • Transportation
• Commercial Power • Involvement
• Access Controls • Training
TECHNOLOGY
• Security
• Servers and Storage Platforms
• Information and Data Backup
• Data Protection Technologies
• Network and Bandwidth
43
Amato-McCoy Deena M., Planning for Continuity, Bank Systems & Technology, February 27, 2006,
http://www.banktech.com/showArticle.jhtml?articleID=181400621
8
1.4 Gaps
The literature survey, primary research of BCM Practices in Indian Banks and focused
interactions with experts and consultants have brought to light following gaps in the
BCM Practice in Banks in India, particularly in small and medium banks.
9
1.4.4 Shortfalls in BCM implementation by Banks in India
There are following gaps in BCM Implementation in Banks in India as compared to their
western counterparts:
Higher average cost of operations in comparison to International standards
Lower level of commitment to customers and customer service standards
BCM planning is mostly focused on IT set-up not so much in case of organization
and alternate support systems.
Lack of conformity to International standards and norms.
Inability to provide wider range of product and services through multiple delivery
channels.
Small banks are unable to offer wide range of products at reasonable price due to
inhibition in their ability to spend in technology.
Lack of documentation and communication of alternate processes
Non-availability of state of the art infrastructure and facilities
Non-deployment of IT in running banks internal processes
Lack of appropriate management of outsourced services and non-comprehensive
Service Level Agreements
10
1.5.2 Status of BCM implementation by Banks in India
The state of BCM effectiveness of banks in India is to be ascertained using the
framework deduced from western experiences and gaps in improving BCM effectiveness
and continuity to be identified.
11
parameters identified. The study does not look at banking and financial risk and focuses
only on banking operations as regards continuity.
12
1.7 Hypothesis of the study
The following are the hypothesis of the study:
a. Higher the level of state-of-the-art IT infrastructure more is the reliability of the BC
practice and organizational strength, especially for banks that support multiple
products and services delivered through multiple channels.
b. The success in the implementation of BC practices as envisaged in enhanced image
and reputation of the bank depends on the softer aspects of Operations such as
employee awareness, readiness, empowerment, culture of innovation and
adaptability and Adherence to International Quality Standards.
c. Small banks are less resilient to meet major disruptions as compared to large banks
on account of technology and facilities due to their inability to invest in state-of-the-
art IT infrastructure and establish reliable and communicated procedures for
alternate operations.
13
1.8.3 Phase 3: Primary Research to Evaluate Framework
Primary research was undertaken in selected banks in Mumbai who have implemented
BCM to evaluate the theoretical framework as regards completeness and effectiveness.
Interviewing corporate managers, bank unit heads and junior executives carried out the
study. Questionnaires (that were progressively evolved by testing on samples, on spot
observations and discussion with subject matter experts) were administered to various
levels for identification of factors that are responsible to create and implement successful
BCM. The learnings enabled identification of parameters, clustered in groups:
Organizational, Process, People, IT Infrastructure and Facilities, to measure effectiveness
of BCM Implementation in banks.
14
1.9 Research Deliverables
The managements in banks in India are presented with two deliverables that are the
outcome of this study, to enhance their business continuity:
BCM Implementation framework
BCM Reality Check Metrics
Project Initiation
Maintaining and
Updating the BCM
Designing and developing a BCP
Implementation
44
Disaster Recovery Institute Canada, http://www.dri.com and http://www.incident response.org;
http://www.drii.org, July 2002
15
1.9.1.1 Why must banks invest in BCM
Banks need to invest in BCM by creating appropriate organization and infrastructure so
as to maintain their market position, preserve confidence of customers, governments &
shareholders and prevent losses to business and liabilities towards employees,
shareholders and customer claims (Herbane et al, 1997). Effective BCM ensures
prevention of discontinuities, quick response if they occur, speedy resumption of critical
tasks, early recovery of other non-critical processes and smooth restoration to normalcy45
(MacSweeny, 2003)
45
Greg MacSweeny, Redefining Best BC Practice, Insurance & Technology, Aug 2003
46
Michael Gallagher, What is the worst that could happen, Financial Times, Printece Hall, May 2003
47
Richard Gondek, (Internetworking Practice Lead, Greenwich Technology Partners) Journal of Business Strategy,
Aug 2002
48
Kon Karakasidis, (KPMG Information Technology Consulting Division, Melbourne, Australia) A project
planning process for business continuity, Information Management & Computer Security, Vol. 5 , No. 2, Aug 1997
49
Susan Rodetis, Can your business survive the unexpected, Journal of Accountancy, Feb 1999
16
c. Designing and Developing a BCP -Feasible, realistic and workable BCM plans
aligned with organizational strategy, business objectives and priorities that can
effectively counteract interruptions to business activities and protect critical
business processes from the effects of major failures or disasters are to be drawn
out (Gallagher, 2003). Recovery system alternatives must have emphasis on the
importance of human factor, alternate emergency operations and processes using
technology components and the drill to rebuild the state of normal operations50
(Morganti, 2001). A Business continuity planning framework comprising of three
sections is suggested:
One - Sequence of resumption / recovery
Two - Steps to operationalize plan
Three - Maintenance Schedule & upgradation
d. Implementation - Banks must establish trained and committed teams to lead
manage and direct the organization through the crisis and provide necessary
technical, operational and administrative support to move to alternate scheme
during discontinuities and recover to normal scheme once crisis is over.
(Morganti, 2001) Agreement must be entered into with appropriate vendors for
delivery of replacement service/support within critical time frames. Allocation of
responsibilities, systems and processes must be worked out and communicated to
all concerned. (Rodetis, 1999)
e. Testing - BCM Plan and operating scheme needs to be tested for efficiency and
relevance from annually or after major organizational changes or an incident.
Testing proves that BCP is feasible and demonstrates the ability of the
organization to recover. (Gondek, 2002)
f. Maintenance and Updating the Plan - The BCM organization and practice must
be updated at least annually or after major organizational changes,
implementation of new systems, networks and hardware or changes in market
conditions / staff levels. (MacSweeny, 2003)
50
Michael Morganti, A business continuity plan keeps you in business, Record – The magazine of Property
Conservation, September 2001
17
1.9.1.4 Disaster Management
Disaster management is effected in the four distinct phases namely, mitigation,
preparedness, response and recovery (Yodmani et al 2001). As per DR Institute, Canada
outlines the priority in which disaster situation needs to be responded is safety and
prevention of injury to personnel on site first, prevention or limiting damage to facilities
and equipment second and keeping critical business functions operational next. Crisis
once triggered and not responded to appropriately can expand. A credible spokesperson
must lead the Media and provide Information to avoid speculations (Herbane et al, 1997).
Measures
Parameters
P T RI R V VI
Organization (O) P1-n(O) T1-n(O) P1-n(O) * T1-n(O) R1-n(O) V1-n(O) R1-n(O) * V1-n(O)
Procedure (P) P1-n(P) T1-n(P) P1-n(P) * T1-n(P) R1-n(P) V1-n(P) R1-n(P) * V1-n(P)
People (H) P1-n(H) T1-n(H) P1-n(H) * T1-n(H) R1-n(H) V1-n(H) R1-n(H) * V1-n(H)
Technology (T) P1-n(T) T1-n(T) P1-n(T) * T1-n(T) R1-n(T) V1-n(T) R1-n(T) * V1-n(T)
Facilities (F) P1-n(F) T1-n(F) P1-n(F) * T1-n(F) R1-n(F) V1-n(F) R1-n(F) * V1-n(F)
18
The state of preparedness or vulnerability of BCM in target bank can be inferred by
application of the metrics by calculating two factors:
Resilience indicator (RI)= P*T
Vulnerability Index (VI) = R*V.
These two factors indicate the levels of strength and vulnerability of the bank from BCM
perspective from each of the parameter in the clusters. The summations of these two
indicators for clusters indicate the status at the cluster level.
Resilience
(Provided by Banks)
Continuity
Vulnerability
(Posed by Environment)
The test results of the metrics indicate that large banks are more resilient and less
vulnerable. The small banks are highly vulnerable on account of technology and
facilities. Both categories of banks are equally vulnerable from the perspective of
organizational readiness and thus merit more management definition on softer issues of
customer service and image.
19
The BCM reality check metrics model51 has been published under the title “Business
Continuity Model: A Reality Check for Banks in India” in the Journal of Internet
Banking and Commerce, August 2006. The paper is placed at Annexure 1 in this report.
The model has been appreciated and is in the process of incorporation as reference by
Banking Association of India to serve as BCM reality check framework by member
banks. This has been discussed during the bankers meet in April 2007 at La Meridian
Mumbai, organized by Banking Frontiers magazine.
51
Prof. Sunil Rai, Joint Director, S. P. Jain Institute of Management & Research, Mumbai, India and Dr. Lakshmi
Mohan, Information Technology Management Faculty, School of Business, University at Albany, State
University of New York, “Business Continuity Model: A Reality Check for Banks in India” in the Journal of
Internet Banking and Commerce, August 2006, vol. 11, no.2 (http://www.arraydev.com/commerce/jibc/)
20
1.10.3 Chapter 4 - BCM Survey in Indian Banks
The chapter elaborates the survey and findings conducted on major banks in Mumbai.
The survey was designed to validate the theoretical framework of BCM Implementation
developed based on the literature survey. The parameters that can be used to measure the
effectiveness of BCM Solutions based on experiences of select banks that have
implemented BCM were identified. This formed input to development of BCM Metrics
model described in the next chapter. This chapter also presents a case study about
successful implementation of BCM by a leading bank that was proved in the face of a
disaster. A paper entitled52 “Business Continuity Management in Banks – The Indian
Experience”, has been published by the researcher in “Journal of Internet Banking and
Commerce, August 2006” which is based on the primary data survey enumerated in this
chapter. This paper is available on http://www.arraydev.com/commerce/jibc/.
1.10.5 Chapter 6 - Recommended BCM model and evaluation metrics for SMBs in India
This chapter details the application of the BCM model to eight large, six medium and
eight small banks in Mumbai at various levels of management involving close to 100
52
Prof. Sunil Rai, Joint Director, S. P. Jain Institute of Management & Research, Mumbai, India & Dr. Lakshmi
Mohan, Information Technology Management Faculty, School of Business, University at Albany, State
University of New York, “Business Continuity Management in Banks – The Indian Experience”, Journal of
Internet Banking and Commerce, August 2006, vol. 11, no.2
(http://www.arraydev.com/commerce/jibc/)
53
Prof. Sunil Rai, Joint Director, S. P. Jain Institute of Management & Research, Mumbai, India & Dr. Lakshmi
Mohan, Information Technology Management Faculty, School of Business, University at Albany, State
University of New York, “Business Continuity Management in Banks – The Indian Experience”, Journal of
Internet Banking and Commerce, August 2006, vol. 11, no.2
(http://www.arraydev.com/commerce/jibc/)
21
respondents. The collated data was normalized and analyzed iteratively to draw
comparison amongst target banks and recommend steps of successful and reliable BCM
implementation in SMBs. The critical success factors and steps recommended to SMBs,
to improve their resilience and counter vulnerability from continuity perspective while
planning and implementing reliable BCM Organization & Infrastructure and its operation
& maintenance, are enumerated.
22
CHAPTER 2
REVIEW OF LITERATURE
Jalan (2006) believes that intense competitive pressure on the financial system has
generated a variety of products and services to meet the specialized needs of millions
of customers. The impact of these changes in the international financial system
resulted in initiation of the process of integrating Indian economy with the global
economic order2. This ushered in the phase of financial sector reform that primarily
aimed at aligning the Indian banking system to the international best practices
(Reddy, 2004). The Indian financial system is presently undergoing a major phase of
metamorphosis3.
As per Jalan (2006), banking has become the major partner in growth and
development of any nation or society. This is particularly the case with fast
developing economies such as India. The disruptions in banking activity can pose a
major threat to this cause. Dell ( et al 2004) state that the continuity of banking system
1
M.Balachandran, CMD, Bank of India, Seminar on “Indian Banking Shaping and Economic
Powerhouse”,Mumbai, 18th July 2006.
2
Bimal Jalan, Governor, Reserve Bank of India, Indias economy in the new millennium, VBS Publishers Pvt.
Ltd, New Delhi, Aug 2006.
3
Reddy Amarender, Banking Sector Liberalization and Efficiency of Indian Banks, The ICFAI Journal of Bank
Management, Volume II May 2, 2004, P 37-53
23
can be enhanced and crisis during disruptions can be better managed by collaborative
efforts of legal, regulatory and the banking system.4
In 1955, RBI acquired control of the Imperial Bank of India, which was renamed as
State Bank of India (SBI). The RBI enforced compulsory merger of weak banks with
the strong ones reduced the number of banks from 566 in 1951 to 85 in 1969. The
government of India nationalized 14 major banks and acquired 6 large banks to ensure
that banks play role of catalytic agents for economic growth. The Narsimham
Committee report suggested wide ranging reforms for the banking sector in 1992 to
introduce internationally accepted banking practices.
4
Dell’Ariccia Giovanni, Detragiache Enrica and Rajan Raghuram, Executives IMF, The Real Effect of Banking
Crises, October 2004
5
Pradeep Srivastav, Department of Banking surveillance, RBI, “Computerization, efficiency and Financial
reforms” a report published by RBI, September 1999
6
Prabhu Giridhar G., Achal Industries, Mangalore, Paper presented at Symposium on Privatization of
Nationalized Banks – Corporation Bank Officers’ Organization (R), Mangalore on 21st July, 2001
24
2.1.3 Liberalization: Financial and Banking Sector reforms (1992 onwards)
Liberalization and deregulation witnessed in the Indian markets in the 1990s resulted
in a spurt in banking activity in India which was further accelerated due to advances
in communication technology enabling banks to expand their reach, both in terms of
geography covered as well as new products introduced (Yodmani et al, 2001)7. This
period saw increased competition in wholesale banking due to the entry of foreign
banks and new private sector banks. Reddy (2004) observes that competition from
multinational banks and entry of new private sector banks has rewritten the rules of
the retail lending business in India. The Indian retail lending market is relatively
unexplored with the per-capita usage of retail product offerings as compared to Asian
peers. The relative size of the Indian market, backed by factors such as a growing
population of bankable households, low penetration rate for retail finance products
and the increased propensity of the urban populace to take credit, offers scope for
expansion (Jalan, 2004).
7
Dr.Suvit Yodmani and Dr.David Hollister, Disasters and Communication Technology: Perspectives from Asia,
Presented at the Second Tampere Conference on Disaster Communications, 28-30 May 2001.
8
Hoenig Thomas M., President, Federal Reserve Bank of Kansas City, Kansas City, Missouri, Financial
Modernization: Implications for the Safety Net Conference on Deposit Insurance, , Washington, D.C.,
January 29, 1998
9
Kamesam Vepa, Deputy Governor, Reserve Bank of India, Excerpt from Address Delivered at Central Bank of
Sri Lanka, Colombo, August 20, 2003
25
Table 2.1 - Number of Branches of Scheduled Commercial Banks10
As per Djankov (et al, 2005), Indian banks, under favorable macroeconomic
environment, have improved their asset quality and risk management practices using
10
Courtesy: RBI Report on trend and progress of banking in India 2005-06 June 30, 2006, Page 97.
26
more vigorous systems and scoring models for identifying credit risks.11 There is an
increased focus on retail loans and diversification of credit base. The percentage of
retail loans to total loans and retail portfolio of banks is given in tables 2.1 and 2.2
respectively below.
Retail 22 24 26
Housing 10 12 14
Consumer Durable 1 1 1
Others 10 11 13
Outstanding as at end
March (in Billion Rs.) Percentage
Item
Variation
2005 2006
11
Djankov, S. C. McLiesh and A. Shleifer (2005), Private credit in 129 countries, NBER Working Paper 11078,
January 2005.
12
RBI Report on trend and progress of banking in India 2005-06 June 30, 2006, Page 67.
13
RBI Report on trend and progress of banking in India 2005-06 June 30, 2006, Page 70.
27
2.1.5 Banking Functions and Processes
Banks are custodians of public money and promote lending or deposits. A list of
activities undertaken by the banks is given below:14
a. Fixed Deposits
b. Savings Accounts
c. Current Account
14
Banking Regulation Act of India, 1949 and Negotiable Instruments Act 1881
28
2.1.5.5 Global Lending
The funding avenues potentially open to a borrower in the global capital markets can
be categorized as follows:
a. Bonds (Straight Bonds, Floating Rate Notes , Zero-coupon and deep discount
bonds, Bonds with a variety of option features embedded in them)
b. Syndicated Credit (usually at floating rate of interest)
c. Committed Underwritten Facilities (buyers' and suppliers' credits)
d. Project Finance
29
2.2 Technology deployment in Indian Banking Industry
Indian banking industry, today is in the midst of an IT revolution. Khanna (2003)
believes that a combination of regulatory and competitive reasons have led to
increasing importance of total banking automation in the Indian Banking Industry. 15
15
Khanna Anurag, MD & CEO, Banknet India, Developments in Banking & Banking Technology, Banknet
Directory 2002-03
16
RBI Report on trend and progress of banking in India 2005-06 June 30, 2006, Page 98
30
RBI undertook massive drive in end 1980s to speed up Information Technology (IT)
deployment in Indian banks by issuing explicit and exhaustive instructions and
guidelines to hasten the pace automation of operations in the banking sector in a
phased and planned manner (Kesavam, 2003)17. The focus by this implementation
(justifiably) was on customer service and automation of operations in other areas like
funds transfer, electronic mail and ATMs etc. While most Private Sector and MNC
Banks have achieved higher degree of computerization by implementing modern
technological solutions, the Public Sector banks are now making investments in this
regard (Balachandran, 2006). The extent of computerization achieved in Public Sector
Banks18 is given below:
Table 2.5 Extent of Computerization of Branches PSBs (as on March 31, 2006)
5 More than 80 22
17
The high level committee formed under the chairmanship of Dr. C Rangarajan, then Governor of the Reserve
Bank of India, drew up a phased plan for computerization and automation in the Banking Industry over a
five year time frame of 1985-89
18
RBI Report on trend and progress of banking in India 2005-06 June 30, 2006, Page 97
31
one will become increasingly difficult. Services and products like "Anywhere
Banking" "Tele-Banking" "Internet banking" "Web Banking" , e-banking, e-
commerce, e-business etc. have become the buzzwords of the day and the banks that
are trying to cope with the competition are offering innovative and attractively
packaged technology-based services to their customers19.
The use of electronic mode of payment has increased, both in terms of volume and
value, during 2005-06 compared with the previous year. The share of electronic
transactions constitutes 46.7 per cent in terms of volume and 51.2 per cent in terms of
value in 2006 of the total transaction. Table 2.6 below shows the increase of
19
G Padmanabhan, Chief General Manager, Dept of IT, RBI, “Business Continuity – a new priority for banks”,
Bank Tech Summit, Taj Lands End Mumbai, 22 Sep 2005
20
Sumint Muntes, Chief Operating Officer, HSBC, “Disaster Recovery and Business continuity in banks”, Bank
Tech Summit, Taj Lands End Mumbai, 22 Sep 2005.
32
electronic transactions as compared to paper based transactions in the last four years
showing the wide spread use of technology by banks in India. Reddy (2006) believes
that the increase in electronic banking is a result of unprecedented success of RTGS,
operationalized on March 26, 2004. The number of RTGS branches reached about
23,000 and the volume crossed 200,000 transactions by March 2006. This has resulted
in higher speed and efficiency of inter-bank funds transfer and customer transactions.
As per RBI report on “Trend and Progress on Banking in India 2005-2006”, published
June 30, 2006 large number of Banks in India have implemented Core Banking
Systems and have adapted electronic Payment and Settlement and systems22.
This revolution in ICT sweeping the nation and the world has resulted in phenomenal
improvement of communication infrastructure and the Internet technologies that has
allowed branches to network at a relatively low and affordable cost with a high degree
of reliability (Shah, 2007)23 .RBI has been instrumental in setting different levels of
networked systems, which have collectively become the backbone for
interconnectivity among banks/ branches enabling automation of areas like funds
transfer, electronic mail etc (Seokumar,2005). The networks and systems that form
the mainstay of e-banking in India listed below:
21
Courtesy: RBI Report on trend and progress of banking in India 2005-06 June 30, 2006, Page 98.
22
The overall turnover through the various payment and settlement systems has risen by almost 300 percent.
This has been mainly due to higher usage of retail payment in the form of electronic clearing services
(ECS), Magnetic Ink Character recognition (MICR) and Non-MICR – RBI report June 2006.
23
Shah Shilpa, Executive, Banknet India, Mumbai, Indian banks moving towards electronic payment systems-
Banknet India, Third Annual Conference on Payment Systems in Banks",10th January 2007.
33
2.2.3.1 BANKNET
A communication network backbone connecting, at present, seven centres viz.
Mumbai, Delhi, Calcutta, Madras, Nagpur, Bangalore and Hyderabad. Set up in 1991
by the RBI, this backbone is meant to facilitate transfer of inter-bank (and inter-
branch) messages within India by Public Sector banks who are members of this
network.
2.2.3.3 S.W.I.F.T
Eight Indian banks are part of the international financial messages communication
network, namely, Society for Worldwide Inter-bank Financial Telecommunication
(S.W.I.F.T). It provides reliable and expeditious telecommunication facilities for
exchange of financial message all over the world. The gateway is in Mumbai and
efforts are on to other cities through leased lines/public data network.
34
2.2.3.6 MICR (Magnetic Ink Character Recognition) Clearing
The MICR cheque pre-printed with the bank-branch code and account type in MICR
strip are read by high-speed readers and sorters at Service Branches of member banks
and the National Clearing Centres at Metros / Clearing Houses ensuring speeding up
of clearing work.
24
RBI plans national settlement system, BS Banking Bureau in Mumbai, May 04, 2005.
25
Modernizing Payment Systems is a Top Priority for Indian Banks, Banknet India’s Conference on Payment
Systems in Banks, Mumbai, January 17, 2006.
35
2.2.3.12 Certification and Digital Signatures
IDRBT is designated as the Controller of Certifying Authorities by the Government of
India for digital signatures. Consequently, the process of setting up of Registration
Authorities (RA) under the CA has commenced at various banks. In addition to the
Negotiated Dealing System (NDS), the ECS and EFT are also being enhanced in
terms of security by means of implementation of PKI and digital signatures using the
facilities offered by the CA.
26
RBI measures - Payment Systems, Extract from the Inaugural Address by Dr. Y. V. Reddy Governor, Reserve
Bank of India at Twenty-Fifth Bank Economists’ Conference (BECON- 2003) on December 11, 2003.
36
2.3 Internet Banking in India
According to Mishra (2005), the Indian Banking industry has come a long way and
the journey ahead, promises to be exciting and eventful. Developments and changes in
Indian economy during the last decade have created an entirely new set of
challenges27. According to Rao (et al, 2003) the application areas for the newer
technology in banks can be by and large divided in two categories28:
37
a. Throughout the country, the Internet Banking is in the nascent stage of
development (only 50 banks are offering varied kind of Internet banking services)
b. In general, these Internet sites offer only the most basic services. 55% are so
called 'entry level' sites, offering little more than company information and basic
marketing materials. Only 8% offer 'advanced transactions' such as online funds
transfer, transactions & cash management services
c. Foreign & Private banks are much advanced in terms of the number of sites &
their level of development.
29
Shore Dave, “Web-based solutions can ensure business continuity”, Tech Republic, 20 May 2002,
http://techrepublic.com.com/5100-10878_11-1048802.
38
2.4.1 Increased redundancy & multiple Data Center sites
Herring (et al 2002) says banks in US are cautious about increase in operational risk
arising out of use of more highly automated technology, large-scale mergers and
acquisitions, demand of providing large-volumes, increased prevalence of outsourcing
and the greater use of financing techniques.30 They tackle this risk by providing
redundancy for business continuity planning at the level of bank, industry and global
environment facing the danger of cyber-terrorism to the entire financial system.
Increasing disruptions faced by banks have revealed their lack of immunity in event
of disasters and is forcing them to re-evaluate the strength of their backup plans,
renew their focus on preparedness as they rethink their risk management strategies
and bolster their business continuity plans else they face the danger of even getting
extinct, believes Ryods (2007)31. As per him banks are supporting their BCM
structure on hot sites, web-based communications networks and modern imaging
solutions as tools needed to survive a catastrophe. Massaro (2003) enumerates that
recovery within target time during a wide scale disruption requires an appropriate
level of diversity between sites. Back up sites should not rely on same components of
infrastructure such as location, transportation, telecommunications, electricity and
water.32
30 Richard J. Herring and Frank Diebold, Operational Risk Poses Challenges to Financial Institutions and
Regulators, Published: July 03, 2002 in Knowledge@Wharton, Wharton School at the University of
Pennsylvania.
31
James Royds, founding partner of InfoSec Associates and past Chairman of Information Security & BS7799
Survive - The Future of Business Continuity Management, Credit Control, House of Words Ltd, Jan 2007.
32
Kerry Massaro, Mapping out BCP guidelines, Wall street Technology magazine, June 2003, pages 21 to 22.
33
Warren Coles, Executive Vice President, PULSE EFT Association, Houstan USA comments in his interview
with Bank systems & Technology, Planning for Continuity, Feb 27, 2006.
http://www.banktech.com/showArticle.jhtml?articleID=181400621
39
2.4.3 Well documented and communicated alternate processes
Watanagase (2007) states that banks in Thailand have ensured that their BCP covers
all critical business functions including those of key outsourcers and provide for
detailed procedures to recover operations within specified timeframe after disruption
with provision for alternate resources for operations such as headcounts, IT &
communication systems, office equipment, contracts, insurance policy and ‘Sites”. 34
Alternate Sites are located at a distance which would not be impacted by same mishap
and does not utilize the same sources of utilities. Banks provide regular BCP trainings
for employees and those concerned in operating using alternate processes and
resources. They disseminate information on alternate procedures elaborately to
establish customer relations procedures and methods in the event of a disruption to
reinforce confidence among stakeholders their ability to continue to provide normal
services.
34
Mrs. Tarisa Watanagase, Governor, Bank of Thailand. BOT Notification No. 118-2550 (23-01-07),Jan 23,
2007
35
John Kelly & David Stark Presented at the Reginald H. Jones Center’s 3rd Annual conference on the Internet
and Strategy- “The Internet and the 21st Century Firm” April 12, 2002(WP 2003-02).
36
Soutiman Das Gupta, “BCP Strategies – Banking in Business continuance”, Network magazine, Express
Computer group, Indian Express, Aug 2002.
40
‘anywhere anytime’ access to data ensuring high degree of continuity from customer
perspective during business disruptions.37
37
Jason King, Director of financial services, Hyland Software's Vendor's OnBase content management firm,
Ohio, USA comments in his interview with Bank systems & Technology, Planning for Continuity, Feb 27,
2006, http://www.banktech.com/showArticle.jhtml?articleID=181400621.
38
Pat Martin, Vice President, Corporate Communications, Regions Bank, Birmingham, USA comments in his
interview with Bank systems & Technology, Planning for Continuity, Feb 27, 2006
http://www.banktech.com/showArticle.jhtml?article ID=181400621
41
2.5 Business Continuity Management in Banks in India
There can be no doubt about the immense potential and unbound opportunities offered
by advances in Banking practices and use of technology39. However, there are pre-
requisites and preparations, which have to be made before the full benefits of the tech
economy, can be harvested. The Disaster Recovery (DR) management and Business
Continuity Plans (BCP) have gained significance after the events of September 11,
2001. Considerable emphasis is placed on regular review, updating and testing of
disaster recovery and business continuity plans.
Kamesam (2003) highlighted the use of technology for ensuring continuity in banks
by planning for disaster. He believes that the use of technology in manifold areas of
operations by banks and other institutions have made processes and functions
increasingly reliant on technology that has opened up vistas of operational risks,
which need to be addressed, and disasters planned for if the use of information
technology is to be prevented from backfiring. 40 Herring (et al, 2002) emphasizes that
payment failures and consequent financial disruption could be ignited by technical
failures thereby adding a new dimension of ‘operational risk’ to the existing array and
credit, liquidity, settlement and price risks, which operators, overseers and
participants of payment and settlement systems have to deal with41. All of this places
greater onus on bankers to take appropriate measures against such system failures,
including injecting additional liquidity to troubled institutions and/or systems to avoid
a technical failure from disrupting the entire system42. Kamesam (2003) asserts that
the dimension of technology risk has assumed critical importance post September 11
and RBI has taken BCP very seriously directing banks to implement two sets of
standby arrangements for each of the systems.
As per Das Gupta (2002), RBI has adopted a dual strategy for its Disaster Recovery
System (DRS) / BCP - one for mission critical applications and the other for other
applications so as to ensure that in case of any contingency, operations are resumed
within a minimal time gap of two hours in the case of mission critical applications and
within a day in the case of others43. While both the applications are planned to have
39
European banking industry attitudes towards IT continuity explored, 18th Jan 2006,
http://continuitycentral.com/news02296.htm
40
Kamesam Vepa, Deputy Governor, Reserve Bank of India, Excerpt from Address Delivered at Central Bank
of Sri Lanka, Colombo, August 20, 2003
41
Richard J. Herring and Frank Diebold, Operational Risk Poses Challenges to Financial Institutions and
Regulators, Published: July 03, 2002 in Knowledge@Wharton, Wharton School at the University of
Pennsylvania
42
Core Banking Infrastructure - Sustenance and Deployment, Special Report, Indian Bank’s Association, March
2006, http://www.iba.org.in/iba_ibs.asp#
43
Das Gupta Soutiman, Banking on business continuance, BCP Stratégies, Network Magazine, August 2002
42
off-city recovery and business continuity site/s, the mission critical applications are to
have on-city recovery and continuity site as well. Reddy (2003) indicates that the IT
resources and assets of banks are to be consolidated in the form of Data Centres both
at the Primary Site and at the Recovery and Continuity site/s. Data processing
requirements of the Central Office Departments (CODs) would be provided by the
systems at the Data Centre. Normal day-to-day operations of the Regional Office
(RO) applications and other locations would work independently, i.e., independent of
the Data Centres but would provide means to upload daily transactions to these Data
Centres. In case of an emergency, the affected COD/RO would operate the computer
systems from the Data Centre/s either remotely from the affected location or from its
application from any of the two Data Centres, asserts Das Gupta (2002).
44
James Royds, founding partner of InfoSec Associates and past Chairman of Information Security & BS7799
Survive - The Future of Business Continuity Management, Credit Control, House of Words Ltd, Jan 2007
43
International Standards45. This calls for reorganization of structure and processes
supported on sound ICT Infrastructure.
Reddy (2006) indicates that in the last five years, banks witnessed a significant
growth, as a result of which the share of off-balance sheet exposures in total assets
increased sharply to 152.5 per cent at end-March 2006 from 57.7 per cent at end-
March 2002, reflecting the impact of deregulation, risk management operations,
diversification of income and new business opportunities thrown up by advances in
information technology.46 Net profits of public, old private sector and foreign banks
increased by 17.3 per cent during 2005-06 as against the decline of 5.9 per cent last
year. Net profits of new private sector banks declined as compared with the previous
year. The Return on assets (RoA), which is an indicator of efficiency with which
banks deploy their assets, remained almost unchanged. 3.66. Return on equity (RoE),
an indicator of efficiency of banking institutions in using its capital, declined further
to 12.7 per cent in 2005-06, reflecting mainly the impact of a higher capital (Reddy,
2006).47
45
A comparative analysis indicates that average operating costs of bank in India as a percentage of assets is
2.7% as compared to progressive economies such as USA and Japan is at 1.7 percent – Jalan (Aug 2006).
46 Y.V. Reddy , Governor RBI, Report on trend and progress of banking in India 2005-06 June 30, 2006, Page
77 submitted to the Central Government in terms of Section 36(2) of the Banking Regulation Act, 1949
47 RBI Report on trend and progress of banking in India 2005-06 June 30, 2006, Page 84
44
2.6.2 Small banks face bigger challenge
Balachandran (2006), believes that small banks face inhibitors such as ability to spend
in technology and offering wide range of products at reasonable price as they do not
get advantage of economies of scale48. Resorting to consolidation of existing
infrastructure and resources can reduce this limitation to begin with. Joseph (2003),
based on research conducted by Peripheral concepts infers that most large banks have
comprehensive BCM solutions in place but small banks do not have even plans in
place49.
48
M.Balachandran, CMD, Bank of India, Seminar on “Indian Banking Shaping and Economic Powerhouse”,
Mumbai, 18th July 2006.
49
Kovar, Joseph F, Helping SMBs to weather the storm, CMP Media LLC quotes research conducted by Farid
Neema, President, Peripheral Concepts, Santa Barbara , www.CRN.com, pages 56, 57, 28 July 2003
50
Bimal Jalan, Governor, Reserve Bank of India, Indias economy in the new millennium, VBS Publishers Pvt.
Ltd, New Delhi, Aug 2006.
51 Financial Times, June 2005, Business Continuity and Disaster Recovery.
52
Dhawan, Consultant KPMG, comment in the article “Indian IT industry shies from investing in BCM
initiatives”, 7th July 2003, Express computers. Indian Express Group.
45
2.6.5 Conformity to International standards
Various measures initiated by RBI have brought about refinement in regulatory norms
and supervisory process, while providing increased operational flexibility to financial
institutions. Reddy (2006) informs that RBI endeavours to implement best prudential
risk management practices comparable to global standards through a transparent and
consultative process.
46
2.6.9 Management of outsourced services
Pereira (2002), believes that the complexity involved in rendering the reliable
technology based solutions leave banks with no choice but to outsource most of their
support activities that are backed by comprehensive Service Level Agreements
(SLA’s)53. Mani (2003) believes that the level of dependence on service providers is
very significant and hence service providers’ health is equally responsible for the
success of BCM plan. The entire supply chain including Service providers like rail,
road, air transport, telecom infrastructure providers, etc has to be fully prepared to
handle crisis so as to support business continuity management. Large banks have
most of their support processes outsourced to reliable agencies who are big and
reputed. These are also backed by comprehensive SLAs that are professionally
managed. Smaller banks have outsourced non-banking activities but to small time
players where both quality and reliability are below par.
Before September 11, 2001 organizations had inherent resistance to fund BCM
Projects. Shore (2002) indicates that the tragic events of September 11, 2001, hit the
financial sector particularly hard with respect to technology and business interruption.
It has been estimated that 30,000 securities positions (defined as trading, sales,
research, and operations positions) were lost in the seven WTC buildings, and another
15,000 to 20,000 positions in the adjacent buildings. It is estimated that it will cost
53
Brian Periera, implementing a Business continuity plan, network magazine, issue of Aug 2002.
54 Rahul Neel Mani, quotes KPMG survey in his article “Indian IT industry shies from investing in BCM
initiatives”, 7th July 2003, Express computers. Indian Express Group.
47
$3.2 billion to replace technology at the affected securities firms.55 As per Shore
(2002), these losses taught hard lessons to companies across the world about the need
for solid disaster recovery (DR) and business continuity (BC) planning. 56
55
Tower Group, a research and advisory firm, study 2002.
56
Shore Dave, Web-based solutions can ensure business continuity, Published: 5/20/02.
57
John Webster, a senior analyst at Illuminata Inc. in Nashua, N.H., Disaster Recovery Journal, September
2002.
58
Ambrosio Johanna, THE INFORMATION ARCHITECT: Disaster recovery: Know what you really need,
Published: 10/25/2001
59
Deloitte & Touché LLP and CPM Global Assurance conducted a survey of 200 corporate and IT managers
from various industries. Fifty percent of respondents said that they have a 20% increase over levels that
were five years ago in 2005.
60
O'Neill Shane, Senior News Writer, DR plans stuck on, 02 Feb 2005
61
Bleiberg Ron, SmartAdvice: Planning Ahead Means A Disaster Needn't Wipe Out Your Business, Aug. 22,
2005
62
Michael Croy, Director of business continuity for Forsythe Solutions Group Bank systems & Technology,
Planning for Continuity, Feb 27, 2006.
URL: http://www.banktech.com/showArticle.jhtml?articleID=181400621
48
Croy (2005) predicts that 90 percent of unprepared companies that suffer 10 days of
data center downtime for any reason will be out of business within a year.
Reddy (2006) emphasizes in his remark in RBI Report 2006 that it is imperative for
banks to prepare for business disruptions and system failures and ensure continuity of
operations. Such plans would provide resilience to banks to tide over natural
calamities. The unprecedented floods in recent times in a few cities and the resultant
reports of electronic delivery channels of some of the banks being affected has further
reinforced the need for robust business continuity plan (BCP) in banks. In recognition
of such eventualities, detailed guidelines were issued by the Reserve Bank in April
2005 requiring commercial banks to put in place business continuity measures within
63
a fixed time frame.
Reddy (2006) advises that banks while maintaining or increasing the level of
protection are to keep the total cost of BCM programs low to retain competitive
advantage. Emphasis must be laid on replicating those processes that enhance
meaningful Business Continuity by ensuring greater value to customers. Pereira
(2002) recommends that BCM plans cover the entire value chain of banking to ensure
that in no condition there is a loss to stake holder value and brand equity. Kapoor
(2005) asserts that BCP must be looked at from the perspective of larger issue of
sustainability or survivability of organizations and not at immediate profitability or
impact64.
Reddy (2006) quoting Mckinsy Consulting65 has advised banks to accelerate the
process of creating of world class supporting infrastructure and adopt alternative
approaches to win the “race for the customer” and build a value-creating customer
franchise. Banks, particularly PSBs have been instructed to fundamentally strengthen
institutional skill levels especially in sales and marketing, service operations, risk
management, the overall organizational performance, ethics and strengthen human
capital to remain ‘continuous and competitive’ from global perspective.
63
Courtesy: RBI Report on trend and progress of banking in India 2005-06 June 30, 2006, Page 189.
64 Sameer Kapoor, Executive Director, PWC comments in interview to Financial Times, June 2005 on
“Business Continuity and Disaster Recovery”.
65
Report “India Banking 2010” submitted by McKinsey Consulting to RBI that was included in RBI Report on
Trend and Progress on Banking in India 2005-2006, RBI Publication, June 30,2006.
49
2.7.3 The importance of Implementing BCM
Ninety four percent of businesses that suffer large data losses go out of business
within 2 years. Forty three percent of them never reopen and 51% close down within
two years being unable to sustain business losses66. Herbane (et al 1997) suggested
that banks need to invest in Business Continuity Planning by creating an organization
and infrastructure, to ensure:
66
Disaster Recovery Journal (Volume 15, No.3, Summer 2002).
50
MacSweeny (2003) lists the objectives of a good BCM system:
i. Effectiveness
ii. Efficiency
iii. Ease of implementation
iv. Good Documentation
v. Tested (frequent checks)
vi. Scalability
vii. Well Communicated
viii. Comprehensive – covering critical business operation
BCM Plan
51
2.7.5 The BCM Plan
Developing a BCM involves exhaustive planning that requires top management
support and buy-in of the entire organization. The succeeding paragraphs enumerate
67
Parthasarathi P., Chief General Manager, RBI, letter Ref. RBI/2004-05/420 DBS.CO.IS Audit.No.
19/31.02.03/2004-05 dated April 15, 2005 to All Chairmen / Managing Directors / Chief Executive
Officers of all Scheduled Commercial Banks
52
o. Having specific contingency plans for each outsourcing arrangement based on the
degree of materiality of the outsourced activity to the bank's business
p. Ensuring service providers for critical operations have BCPs in place and also
periodically test the same
q. Compatibility and co-ordination of contingency plans at both the bank and its
service providers
r. Action plans, practical manuals and testing procedures
s. Independent audit and review of the BCP and test results
t. Periodic updating to absorb changes in the institution or its service providers
2.7.5.2 Policy
No matter how good the technology protection that one puts in place, the onus is on
the effective development of policies that will allow organizations to react in
minimizing damage. A plan that is not enforced is not worth the paper that it is
written on.
a. Comprehensiveness of BCM plans
As per a report published in Security magazine, post the September 2001
incidence most large companies have put in place new company wide procedures
to improve their ability to deal with disasters of all kind even though the spending
on business continuity hasn't consistently increased 68. O’Neill (2005), says
“Companies that focus too much on technology have to realize that they are not a
computer center; they are running a business. Replication technologies from
storage vendors are improving, but successful business continuity starts with IT
and business units agreeing on how technology drives the business”.
68
Security magazine, New York : Rethinking Risk, Published: September 16, 2002
69
Ted DeZabala, principal and national security services leader of Deloitte & Touché, conducted a survey on
large number of companies in UK, commented Financial Services Technology September, 2002.
53
RBI has issued policy guidelines for all banks to maintain appropriate
organizations & structures to deal with major disruptions arising out of natural
calamities.70 As per Killawala, (2006), banks have a duty to provide customers
with uninterrupted access to bank accounts and must facilitate the opening of new
accounts by persons affected by natural disasters; especially so that people can
quickly receive relief and aid given by the Indian government and other agencies.
c. Processes
Changing business processes (internally to the institution and externally among
interdependent financial service providers) and new threat scenarios require
maintenance of viable BCPs. An effective BCP should take into account the
potential for wide-area disasters that impact an entire region and for the resulting
loss or inaccessibility of staff. It should also consider and address
interdependencies, both market-based and geographic, among financial system
participants as well as infrastructure service providers. Maiwald (et al, 2002)
observe that in most cases, Recovery Time Objectives (RTO) are now much
shorter than they were even a few years ago. It is, therefore, pertinent that banks
put in place a BCP including robust information risk management system and
thoroughly test it to verify its full capability against the changing scenario and
assumptions at frequent intervals.
Howarth (2004) in his study of banks in UK found that most of them were ill
prepared to deal with crises caused by physical or electronic disasters. Many of
them had a business continuity plan in place, only just over one-third of those had
suffered an IT disaster over the last five years. Only 50% of them used the
measures that they had put in place in the business continuity plan to solve the
problem.71 The inability to execute well-planned BCM impacts most organizations
that have structured BCM Practice implemented.
70
Reserve Bank of India provides business continuity instructions to banks, August 11, 2006
71
Compass Management Consulting, Survey Carried out in 2004
54
systems are to be eliminated and the potential of computerization fully realized.
Constant technological change poses a great challenge for human resource
development. Yodmani (et al, 2001) believes that advances in information and
communications technology has implications, in some cases radical implications,
for human resource functioning, attitudes and skill sets. There is a need for
considerable and continuous up gradation of human resource skills and fine tuning
of human resource management strategies with a view to enhancing the level of
knowledge, sharpening skills and also to instill the necessary attitudes and work
culture. 72
a. Planning
Business Continuity planning is a key pre-requisite for minimizing the adverse
effects of one of the important areas of operational risk – business disruption and
system failures (Maiwald et al., 2002)75. It is imperative that all banks have BCPs
in place to be in readiness to tackle serious business disruptions. As per
Parthasarthi (2005), the responsibility in respect of BCP rests with the Board of
directors and the top management to provide clear policy guidance and direction,
prioritizing critical business functions, allocating sufficient resources, reviewing
test results and ensuring maintenance and periodic updating.
72
Trivedy Ravi, Partner KPMG and Girish. V., BFSI Consultant, Excerpts from meeting held on August 22,
2005 and September 19, 2005 respectively.
73
Hidden threats to enterprise: will your business continuity go according to plan? Report published in Financial
Services Technology June 2003.
74
Romir Bosu, CEO for CompuShare (South Coast Metro, Calif.), a provider of information technology
consulting and solutions for the financial services industry.
75
Maiwald Eric & Seiglein William, Security Planning and Disaster Recovery, McGraw-Hill Professional,
Osborne, USA, Jan 2002, P 235 – 249.
55
b. Planning Process
For financial services organizations, successful contingency plans need to
establish how to provide continued access to business processes while maintaining
security and confidentiality in the event of an incident. It is important to remember
that BCM is concerned with defining a set of business consequences 76
During this phase of a BCM plan, the project team must define business processes
and collect supporting data. Sharp (2003), explains that some BCM planners may
get lost trying to understand complex business processes and trying to put them
into the right context for the plan while others may understand the processes, but
are stymied by poor document management. Many of the snags described here are
due to poor preparation during the project planning process. As per Olstick
(2004), a thorough effort at the beginning of the project will quickly uncover any
areas where data gathering may require some detective work.
76
Hidden threats to enterprise: will your business continuity go according to plan? Report published in Financial
Services Technology June 2003.
56
attack, the FBI discovered that the only copies of some vital paper documents (for
specific investigations) were destroyed with its office in the World Trade Center.
Staff work related documents such as ‘Human Resource’ (HR) records (most of
which remain paper based) are always at point of vulnerability. As per Smith
(2002), organizations must make concerted efforts to move from paper to
electronic documents that are either supported by strong backup and recovery
systems or managed by a service provider.77
RBI has issued policy guidelines for all banks to maintain appropriate
organizations & structures to deal with major disruptions arising out of natural
calamities.80 As per Killawala, (2006), banks have a duty to provide customers
77
Smith Laura, The new face of disaster recovery, Published: Mar 2002.
78
Donna Scott of the Gartner Group, Stamford, CT. comments in “Leading Companies Revive Focus on Best
Practices to Bolster Profits in Recessionary Climate”, February 26, 2002.
79
Security magazine, New York : Rethinking Risk, Published: September 16, 2002
80
Reserve Bank of India provides business continuity instructions to banks, August 11, 2006
57
with uninterrupted access to bank accounts and must facilitate the opening of new
accounts by persons affected by natural disasters; especially so that people can
quickly receive relief and aid given by the Indian government and other agencies.
f. Evaluating Plans
Mani (2003) recommends that BCP should take into account the project
management procedures, change management process, data center process,
backup and recovery process based on a sound methodology. The plan needs to be
continuously evaluated and revised whenever the bank forays into new business
tools and areas, either as part of a re-engineering process or for introducing new
products and services. As per Mani (2003), the relevant portion of the BCP
adopted ought to be disseminated to all concerned, including the customers, so
that the awareness would enable them to react positively and in consonance with
the BCP81. The part of the plan kept in the public domain should normally be
confined to information relating to the general readiness of the banks in this
regard.
g. Cost
BCP involves cost implications. While banks may consider cost-effective
strategies of BCP, the strategies considered should provide an adequate level of
comfort and assurance in tackling serious disruptions. Moreover, the mitigating
solution should be commensurate with the nature and complexity of their business
operations. Mani (2003) assets that banks should consider insurance as a risk
mitigation strategy for externalizing risks to a third party so as to reduce financial
exposure in the event of disruptions. However, diligence needs to be exercised in
regard to the nature of insurance and the certainty of payments.
81
Rahul Neel Mani, Indian IT industry shies from investing in BCM initiatives,
http://www.expresscomputeronline.com/20030707/indtrend1.shtml, 7th July 2003
58
2.7.6.1 Procedures
All types of threats and vulnerabilities are identified to reduce risk or Impact of
discontinuity and keep business in operation with minimal disruption and ensure
safety of personnel & equipment, protection of assets and minimize confusion and
uncertainty, quick rebuilding and return to normal processing and re-establishing
market share and customer Confidence. Banks must learn from the incidence and
document actions that can be taken in future82 (Mawson, 2003). Technology and
Procedures under the control of BCM recovery team must be comprehensively
documented giving all details of operating with alternate systems and connecting
application data to recovery servers and systems83 (Brooks, 2003). Banks deploying
comprehensive BCM practice multiple site operations. They mirror their primary sites
to a nearby local site (hot site) in some kind of load balancing configuration. Another
site that is situated much farther away, asynchronous, and possibly maintained by a
managed service provider serves as a cold site. This protection is costly and it usually
means some degree of downtime as BCM teams emulate corporate systems in remote
data centers (Oltsik, 2004). Each site is a source for one other and a target for other,
providing a round-robin sort of high availability, while not wasting any resources on
passive mirroring84 (Ferguson, 2002)
The growing threats and increasing need of secure electronic exchange has
necessitated enforcement of security procedures and encryption to combat cyber
terrorism85 (Boulton, 2005). Banks with higher level of BCM have tightened security
procedures, decentralized computing and storage systems and relocated data centres
ensuring physical separation of technology and business processes to meet RTO
objectives during disruptions86 (Fucito, 2004). Banks are putting together
comprehensive security policy encompassing all organizational assets and IT Systems
with proper assessment of vulnerabilities backed by appropriate technology to protect
them87 (Luft, 2005). They have established relationships with outsourcers that provide
disaster-recovery hot sites given the increasing vulnerability of data centers to
physical damage and ensure continuity by relocating data centers, or moving to a
more distributed data processing or storage architecture (Bleiberg, (2005)
82
Thomas Mawson, Executive Director, DRI international, Virginia, Risk evaluation & Control, Security
Magazine, May 2003
83
Brooks Darryl, Best Practices, Published: Nov 2003,
http://storageMagazine.techtarget.com/magItem/1,291266,sid35_gci935908,00.html
84
Donald Ferguson, an enterprise storage consultant, from EMC, Hopkinton, MA, USA provided his views of
“Configurations in Future” to Smith Laura, in her article “The new face of disaster recovery”, Mar 2002.
85
Boulton Clint, Bank Data Leak Jumpstarts Encryption Talk, March 2, 2005,
http://www.internetnews.com/storage/article.php/3486786
86
Fucito Robert, BNP Paribas, Business Continuity report (2004)
87
Luft David, Proactive plans thwart SMB threats, Published: 15 Jun 2005
59
2.7.6.2 People
Successful BCM Implementation relies on effective use of Key Personnel who
empowered and motivated individuals with good understanding of business processes.
In order to perform during major disasters, banks have accessible detailed
organization chart showing lines of succession with job descriptions for every
position and training levels / certifications for each employee to enable manning of
key positions quickly, should some personnel be unable to perform their tasks after an
event (Bleiberg, 2005). They have well spelt out plan for deploying people to back up
sites in distant remote locations by having alternate transportation arrangement88
(Hunt, 2004). Key people are be assigned to each alternate role to form teams who
will be available and possess wherewithal to perform with speed and efficiency during
a discontinuity89 (Kelly et..al, 2002).
People have been found to perform during disaster situation if they possessed high
stress-tolerance levels and are assured of safety and welfare of their family90 (Barnes,
2005). Communications have played vital role in ensuring business continuity while
operating from remote alternate location, to enable key personnel make contact and
report their locations (O’Neil 2005). Banks must ensure that all appropriate staff is
trained for their respective plan components and be aware of details such as the
locations of emergency power off switches, fire suppressant and alternate power
supply systems, etc to be resilient. (Hunt, 2004)
2.7.6.3 Technology
Technology is a core component for banks for delivery of their services effectively.
Banks that have attained high reliability of systems have deployed dispersed and
distributed IT Infrastructure comprising of n-tier client-server systems, networked
storages and portable data storage platforms of appropriate technology. Their BCM
strategy incorporates applications running on multiple platforms with mirroring and
replication of data with automatic fallback capabilities supported on variety of options
provided by telecom providers to ensure greater reliability and higher continuity.
88
Hunt Hal, commented on “Lesson of Hurricane Hugo” on ECT News Network, at 6:00 AM on May 08, 2004
89
John Kelly & David Stark Presented at the Reginald H. Jones Center’s 3rd Annual conference on the Internet
and Strategy- “The Internet and the 21st Century Firm” April 12, 2002(WP 2003-02)
90
Barnes Peter, FBCI, Planning for people, March 18, 2005, http://www.continuitycentral.com/feature0186.htm
60
and Replication all provide highest possible levels of RTO & RPO Four principal
hardware delivery platforms deployed to affect BCM infrastructures are: Storage
array, General-purpose server, Purpose-built Storage Appliance and Intelligent
storage-networking switch. The choice of platforms is based on expected levels of
reliability and total cost of ownership. The technologies, products and SLA
requirements and compliance regulations must be reviewed and updated periodically.
The growing threats and increasing need of secure electronic exchange has
necessitated enforcement of security procedures and encryption to combat cyber
terrorism. Banks need to have comprehensive security policy encompassing all
organizational assets and IT Systems with proper assessment of vulnerabilities backed
by appropriate technology to protect them. Many banks have tightened security
procedures, decentralized computing and storage systems and relocated data centres
ensuring physical separation of technology and business processes to meet RTO
Objectives during disruptions.
2.7.6.4 Facilities
Banks must have physical facility protection agreements in place for occupying other
locations from which business can be conducted for an extended period of time
(Bleiberg, 2005). Decision to provide either limited or comprehensive recovery
facilities depends on cost and strength of the service provider in making “redundant”
office space ready to use in case of an incident. BCM site is equally expensive and
complicated, especially when the temporary site has to be maintained to the same
level as the real work environment. This extra cost can be offset somewhat with new
products that exploit Internet based solution provided to staff / partners on their
desktops to possibly allow them to continue working from home locations (Shore,
2002). Availability of electrical power is prime factor in ensuring business continuity
as has been amply established during major disasters experienced by banks in
Mumbai.
61
well known consulting firms in India. A brief schematic is depicted in figure 2.2 and
enumerated in detail in Annexure 1.
62
Preparing to implement a BCM
Formation of BCM Implementation team – Bank
officials and Consultants
Formulation of BCM Budget (One time, Annual
maintenance and Updating costs
Risk Identification (Threats & Vulnerabilities)
Project Initiation
Mission Statement & Objectives
Details of resource requirements
Steering Committee &Reporting Process
63
BCM Implementation relies heavily on effective use of Key Personnel who are
empowered and motivated individuals with good understanding of business processes.
It must ensure safety of personnel & equipment, protection of assets and minimize
confusion and uncertainty, quick rebuilding and return to normal processing and re-
establishing market share and customer Confidence. Banks must learn from the
incidence and document actions that can be taken in future.
a. Project Initiation
Supported by Senior Management objectives must be drawn and project plans
prepared. The plan is to enumerate budget giving details of resource requirements
and reporting process.
64
c. Designing and Developing a BCP
Business continuity strategy must be in line with organizational strategy and
consistent with agreed business objectives and priorities. The plan must be
feasible, realistic and workable and should be able to effectively counteract
interruptions to business activities and to protect critical business processes from
the effects of major failures or disasters.
A Business continuity planning framework comprising of three sections is
suggested:
One - Sequence of resumption / recovery
Two - Steps to operationalize plan
Three - Maintenance Schedule & upgradation
d. Implementation
Banks must establish trained and committed teams to lead, manage and direct the
organization through the crisis and provide necessary technical, operational and
administrative support to move to alternate scheme during discontinuities and
recover to normal scheme once crisis is over. Agreement must be entered into
with appropriate vendors for delivery of replacement service/support within
critical time frames. Allocation of responsibilities, systems and processes must be
worked out and communicated to all concerned.
e. Testing
BCM Plan and operating scheme needs to be tested for efficiency and relevance
from annually or after major organizational changes or an incident. Testing proves
that BCP is feasible and demonstrates the ability of the organization to recover.
65
2.8.3 Disaster Management
Disaster management is effected in the four distinct phases namely, mitigation,
preparedness, response and recovery As per DR Institute, Canada outlines the priority
in which disaster situation needs to be responded is Safety and prevention of injury to
personnel on site first, prevention or limiting damage to facilities and equipment
second and keeping critical business functions operational next. Crisis once triggered
and not responded to appropriately can expand. This is depicted in figure 2.3 below
and enumerated in Annexure 1.
Disaster Management
Disaster Response
Disaster Declaration
Phases of a Crisis
Pre-existing conditions
Crisis Trigger
Crisis Expansion
Crisis Response
Incident Response Team
Response
Prior to an Incident
During an incident
Following an Incident
Crisis Resolution
Impact on People
Managing Media
The first objective of DR is to limit the damage and restrict crisis expansion. The team
taking charge during a crisis ought to be sensitized to family issues, stress and health
& safety of the fellow employees. Banks must have an approved incident response
66
plan to prevent pressured decisions that may effect fair and balanced response. A
credible spokesperson must lead the Media and provide Information to avoid
speculations.
67
The advancement in Information and Communication technology has revolutionarized
e banking as it allows bank branches to network at a relatively low and affordable cost
with a high degree of reliability. RBI has created necessary infrastructure and
processes through Institute for Development and Research in Banking Technology to
provide safe and secure integrated payment settlement systems using secure channels
and encryption. The setting up of network and systems such as BANKNET,
INFINET, S.W.I.F.T has facilitated electronic fund transfers, debits and clearances,
reporting and settlement systems. These networks have been the catalyst in
implementation of Real Time Gross Settlement Systems, National Settlement Systems
and Central Funds Management Systems. (Seokumar, 2005)
The measures of deregulation and increased competition has lead to a situation where
the survival of those banks who do not attain higher levels of operations in continuity.
Traditional banking in India is facing unprecedented competition from non-traditional
banking institutions, which offer services electronically. Internet banking is changing
banking relationships by providing exceptional savings, low rate credit cards, ease of
applications and 24-hour access. Banks are increasingly using advance technology to
implement “Customer Centered Applications” and with high-end functionality such as
Risk Management, Credit Monitoring etc. Growing customer awareness, higher
demand for low cost electronic services and convenience and integration of banking
services with e-commerce have resulted in highly competitive internet banking market
and those banks who don’t offer modern banking will become marginalized.
RBI has issued detailed guidelines to banks to implement BCP to carry out
comprehensive risk assessment and establish infrastructure, organization and
processes to ensure realization of targeted RPOs and RTOs. The plans have to be
supported by getting into agreements with trusted and reliable agencies. The
responsibility in respect of BCP rests with the Board of directors and the top
68
management to provide clear policy guidance and direction. The BCM must be
reviewed and upgraded periodically. Banks must resort to insurance as risk mitigation
strategy for externalizing risks to third party by reducing financial exposure during
disruptions. Reserve Bank has adopted a dual strategy for its Disaster Recovery
System (DRS) / BCP - one for mission critical applications and the other for other
applications. The approach towards Business Continuity is to ensure that in case of
any contingency, operations are resumed within a minimal time gap of two hours in
the case of mission critical applications and within a day in the case of others. RBI
recommends that the IT resources and assets are to be consolidated in the form of
Data Centres both at the Primary Site and at the Recovery and Continuity sites.
Sound BCM plans are based on four elements: Procedures – to take actions during
disruptions and resumption to normalcy; People – roles and responsibilities of key
personnel who are aptly trained to meet all contingencies are well defined and
communicated; Technology – the systems must operate using state-of-the-art ICT
infrastructure supported on best international practices; Facilities – Data Centres and
Offices to provide continuous operation of business and systems.
69
2.10 Conclusion
The literature survey highlights the experiences of banks, mostly abroad and few in
India, the need for comprehensive BCM plans supported by the entire organization.
The BCM must be operated on reliable and rugged technology infrastructure
supported by well articulated and communicated processes. The importance of people
in successful implementation of BCP has been cited many times. There is evidence of
varying degree of success in achieving continuity through BCM implementation by
various banks.
The salient features of successful BCM implementation have been summarized into
parameters under four clusters of process, people, technology and facilities. These
have to be validated and enhanced by undertaking primary data survey in select
banks. The measures of effectiveness of these parameters in relation to business
continuity need to be worked out.
70
CHAPTER 3
RESEARCH METHODOLOGY
3.0 Preamble
There has been phenomenal multiplication of economic growth in last twenty years in
India fueled by the process of globalization and liberalization. This has led to
increased automation and collaboration of economic activities involving businesses
and banks. This phenomenon has ushered in irreversible socio-economic changes in
terms of consumerism and rising customer expectations as regards speed and quality
of service. Banks are the glue between the demand and supply to effect transactions,
mostly electronically and are therefore depended upon heavily by the society. There
are sweeping changes across the world as regards socio-political changes post cold
war era and realignment of political objectives. This has increased imminence of
terrorist attacks that are becoming too frequent posing severe risks to continuity of
businesses, banks in particular. This situation is worsened by increase in frequency of
natural calamities and disasters probably due to global warming and extensive
mechanization. Business continuity therefore is the very fundamental requirement of
any organization that intends to render continued high performance and sustainable.
Banks in US & Europe have faced large-scale disasters and hence have augmented
their BCM approach. They have increased redundancy of key resources and switched
to multiple Data Center sites operation by collaborating with third-party partners who
have multi site and multi platform capabilities supported on dependable
communication network. Banks have devised alternate processes that covers all
critical business functions including those of key outsourcers which they have well
documented and communicated. They have disseminated the information on alternate
procedures elaborately to all stakeholders and customers thereby increased their
confidence in banks’ ability to provide normal services during disruptions.
71
Banks are implementing document management and imaging systems using modern
tools to house their loan documents. They have endeavored to ensure high availability
of solutions and productivity of employees while top management is focusing on
improving communication with customers and employees during disruptions to
customer confidence, brand value, market position.
RBI, in recognition of increase in eventualities that might even throw banks out of
business, has issued detailed guidelines directing commercial banks to put in place
business continuity measures with lower cost of BCM programs to retain competitive
advantage total cost of BCM programs low to retain competitive advantage. The have
been asked to accelerate the process of developing world class supporting
infrastructure and adopt alternative approaches to serve the customer by creating a
vibrant banking organization orientated to market dynamics providing relevant
interfaces between market demand and delivery capability. Indian banks have posted
higher ‘Net Profits’ and ‘Return on Assets’ during the last few years and have
improved efficiency of operations significantly. The average cost of operations in
Indian Banking, however, is higher in comparison to International Standards.
BCM effectiveness of banks in India can be achieved through BCM Model that are
deduced from experiences of banks in west but are adapted to Indian conditions and
comprehensive metrics to assess the effectiveness, point at gaps and provide
suggestions for improvements. Both these are absent in literature and highly needed
which is the motivation to conduct the research and present desired deliverables that
will serve the cause of achieving high level of continuity in banks particularly in small
and medium category as they support the financial requirement of bulk of the country.
72
3.2 Non-Existence of Framework for Measurement of BCM effectiveness
There is no recognized framework to measure effectiveness of BCM implementation.
Pioneering effort by Financial Services Technology Consortium (FSTC) in USA is
currently underway to device a metrics.
Kelly (et..al 2002) believe that crisis recovery is a response to extreme uncertainty
and view it as a form of innovation and suggest that metrics to measure BCM
preparedness are similar to metrics for innovation. Further, the crucial aspect of being
resilient in meeting discontinuities is not the type or currency of technology but the
interface between people and technology and ability of people having high degree of
‘digital culture’ to make the technology work in face of disaster. Das Gupta (2002)
believes that in times to come their customers investors, employees, fiduciaries,
everybody, counter arties, everyone who looks at a bank’s worthiness banks are going
to value them on their preparedness by to meet discontinuities.
1
Charles Wallen, Managing Executive, FSTC's Business Continuity, Standing Committee and Project Director,
Bank systems & Technology, Resilience You Can Measure, Dec 01, 2006.
URL: http://www.banktech.com/showArticle.jhtml?articleID=196513070
73
3.3 Choice of Mumbai as Representative Sample
Mumbai, popularly known as the financial hub of India, has been chosen as a
representative sample as it possesses scale, scope and comprehensiveness of banking
activities. It has the largest concentration of banks, export units, capital markets and
special attention of the government of India. The salient features of Mumbai as a
representative of banking in India are given below.
2
RBI Report on trend and progress of banking in India 2005-06 June 30, 2006, Page 116
74
3.3.3 Concentration of control of banking activity in the country
The regulatory bank RBI and the largest PSB headquarters are situated in Mumbai.
The other prominent banks having their headquarters in Mumbai include Union Bank,
Bank of Baroda, UTI Bank, etc from PSBs group, ICICI bank, HDFC Bank, Kotak
Bank, etc from Private Sector Banks and India headquarters of Citibank, HSBC, ABN
Amro, etc from the Foreign banks. There are Regional offices of almost every bank
in India for the Western Region, which accounts for major share of banking in the
country3. The think tank of designing, ensuring execution and constant upgrades of
BCM practices in most banks in India resides at these offices in Mumbai. This
enables a researcher to get a comprehensive view of BCM policies, organizations,
implementation data and lessons from past from the collective organizational
knowledge being present at Mumbai.
3
Comments of Mr Girish V, Principal Consultant, Banking association of India and editor Banking Frontiers,
magazine.
4
Comments of Dr.R.B.Burman, Executive Director, RBI made to the researcher in special meeting organized in
his office on March 20, 2007
5
Comments of Sundaram Kalyan, General Manager (IT) Bank of Baroda, BKC, Mumbai during the meeting on
12 May 2007.
6
Comments of Trivedy Ravi, Partner KPMG, Banking vertical division, during meeting Apr and 16 May 2007.
75
3.3.6 Presence of Central / Regional Data Centers
Central data centers of SBI, ICICI, HDFC, Bank of Baroda, Union Bank, UTI Bank,
Kotak bank are located at Mumbai. These data centers are most advanced units and
have almost every aspect of technology and practice present. The effect of
discontinuity of operations and the impact on banking has been witnessed by these
data centers, their staff and support agencies. They can provide insight into utilization
of technology, the back bone of modern banking, both in normal and alternate modes
of operations as they have the first hand experience not felt by banking outfits
elsewhere in the country.
Parameters
Clusters
Focus Groups
Validation Parameters
Focus Groups
Model
Figure 3.1 Steps in development of BCM Model
76
3.4.2 Operational and infrastructural issues
Issues related to procedures, policies and infrastructure (IT and facilities) from
operational (organization, processes & people) perspective that are required to ensure
high level of preparedness in Banks to ensure continuity were studied and critical
parameters identified. The study does not look at banking and financial risk and
focuses only on banking operations as regards continuity.
77
3.5 Research Methodology Framework
The state of BCM implementation in Indian Banks and the gaps therein as compared
to the progressive banks in west and absence of comprehensive BCM implementation
and measurement framework the methodology to undertake research has been worked
out. The scheme is given in figure 3.2 below:
Stage 1
Literature Survey
Stage 2
Primary Data Survey in selected
Banks in Mumbai
Parameters for
Finalized BCM Hypothesis partly BCM Model &
Framework tested Metrics Identified
Stage 3
Model Development & Testing
Stage 4
Application of Metrics to select
Banks in Mumbai
Recommendations to
Analysis of Management of Testing of
Findings Banks for High Hypothesis
Business Continuity
78
3.5.1 Survey in select Banks
A survey of select banks in Mumbai was carried out to validate the BCM
implementation framework deduced from literature survey as enumerated in
paragraph 3.2.1 above, test the hypothesis of study and identify parameters that will
form the BCM Model and Metrics of evaluation. The process is enumerated in
succeeding paragraphs.
a. Interviews
Senior officials and supervisor of the target banks were interviewed to gather
macro level information. Preparation for these interviews were made based on the
secondary research carried out and enumerated in Chapter 3 as well as the
guidance received from six consultants who have executed / consulted for variety
of banking projects. The steps followed are enumerated below. These
progressively refined as the researcher gained finer insights after 6 to 8 interviews
were conducted were:
i. The officials to be interviewed were sent objectives of study and broad topics
that are to be discussed along with request for their time at their convenience.
ii. The interview durations ranged from 45 minutes to one and a half hour in their
offices. All respondents were given at least seven days period to go through
the requirements before the interaction.
iii. Most interviews were held late in the evenings or early morning so that the
respondents were at ease and not pressurized by their daily workload
requirements.
iv. For recording interviews “Dictaphone” was used. Paper-pen recording was
resorted to in case of those respondents who had objection to audio recording
of their responses.
v. Information recorded during interviews was collated and sent to the
respondents for validation by emails or hardcopy printouts.
vi. Almost 70 % respondents had sent amendments / alterations which were
incorporated. Others confirmed that recording was as per their views.
79
vii. The responses from officials of the five target banks were then compiled and
sent to selected consultants from leading consulting organizations for their
comments or views. The identity of bank and respondents was kept secret.
Indications to the level (designation) of the official and the type/size
(Private/Public sector & large/medium).
viii. Each response was sent to two different consultants ensuring their views for
different set such as (Public-large, Public medium, Private large, Private-
medium).
ix. Responses / suggestions from consultants were taken into account while
summarizing the findings (given in Chapter 4, paragraph 4.3 ahead)
80
iv. Most interactions were held late in the evenings or on Saturday afternoons so
that the respondents were at ease and not pressurized by their daily workload
requirements.
v. Most responses were recorded on paper as majority of respondents in this
category had objection / aversion to audio recording of their responses.
vi. Information recorded during these interactions was collated and sent to the
respondents for validation by emails or hardcopy printouts. One copy was also
sent to their supervisors as per the agreed terms and conditions.
vii. Most respondents had confirmed that recording was as per their views. About
50 % sent additional information (data, diagrams ) after going through the
records of their responses.
viii. The responses from officials of the five target banks were then compiled and
sent to the supervisors in the bank concerned for their comments and approval.
Most supervisors gave their consent after going through the final tabulated
responses. However about 15 % asked for a joint meeting with the respondents
to clarify certain perceived anomalies (mostly on processes or specifications of
technology deployed)
ix. The final tabulated responses were then sent to selected consultants from
leading consulting organizations for their comments or views. The identity of
bank and respondents was kept secret. Indications to the level (designation)
and department of the official and the type/size (Private/Public sector &
large/medium) were made.
x. Responses were clustered department wise across banks and sent to two
different consultants ensuring their views for different set such as (Public-
large, Public medium, Private large, Private-medium).
xi. Responses / suggestions from consultants were taken into account while
finalizing the details given in Annexure 2 corresponding to their banks and
summarizing the findings (given in section 4.8 ahead).
c. On Spot Observations
Spot observations were made to gain insights into organization, processes,
business touch points and data centers. The following steps were undertaken:
i. Spots were so chosen as to cover various geographic locations for the target
banks (North Mumbai district, Central Mumbai district, Western Mumbai
district, Eastern Mumbai district & New Mumbai).
81
ii. Offices were chosen so as to cover the range of baking operations (Retail,
Corporate, Investment etc.)
iii. Day timings were so chosen as to cover ‘busy’ or ‘peak’ period and ‘lean’
period while making observations.
iv. Paper based recording was resorted to use of photography was prohibited by
almost all banks.
v. Information recorded during these observations was collated and sent to the
supervisors of the concerned banks for validation by emails or hardcopy
printouts. Almost 55 % of respondents sent their comments that were
incorporated.
vi. The final tabulated responses were then sent to selected consultants from
leading consulting organizations for their comments or views./ The identity of
bank was kept secret. Indications the type/size (Private/Public sector &
large/medium) of the bank were made.
vii. Responses were clustered observation entity wise (Data centers, ATMs,
Branch office, etc.) across banks and sent to two different consultants ensuring
their views for different set such as (Public-large, Public medium, Private
large, Private-medium).
viii. Responses / suggestions from consultants were taken into account while
finalizing the details given in Annexure 3 corresponding to their banks and
summarizing the findings (given in section 4.8 ahead).
a. Banks
The basis of selection of banks was to choose one each from
i. Public Sector – Large (SBI)
ii. Private Sector – Large (ICICI)
iii. Public Sector – Medium (UTI / Axis)
iv. Private Sector – Medium (HDFC)
v. Modern bank – Greater degree of online operations (GTB / OBC)
82
b. Respondents
i. The level (designation) of the official commensurate with category of
information being solicited (strategic, operational, technological).
ii. The period that the respondent has spent in the bank (at least 5 years) and in
the branch (at least 2 years)
iii. Recommendation of the supervisor concerned as regards relevant knowledge
of the respondents in case of functional / mid level executives.
iv. Involvement of the respondent in project work under which such initiatives
were being taken either as a core team member or internal audit team.
v. Willingness of the respondent to participate in the survey. Some respondents
recommended by supervisors did not show interest and hence had to be
replaced.
Top 2 16 1 14
Middle 2 16 2 28
Functional 3 24 2 28
Total Respondents 56 70
Average Respondents 25 40
83
3.5.2.1 Methodology for Development of BCM Model and Metrics
The methodology to develop BCM Model and metrics to assess strength and
vulnerability of BCM intervention in Banks both prior to post implementation is
described in Annexure 3. The Steps taken to develop and test the BCM model
together with metrics to measure effectiveness are enumerated succeeding
paragraphs.
c. BCM status and experience in two large, two medium and one modern bank as
culled out from learnings accrued after an elaborate survey of five target banks in
Mumbai.
a. The officials to be interacted were sent the set of questionnaire and themes as
mentioned in Annexure 3.
7
Shore Dave, Web-based solutions can ensure business continuity, Published: 5/20/02,
http://techrepublic.com.com/5100-10878_11-1048802.html?tag=search
8
Srinivasan M. R., Chief General Manager-in-Charge, Internet Banking in India – Guidelines to All Scheduled
Commercial Banks, DBOD.COMP.BC.No.130/ 07.03.23/ 2000-01, June 14, 2001
84
c. Most interviews were held late in the evenings or early morning so that the
respondents were at ease and not pressurized by their daily workload
requirements.
e. The model, grouped into five clusters - Organizational pertaining to Soft issues;
Processes; People; Technology; and Hard Organizational issues pertaining to
Facilities 9(Bleiberg 2005) was given shape in terms of elaborations on measures.
f. The draft (first-cut) Model was then sent to a set of four selected consultants from
leading consulting organizations for their comments or views. The identity of
bank and respondents was kept secret. Indications to the level (designation) of the
official and the type/size (Private/Public sector & large/medium) were made.
g. Each response was sent to two different consultants ensuring their views for
different set such as (Public-large, Public medium, Private large, Private-
medium).
h. Responses / suggestions from consultants were taken into account to fine tune the
parameter descriptions. These parameters were grouped in four levels - Planning /
Policy, Tactical, Tools / Methods and Review / Testing for each cluster.
a. The model was administered to one senior official, one supervisory and two
functional managers to test the efficacy, correctness and completeness. The
sample selection was based on the experience gained by the researcher about the
understanding of the respondent and recommendations made by peers.
9
Bleiberg Ron, SmartAdvice: Planning Ahead Means A Disaster Needn't Wipe Out Your Business, Aug. 22,
2005, http://www.fileon.com/press/articles/disaster-neednt-wipe-out-business.html
85
c. The observations made were discussed with experts (consultants) to fine-tune the
parameter descriptions and elaborate objectives and measures of strength and
vulnerability of BCM implementation.
d. The model and metrics were evaluated by Focus Group discussions employing the
Delphi technique, with senior bank managers from the selected banks and
consultants from the top consulting companies in India.
3.5.4.1 Banks
Top 2 10 2 12 2 16
Middle 2 10 3 18 3 24
Functional 3 15 2 12 2 16
Total Respondents 35 42 56
Average Respondents 25 30 45
86
3.5.4.2 Respondents
b. The period that the respondent has spent in the bank (at least 5 years) and in the
branch (at least 2 years)
d. Involvement of the respondent in project work under which such initiatives were
being taken either as a core team member or internal audit team.
87
a. Large Banks
b. Medium Banks
c. Small Banks
i. Yes Bank
ii. Dhanlakshmi Bank
iii. IndBank
iv. Saraswat Bank
88
3.6 The Research Objectives
The literature survey brought out limitations of wealth of knowledge as regards
applicability to Indian banks and measurement criteria for effectiveness of BCM
implementations. The objectives to undertake research are enumerated in succeeding
paragraphs.
89
in upgrading infrastructure and delivery models for banking. There is no framework
to measure effectiveness of BCM implementation unlike what one finds in the
discipline of engineering and medicine
3.7 Conclusion
The BCM implementation experiences presented in the literature are rich but focus on
North America and Europe. These experiences are mostly highlighting specific
aspects of BCM and DRS and do not provide holistic approach to develop and
implement BCM in Banks. The research methodology suggested in this chapter
transcends following path:
The research work aims to present a comprehensive BCM Metrics Reality Check
Model that has not been developed as yet. One such model is under development
under the aegis of Financial Services Technology Consortium, USA. Mumbai has
been chosen as representative sample for banks in India as it has largest concentration
of Banking activity in the country where all types and levels of banks take part.
90
CHAPTER 4
BCM SURVEY IN INDIAN BANKS
4.0 Introduction
The rise in economic activity in Asia, particularly India and China, during the last
decade has spurred a surge in banking activities. Technology-driven developments in
the financial markets combined with a shrinking universe and the change in outlook
of society from that of “saving for the future” to “consume to make a better present
leading to brighter prospects” have put pressure on the banking industry to provide
continuous and reliable service. The Reserve Bank of India regulations and guidelines
on implementation of technology require banks to create reliable IT infrastructure and
support procedures to ensure high quality service at all times. “The benefits to be
derived from the use and adoption of technology cannot be exaggerated. Central
Banks the world over have been providing their unstinted support to development of
technological infrastructure and to IT innovations in the banking sector. There is no
doubt in my mind that technology usage is a core component of all future efforts of
central banks to improve their deliverables and to play their defined role more
effectively. No system or institution can hope to benchmark itself against international
standards without making optimal use of technology”, remarked Shri Vepa Kamesam,
Deputy Governor, Reserve Bank of India in his address to the Central Bank of Sri
Lanka, Colombo, on August 20, 2003.
91
The purpose of the study was to collect data and other information on the following
aspects:
a. The mission and objectives of the bank in the changed environment of increased
competition and rise in customer demands.
b. Does a wider range of products and services that are offered to customers help in
the realization of BCM objectives?
c. Technology infrastructure, both implemented and planned, to meet consumer
demand and improve efficiency and effectiveness.
d. Business continuity organization, infrastructure and processes, - what has been
implemented?
e. Specific learnings to ascertain the factors that affect the operationalizing of BCM.
4.2.1.1 Interviews
Senior officials and supervisor of the target banks were interviewed to gather macro
level information. Preparation for these interviews were made based on the secondary
research carried out and enumerated in Chapter 2 as well as the guidance received
from six consultants who have executed / consulted for variety of banking projects.
The steps followed are enumerated in Chapter 3 paragraph 3.5.1. These steps were
progressively refined as the researcher gained finer insights after 6 to 8 interviews
were conducted.
92
4.2.2 The Study Plan
The study was planned and conducted in four stages over a period of ten months from
February 2004 to December 2004:
4.2.2.3 IT infrastructure
The infrastructure deployed was studied at the following locations by carrying out
visits, on spot observations and interactions with functional mangers, senior mangers
and Data center personnel:
a. Bank branches
b. Corporate / Regional Offices
c. Data Centers (both main and alternate)
93
4.2.2.4 BCM organization and procedures
To understand the policy and operational issues related to BCM organization in the
bank at both corporate offices and branches, the methodology was as follows:
a. Senior officials of the rank of Vice President and above were interviewed.
b. Communications in the form of relevant booklets on regulations and intranet /
banking software solutions were studied in the selected banks.
c. Survey questionnaires were administered at various levels in the selected banks to
evaluate:
i. Critical processes, possible discontinuities and related impacts on business
along with the level of implementation achieved in the bank to meet possible
disruptions.
ii. Aspects of continuity related to space, processes and technology.
94
and technology infrastructure in place as well as the organizational structure and
processes to ensure continuity in the event of disruptions. Banks are also factoring in
their BCM implementation “softer” issues such as customer satisfaction (e.g.,
convenience, ease, feel-good, etc.), esteem (the image of the bank in the market and in
the eyes of customers), and climate (motivation levels of employees and partners).
The “harder” issues such as IT Infrastructure, facilities, procedures, etc. have already
attained a high degree of maturity in most banks. These are taken as “given”.
Therefore banks are now aspiring to attain a higher BCM maturity level by taking
necessary actions to improve the softer aspects noted earlier.
The essential ingredients of successful BCM Implementation as culled out from the
research findings are grouped in three clusters, - Strategic, Operational and
Technological and discussed in this section
4.3.1 Strategic
The Strategic cluster encompasses the following factors that top management should
consider while setting out policy to institute reliable BCM practices.
1
http://www.icicibank.com
2
Excerpts from the interviews with Ms. Nayana Phanse, AGM, SBI, Regional Office, BKC Mumbai on 23rd
December 2005 and 18th January 2006.
95
“The business does not stop (apparently) from the customer’s perspective even if
there is a discontinuity that is short-lived. In other words, the tolerance limit of
customers to accept disruptions is more if they are satisfied with the bank’s delivery
systems”3.
3
http://www.hdfcbank.com/aboutus/general/Business_Focus.htm
4
http://www.hdfcbank.com/wholesale/default.htm
5
Excerpts from the interviews with Mr. S. S. Purohit, DGM, SBI Zonal Office (West), Mumbai on 28th
December 2005, 24th January 2006 and 16th March 2006.
6
http://www.hdfcbank.com/wholesale/default.htm
96
4.3.1.6 Trusted Partnership
“A large public sector bank has teamed up with Tata Consultancy Services (TCS), the
total IT solutions company for software project implementation, maintenance and
system administration. The hardware is supplied, supported and maintained by HP.
The network services are maintained and managed by Data Craft. The partnership
with these companies is a comprehensive one and is built on mutual faith and trust” 7.
The partnering organizations such as TCS and HP see synergistic arrangements for
mutual growth and are hence “locked-in” with the bank. Such arrangements are
comprehensive, rugged, robust and scalable, thus ensuring a high degree of
continuity.
7
“TCS-FNS emerges as most widely deployed core-banking solution in the country”,
http://www.tcs.com/0_media_room/releases/200603mar/TCS_FNS.htm
8
Excerpts from the interviews with Ms. Nayana Phanse, AGM, SBI, Regional Office, BKC Mumbai on 23rd
December 2005 and 18th January 2006.
9
Samrat Navale, e-Finance for Development - An Indian Perspective, Monterrey, Mexico, March 19, 2002
http://r0.unctad.org/ecommerce/event_docs/monterey/mor-icici-india-EFfD.ppt
97
4.3.1.10 A Hybrid Approach of “Old Economy” Manual and IT-Based Systems
“SBI, whilst embracing technology for automation, has retained its culture of the old-
economy days of running business in branches. There are multiple delivery channels
to transact business. However, experience has shown that when disaster hits, you need
people to manage the crisis, particularly as regards emotions that are most important
to defuse the situation. No technology can substitute this”10 (Purohit 2006). Banks in
India ought to have a judicious mix of “manual” and “IT-enabled” processes as there
are limitations of infrastructure, capital for investment and slow-changing mindsets.
4.3.2 Operational
The factors that go into development of operational processes and structure to ensure
higher levels of Business Continuity in banks are discussed below:
4.3.2.1 Automation
“It reduces reliance on human knowledge of processes thereby reducing dependence
on specifically trained personnel and giving greater flexibility to the bank in
utilization of its human capital and also allowing the work force to address more
value-added activities” remarked Munish Mittal, Assistant Vice President of
Information Technology, HDFC Bank 11.
10
Excerpts from the interviews with Mr. S. S. Purohit, DGM, SBI Zonal Office (West), Mumbai on 28th
December 2005, 24th January 2006 and 16th March 2006.
11
http://www.hdfcbank.com/wholesale/prd_glance.htm
12
Ray, Atmadip, (2005), “Banks Gear Up To Set Up Disaster Recovery Centres”,
http://economictimes.indiatimes.com/articleshow/1186027.cms
98
multi-application capability (insurance, e-purse, toll payments, etc.) and can run on
multiple technology platforms” 13.
13
http://www.hdfcbank.com/wholesale/default.htm
14
http://www.icicibank.com/
15
Navale, Samrat, (2002), “e-Finance for Development - An Indian Perspective, Monterrey, Mexico,
http://r0.unctad.org/ecommerce/event_docs/monterey/mor-icici-india-EFfD.ppt
16
Excerpts from the interviews with Mr. T. Prabhakar, Dy. General Manager (IT - Technical), SBI Corporate
Centre, Navi Mumbai on 12th January 2006, 10th March 2006 and 7th April 2006.
99
minutes and is designed for a quick changeover”17 (Sirsalewala 2003). The load is
optimally balanced between the main site and the DR site, which takes the operating
load at pre-designated instances. Large numbers of ATMs connect to the DR site for
normal operations with a facility to changeover to the central site when required. This
also keeps the staff as also the systems at the DR site fully functional and attentive.
“There have been instances in installations of other banks wherein the changeover to
DR sites during failure has been delayed making the arrangement questionable”
(Sirsalewala 2003).
17
Sirsalewala, Minu, (2003), “Technology converges at HDFC Bank”,
http://www.networkmagazineindia.com/200305/tech3.shtml
18
Kaul, Hemant, 2003, “Customer Focus Banking. The UTI Bank Experience”,
http://www.som.iitb.ac.in/ppts/hemant.ppt
100
work to the right groups, both internal and outsourced, provides better resilience to
meet any eventuality”19 (Sirsalewala 2003).
19
Sirsalewala, Minu, (2003), “Technology converges at HDFC Bank”,
http://www.networkmagazineindia.com/200305/tech3.shtml
20
“TCS-FNS emerges as most widely deployed core-banking solution in the country”,
http://www.tcs.com/0_media_room/releases/200603mar/TCS_FNS.htm
21
TCS-FNS emerges as most widely deployed core-banking solution in the country”,
http://www.tcs.com/0_media_room/releases/200603mar/TCS_FNS.htm
22
Kaul, Hemant, 2003, “Customer Focus Banking. The UTI Bank Experience”,
http://www.som.iitb.ac.in/ppts/hemant.ppt
23
Ramanathan, R.N., (2006), “Transforming a Giant: SBI ensures a smooth transition”, http://www.financial-
insights.com/FI/events/FTA06/downloads/presentations/rn_ramanathan.pdf
101
4.3.2.15 Business Continuity Planning (BCP)
BCP in banks aims at ensuring minimum downturn of business and speedy recovery
of work area and data center sites. It has well-documented and communicated actions
to be taken during a crisis. “The BCP at UTI, developed with the help of TCS and
IBM, is complete and comprehensive, and caters for a large number of discontinuities:
technological, man-made and natural disasters. The plan is reviewed periodically for
corrections and upgrades”.
4.3.3 Technological
The following practices are crucial when setting up and operating technological
structures to ensure a high level of continuity in banks.
102
an integrated view of their business with the bank, creating both “real” and “virtual”
continuity26.
26
“Boosting Datacenter Availability for Largest Private Bank in India with the Help of Symantec”,
http://eval.veritas.com/downloads/sus/ICICI_Bank.pdf
27
“Boosting Datacenter Availability for Largest Private Bank in India with the Help of Symantec”,
http://eval.veritas.com/downloads/sus/ICICI_Bank.pdf
28
Excerpts from the interviews with Mr. Bondaiah Adepu, Manager – IT, Global Trust Bank 22nd February
2006 and 27th April 2006.
103
maintained by partners who have the ability to solve a whole class of problems and
not just the elements provided and supported by them” 29 (Ray 2005).
4.3.3.9 Backup
Storage on Network Attached Storage (NAS) enhances recovery capabilities as the
storage device can be located anywhere on a Local Area Network (LAN) and these
devices have all the functionalities of a server. “A large bank that currently deploys
29
Ray, Atmadip, (2005), “Banks Gear Up To Set Up Disaster Recovery Centres”,
http://economictimes.indiatimes.com/articleshow/1186027.cms
30
Ramanathan, R.N., (2006), “Transforming a Giant: SBI ensures a smooth transition”, http://www.financial-
insights.com/FI/events/FTA06/downloads/presentations/rn_ramanathan.pdf
31
Excerpts from the interviews with Mr. T. Prabhakar, Dy. General Manager (IT - Technical), SBI Corporate
Centre, Navi Mumbai on 12th January 2006, 10th March 2006 and 7th April 2006.
32
“Boosting Datacenter Availability for Largest Private Bank in India with the Help of Symantec”,
http://eval.veritas.com/downloads/sus/ICICI_Bank.pdf
104
SAN is also contemplating installation of NAS. The bank enforces strict policy of
regular backups”33 (Sirsalewala 2003).
4.3.3.11 IT Security
IT security should be implemented at both the systems and user levels. The system
level security is implemented at the network level by installing catalyst switches and
Intrusion Detection System (IDS). Intra- and inter-application level security is
implemented through access control using authentication at application ports and
firewalls. This creates VLANs for applications running on various delivery channels.
“UTI enforces access control using the model of PKI deploying “certifying authority
servers” for administering “session keys” and “registration authority servers” for
generating digital signatures” 35 (Shrikanth 2005).
33
Sirsalewala, Minu, (2003), “Technology converges at HDFC Bank”,
http://www.networkmagazineindia.com/200305/tech3.shtml
34
Kaul, Hemant, 2003, “Customer Focus Banking. The UTI Bank Experience”,
http://www.som.iitb.ac.in/ppts/hemant.ppt
35
G., Shrikanth, (2005), “SERVERS AND WORKSTATIONS: Going FullSteam”,
http://www.dqindia.com/content/DQTop20_05/serversandworkstations/2005/105071808.asp
36
Ray, Atmadip, (2005), “Banks Gear Up To Set Up Disaster Recovery Centres”,
http://economictimes.indiatimes.com/articleshow/1186027.cms
37
Sirsalewala, Minu, (2003), “Technology converges at HDFC Bank”,
http://www.networkmagazineindia.com/200305/tech3.shtml
105
4.3.3.14 Network Management
Managing networks using remote control systems enables IT staff to install, manage,
de-install and upgrade software from a central location thereby improving efficiency
of Network Management and enhancing continuity. “HDFC deploys Unicenter remote
control solution to manage its network which has resulted in high efficiency in
managing the infrastructure and savings. The solution being network-based and with
alternate pathways in it comes handy while recovering systems from failure
remotely”,(Sirsalewala 2003).
38
Excerpts from the interviews with Mr. Dinesh Pandey, AGM, SBI on 4th April 2006 and 26th June 2006.
106
procedures and regular job rotation, training and interaction of employees with senior
management. This ensured that employees are aware of functioning of other
departments enabling them to take up roles of those who are absent and ensure
continuity. The implementation of Core banking solution removed load of back office
processing allowing staff to focus on delivery and support thereby enhancing service
levels and more personal contact with customers.
4.4.2 IT infrastructure
SBI has world class IT infrastructure at Central Data Center at Belapur as also in the
other Regional Data Centers. These are well equipped with safety and environment
control management systems supported by third party agencies. The systems are
based on advanced practices and professionally managed. These centers have remote
management capabilities and are organized in a manner that they replicate each
other’s data and systems, in real time and asynchronous modes, as near and far sites
and can substitute each other if one is not functioning.
4.4.3 DR organization
The DR organization is suited to ensure faster recovery during disruptions. This is
achieved by ensuring that alternate sites are loaded with real transactions regularly to
keep them DR ready. In case of disasters the emergency organization (Controller and
support staff) comes into force to run the data centre from alternate locations as per
specified and well-rehearsed procedure. Emergency procedures and details of layout
of all emergency equipment and continuous breakdown drills, access controls to
various locations, cash lockers, availability of duplicate/alternate keys and emergency
power supply etc are communicated to all concerned.
107
4.5.1 Strategic
Table 4.1 Importance / Criticality Status – Strategic Ingredients
Importance/ Status in
Srl. Essential Ingredient Criticality Bank
(% Respondents)
1. Multiple Delivery options 90 65
2. Customer Focus 85 80
3. Concept of “Bank Customers” 80 65
4. Trust of Society at Large 80 50
5. Rich Collaboration 75 55
6. Trusted Partnership 75 55
7. Centralized Processing 75 65
8. Range of Customer Segments 65 50
9. Leverage Internal Strengths 55 40
10. Hybrid Approach of “Old Economy” 50 40
Manual and IT-Based Systems
“Customer Focus” is the only essential ingredient where the current Status has
matched the perceived Importance / Criticality. This is true to a slightly lesser extent
with regard to “Centralized Processing”. Stark differences are seen for five other
ingredients, #s 1, 3, 4, 5 and 6, where the Status is at a much lower level than the
highly-rated Importance / Criticality of that ingredient. Three of the ingredients, #s 8,
9 and 10, were rated lower than the others in terms of Importance / Criticality; and,
the current Status of these ingredients is also low.
108
4.5.2 Operational
Table 4.2 Importance / Criticality Status – Operational Ingredients
Importance/ Status in
Essential Ingredient Criticality Bank
(% Respondents)
1. Automation 90 80
2. Technology for Competitiveness 90 75
3. Product Innovations 80 70
4. Integration of Diverse Products 85 65
5. Innovations in Delivery Channels 85 65
6. Multi-Channel Integration 90 70
7. Finger on the Pulse of Technology 80 65
8. Optimal Utilization of DR Site 70 70
9. Physical Security 70 80
10. Customer Sensitivity Monitoring 70 55
11. Optimizing the IT Workforce 65 55
12. Location of Assets 65 65
13. Incidence Reporting and Monitoring 60 60
14. Internet Discipline 55 50
15. Business Continuity Planning 55 50
16. Proprietary versus Open Systems 50 50
17. Relationship with Government 50 40
Machinery
Interestingly, “Physical Security” is the only ingredient where the Status is rated
higher than Importance / Criticality.
Four of the ingredients, #s 14, 15, 16 & 17, received a low Importance / Critical rating
that is matched by the current Status in the bank.
109
4.5.3 Technological
Table 4.3 Importance / Criticality Status – Technological Ingredients
Importance/ Status in
Essential Ingredient Criticality Bank
(% Respondents)
1. Efficient Data Sharing 90 80
2. Reliable Data Protection 90 85
3. Balanced Portfolio of Applications 85 70
4. Best-In-Class IT Infrastructure 80 65
5. Data Center Availability and DR 80 70
6. Disaster Recovery Setup 80 70
7. Shared Storage Options 75 65
8. Systems Administration 75 75
9. Backup 75 80
10. Database Security 75 75
11. IT Security 70 70
12. Speedy Server Rebuilding 65 60
13. Redundancy of Hardware and Network 65 55
14. Network Management 65 55
15. Internet Banking Software 55 50
16. Server and Storage Consolidation 55 50
“Efficient Data Sharing” and “Reliable Data Protection” are two highly rated
ingredients with regard to Importance / Criticality, which are also matched reasonably
by the current Status in the selected banks. Four ingredients, “System
Administration”, “Backup”, “Database Security” and “IT Security”, on the other
hand, stood out since the Status is rated on par or even a little higher than Importance
/ Criticality for these ingredients.
110
4.6 Summary of Findings
The BCM practice prevalent in large and medium banks surveyed for the purpose of
this study can be summarized in three categories (Strategic, Operational and
Technology) as below:
4.6.1 Strategic
a. The mission and vision are well defined and communicated in private sector
banks. These, though well-defined, are not adequately communicated or
comprehended by all levels (particularly functional level) in case of PSU banks.
b. Most large and medium banks provide extensive portfolio of products and
services involving Multiple Delivery options. The level of multi-channel
integration is higher in case of private and modern banks though the other banks
are now attributing importance to this aspect and are catching up. Large banks
service wider range of customer segments as compared to medium banks. All
banks have realized the importance of multi-portfolio, multiple delivery and
multi-customer products and service to be driver of higher level of continuity.
c. There is high degree of automation in all medium and large banks as far as core-
banking system is concerned. The integration of diverse products is achieved to a
higher degree in private and modern banks. Other banks are now making efforts in
this direction. Integration and automation of systems is considered crucial to
business continuity by most banks.
g. BCP is practiced in most banks with varying degree of sincerity and effectiveness.
Criticality of processes as regards continuity is appreciated but not clearly
111
articulated. BCM is not found to be clearly integrated with normal operating
procedures when it comes to actual operations.
i. The sensitivity to issues of brand management & image are found to be lower in
public sector banks. Issues related to maintaining good public relations and
ensuring implementation of succession planning in the event of discontinuities is
not formalized or adequately communicated in most banks. This is considered to
be an important factor in achieving greater level of “Trust of Society at Large”.
k. Most banks carry out reviews of their BCM practice annually and communicate
upgrades / modifications through intranet and internal publications.
4.6.2 Operational
c. Sensitivity to good customer service is appreciated by most banks but not to the
extent of desired levels. The efforts to assess and improve performance as regards
efficiency and customer service was found only in few cases where banks made
formal and planned efforts to carry out “Customer Sensitivity Monitoring”
deploying specific tools and methodology.
d. The safety procedures to be adopted in the face of eventualities have been worked
out. There is however a need for better elaboration, communication and training to
ensure compliance. The implementation of safety instructions has not been
112
challenged in India to a significant level, thereby, leaving skepticism about
vibrancy of Disaster Recovery Setups.
f. Most banks are sensitive to changes in market or regulatory conditions. The public
sector banks have an advantage of better relationship with government and civic
machinery, which comes handy in recovering from disruptions.
g. Incidence reporting and logging instructions exist in most banks. These are
however, not adequately communicated and comprehended.
j. All banking operations documents are automated in most banks. The level of
automation of internal management systems (assets, HR…) is low in public sector
banks.
4.6.3 Technological
a. Most banks have implemented Core Banking Solution (Finacle, Spectranet, FNS),
Internet Banking and CRM solutions thereby implemented a balanced portfolio of
applications across products and delivery channels. There is a greater reliance on
proprietary solutions for banking applications except in few cases where banks
have gone in for a combination of proprietary and open systems.
c. There is a higher degree of continuity for banking operations in the case of large
and medium banks owing to the RBI sponsored NIFNET, which ensures sufficient
redundancies to sustain inter-banking operations (RTGS, EFT, SFMS, etc).
113
d. The disaster recovery setup is fairly advanced (particularly in case of private
sector banks) by implementation of “near & far” and “hot & cold” sites that work
in conjunction with the main Data Centres. Banks have optimized utilization of
their Data Centres by relocating assets and more frequent use of DR sites for
selected operations.
g. The Physical Security of Data Centres, ATMs and other business touch points is
found to be implemented using computerized and modern access control and
security systems (fire and damage control). There is extensive use of automation
tools for facilities management. There however, need to be reviewed more
frequently.
h. Banks have put together efficient teams (in-house or outsourced) to carry out tasks
related to Systems Administration, Backing up, Network Management, IT
Security and also current practices of optimization such as Speedy Server
Rebuilding. The skill levels achieved are of a high level.
i. The aspect of insuring assets, both IT and non-IT was found to be lacking or
minimal.
4.7 Conclusion
The level of understanding of factors that are regarded crucial to successful BCM
implementation by large and medium banks and the current degree of achieving them
so as to achieve higher levels of continuity, are summarized below:
114
core banking processes and building efficient value added services that are IT enabled
on these processes.
IT infrastructure involving Data Centres, Servers, Storage and Backup systems must
be of high quality and reliability and kept current by deploying modern practice of
efficient data sharing, server & storage consolidation, data protection and redundancy
of hardware and network. Physical Security of sensitive assets must be ensured using
computerized and modern access control and security systems. The services offered
by banks must be integrated using Internet and advanced CRM solutions. These
features are present to a high degree in Private and foreign banks and now receiving
the attention of banks’ management and being improved in Public sector banks.
The level of adherence to international quality standards (Basel II) and insurance of
IT and non-IT assets in most banks is found to be below what is practiced by banks in
advanced countries. The practice of forging collaborative relationships with trusted
partners and civic machinery in owning and managing IT infrastructure assets for
sustained and continuous high performance is almost absent. There is very little
115
sensitivity to issues of brand management & image that give rise to increased faith in
bank’s ability to recover during disasters.
The findings of the survey summarized in paragraphs 4.7.1 to 4.7.4 above are in
agreement with the first two hypothesis of study as below:
116
The findings point at clear definition and communication of Procedure to affect
“manual workaround”, adopt “correct safety procedures” and “Incidence
reporting and logging” in the face of eventualities, to be pre-requisites of
successful BCM.
The issues related to collaborative relationships with trusted partners and civic
machinery and sensitivity to issues of brand management & image that give rise
to increased faith in bank’s ability to recover during disasters are finding
attention of senior management though the degree of attainment is low.
117
CHAPTER 5
BCM MODEL FOR BANKS IN INDIA
5.0 Preamble
This chapter addresses the issues pertaining to development and implementation of
Business Continuity Management (BCM) solutions for banks in India. The BCM
model to carry out a ‘Reality Check’ in banks before implementing BCM, to decide
on the right strategy and to assess the ‘post-implementation’ effectiveness, is
described in this chapter.
The banking industry is challenged to address the varied needs and expectations of
diverse segments of society (such as youth, working people and retired personnel)
and business. Businesses may range from small to medium to large, from process to
discrete industry, from rural to urban, from national to global and so on. Each
segment has unique demands for a customized range of products and services,
combined with convenience, at low cost, “any time, anywhere”.
This paper proposes a model to design, implement, assess, and upgrade a business
continuity plan for banks. The key factors for a successful BCM implementation
have been identified based on an analysis of experiences by major banks in India. In
this context, the issue of BCM has been addressed in part by two other models: BCP -
Business Continuity Planning, and DR - Disaster Recovery. However, it is submitted
118
that the two put together do not provide the solution for BCM. They have helped a
great deal in streamlining organizational processes and infrastructure to ensure
continuity and were, perhaps, complete in a non-globalized, less competitive world.
But, today, there are newer challenges in the form of higher degree of expectations in
service levels, which transcend transactions and encompass issues dealing with
emotive faith and trust.
The Steps taken to develop and test the BCM model together with metrics to measure
effectiveness are enumerated in Chapter 3 paragraphs 3.5.2 and 3.5.3 respectively.
These include:
119
5.3.1 Organizational
The bank must be clear in its vision and direction. The findings of the survey
highlight the importance of clear articulation of the strategic objectives with respect
to:
a. The markets and geographies to be served.
b. The scale, i.e. volumes, to be achieved each year.
c. The diversity of portfolio of products and services to be offered in line with the
demands of the segments being served.
d. The multiplicity of channels to be deployed for delivering products and services.
e. Innovative methods of differentiating products and services with a view to
enhance value to customers in a cost-effective manner.
f. The organization required to meet the above objectives.
g. The infrastructure building blocks required to meet the objectives in terms of
Information Technology, Communications, Security and Convenience.
5.3.2 Processes
This relates to processes for ensuring continuity of banking transactions, and not the
rules and regulations (banking or legal) governing those operations. The following
procedures need to be designed, communicated, practiced and reviewed periodically
to ensure continuity.
1
Trivedy Ravi, Partner, KPMG and Girish V., Banking, Financial Services & Insurance, Consultant, Excerpts
from interviews, April 15, 2006
120
e. Alternate methods of communication to transact business or obtain information:
Paper-based, Internet-based, Voice-based or through third party such as call
centers and media agencies (television, newspapers, etc.) for informing clients
about alternative processes that have been put in place.
f. Support to Customers through multiple methods of providing support to
customers by way of self-service systems like AVR (Advanced Voice
Recognition), Websites, assisted call center help, customer relationship executives
and associate partners.
5.3.3 People
This is the most important and critical resource to ensure continuity of businesses on
both the demand and supply side. We identify four categories of people who should
be involved and be responsible to ensure business continuity. The “Soft
Requirements” for these stakeholders to engage in a collaborative manner to ensure
continuity are also outlined.
a. Employees: The knowledge, commitment and motivation of employees at all
levels in the bank are paramount to ensure business continuity2 (Bleiberg 2005). It
is essential that all employees perform their designated functions correctly,
efficiently and effectively. Banks have an excellent record in operationalizing the
concept of “job rotation” better than any other kind of business that the authors
have been involved with. This ensures that employees possess an acceptable level
of knowledge of related functions along with their primary function, where they
are expected to be experts3 (Trivedy, 2006). Our survey, however, highlighted
variances in realization of some softer aspects, particularly at the operating level.
These are:
i. Empowerment: To take decisions not only pertaining to authorization and
limits, but also in dealing with situations supposedly outside the realm of
authority to meet the contingency4 (Oltsik 2004). This can however be
authorized ex-post facto.
ii. Commitment: To fulfill customer’s requirements and not just completion
of a task
iii. Motivation: This is an important factor wherein each employee perceives
himself/herself to be the owner of the business, and runs it as if he/she has
a personal stake in its successes.
2
Bleiberg Ron, SmartAdvice: Planning Ahead Means A Disaster Needn't Wipe Out Your Business, Aug. 22,
2005, http://www.fileon.com/press/articles/disaster-neednt-wipe-out-business.html
3
Trivedy Ravi, Partner, KPMG and Girish V., Banking, Financial Services & Insurance, Consultant, Excerpts
from interviews, April 15, 2006
4
Oltsik Jon, Hot spots: So much can go wrong with disaster recovery. What can you do to ensure all goes well?,
Published: Jun 2004, http://storagemagazine.techtarget.com/magItem/1,291266,sid35_gci969972,00.html
121
b. Customers: They are the very reasons for which the business exists and, hence,
are the most important link for business continuity. The following aspects are
essential for effective engagement of customers while transacting business.
i. Awareness: The bank must make the customers aware about the products
and services in terms of offerings, limitations, regulations etc. This is the
task of every employee who interacts with the customer for whatever
duration and for whatever purpose5 (Hunt 2004).
ii. Esteem: Customers should be made to feel important and worthy,
irrespective of the value or importance of the transaction. Operational
responsiveness is only one part of the story. It has to be complemented
with visibly evident disposition of the employees in terms of courtesy and
care.
iii. Trust: Sustained performance, cordial treatment and ethical and upright
disposition ensure high level of trust which translates into tolerance on
part of the customers in the event of business discontinuity6 (Purohit
2006).
c. Business Partners: The terms “Vendors”, “Suppliers” and “Contractors” are passé
in present times. The correct term for representing all those who contribute
towards the success of your business is “business partners”. They may be
involved in facilities management, supplying provisions and consumables,
maintaining IT Infrastructure or bandwidth. Irrespective, they are all more than
equal partners in the business. Their performance and commitment, including a
high degree of ownership, are the mainstays of supporting the business during
unforeseen disruptions7 (Shore 2002). The following elements have to be
considered in this regard:
5
Hunt Hal, Lesson of Hurricane Hugo: Plan Recovery, 08/05/04 6:00 AM PT, Part of the ECT News Network,
http://www.crmbuyer.com/story/35561.html
6
Purohit S. S., DGM, SBI Zonal Office (West), Mumbai on Excerpts from the interviews, 28th December 2005,
24th January 2006 and 16th March 2006.
7
Shore Dave, Sept. 11 teaches real lessons in disaster recovery and business continuity planning, Published:
5/17/02, http://techrepublic.com.com/5100-10878_11-1048799.html?tag=search#
122
iii. Sense of Belonging: Business partners must feel a sense of belonging to
the banks, which can be created by non-discriminatory treatment to them
on the same lines as the bank’s own employee in terms of working space,
usage of common facilities, and other related factors.
5.3.4 Technology
There have been significant advances in the usage of technology in the banking sector
in general. Our survey does indicate that there are higher levels of maturity and
excellence achieved in the selected banks, who have invested heavily in installing
near world class IT infrastructure8 (Staimer 2005). Broadly the technology usage in
banks can be grouped as follows:
a. Banking Applications at Service Points: Core Banking System, Internet Banking,
Phone Banking, and Mobile Banking
b. Electronic Banking: ATM’s, Smart Cards, Credit Cards, Debit Cards, and Prepaid
Cards
c. Back Office Processing and Administration: Intra Branch end of the day (EOD)
transactions, Intranet, Mail Messaging Systems, Online Help, and Magnetic Ink
Character Recognition (MICR) Processing
d. Inter Branch Transaction handling: Real-Time Gross Settlement (RTGS), and
Electronic Funds Transfer (EFT)
e. Data Communications: Intra Branch Network and Inter Bank Network
f. Data Center Management: Main Data Center and Disaster Recovery Site (Servers,
Storage, Backup Systems, Switches, Systems Software, Application Software)
8
Staimer Marc, Data determines the right disaster recovery, Issue: Jan 2005,
http://storageMagazine.techtarget.com/magItem/1,291266,sid35_gci1042972,00.html
123
g. Security: User Level Security - Access Permissions, Authorizations, Application
Security - Transactional & Inter Application Security, Systems Security – System
– Administration Level & Perimeter Security, and Physical Security - Access
Control, System Logs, Fire and Damage Control
h. Technical Support: Help Desk, Documentation, Performance Monitoring, and
Upgrades
9
Hunt Hal, Lesson of Hurricane Hugo: Plan Recovery, 08/05/04 6:00 AM PT, Part of the ECT News Network,
http://www.crmbuyer.com/story/35561.html
10
Security 2002: Rethinking Risk, Published: September 16, 2002,
http://www.cioinsight.com/article2/0,1540,537635,00.asp
11
Security 2002: Rethinking Risk, Published: September 16, 2002,
http://www.cioinsight.com/article2/0,1540,537635,00.asp
124
different levels (clusters A-D) as given in the table 5.1 below. These are the row
headings in the BCM Metrics Model described in Exhibit 5.1 (Table 5.6)
Table 5.1 The BCM Reality Check Metrics – Clusters (Rows in the Model)
C (n) Tools / Methods – The IT Infrastructure and operating instructions that are
pressed into action once discontinuity is declared. This also includes
instructions to switch over to “contingent mode” in terms of alternate
facilities, movement of people and modus operandi to transact business
and reverting back to normal operations once the contingency is over.
125
Table 5.2 Evaluation Criteria Measures (Columns in the Model)
Evaluation Evaluation Criteria description
Criteria
index (to assess the level of parameter being measured)
A total of 107 parameters for the four clusters in Table 5.1 were measured by
surveying 35-46 respondents in the target large and medium banks. Table 5.3 below
shows the number of metrics for each Component and Level (Clusters). Details of
each metric together with summary of values are available in Exhibit 5.1 (Table 5.6).
Each of these metrics was assessed by respondents (35 to 46) in the selected banks
according to four criteria to measure Effectiveness:
126
a. Strength / Preparedness, (shortened as P), of the bank in addressing the issue
specified in the metric on a scale of 0 to 5
0 - Very Low; 1 – Low; 2 – Moderate; 3 – Satisfactory; 4 – High;
5 - Very High
b. Threats / Challenges, (shortened as R), both internal and external, faced by the
bank in meeting the requirements of the metric
0 – Negligible; 1 - Very Low; 2 – Low; 3 – Moderate; 4 – High;
5 - Very High
c. Vulnerability, (shortened as V), of the bank in terms of the Probability of
Occurrence of the threat or challenge in the bank on a scale of 0 to 1: 0 –
Negligible and 1 – Near Certain
The following steps outline the analysis of the data obtained in the surveys to
compare Strengths / Preparedness against Vulnerability:
127
Step 2: Calculate “Vulnerability Indicator” (VI) as shown below:
VI(F) = R(F) * V(F)
where,
VI is the Vulnerability Indicator
F is the Parameter or Metric in question
R is the Threat / Challenge
V is the Vulnerability
These Indicators were then compared for Large and Small banks to evaluate their
relative positioning on each parameter.
a. Small banks are more Vulnerable than Large Banks on all the factors except
“Organization” as can be seen in table 5.4 below:
Interestingly, the Resilience of Small banks is higher than Large banks with
regard to “Facilities” and, to a lesser extent, “Technology”.
128
On the whole, Large banks are less vulnerable (0.71 score) than Small banks
(2.71 score), which is logical given that Large banks have the funds to invest in
organization, infrastructure and technology to establish reliable and rugged
processes to counter any eventuality.
b. The Average Vulnerability Indicator (VI) for each of the three components -
Organizational, Facilities and Technology – is shown below for Large and Small
banks:
c. The Average Resilience (RI) for Facilities Management issues for Large and
Small banks were calculated to be 2.43 and 4.06 respectively. Large organizations
are, hence, less resilient with regard to Facilities management as compared to
Organization and Technology. The lesser resilience of Large banks in managing
facilities is largely due to their size and expanse (all over the country). Small
banks, on the other hand, have mostly state-level operations, and have facilities
which are fairly compact, and can, hence, be managed easily. Large banks have
strong organizational structures, adequately manned departments as well as well-
documented and well-communicated procedures as compared to their smaller
counterparts.
12
Shri Narain and Girish V., Banking Consultants, Excerpts from Meeting in June 2006.
129
5.5 Conclusion
This chapter presented a framework for carrying out reality check using metrics. The
BCM reality check metrics measures and evaluates parameters in five clusters
(Organization, Procedure, People, Technology and Facilities) at four levels
(Corporate, Technical, Methods/Tools and Review/Testing). These parameters are
measured for strength/preparedness (P) and Threats/Challenges(R) on a scale of 0-5
(low-high). These are further qualified by measuring vulnerability of threats (V) and
upgradation of preparedness (T) on a scale of 0-1 indicating low-high probability and
frequency respectively.
The inferences from application of the metrics are drawn by calculating two factors:
Resilience indicator (RI)= P*T and Vulnerability Index (VI) = R*V. These two
factors indicate the levels of strength and vulnerability of the bank from BCM
perspective from each of the parameter in the clusters. The summations of these two
indicators for clusters indicate the status at the cluster level.
The application of the model to banks in India has given insights into the gaps that
exist in otherwise seemingly comprehensive BCM implementations. The BCM
organization and practice needs to be monitored regularly to ensure its relevance
under contemporary conditions. The model serves as a “barometer” to do a reality
checks and apply corrections where necessary. The test results of the metrics indicate
that large banks are more resilient and less vulnerable. Small banks are highly
vulnerable on account of technology and facilities. Both categories of banks are
equally vulnerable from the perspective of organizational readiness and thus merit
more management definition on softer issues of customer service and image.
The trends in banks in India suggest the following conclusions that relate closely to
the research hypothesis:
130
a. Banks with reliable and the state of the art Facilities and Technologies are better
poised to handle business disruptions.
b. More management attention will have to be focused on softer issues of service
delivery such as trust of customers, image in the industry, and participation of all
stakeholders as owners.
131
Exhibit 5.1 (Table 5.6) - The BCM Reality Check Metrics
LARGE SMALL
Strength/Prep
Strength/Prep
Vulnerability
Vulnerability
Challenges
Challenges
Threats /
Threats /
aredness
aredness
Sr.No BCM Parameters
Testing
Testing
P R V T P R V T
ORGANIZATIONAL
A3 Portfolio of Products and Services 4.50 0.83 0.10 0.85 3.00 1.67 0.50 0.90
A5 Participative Governance 4.50 4.17 0.65 0.85 5.00 0.33 0.20 0.30
A6 Social Sensitivity 4.80 4.17 0.80 0.85 3.00 4.17 0.20 0.90
A8 Cultural Change- Agility of bank to adopt changes 4.25 3.33 0.80 0.85 4.00 5.00 0.30 0.80
A9 Promotional Model and Brand Management 3.50 0.67 0.45 0.55 2.00 0.17 0.20 0.30
B3 Allocation of Budget for BCM 4.50 3.67 0.20 0.80 4.00 0.33 0.20 0.95
B5 Relationship with Business Partners 4.80 3.67 0.70 0.80 4.00 4.17 0.50 0.90
B6 Review of Outsourced Activities and Relationships 4.50 3.33 0.70 0.85 3.00 4.17 1.00 0.80
C1 Alternate Processes – Organization and Cost 4.00 3.33 0.20 0.90 3.00 1.67 0.50 0.50
D2 Insurance of Outsourced Partner Assets 4.00 3.33 0.80 0.95 5.00 5.00 0.50 0.90
132
Exhibit 5.1 (Table 5.6) - The BCM Reality Check Metrics
LARGE SMALL
Strength/Prep
Strength/Prep
Vulnerability
Vulnerability
Challenges
Challenges
Threats /
Threats /
aredness
aredness
Sr.No BCM Parameters
Testing
Testing
P R V T P R V T
PROCEDURAL
A1 Contingency Plans 4.50 4.17 0.20 0.80 5.00 4.17 0.80 1.00
A2 Emergency Action Plan 4.50 3.33 0.20 0.80 4.00 3.33 0.80 0.80
A3 Service Level Agreements 4.75 3.33 0.10 0.90 3.00 4.17 0.70 0.50
A4 Documentations 4.75 3.33 0.10 0.90 3.00 4.17 0.80 0.80
A5 Security Rules 4.50 2.50 0.95 0.80 5.00 5.00 1.00 1.00
A6 Safety Rules 4.25 1.67 0.95 0.60 4.00 3.33 0.50 0.80
A8 Health Rules 3.00 1.67 0.20 0.80 3.00 4.17 0.50 0.50
Application of Security Policy across the
A9 4.50 2.00 0.40 0.85 3.00 4.17 0.50 0.50
organization
A14 Standardization of Processes 4.75 2.50 0.20 0.80 3.50 4.67 0.50 0.80
B1 Incident Reporting 4.60 2.50 0.20 0.65 4.00 4.17 0.80 0.70
B2 Incident Logging 4.00 0.83 0.10 0.80 4.00 1.67 0.10 0.10
B3 Handling Media in the event of an accident. 4.00 3.33 0.10 0.80 4.00 4.17 0.80 0.80
Risk Awareness Reality Check Up in the
B4 4.00 3.33 0.20 0.90 4.00 4.17 0.80 0.90
Organization
B5 Security for Outsourced Partners 4.50 3.33 0.20 0.95 3.50 4.67 0.50 0.90
Market/Environment Information Gathering for
B6 4.00 1.67 0.50 0.80 3.50 1.67 0.30 0.30
incorporation in BCP
C1 Data Replication 5.00 1.67 0.50 0.85 4.00 4.67 1.00 1.00
D1 Testing Schedules for Processes 4.50 1.67 0.50 0.95 4.00 4.67 0.50 0.70
D2 Process Updates (Changes) 4.50 1.67 0.50 0.95 3.00 3.33 0.30 0.50
133
Exhibit 5.1 (Table 5.6) - The BCM Reality Check Metrics
LARGE SMALL
Strength/Prep
Strength/Prep
Vulnerability
Vulnerability
Challenges
Challenges
Threats /
Threats /
aredness
aredness
Sr.No BCM Parameters
Testing
Testing
P R V T P R V T
PEOPLE
A1 Crisis Management Team (Multi Functional Team). 4.50 1.67 0.40 0.95 5.00 4.67 0.90 1.00
A2 Deployment Management Team 4.50 1.67 0.40 0.95 4.50 4.17 0.50 0.70
B1 Key Personnel 4.50 2.50 0.35 0.85 5.00 4.67 0.50 0.50
B2 Security Roles and Responsibilities 4.75 1.33 0.80 0.95 4.00 4.17 0.70 0.80
B3 Safety Roles and Responsibilities 4.75 1.33 0.80 0.95 4.00 5.00 0.80 0.50
B4 Risk Awareness and Preparedness tests 4.50 0.83 0.10 0.80 4.00 5.00 0.80 0.50
Tolerance Limit – Assessment and Enablement
B5 4.50 0.83 0.10 0.80 4.00 5.00 0.80 0.50
(Employees)
Tolerance Limit – Assessment and Enablement
B6 4.50 0.83 0.10 0.80 2.50 4.67 0.50 0.50
(Partners)
Tolerance Limit – Assessment and Enablement
B7 3.50 1.67 0.40 0.95 3.50 4.67 0.80 0.50
(Customers)
Training and Education of Stake Holders in running
B8 4.00 0.83 0.20 0.85 3.50 0.83 0.80 0.80
alternate procedures
C1 HR Process Reviews 4.00 0.83 0.20 0.85 2.25 3.33 0.10 0.10
C2 Actions against Defaulters 3.50 0.50 0.20 0.90 3.25 4.67 0.90 0.90
C3 Social Sensitivity 4.50 0.33 0.30 0.90 4.50 4.17 0.80 0.70
Adaptation of Technology and Culture of Self Help
C4 4.00 1.50 0.40 0.95 4.50 4.17 0.80 1.00
– Employees, Customers, Partners
Knowledge Management to track performance of
C5 individuals in situations other than routine 3.00 3.33 0.65 0.95 3.50 4.67 0.60 0.60
operations
D1 Succession Planning 3.50 3.33 0.60 0.90 3.00 5.00 0.50 0.60
Reward System for Outstanding Contributions
D2 2.00 0.33 0.10 0.80 3.50 4.67 0.80 0.80
(Merit Based Promotions and Incentives)
D3 Culture of Shared Values 3.00 1.67 0.60 0.95 4.00 1.67 0.50 0.50
134
Exhibit 5.1 (Table 5.6) - The BCM Reality Check Metrics
LARGE SMALL
Strength/Prep
Strength/Prep
Vulnerability
Vulnerability
Challenges
Challenges
Threats /
Threats /
aredness
aredness
Sr.No BCM Parameters
Testing
Testing
P R V T P R V T
TECHNOLOGY
C1 Network Bandwidth Provisioning and Utilization 4.50 4.17 0.35 0.90 4.00 4.67 0.75 0.75
Network Monitoring and Maintenance using
C2 4.75 2.50 0.35 0.90 4.00 2.50 0.70 1.00
automated tools
Intra Bank Communication System Portfolio –
C3 4.75 0.33 0.50 0.60 3.00 2.50 0.50 0.40
Intranet, voice based, messaging system.
D1 User Access Control 4.50 2.50 0.20 0.60 5.00 4.67 0.80 1.00
D2 Database Security 4.90 2.50 0.20 0.60 5.00 4.67 0.90 1.00
D3 Application Security 4.90 2.50 0.20 0.60 5.00 4.67 0.90 1.00
135
Exhibit 5.1 (Table 5.6) - The BCM Reality Check Metrics
LARGE SMALL
Strength/Prep
Strength/Prep
Vulnerability
Vulnerability
Challenges
Challenges
Threats /
Threats /
aredness
aredness
Sr.No BCM Parameters
Testing
Testing
P R V T P R V T
FACILITIES
136
CHAPTER 6
6.0 Preamble
The generic BCM Model developed and tested for sample banks has been enumerated
in Chapter 6. The model comprises of five clusters of parameters (Organization,
Procedures, People, Technology and Facility) as per the details given in article 6.4.
The model was applied to five large, six medium and eight small banks in Mumbai at
the three levels of management: top, middle and functional. The details of the
parameters cluster wise are enumerated in Exhibit 6.1 (Table 6.9). The total number
of respondents for all the banks and levels of management was close to 100. The data
collected from various banks was collated and analyzed for preliminary findings.
These were then discussed in two or three iterations with banks and respondents for
standardization. The conclusions derived from comparison of large banks and MSRBs
formed the basis of recommendations for the later. The methodology adopted,
analysis of data and conclusions are enumerated in the succeeding paragraphs.
6.1 Methodology
The following steps were adopted for collecting & analyzing data and working out
inferences:
6.1.1.1 Banks
The basis of selection of banks was to choose based on:
137
d. Age – Old & New (instituted in last ten years or later)
6.1.1.2 Respondents
The respondents were selected from the target banks as per the steps given below:
138
6.1.1.3 Experts (Consultants)
a. Relevance of experience of the consultant as regards implementation of BCM
projects particularly in Finance and banking sector.
b. Experience of consultant in analyzing organizations to bring about change
management and re-structuring.
c. Knowledge of consultants is developing models for deployment of IT on large
scale using variety of platforms and solutions.
d. Knowledge in analyzing and revamping IT infrastructure and facilities for large
scale IT enabled business.
e. Academic and scholarly interests of consultants in creating knowledge work by
writing papers & articles and participation in Seminars & Conferences.
139
6.1.3 Standardization
The collated data was standardized using the following steps and procedure:
a. The collated and summarized responses were discussed with a set of officials
drawn from the three levels of management in meetings conducted bank wise. The
office / branch were so chosen as convenient to the group and permitted by the
senior management. In certain cases these meetings had to be repeated.
b. The responses were then updated as per the discussion during the group meetings
and statistical summary prepared. These were sent to an expert group formed of
senior officials (1 or 2) of the bank and consultants (2 or 3) to comment on the
variances and extreme observations in particular.
c. These comments were then discussed with the respondents to understand their
reasons for the level of measures indicated. Some of them re-visited the responses
and suggested amendments. These were then incorporated and set of observations
collated and summarized group-wise (top, middle and functional) for each target
bank.
d. The bank-wise responses grouped and summarized in one excel sheet for all banks
and sent to an expert group comprising of senior officials from RBI and
consultants from leading consulting companies employing the Delphi technique.
e. Responses / suggestions from consultants were taken into account to normalize
the values by taking weighted means of measures (Strength, Threats Vulnerability
and frequency of up gradation of interventions) correcting them for large
variances where recommended by experts.
f. The researcher further evaluated the responses (measures by carrying out spot
observations by visiting Offices, Data centers, DR sites and Business touch points
for correctness and completeness. These were discussed with experts to further
fine-tune the parameter measures and elaborate on reasons of the respondents
while assessing the measures.
140
Resilience Indicator (RI) = P * T
Where,
P is the Strength of Preparedness of the bank for the parameter in question on
a scale of 0 to 5 (low to extremely high)
T is the Upgradation / Review factor indicating the efforts made by the bank
to review the preparedness and upgrade periodically on a scale of 0 to 1.
The resilience indicators and vulnerability indices for the three levels of management
of the two target bank segments together with average, maximum, minimum, variance
and standard deviation of the parameters and clusters is given at Exhibit 6.3 (Table
6.11).
141
Table 6.1 Strength of criticality
The classification of parameters based on the degree of criticality (cluster wise) for
the three levels of management of target banks is given in Exhibit 6.5 (Table 6.13).
6.2.1 Organizational
Large banks have higher degree (15%) of average resilience (3.30) as compared to
smaller banks (2.50). The smaller banks however experience a wider range of
resilience (4.89 to 0.52) as compared to larger banks (4.49 to 1.5). This is evident
from the fact that larger banks have more formal organization with a longer history
and have therefore standardized the strategic policy implementation across branches
and units. The smaller ones are in the process of settling down. This is further
corroborated by large variance on most resilience parameters (1.3 on average) for
small banks as compared to large ones (0.6). The larger banks are slightly lesser
vulnerable on account of this factor (1.39 for large vs. 1.49 for small). Interestingly,
the vulnerability is perceived higher by the middle and functional management of
both segments of banks whereas preparedness is considered higher by the top
management.
6.2.2 Procedure
Large banks were found to be more resilient from this perspective (3.43 vs. 2.60). The
smaller banks showed much higher vulnerability compared to the smaller banks (2.49
142
vs. 0.90). The perceptions of the top management compared to the other levels
favored better resilience and lesser vulnerability as found for the cluster –
organization. The better preparedness of larger banks stems from their experience and
organizational strength in implementing processes supported by focused
organizational structure. The smaller banks are trying to catch up as they need to
constantly add to the portfolio of products and services with lesser organizational
strength to match their larger counterparts. Most small banks have still large number
of processes that are not automated, which is not the case with large banks.
6.2.3 People
The trends observed are similar to those explained above for the cluster – procedure
and for identical reasons. Large banks are more resilient (3.54 vs. 2. 45) and less
vulnerable (0.86 vs. 2.81) compared to their smaller counterparts. Small banks seem
to have more problems with staffing as compared to large banks and hence the
vulnerability on people issues. In this case too, the middle and functional
managements register higher concerns than the top.
6.2.4 Technology
Smaller banks perceive to be a shade more resilient than large banks (3.80 vs. 3.55) as
regards resilience of technology infrastructure is concerned. The dependence of large
banks is higher on technology given the greater degree of automation and hence the
lower resilience. Smaller banks are however, highly vulnerable on this parameter
(3.35 vs. 0.72). This is logical given the fact that large banks have near world-class
and state-of-the-art technology infrastructure. They also have better central and
remote control facilities for performance monitoring and tuning. Most small banks
have stand-alone systems that are networked with low cost technology solutions. This
together with inadequacy of trained technical staff makes them highly vulnerable. The
perceptions of middle and functional managers indicate better preparedness and lesser
vulnerability on account of technology as compared to the top managers – opposite to
what is experienced in case of organization, procedure and people.
143
6.2.5 Facilities
The smaller banks have reported better resilience as regards facility management
compared to large banks (4.02 vs. 2.59) but are more vulnerable (3.26 vs. 0.41). The
large banks have wide spread facility infrastructure in terms of offices, business
outlets, data centers and DR sites (near and far). Smaller banks do not have such wide
spread facilities and are mostly located in residential societies and thus are more
resilient. They are however more vulnerable as they do not have efficient facility
management infrastructure and organization that large banks can afford given their
volumes and scale of operations.
6.3.1 Organization
The managements of large and small banks seem to confirm significantly with one
another as regards Preparedness (RI) (correlation 0.8) and also agree that its value is
high (3.3 on an average). There is lesser agreement on the issue of Vulnerability in
both segments of banks (0.35 average). There is significant difference about the
perception of vulnerability between the three levels of management wherein the
middle and functional management rate vulnerability higher than the top
management. There is wide range of variation between the perception of vulnerability
ranging from 0 to 4.96, whereas the average values of vulnerability are not very high
(1.4 on an average). This indicates that on issues related to organizational strategy and
policy formulation all agree that the preparedness in this regards is of importance for
effective BCM, however, most do not (except for some functional managers in small
banks) consider it to be challenging and probable.
144
6.3.2 Procedure
There is significant uniformity amongst the top, middle and functional managements
of both segments of banks regarding high degree of preparedness amongst them.
There is however significant variation in the values of RI i.e. the extent of
preparedness between the three levels in that the top level perceives better
preparedness compared to the other two (3.13 to 2.42). There is also large variation in
the minimum and maximum values of preparedness from 0.30 to 4.98. All levels of
management in large banks rate the vulnerability (VI) far lower than their
counterparts in smaller banks (0.9 in large vs. 2.49 in small banks). There is a diverse
opinion about vulnerability in both segments of banks amongst the functional
management typified by the negative correlation of RI and VI for this group. The
smaller banks rate their preparedness as lower than larger banks by almost 25% and
feel that their vulnerability is almost 2.5 times that of large banks. The smaller banks
therefore, need to focus in organizing their procedures particularly as regards to
alternate system operations and communications in the event of disaster /
discontinuity. The larger banks seem to be geared up to take on the eventualities on
this score.
6.3.3 People
There seems to be greater agreement (co-relation 0.9) between the respective
management levels of both segments of banks as far as resilience on this issue is
concerned. However, there is a far less agreement across the different levels of
management (co-relation 0.3) in both segments. Interestingly, the levels of
management when responded individually rated preparedness as moderate (RI 2.5
average) whereas collectively they have rated this factor as high (RI 3.5). The large
banks perceived themselves as less vulnerable (VI 0.86) compared to their
counterparts (VI 2.81). On account of this factor, the middle management of both
segments of banks come out strongly in expressing concerns about vulnerability in
their respective segments. However, there is a lesser agreement (Co-relation: - 0.3)
between the preparedness of large banks and vulnerability of small banks as perceived
by the middle level management. There is a slight disagreement (Co-relation: - 0.08)
between the middle managements of both segments of banks as regards vulnerability
of their respective segments. In the overall picture, the larger banks are almost 20%
145
more resilient (RI 3.5 v/s 2.5) and 40% less vulnerable (VI 0.8 v/s 2.8) as compared to
their counterparts. The top and middle management of small banks perceived both
preparedness and vulnerability to be moderate (RI 2.38 v/s VI 2.85) whereas the
functional management perceives vulnerability to be lesser than preparedness (RI 2.78
v/s VI 2.46). This seems to be logical that given the size of small banks, people are
deployed on variety of tasks and thus get better equipped to handle most functions
that comes handy in meeting up eventualities. The large banks have specialists to
handle tasks and thus are not exposed to a greater degree of variety of tasks. The
smaller banks are more vulnerable for the same reason that non-availability of a lesser
percentage of workforces can affect a variety of functions whereas in large banks the
shear numbers provide resilience even with high percentage of non-availability of
workforce.
6.3.4 Technology
There is very high agreement amongst the top management (Co-relation 0.9), high
agreement (Co-relation 0.75) amongst the middle management and comparatively
moderate agreement (Co-relation 0.4) amongst the functional management across the
two segments. However, there is low agreement on the issue of technological
preparedness (Co-relation 0.11) between the two bank segments. The functional
management of large banks seems to differ significantly (Co-relation: - 0.35) on the
issue of preparedness (RI 3.89) against vulnerability (VI 0.71). There seems to be
moderate disagreement between the middle and functional management on the issue
of vulnerability between the two bank segments (Co-relation: - 0.1). In the overall
picture, the agreement varies from low to moderate across all levels of management of
both segments on account of preparedness and vulnerability on people issues.
Interestingly, smaller banks perceive themselves to be slightly more resilient (RI 3.8
v/s 3.5) but approximately 50% more vulnerable (VI 3.35 v/s 0.72) as compared to
large banks. The smaller banks perceive themselves as slightly better prepared (RI
4.97 v/s 4.64 max) but far more vulnerable (VI 4.56 v/s 2.25 max) as compared to
large banks. The dependence of smaller banks on technology is far less as compared
to large banks due to lesser degree of automation in various functions as most small
banks do not have fully integrated front end and back office operations. The larger
banks however have state of the art technology solutions that address their scale and
146
scope of operations. They also have rugged and reliable systems in terms of data
storage, transfer and security supported on professionally managed data centers and
DR sites with alternate bandwidth arrangements. This makes then highly resilient and
less vulnerable. The higher degree of vulnerability of small banks is due to their
inability to invest in state of the art data centers and data transfer arrangements. In the
event of major discontinuities, most offices get disconnected from each other making
them highly vulnerable from continuity perspective.
6.3.5 Facility
There is very high agreement amongst the top management (Co-relation 0.86), high
agreement (Co-relation 0.74) amongst the middle management and moderately high
agreement (Co-relation 0.6) amongst the functional management across the two
segments. However, there is very low agreement on the issue of facility vulnerability
(Co-relation 0.009) between the two bank segments as far as middle level
management is concerned. The functional management of small banks seems to differ
significantly (Co-relation: - 0.24) on the issue of preparedness (RI 1.48) against
vulnerability (VI 0.50). In the overall picture, there is greater level of disagreement
from low to moderate across all levels of management of both segments on account of
preparedness for facility issues. There is a large disagreement displayed not only in
terms of preparedness (Co-relation: -0.120) of smaller banks as compared to larger
banks but also in vulnerability (Co-relation: -0.205) in the same segment. As far as
large banks are concerned, the vulnerability of the banks as regards to their
preparedness is critical (Co-relation: -0.020) and this issue needs to be addressed with
utmost concern. Interestingly, the resilience of both the bank segments in terms of
preparedness is approximately similar (RI 4.93 v/s 4.91) but smaller banks are
extremely vulnerable as compared to larger banks (VI 4.23 v/s 1.47). The smaller
banks seem to be more resilient as compared to larger ones as the demand on facilities
is not as complex and high as large banks going to scale and scope of operations.
However, the absence of exhaustive facility maintenance, arrangements are making
smaller banks highly vulnerable. Given the large capital expenditure requirement to
create and maintain the facilities, the option that smaller banks have is to form
consortiums to address the issue.
147
6.4 Statistical Analysis of Findings
The statistical analysis of data on ‘Resilience’ and ‘Vulnerability’ (Exhibit 6.3, Table
6.11) revealed that the skew in distribution of responses for various levels of
management was found to be close to zero, as in a normal distribution. The test results
are placed at Annexure 8. Further, the correlation coefficients for the two sets of
results, viz standardized scores and percentiles, yielded very high correlation. The
credence to use of ‘Percentiles’ instead of ‘Standardized’ results was thus established.
The test also indicated that an 80 percentile score is at around one standard deviation
or above the mean, which captures nearly 16% of the responses in the ‘high’ values.
Hence an 80 percentile is being considered as a 'high' and a 20 percentile signifies a
'low' category.
The responses from the various levels of the management of the two segments were
therefore given percentiles scores using ‘Statpro’ package to rank them within the
clusters. This was done so as to ascertain relative importance the banks attribute to the
factors in the given clusters (Organization, Procedure, People, Technology and
Facility). The factors (RI and VI) were then marked as high importance (Percentiles
scores more than 0.80) and low importance (Percentiles scores less than 0.20) cluster
vise. Based on these markings, the parameters were categorized into four types from
the standpoint of criticality to implement BCM – Management level wise for both
bank segments.
The parameters were then marked as critical, essential, important and desirable for all
the management levels of the two segments of banks. The details are at appendix 5.
148
The Criticality of factors for the two segments of the banks were then ascertain based
on the markings of the factors by various management levels. A brief analysis of the
criticality of the factors for small banks was carried out and contrasted against the
larger banks. This and remarks on divergent views on the issues of criticality as
perceived by the two bank segments is given in the succeeding paragraphs.
6.4.1 Organization
The performance objectives in terms of growth in volumes and diversities (A2) of
small banks is very critical as they are less prepared and highly vulnerable as
compared to the larger banks which have essential criticality level with high
preparedness and low vulnerability. When we analyze the factor of review of
outsourced activities and relationships (B6), we infer that smaller banks are in very
critical condition as they are highly vulnerable and very less prepared as compared to
larger banks. There is a greater disagreement in terms of communication of alternate
processes (C2) in the organization in both segments of banks. The smaller banks are
less prepared and more vulnerable whereas the larger banks are considering it to be
essential and hence are less vulnerable and highly prepared. There is a level of
agreement on the factor of implementation of BCM in partner organization (D1) in
both the bank segments as this is highly critical and both segments are less prepared
and highly vulnerable. Thus, if we analyze the overall critical factor, we find that both
bank segments are having the divergent views on the factors of Clear definition and
communication of Vision and Mission (A1) and their Performance Objectives (A2).
Similarly, there is a greater level of disagreement on the issues of Participative
Governance (A5), Cultural Change (A8), Business Impact Analysis and Risk
Evaluation (B1), Rationalizing Organization (B2), Review of Outsourced activities
and Relationships (B6), Alternate Processes (C1) and Communication of Alternate
processes in the organization (C2) as the banks are having divergent views on this
matter. Closer analysis of the data reveals that whenever larger banks are more
prepared, they are less vulnerable for various issues except for the fact that in terms of
Social Sensitivity (A6), the larger banks are much more prepared (RI 4.16) and at the
same time they are also highly vulnerable (VI 3.22). When smaller banks are analyzed
it is very obvious that they are very less prepared (RI 2.30) for Review of outsourced
activities and relationships (B6) and highly vulnerable for this particular factor (VI
149
4.15) and our suggestion for this particular to the banks is that they should be better
prepared for this particular matter.
6.4.2 Procedures
There seems to be a disagreement on the issue of Service Level Agreements (A3)
between small banks and large banks wherein the small banks are less prepared and
highly vulnerable and are falling in critical zone for this matter whereas larger banks
are finding this factor as essential and hence they are highly prepared and less
vulnerable. The observation in terms of Documentations (A) of the procedures is very
differing for small banks and large banks. The small banks are less prepared and
highly vulnerable for mishandling of the documentation issues whereas the larger
banks are considering the criticality level of this issue as important wherein even
though they are highly prepared, they are again highly vulnerable for this matter. On
the issue of Knowledge management to track customer behavior, to take proactive
actions during disasters (D3), the smaller banks are again less prepared and highly
vulnerable whereas the larger banks are finding it to be the most desirable in terms of
criticality level. Also on the issue of safety rules (A5), the disagreement is there in
both the bank segments where smaller banks are considering the criticality level as
important as they are highly prepared and highly vulnerable for this factor and the
larger banks are displaying the situation as critical because they are less prepared for
security breaching and highly vulnerable on this factor. The overall picture of the
critical factors for both bank segments show that on the factors of Application of
Security Policy across the organization (A7), Compliance of RBI Regulations (A10),
Incident Logging (B2), Market/Environment Information Gathering for incorporation
in BCP (B6), Testing Schedules for Processes (D1) and Knowledge Management to
track customer behavior, to take proactive actions during disasters (D3), the situation
is highly critical and both the segments are less prepared and highly vulnerable for
miss happenings. For the factors of Contingency Plans (A1), Emergency Action Plans
(A2), Data replication, both bank segments are considering the criticality level to be
important because not only they are highly prepared but vulnerabilities are also very
high.
150
6.4.3 People
The people factor is an important factor while studying Business Continuity
Management in both segments of the banks. The factors of Risk Awareness and
Preparedness Tests (B4) and Tolerance Limit of Employees (B5) are very critical for
small banks as they are less prepared and highly vulnerable but in case of large banks,
the criticality level is essential as this segment is less vulnerable due to high
preparedness. Again on the issues of Tolerance limit of Customers (B7) and Actions
against Defaulters (C2), small banks are displaying high criticality as they are less
prepared and highly vulnerable against these attacks. There is a greater level of
agreement in both the segments of the banks for the deployment of management
teams as both consider it to be an essential factor with high preparedness and low
vulnerability. Again the factor Crisis Management Team (A1) is important for both
the banks with high preparedness and high vulnerability. The smaller banks are not
only better prepared but also very much vulnerable on the issue of Reward System for
Outstanding Contributions (D2) whereas this issue is desirable for larger banks as
they are less prepared and less vulnerable. In the overall picture, the issues of Key
Personnel (B1), Tolerance limit of Employees (B5), Tolerance limit of Customers
(B7), Actions against defaulters (C2) and Succession Planning (D1), both the bank
segments are displaying the conditions to be very critical as their resilience indicator
is low and at the same time their Vulnerability indicator is high and hence a lot of
attention is needed for improvement in this area. For Security Roles and
Responsibilities (B2), Safety Roles and Responsibilities (B3), Risk Awareness and
Preparedness Tests (B4), Social Sensitivity (C3) and Knowledge Management (C5)
both segments are having divergent views on people issues for these factors. Crisis
Management Team (A1) and Deployment Management Team (A2) factors are
important with high preparedness and high vulnerability in both segments of the
banks.
6.4.4 Technology
The criticality level of small banks on the issues of Alternate arrangements for
specialized/automated delivery mechanism (B6), Phone Banking operations and
Security (B7) and Specialized inter banking operations (B9) is highly critical as they
are not having the latest technology and are not prepared and at the same time highly
151
vulnerable for any kind of misshapenness. For all these factors, larger banks have
latest technologies and hence they are less prepared and less vulnerable and thus level
of criticality is desirable for this particular segment. For factors like Data Integrity
(A3), Replication (A5), Internet Banking operation and Security (B8), Infrastructural
renewal (B12), User Access Control (D1) and Data Security (D2), the small banks are
considering the criticality level as important and the resilience indicator for these
factors is high but at the same time they are highly vulnerable with high vulnerability
Indicator. The factors Standardization of Equipments and Applications (A7), System
Administration (A8), Application Monitoring, Tuning and Diagnostics (A9),
Knowledge Management to track Utilization and performance of hardware and
applications (B11) and Application Security (D3) are factors that are considered as
having Essential Criticality level for which the banks are highly prepared but are at
the same time less vulnerable. For the same factors, the large banks are having critical
conditions for which they are less prepared and highly vulnerable. If Overall picture
of Technology issue is analyzed then we can come to a conclusion that Architecture of
IT Solutions (A1), Data Architecture Review (A4), Application Monitoring, Tuning
and Diagnostics (A9), Alternate arrangements for specialized/automated delivery
mechanism (B6), Phone Banking Operations and Security (B7), Specialized Internet
Banking Operations (B9) and Intra Bank Communication System Portfolio (C3) are
some of the factors for which the condition is highly critical and both the segments of
the banks are less prepared and highly vulnerable for Technology vulnerabilities. For
Server consolidation (B1), Backup Systems (B3) and Knowledge Management (B11)
factors, both the segments of the banks are considering the criticality level as essential
wherein they are highly prepared and less vulnerable. For all the other factors, both
the segments of the banks is having divergent views and has greater level of
disagreements in the implementation of technological issues.
6.4.5 Facilities
The smaller banks seem to be in critical condition for factor Safety Equipment and
Maintenance (B3) wherein they are not prepared and are susceptible for higher
vulnerabilities as compared to large banks. Similarly for factors Central Data Center
(A2), Facility Management (B4), Data Center Security (C2), Data Center Safety (C3),
Infrastructural Renewal (D2) and Review of Vulnerability Analysis of Critical Assets
152
(D3) the smaller Banks’ criticality level is important because even though they are
highly prepared, the level of vulnerability is also comparatively high. For factors
Recovery Center Locations (A3), Communication (B1) and Knowledge Management
(D5) the small banks are high prepared with low vulnerabilities. In the overall picture,
both the segments of the banks are in critical condition for the factors Workplace
(A1), Resource Location in Disaster (B2), Transportation (C1), Training and
Education of Stake holders in handling emergency/safety equipments in crisis (D4)
and knowledge management to track utilization and performance of assets (D5)
where these segments are less prepared and highly vulnerable for the miss handling of
the facility issues. For factors Central Data Center (A2), Facility Management (B4),
Infrastructural Renewal (D2) and Review of Vulnerability Analysis of Critical Assets
(D3) both the bank segments are having important criticality level as on these factors,
the banks are highly prepared and at the same time highly vulnerable. There is a
greater level of disagreement on the issues of Recovery Center Locations (A3),
Communication (B1), Safety Equipment and Maintenance (B3), Data Center Security
(C2), Data Center Safety (C3), and Security Planning in Disaster (D1) as the banks
are having divergent views on these factors and both segments feel that their way of
implementation of facilities is proper and up to the mark and thus, these issues need to
be concerned.
153
6.5.1 Organization
154
6.5.2 Procedure:
155
6.5.3 People
156
6.5.4 Technology
157
6.5.5 Facilities
158
Table 6.8 Cluster wise recommendations to MSRBs
Recommendations to management to effect
Parameter of vulnerability
interventions to make MSRBs resilient and
Sr.No to be addressed to improve
come up to levels of large banks in this
resilience for continuity
regard
1. Organization
Highly vulnerable
a. Adaptation of Automation The banks need to create adequate
Technology and imbibing infrastructure for automation in a
Culture of “ Do it yourself” collaborative (outsourced) arrangement with
using Technology for “ providers” who will take care of
Employees investments and risks both for installation
Customers and operations whilst the bank pays for the
Partners – IT, Facilities, time /volume utilized (on demand).
Services, Insurance, The staff needs to be appropriately trained
Safety Roles and and retrained and kept motivated.
Responsibilities Clear directions about roles and
responsibilities during disaster situations
that need to be communicated on intranet as
well as “rule books.”
b. Improved Awareness Better training and motivation by providing
and Enablement of challenges and rewarding performance.
employees ensuring Sensitivity checks carried out randomly in
better preparedness of various outlets by a central team to record
employees . levels of performance and suggest
Greater “Tolerance improvements where necessary.
Limit” of customers to Regular communication by way of bulletins
withstand disruptions and socializing events to appraise customers
without getting ruffled . of new initiatives taken to upgrade service
Regular assessment of levels to them.
sensitivity of both
employees and
customers for the above
two.
c. Regular Tracking of Setting up an up gradation of benchmark
performance of all that are objectively measurable in terms of
individuals at various response times, volume handled, service
levels, roles and rendered etc.
locations in normal Appropriate corrective actions in respect of
operating conditions those not found to perform at par during
Recording performance normal operations.
displayed during De-briefing after disruptions (Knowledge
situations of disruptions Management) and recording performance
for responses in terms of during that situations.
speed and correctness. Outstanding contributions be appropriately
rewarded and below par performances to be
discussed with concerned individuals and
corrected.
159
d. Crisis Management Team Organization that will become operative during
(Multi Functional Team emergency situations defining clear roles and
responsibilities with allocation of alternative
tasks to be clearly defined. This needs to be
adequately communicated by way of intranet,
secure website and rule books placed in
accessible locations.
Moderately vulnerable
e. Enunciation and These banks need to formalize processes to
Communication of communicate growth targets and report
Performance Objectives performance regularly and effectively to all
(e.g. Growth in volumes stakeholders i.e employees, customers and
and diversity) to all partners.
concerned. This will enhance confidence and esteem
Relationship with among them that will be the driver of
Business Partners to adapting newer systems as also participative
foster ability to adopt relationships in growing and furthering
changes. business.
Rationalizing The roles and responsibilities of all
Organization – Roles functionaries internal and external need to
and Responsibilities be rationalized to provide more resilience to
embrace change and growth. These need to
be communicated by way of intranet,
internet and rulebooks.
f. Business Impact Analysis Systems and processes need to be put in place
and Risk Evaluation for to carry out business impact analysis on a
Critical Process to identify regular basis preferably by a team comprising
impact on business. of internal and external consultants. The risk
profile keeps changing in the present day
banking environment owing to changes in
technology, regulations, delivery alternatives,
customer preferences and competition.
2. Procedure
Highly vulnerable
a) Documentations This aspect does not receive adequate attention
Contingency Plans as organization is loaded with operational tasks.
Emergency Action Plan These are extremely important to manage
Security Rules operations during disruptions and recovering
Safety Rules back to normalcy after eventuality is over.
Service Level These documentation need to be adequately
Agreements communicated using all methods (electronic
and paper-based).
b) Knowledge Management There is a tendency of not recording
to track customer parameters of responses, efficiency and
behavior and effectiveness of actions taken in meeting
Employee responses disruptions and effecting recovery. These
during disasters. are due to lack of attitude and also to an
Review of Vulnerability extent owing to organizational issues. A
160
of Critical Processes and dedicated team is to be nominated (using
Analysis of Recovery internal and external consultants) and tasked
from perspective of with this responsibility.
response time and Formats for data gathering need to be
efficiency. created and communicated. These are to be
used post-recovery and during regular
reviews. It is recommended that reviews be
conducted by yearly. The task of analysis
must be entrusted to external consultants.
The findings must be discussed in annual
meetings and instructions issued thereafter.
c) Incident Reporting There has to be a formal structure and
Handling Media in the process to report incidents to appropriate
event of an accident. levels (escalations) and outsourced /
Risk Awareness Reality collaboration partners (a necessity in their
Check Up in the case as most support may be from outside
Organization. the organization). The methodology should
be conducive to data-entry and analysis.
The media-handling function can also be
done by an agency with appropriate SLA in
operation.
There should be an annual reality check
using a metrics, drawn on the lines of one
suggested in this study, modified as per the
“environment”.
Moderately vulnerable
d) Compliance of Security and They should go in for this certification
Safety Procedures in religiously to attain requisite standards on
accordance with ISO 27001. account of security and safety. They should
be reviewed yearly for up gradations.
It is generally expensive to sustain these
initiatives. It is therefore recommended that
these banks should form a consortium that
engages the audit agencies on behalf of the
member banks to reduce financial liability.
e) Integration of Business The operating documents and rule books
Continuity Procedures ought to have sections on alternate
with normal business processes and organization that are to be
processes. operative in the event of disruptions.
Testing Schedules to There should be a schedule to test all the
assess efficacy of alternate processes by conducting
alternate processes in simulation exercises that will keep the
operations. employees in a state of readiness to meet
disruptions.
For both above the “consortium approach”
is recommended.
3. People
Highly vulnerable
161
a) Maintaining High levels These can be achieved by :
of “ Risk Awareness”, Clarity on Roles and Responsibilities that
and “Preparedness” for are well defined and adequately
employees communicated.
Achieving greater Just and proper performance review
“Tolerance Limit” for mechanisms and reward systems.
customers and business Regular training and retraining.
partners. Providing exposure to “best &
contemporary” practices in banking globally
by way of formal and informal interactions
with other banks.
Appropriate correction mechanisms for
those not performing at par.
Regular informative and social interactions
with customers and business partners.
b) Performance of Crisis Reward System for Outstanding
Management Team (Multi Contributions (Merit Based Promotions and
Functional Team). Incentives),
The performance of Crisis Management
Team is to be recorded and analyzed after
every disruption situation. Objective
measures must be applied to gauge
performance levels, effectiveness and
efficiency. Their must be a formal
debriefing session sponsored by the top
management , to accrue learnings and
improve organization and processes.
Outstanding performers must be suitably
rewarded.
c) Fostering culture of “self The organizational initiatives that should be
dependency” and undertaken are enumerated in Section 1 and
adaptability to change. 2 above.
The esteem and self-belief arising out of
high performance and respectable public
image are catalysts in fostering sustaining a
culture of self-dependency and adaptability
in addition to organizational methods.
Moderately vulnerable
d) Deployment Management The key personnel who would own the
Team- Roles and process of countering emergency situations
Responsibilities of Key with alternate processes and participate in
Personnel the recovery to normalcy ought to be clear
about roles, responsibilities and deployment
during emergency.
They need to be “accepted” by their peers as
“leaders” in the situation. This can be
brought about by dissemination of
appropriate information about them
162
organizationally as well as by their own
conduct of exemplary performance during
normal conditions.
e) Enablement of all This is required to facilitate assumption of
stakeholders (Customers, responsibility by all stakeholders in working
Employees and Business the alternate organization and processes
Partners). during disruptions.
True Enablement is realized by ability to
communicate and trust by all involved in
addition to awareness of rules and
procedures.
4. Technology
Highly vulnerable
a) Arrangements for It is recommended that these banks form a
specialized / automated consortium that provides these delivery
delivery mechanisms- systems on usage cum retainer basis.
ATM’s, POS terminals, This would provide greater efficiency as
Kiosks, Phone Banking regards response time and reliability is
Operations and Security concerned. The provider will have the
advantage of economy of scale and would
therefore be able to create and maintain
state of the art infrastructure and also take
away risk and requirement of capital from
bank’s perspective.
Given the ruggedness of modern day data
security and transmission systems, secrecy
of data and can be reliably effected together
with appropriate SLAs.
b) Technology Infrastructure It is recommended that these banks form a
Solution Architecture consortium that provides these delivery
Hardware (Central and systems on usage cum retainer basis.
units) This would ensure that infrastructure will
Applications ( Core & always remain contemporary and reduced
support) cost of operations, maintenance and
Utilization and upgrades.
performance Reduce requirement of capital expenditure,
Database & Application risk. Skilled Technology manpower ( not a
Security core competence of banks ).
Backups (Central and Secrecy of data and operations can be
units) reliably effected by use advanced
Alternate systems monitoring and control system ( all with
Review of Vulnerability. remote operations capabilities) together
Knowledge Management with appropriate SLAs.
to track performance and Review of performance and requisite
effect upgrades upgrades to be carried out by a team of
consortium (internal) and external
(professional) consultants.
c) Data Communications & It will be highly profitable for these banks
163
Security form a consortium and tie up with leading
Network Bandwidth Data communication providers ( both
Provisioning ( LAN – private & public sector ) that provides these
units & WAN inter services on usage cum retainer basis.
units) This would ensure availability of latest in
Access Control & class Data communication infrastructure,
Security reduced requirement of capital and cost of
Performance tuning & operations, maintenance & upgrades and
Administration reduced requirement. Skilled technical
Review of Vulnerability. manpower
Knowledge Management to Secrecy of data and operations can be
track performance and effect reliably effected by use advanced
upgrades monitoring and control system ( all with
remote operations capabilities) together
with appropriate SLAs.
Review of performance and requisite
upgrades to be carried out by a team of
consortium (internal) and external
(professional) consultants.
d) Specialized inter banking Consortium exist for inter banking
operations- Delivery operations using IBRD (Hyderabad) ‘s
Channel Integration and NIFNET. This service is utilized for most
Security, fail safe inter banking operations and reconciliation.
mechanisms and alternatives The cost at the moment are high from
international standards.
The consortium approach will provide better
negotiating power to MSRBs to subscribe to
this as the scale will justify costs that will
get distributed across members.
It will also provide private players to get
interested in providing these services as
“value added component to their service
delivery models.
e) Standardization of Consortium based approach can provide
Equipments and opportunity to standardize equipment across the
Applications, System member banks that will provide both efficiency
Administration - and reduction in total cost of ownership.
Monitoring, Tuning and
Maintaining using
automated tools
Moderately vulnerable
f) Applications Monitoring, Consortium approach described above is
Tuning and Diagnostics recommended to address this requirement.
using automated tools
Network Monitoring and
Maintenance using
automated tools
g) Enterprise Application Consortium approach described above is
Integration recommended to address this requirement.
164
5. Facilities
Highly vulnerable
a) Central Data Center, Creating and maintaining world class Data
Security, and Safety Center is almost prohibiting proposition for
Safety Equipment and MSRBs.
Maintenance, Facility Consortium approach together with all its
(Power, Fire and advantages of efficiency, effectiveness and
flooding, Access cost, already described above is
Control) Management - recommended.
Monitoring, Tuning and The consortium should have a set of Data
Maintaining using centers that will serve a group of member
automated tools, banks ( number of members in a group
based on collective load ) in a geography.
These will have different status of operation
for the groups. A data center will serve as
“Near Site” for say Group 1, Main Site for
Group 2 and DR Site for Group 3 at the
same time to justify the investment and
thereby reducing total cost of ownership.
Security and safety of these centers can be
made world class by installing latest
technology paid up by the groups.
Typically a group in each category (Near,
Far& DR sites) could be from 10-15
MSRBs.
b) Transportation of Personnel Arrangements to be made, again in
and Equipment to Disaster consortium approach to identify few
Site Location. locations in safe areas that can be used as
Recovery back to Workplace emergency locations when the need arises.
location. These locations can be used for training the
staff by the consortium during normal
situations with capability of getting
converted to alternate locations during
emergency.
The transportation of personnel and
necessary equipment to alternate location
can be outsourced to a logistics agency,
which can be paid on retainer ship cum
usage payment model.
c) Infrastructural Renewal, Review of critical assets that constitute facilities
Review of Vulnerability of including security and safety to be carried out
Critical Assets/Security and by a team of consortium (internal), outsourced
renewal / up gradations of agencies & partners and external (professional)
facilities. consultants to recommend and implement
upgradations when and where necessary.
Moderately vulnerable
165
d) Knowledge Management to This is to be done at consortium level for all
track utilization and member banks. A professional agency can be
performance of assets in employed to effect this. It will serve dual
Normal and other than purpose of third party professional audit (by
normal situations agencies that are approved by government) and
analysis of warehoused data to indicate trends
and improvements.
e) Training and Education of This is to be done at consortium level for all
Stake Holders in handling member banks. A professional training agency
emergency/safety equipment can be employed to effect this.
in crisis.
166
There is a lesser agreement across the different levels of management (top, middle
and functional) regarding ‘preparedness’ on account of People issues in both
categories of banks.
The top management seems to perceive healthy state on this accord whereas the
middle management in both categories hold greater concerns regarding higher
‘vulnerability’ on account this issue (Training, Motivation, Deployment etc). The
functional management perceives ‘preparedness’ to be better and less vulnerable since
the problem conceived by them is local and hence smaller in scale and scope.
The top and middle management of both the categories of bank agree significantly on
issues related to Technology as far as ‘preparedness’ is concerned but differ
significantly on state of ‘vulnerability’. The functional management of larger bank
perceives lower vulnerability than their counter parts of smaller banks but it is other
way round when it comes to the state of ‘preparedness’. This is predominantly due to
greater dependence of larger banks on technology. Therefore, despite their better
infrastructure, they perceive themselves more vulnerable. The smaller banks are less
resilient on this account due huge ‘Total cost of ownership’ in creating and operating
quality IT Infrastructure.
167
d. Elaborate business impact analysis of critical processes.
e. Enunciation and communication of alternate processes (to critical processes).
f. Better documentation of alternate procedures and instructions on safety.
g. Comprehensive Service Level Agreements with reliable outsourced agencies to
provide support as regards Technology, Infrastructure and Facilities.
h. Elaboration of operating BCM as regards incidence logging and taking proactive
actions during disasters and communicating the same to all concerned.
i. Training of Employees to improve “Risk Awareness and Preparedness”.
j. Clear organization of “Crisis Management Team (Multi Functional)” and
communication to all concerned.
k. Testing of BCM efficacy by regular drills.
l. Clear instructions and communication scheme to muster key personnel during
disasters and effect succession planning
m. Measurement of performance and reward systems.
n. Enhancement of IT Infrastructure for better data and applications management
ensured by reliable system with redundancy.
o. Alternate arrangements for IT Enabled transactions across product and service
offerings.
p. Efficient IT based tools and systems for managing operations and security of
networks, applications and databases.
q. Efficient backup hardware, systems and procedures.
r. Knowledge Management and regular audit of IT Infrastructure & Operations for
improvements.
s. Better data center infrastructure with modern access control and support systems.
t. Provision of alternate sites to migrate operations in event of disasters.
u. Deployment of modern safety equipments (automated and IT enabled).
v. Arrangements for alternate spaces and transportation of key personnel.
w. Insurance of assets (People, IT and Equipments).
168
6.6.4 Recommendations for successful BCM in Small banks
The MSRBs are performing effectively in their target segments, which cater mostly to
local population. They have limited portfolio of products and services as compared to
large banks. There is growing expectation of customers in terms of response time and
variety of service delivery options for which large banks are adequately prepared. The
MSRBs are less resilient and more vulnerable on issues of organization policies,
procedures and people issues. They also have humble infrastructure related to IT and
Facilities that is making them fall short on customer expectations as well as makes
them more vulnerable in disruptive situations. The following therefore are brief
recommendations to MSRBs to improve their resilience from continuity perspective.
a. Enhance products and service delivery options by resorting to high degree of
automation both for delivery as well as back office operations.
b. Clear definition of roles and responsibilities that are well documented and
communicated using electronic and paper media to facilitate operationalize
alternate process supported by emergency organizations in event of disaster.
c. Enhance awareness, preparedness and tolerance limits of employees and partners
by way of appropriate training interventions and motivation brought about by
suitable reward system.
d. Augment technology infrastructure both IT and Facilities by forming consortiums
that will collectively outsource asset provisioning, operations and maintenance to
support automated operations.
e. Consortiums can provide these to member banks on retainer cum usage basis
costing model that will reduce total cost of ownership and would improve
efficiency and effectiveness of operations owing to installation of best in class
hardware and software systems that will become affordable.
f. They need to raise the bar in terms of performance and producing results making
them competitive. They must practice transparency in communications to all
stakeholders to improve their esteem and thus resilience.
g. There is a need to foster a culture of adapting to changes and focusing on
enhancing value to customer by way of wider range of services delivered
efficiently and effectively.
169
6.7 Conclusion
Large banks are more resilient on account of parameters related to Organization,
Procedure and People owing to well-established and managed systems but are less
resilient on Facilities owing to their size and scale. Small banks show a comparable
resilience on account of technology, as their infrastructure is more than adequate for
the scale and scope of their operations but are highly vulnerable on account of
Procedures, Technology and Facilities. Large banks are more vulnerable on account
of People due to volumes and expanse of operations needing more people, not the
case with Small banks that cater to localized customers. The smaller banks are more
resilient on account of Facilities owing to lesser demand (hence pressure) of volumes
and diversity of products/services offered by them. The absence of adequate
infrastructure makes the smaller banks far more vulnerable that are unable to create
appropriate facilities due to lack of financial strength.
The managements in two categories of banks perceive that they are less vulnerable
possibly because banks in India have not been challenged significantly in this regard.
Those in small banks perceive greater vulnerability on account of Procedures to meet
discontinuities and view it with concern. The top management seems to perceive that
their staff is well prepared to meet any contingency but the functional management
see this to be an area of concern. The functional management in larger banks
perceives greater vulnerability on account of technology due to greater dependence of
larger banks on technology despite their better infrastructure. The smaller banks are
less resilient on this account due huge ‘Total cost of ownership’ in creating and
operating quality IT Infrastructure.
The SMBs are performing cater mostly to local population and have limited portfolio
of products and services as compared to large banks. They are unable to match the
growing expectation of customers in terms of response time and variety of service
delivery options due their humble IT infrastructure, facilities and organizational
strengths. The SMBs therefore are recommended to improve their resilience from
continuity perspective by resorting to following:
170
Enhance products and service delivery options by resorting to high degree of
automation both for delivery as well as back office operations.
Well defined, documented and communicated roles and responsibilities that are
well documented and communicated using electronic and paper media to facilitate
operationalize alternate process supported by emergency organizations in event of
disaster.
Enhance awareness, preparedness and tolerance limits of employees and partners
by way of appropriate training interventions and motivation brought about by
suitable reward system.
Augment technology infrastructure both IT and Facilities by forming consortiums
that will collectively outsource asset provisioning, operations and maintenance to
support automated operations.
Consortiums can provide these to member banks on retainer cum usage basis
costing model that will reduce total cost of ownership and would improve
efficiency and effectiveness of operations owing to installation of best in class
hardware and software systems that will become affordable.
They need to raise the bar in terms of performance and producing results making
them competitive. They must practice transparency in communications to all
stakeholders to improve their esteem and thus resilience.
There is a need to foster a culture of adapting to changes and focusing on
enhancing value to customer by way of wider range of services delivered
efficiently and effectively.
The above conclusion reinforces the following hypotheses (as concluded in Chapters
2, 4 and 5):
a. Higher the level of state-of-the-art IT infrastructure more is the reliability of the
BC practice and organizational strength, especially for banks that support
multiple products and services delivered through multiple channels.
b. The success in the implementation of BC practices as envisaged in enhanced
image and reputation of the bank depends on the softer aspects of Operations
such as employee awareness, readiness, empowerment, culture of innovation and
adaptability and Adherence to International Quality Standards.
The results of application of BCM reality check model to select banks in Mumbai
enforce the hypothesis:
Small banks are less resilient to meet major disruptions as compared to large
banks on account of technology and facilities due to their inability to invest in
state-of-the-art IT infrastructure and establish reliable and communicated
procedures for alternate operations.
171
Exhibit 6.1 (Table 6.9) - Cluster-Wise Details of BCM Parameters
ORGANIZATIONAL
A5 Participative Governance
A6 Social Sensitivity
Socializing, Planning and Learning from Review of Results and Performance (Bank and
A7
Individuals) and Communicating Results to foster esteem and motivation amongst employees.
A8 Cultural Change- Agility of bank to adopt changes
B4 Process Reviews – Top driven exercise with involvement of concerned stake holders.
172
Srl. BCM Parameter
PROCEDURES
A1 Contingency Plans
A Documentations
A4 Security Rules
A5 Safety Rules
A6 Health Rules
A11 Compliance of Security and Safety Procedures in accordance with ISO 27001
B1 Incident Reporting
B2 Incident Logging
C1 Data Replication
D3 Knowledge Management to track customer behavior, to take proactive actions during disasters
Knowledge Management to assess efficacy of alternate processes in operation and suggest
D4
improvements
173
Srl. BCM Parameter
PEOPLE
B1 Key Personnel
C1 HR Process Reviews
C3 Social Sensitivity
D2 Reward System for Outstanding Contributions (Merit Based Promotions and Incentives)
174
Srl. BCM Parameter
TECHNOLOGY
Architecture of IT Solutions blending proprietary & open source systems and web based &
A1
centralized applications
A2 Enterprise Application Integration
A3 Data Integrity
A5 Replication
B2 Storage Consolidation
B3 Back Up Systems
B11 Knowledge Management to track utilization and performance of hardware and applications
C3 Intra Bank Communication System Portfolio – Intranet, voice based, messaging system.
D2 Database Security
D3 Application Security
175
Srl. BCM Parameter
FACILITIES
A1 Workplace
B1 Communication
D2 Infrastructural Renewal
176
Exhibit 6.2 (Table 6.10) - Resilience Indicator and Vulnerability Index (Cluster-wise)
Strength/Prepardness - P (L-Large Bank) Threats/Risks - R (L- Large) Vulnerability Quotient - V (L-Large) Upgrades /Improvements - T (L-Large)
Top Middle Functional Overall Top Middle Functional Overall Top Middle Functional Overall Top Middle Functional Overall
Srl.
PLT RLT PLM RLM PLF RLF PL RLT RLT RLM RLM RLF RLF RL VLT RLT VLM RLM VLF RLF VL TLT RLT TLM RLM TLF RLF TL
ORGANIZATION
A1 4.6 8.0 4.5 13.0 4.3 4.0 4.5 1.0 11.0 3.0 4.0 2.0 6.0 1.7 0.1 8.0 0.5 13.0 0.1 4.0 0.3 0.4 11.0 0.5 4.0 0.5 6.0 0.4
A2 4.6 18.0 4.0 3.0 4.3 2.0 4.5 3.3 8.0 1.0 7.0 0.5 6.0 1.7 0.2 18.0 1.0 3.0 0.5 2.0 0.3 1.0 8.0 0.7 7.0 0.8 6.0 0.8
A3 4.9 6.0 4.5 11.0 4.0 5.0 4.5 2.6 10.0 1.3 4.0 1.0 6.0 1.9 0.3 6.0 0.1 11.0 0.1 5.0 0.2 0.9 10.0 0.8 4.0 0.9 6.0 0.9
A4 4.7 6.0 4.3 5.0 4.5 12.0 4.5 2.6 10.0 1.0 4.0 0.5 6.0 1.7 0.1 6.0 0.4 5.0 0.1 12.0 0.2 0.7 10.0 0.9 4.0 0.8 6.0 0.8
A5 4.9 6.0 4.5 13.0 4.0 5.0 4.5 4.2 10.0 4.0 4.0 4.5 4.0 4.2 0.4 6.0 1.0 13.0 1.0 5.0 0.8 0.8 10.0 0.9 4.0 0.9 4.0 0.8
A6 4.9 10.0 4.3 2.0 4.8 12.0 4.8 3.9 13.0 4.5 7.0 3.5 2.0 4.1 0.9 10.0 0.8 2.0 0.7 12.0 0.8 0.9 13.0 0.8 7.0 0.9 2.0 0.9
A7 4.2 5.0 3.0 7.0 3.5 11.0 3.5 1.5 13.0 1.5 3.0 2.0 8.0 1.6 0.5 5.0 0.5 7.0 0.5 11.0 0.5 0.9 13.0 0.5 3.0 0.6 8.0 0.8
A8 4.8 8.0 4.3 12.0 3.5 4.0 4.3 3.4 13.0 3.3 4.0 3.5 1.0 3.4 0.4 8.0 0.7 12.0 1.0 4.0 0.7 0.8 13.0 0.6 4.0 0.9 1.0 0.8
A9 4.2 5.0 3.5 12.0 3.0 7.0 3.5 1.2 11.0 1.5 6.0 1.0 6.0 1.2 0.3 5.0 0.6 12.0 0.5 7.0 0.5 0.9 11.0 0.3 6.0 0.6 6.0 0.6
B1 4.2 19.0 3.5 2.0 3.0 2.0 4.0 3.7 9.0 3.5 3.0 3.0 9.0 3.4 0.6 19.0 0.6 2.0 0.7 2.0 0.6 1.0 9.0 0.7 3.0 0.8 9.0 0.9
B2 4.7 8.0 4.0 11.0 3.0 5.0 4.0 5.0 6.0 2.5 9.0 3.0 6.0 3.4 0.3 8.0 0.3 11.0 0.3 5.0 0.3 0.9 6.0 0.5 9.0 0.6 6.0 0.6
B3 4.8 4.0 4.5 15.0 4.3 4.0 4.5 3.8 10.0 3.0 2.0 3.7 8.0 3.7 0.2 4.0 0.1 15.0 0.3 4.0 0.2 0.9 10.0 0.6 2.0 0.8 8.0 0.8
B4 4.4 9.0 3.5 1.0 4.3 13.0 4.3 1.3 11.0 2.5 6.0 1.7 7.0 1.7 0.0 9.0 0.2 1.0 0.1 13.0 0.1 0.8 11.0 0.6 6.0 0.8 7.0 0.7
B5 4.9 10.0 4.8 12.0 4.3 2.0 4.8 3.3 10.0 3.7 8.0 4.5 5.0 3.7 0.7 10.0 0.8 12.0 0.5 2.0 0.7 0.8 10.0 0.9 8.0 0.8 5.0 0.8
B6 4.2 5.0 4.5 14.0 4.8 4.0 4.5 3.7 8.0 3.5 3.0 3.0 8.0 3.4 0.6 5.0 0.8 14.0 0.8 4.0 0.7 0.9 8.0 0.8 3.0 0.8 8.0 0.8
B7 3.7 6.0 3.0 11.0 2.5 6.0 3.0 0.8 12.0 1.5 6.0 1.0 4.0 1.0 0.1 6.0 0.1 11.0 0.1 6.0 0.1 0.6 12.0 0.3 6.0 0.4 4.0 0.5
C1 3.9 14.0 4.3 4.0 4.5 2.0 4.0 3.5 12.0 2.5 5.0 3.5 5.0 3.3 0.2 14.0 0.3 4.0 0.5 2.0 0.2 1.0 12.0 1.0 5.0 0.9 5.0 0.9
C2 4.3 6.0 4.5 14.0 4.8 3.0 4.5 1.3 10.0 3.0 4.0 2.0 6.0 1.8 0.3 6.0 0.1 14.0 0.1 3.0 0.2 1.0 10.0 0.8 4.0 0.9 6.0 0.9
C3 5.0 22.0 4.7 2.0 4.3 1.0 4.9 3.3 8.0 4.0 6.0 4.5 4.0 3.8 0.7 22.0 1.0 2.0 0.9 1.0 0.7 0.9 8.0 1.0 6.0 0.9 4.0 0.9
D1 3.0 6.0 3.0 14.0 3.3 3.0 3.0 3.2 10.0 3.3 6.0 4.0 2.0 3.3 0.6 6.0 0.7 14.0 0.3 3.0 0.6 0.7 10.0 0.3 6.0 0.5 2.0 0.5
D2 3.9 7.0 4.0 10.0 4.5 3.0 4.1 4.3 8.0 3.0 6.0 2.5 6.0 3.4 0.5 7.0 0.8 10.0 1.0 3.0 0.7 1.0 8.0 1.0 6.0 0.9 6.0 1.0
177
Strength/Prepardness - P (L-Large Bank) Threats/Risks - R (L- Large) Vulnerability Quotient - V (L-Large) Upgrades /Improvements - T (L-Large)
Top Middle Functional Overall Top Middle Functional Overall Top Middle Functional Overall Top Middle Functional Overall
Srl.
PLT RLT PLM RLM PLF RLF PL RLT RLT RLM RLM RLF RLF RL VLT RLT VLM RLM VLF RLF VL TLT RLT TLM RLM TLF RLF TL
OPROCEDURE
G O
A1 4.9 9.0 4.5 8.0 4.0 7.0 4.5 3.3 8.0 5.0 6.0 4.5 7.0 4.2 0.5 9.0 0.1 8.0 0.1 7.0 0.3 0.9 8.0 0.8 6.0 0.8 7.0 0.9
A2 4.5 11.0 4.3 6.0 4.8 6.0 4.5 3.3 8.0 3.0 6.0 3.5 7.0 3.3 0.1 11.0 0.2 6.0 0.5 6.0 0.2 1.0 8.0 0.8 6.0 0.8 7.0 0.9
A3 4.9 10.0 4.8 12.0 4.0 1.0 4.8 2.9 10.0 3.7 8.0 3.3 6.0 3.3 0.2 10.0 0.1 12.0 0.1 1.0 0.1 0.8 10.0 0.8 8.0 0.9 6.0 0.8
A 4.9 18.0 4.5 3.0 4.3 2.0 4.8 3.5 12.0 4.0 4.0 3.5 4.0 3.6 0.4 18.0 0.1 3.0 0.1 2.0 0.3 0.9 12.0 0.7 4.0 0.9 4.0 0.9
A4 4.9 7.0 4.5 11.0 4.0 5.0 4.5 2.8 11.0 2.5 5.0 2.0 6.0 2.5 1.0 7.0 0.9 11.0 0.9 5.0 0.9 1.0 11.0 0.9 5.0 0.8 6.0 0.9
A5 4.4 5.0 4.3 16.0 3.8 2.0 4.3 2.8 8.0 1.5 6.0 1.0 7.0 1.8 1.0 5.0 0.8 16.0 1.0 2.0 0.9 0.9 8.0 0.4 6.0 0.6 7.0 0.6
A6 3.1 19.0 2.7 3.0 2.5 2.0 3.0 2.3 10.0 1.8 6.0 1.5 7.0 1.9 0.3 19.0 0.1 3.0 0.2 2.0 0.3 0.6 10.0 0.9 6.0 0.8 7.0 0.7
A7 4.6 15.0 4.3 5.0 4.0 2.0 4.5 3.5 8.0 1.0 6.0 1.5 6.0 2.2 0.4 15.0 0.3 5.0 0.5 2.0 0.4 0.9 8.0 0.7 6.0 0.8 6.0 0.8
A8 4.4 15.0 4.3 4.0 4.8 5.0 4.5 3.8 12.0 2.0 5.0 1.0 7.0 2.6 0.4 15.0 0.4 4.0 0.1 5.0 0.4 0.9 12.0 0.7 5.0 0.8 7.0 0.8
A9 4.1 13.0 4.3 2.0 3.7 3.0 4.0 3.3 12.0 2.0 5.0 1.5 7.0 2.5 0.5 13.0 0.9 2.0 0.4 3.0 0.5 0.9 12.0 0.8 5.0 0.8 7.0 0.9
A10 4.8 9.0 4.8 14.0 4.3 1.0 4.8 4.5 12.0 3.0 5.0 2.5 7.0 3.6 0.1 9.0 0.1 14.0 0.1 1.0 0.1 1.0 12.0 0.4 5.0 0.6 7.0 0.8
A11 3.3 10.0 4.0 4.0 3.5 9.0 3.5 2.5 12.0 3.0 6.0 1.5 6.0 2.4 0.1 10.0 0.1 4.0 0.5 9.0 0.3 0.8 12.0 0.7 6.0 0.6 6.0 0.7
A12 4.9 10.0 4.8 11.0 4.3 2.0 4.8 2.9 10.0 2.5 6.0 2.0 6.0 2.5 0.6 10.0 0.1 11.0 0.1 2.0 0.3 0.9 10.0 0.6 6.0 0.8 6.0 0.8
B1 4.3 12.0 4.8 9.0 5.0 4.0 4.6 2.9 10.0 2.0 6.0 2.5 6.0 2.5 0.2 12.0 0.2 9.0 0.2 4.0 0.2 0.9 10.0 0.5 6.0 0.7 6.0 0.7
B2 4.1 17.0 3.5 4.0 4.5 2.0 4.0 1.4 12.0 2.0 4.0 2.3 4.0 1.7 0.1 17.0 0.2 4.0 0.3 2.0 0.1 0.9 12.0 0.8 4.0 0.8 4.0 0.8
B3 4.8 5.0 4.0 15.0 3.0 4.0 4.0 3.8 10.0 3.5 6.0 3.0 7.0 3.5 0.2 5.0 0.1 15.0 0.1 4.0 0.1 1.0 10.0 0.9 6.0 0.9 7.0 0.9
B4 4.6 7.0 4.0 11.0 3.0 4.0 4.0 3.9 13.0 2.5 4.0 2.5 4.0 3.4 0.1 7.0 0.5 11.0 0.2 4.0 0.3 0.9 13.0 1.0 4.0 0.9 4.0 0.9
B5 4.7 6.0 4.5 13.0 4.0 3.0 4.5 3.0 9.0 3.0 6.0 3.5 8.0 3.2 0.1 6.0 0.4 13.0 0.5 3.0 0.3 0.3 9.0 0.9 6.0 0.9 8.0 0.7
B6 3.3 5.0 3.8 4.0 4.3 14.0 4.0 1.3 11.0 2.5 6.0 2.0 6.0 1.8 0.3 5.0 0.5 4.0 0.8 14.0 0.6 0.9 11.0 1.0 6.0 0.8 6.0 0.9
C1 5.0 21.0 4.5 1.0 4.3 1.0 4.9 2.2 9.0 2.0 4.0 1.7 6.0 2.0 1.0 21.0 0.4 1.0 0.1 1.0 0.9 0.9 9.0 0.8 4.0 0.8 6.0 0.8
D1 4.2 6.0 5.0 4.0 4.5 13.0 4.5 2.2 8.0 1.8 7.0 2.0 7.0 2.0 0.6 6.0 0.7 4.0 0.4 13.0 0.5 0.8 8.0 1.0 7.0 0.9 7.0 0.9
D2 4.6 8.0 3.7 2.0 4.5 14.0 4.5 1.2 13.0 2.5 4.0 3.0 3.0 1.8 0.4 8.0 0.3 2.0 0.9 14.0 0.7 0.9 13.0 0.8 4.0 0.9 3.0 0.9
D3 3.1 15.0 3.3 4.0 2.5 5.0 3.0 1.3 12.0 1.3 5.0 1.8 5.0 1.4 0.2 15.0 0.1 4.0 0.1 5.0 0.2 0.7 12.0 0.3 5.0 0.5 5.0 0.5
D4 2.8 13.0 2.8 3.0 3.5 7.0 3.0 1.2 12.0 1.3 5.0 1.8 5.0 1.3 0.4 13.0 0.1 3.0 0.1 7.0 0.3 0.9 12.0 0.2 5.0 0.5 5.0 0.6
178
Strength/Prepardness - P (L-Large Bank) Threats/Risks - R (L- Large) Vulnerability Quotient - V (L-Large) Upgrades /Improvements - T (L-Large)
Top Middle Functional Overall Top Middle Functional Overall Top Middle Functional Overall Top Middle Functional Overall
Srl.
PLT RLT PLM RLM PLF RLF PL RLT RLT RLM RLM RLF RLF RL VLT RLT VLM RLM VLF RLF VL TLT RLT TLM RLM TLF RLF TL
O GPEOPLE O
A1 4.5 14.0 4.5 9.0 4.0 1.0 4.5 3.3 8.0 1.5 6.0 1.0 6.0 2.1 1.0 14.0 0.1 9.0 0.1 1.0 0.6 1.0 8.0 1.0 6.0 0.9 6.0 1.0
A2 4.8 11.0 4.4 4.0 3.7 3.0 4.5 2.2 12.0 1.3 6.0 1.5 6.0 1.8 0.1 11.0 0.9 4.0 0.6 3.0 0.4 0.9 12.0 0.9 6.0 0.9 6.0 0.9
B1 4.8 13.0 4.3 5.0 4.1 6.0 4.5 4.0 8.0 2.3 8.0 2.0 6.0 2.8 1.0 13.0 0.1 5.0 0.2 6.0 0.6 0.9 8.0 0.6 8.0 0.8 6.0 0.8
B2 4.9 9.0 4.8 6.0 4.6 7.0 4.8 3.0 8.0 1.5 6.0 2.0 6.0 2.3 0.9 9.0 0.5 6.0 0.8 7.0 0.8 1.0 8.0 1.0 6.0 0.9 6.0 1.0
B3 4.8 12.0 4.9 5.0 4.7 5.0 4.8 3.0 8.0 1.5 6.0 0.5 6.0 1.8 1.0 12.0 0.9 5.0 0.7 5.0 0.9 1.0 8.0 0.9 6.0 0.9 6.0 0.9
B4 4.5 10.0 4.7 8.0 4.4 5.0 4.5 2.0 8.0 1.5 6.0 0.5 6.0 1.4 0.3 10.0 0.1 8.0 0.1 5.0 0.2 0.9 8.0 0.7 6.0 0.8 6.0 0.8
B5 4.9 8.0 4.7 6.0 4.0 9.0 4.5 2.0 8.0 1.5 6.0 0.5 6.0 1.4 0.4 8.0 0.1 6.0 0.1 9.0 0.2 0.9 8.0 0.8 6.0 0.8 6.0 0.8
B6 4.9 10.0 4.4 4.0 4.0 5.0 4.5 2.0 8.0 1.5 6.0 0.5 6.0 1.4 0.4 10.0 0.1 4.0 0.1 5.0 0.2 0.9 8.0 0.9 6.0 0.8 6.0 0.9
B7 3.9 13.0 3.2 4.0 3.0 4.0 3.6 3.0 8.0 1.5 6.0 0.5 6.0 1.8 0.6 13.0 0.2 4.0 0.5 4.0 0.5 1.0 8.0 0.9 6.0 0.9 6.0 0.9
B8 4.3 8.0 3.8 5.0 3.5 4.0 4.0 1.5 8.0 1.5 6.0 0.5 6.0 1.2 0.1 8.0 0.2 5.0 0.1 4.0 0.1 0.9 8.0 0.7 6.0 0.8 6.0 0.8
C1 4.4 10.0 4.0 3.0 3.7 5.0 4.1 1.5 8.0 1.5 6.0 0.5 6.0 1.2 0.2 10.0 0.7 3.0 0.2 5.0 0.3 0.9 8.0 0.7 6.0 0.8 6.0 0.8
C2 3.9 11.0 3.5 6.0 3.2 5.0 3.6 3.3 8.0 2.0 5.0 1.0 5.0 2.3 0.5 11.0 0.1 6.0 0.1 5.0 0.3 0.9 8.0 1.0 5.0 0.9 5.0 0.9
C3 4.9 9.0 4.3 8.0 4.0 4.0 4.5 3.0 8.0 0.5 5.0 1.0 5.0 1.8 0.2 9.0 0.7 8.0 0.4 4.0 0.4 0.8 8.0 1.0 5.0 0.9 5.0 0.9
C4 4.3 10.0 3.8 6.0 3.5 4.0 4.0 1.3 8.0 1.3 5.0 2.0 5.0 1.5 0.3 10.0 0.4 6.0 0.8 4.0 0.4 0.9 8.0 1.0 5.0 0.9 5.0 0.9
C5 3.3 9.0 2.5 4.0 3.0 5.0 3.0 2.1 7.0 3.5 6.0 4.0 6.0 3.2 0.7 9.0 0.6 4.0 0.6 5.0 0.6 0.8 7.0 1.0 6.0 0.9 6.0 0.9
D1 3.3 10.0 3.5 8.0 3.8 4.0 3.5 3.3 8.0 3.0 5.0 3.5 6.0 3.3 0.5 10.0 0.4 8.0 0.7 4.0 0.5 1.0 8.0 1.0 5.0 0.9 6.0 1.0
D2 2.3 8.0 1.5 4.0 2.5 3.0 2.1 1.3 12.0 0.7 5.0 0.5 5.0 1.0 0.3 8.0 0.1 4.0 0.1 3.0 0.2 0.8 12.0 0.8 5.0 0.8 5.0 0.8
D3 3.6 10.0 2.5 6.0 3.0 5.0 3.1 1.2 12.0 0.5 5.0 0.3 5.0 0.8 0.5 10.0 0.4 6.0 0.7 5.0 0.5 1.0 12.0 0.9 5.0 0.9 5.0 0.9
179
Strength/Prepardness - P (L-Large Bank) Threats/Risks - R (L- Large) Vulnerability Quotient - V (L-Large) Upgrades /Improvements - T (L-Large)
Top Middle Functional Overall Top Middle Functional Overall Top Middle Functional Overall Top Middle Functional Overall
Srl.
PLT RLT PLM RLM PLF RLF PL RLT RLT RLM RLM RLF RLF RL VLT RLT VLM RLM VLF RLF VL TLT RLT TLM RLM TLF RLF TL
OTECHNOLOGY
G O
A1 4.6 10.0 4.2 5.0 4.5 3.0 4.5 3.3 8.0 1.7 7.0 1.0 7.0 2.0 1.0 10.0 0.6 5.0 0.6 3.0 0.8 1.0 8.0 0.9 7.0 0.9 7.0 0.9
A2 4.9 8.0 4.5 4.0 4.3 11.0 4.5 2.2 8.0 1.3 6.0 1.5 6.0 1.7 0.6 8.0 0.9 4.0 0.8 11.0 0.8 1.0 8.0 1.0 6.0 0.9 6.0 1.0
A3 4.8 15.0 4.2 3.0 4.0 5.0 4.5 3.0 8.0 1.3 6.0 1.5 6.0 2.0 1.0 15.0 0.5 3.0 0.4 5.0 0.8 0.9 8.0 1.0 6.0 0.9 6.0 0.9
A4 2.3 12.0 1.8 8.0 2.0 4.0 2.1 1.8 8.0 4.0 6.0 4.5 6.0 3.3 0.7 12.0 0.5 8.0 0.9 4.0 0.7 0.8 8.0 0.9 6.0 0.8 6.0 0.8
A5 5.0 12.0 4.8 5.0 4.5 4.0 4.8 1.3 8.0 0.5 6.0 1.0 6.0 1.0 0.7 12.0 0.1 5.0 0.2 4.0 0.4 0.9 8.0 0.7 6.0 0.8 6.0 0.8
A6 4.7 14.0 4.5 5.0 4.0 4.0 4.5 2.0 8.0 0.5 6.0 1.0 6.0 1.3 0.7 14.0 0.1 5.0 0.1 4.0 0.4 0.9 8.0 0.6 6.0 0.8 6.0 0.8
A7 4.8 11.0 4.3 6.0 4.0 5.0 4.5 3.0 8.0 3.0 6.0 3.5 6.0 3.2 0.6 11.0 0.7 6.0 1.0 5.0 0.7 1.0 8.0 0.5 6.0 0.8 6.0 0.8
A8 4.7 11.0 3.5 4.0 3.0 5.0 4.1 3.0 8.0 2.5 6.0 2.0 6.0 2.6 0.8 11.0 0.5 4.0 0.8 5.0 0.7 0.8 8.0 0.7 6.0 0.8 6.0 0.7
A9 4.3 11.0 3.5 7.0 4.0 5.0 4.0 3.0 8.0 3.5 6.0 2.0 6.0 2.9 0.5 11.0 0.1 7.0 0.1 5.0 0.3 0.8 8.0 0.8 6.0 0.6 6.0 0.7
A10 4.6 15.0 4.3 4.0 4.0 4.0 4.5 0.2 8.0 0.7 6.0 0.5 6.0 0.4 0.5 15.0 0.1 4.0 0.1 4.0 0.4 0.7 8.0 0.9 6.0 0.7 6.0 0.8
B1 4.9 10.0 4.5 3.0 5.0 7.0 4.9 0.9 8.0 0.5 6.0 0.3 6.0 0.6 0.3 10.0 0.1 3.0 0.1 7.0 0.2 1.0 8.0 1.0 6.0 0.9 6.0 1.0
B2 4.8 14.0 4.2 7.0 3.8 3.0 4.5 1.1 8.0 0.5 6.0 0.3 6.0 0.7 0.3 14.0 0.1 7.0 0.1 3.0 0.2 1.0 8.0 0.8 6.0 0.9 6.0 0.9
B3 4.9 10.0 4.7 7.0 5.0 7.0 4.9 2.9 8.0 0.5 6.0 0.3 6.0 1.4 0.3 10.0 0.2 7.0 0.1 7.0 0.2 0.9 8.0 0.7 6.0 0.9 6.0 0.8
B5 4.9 8.0 4.2 7.0 4.3 7.0 4.5 0.9 8.0 0.5 6.0 0.3 6.0 0.6 0.4 8.0 0.1 7.0 0.1 7.0 0.2 0.9 8.0 1.0 6.0 0.9 6.0 0.9
B6 4.0 11.0 4.0 3.0 4.0 8.0 4.0 0.9 8.0 0.5 6.0 0.3 6.0 0.6 0.3 11.0 0.1 3.0 0.1 8.0 0.2 0.9 8.0 0.9 6.0 0.9 6.0 0.9
B7 4.2 12.0 3.8 5.0 3.5 3.0 4.0 0.9 8.0 0.5 4.0 0.3 4.0 0.6 0.4 12.0 0.1 5.0 0.1 3.0 0.3 0.9 8.0 0.2 4.0 0.6 4.0 0.7
B8 4.7 14.0 4.2 7.0 4.0 3.0 4.5 0.9 8.0 0.5 4.0 0.3 4.0 0.6 0.4 14.0 0.1 7.0 0.1 3.0 0.2 0.9 8.0 0.8 4.0 0.8 4.0 0.9
B9 4.9 11.0 4.3 4.0 4.0 6.0 4.5 0.9 8.0 0.5 4.0 0.3 4.0 0.6 0.2 11.0 0.1 4.0 0.1 6.0 0.1 0.7 8.0 0.9 4.0 0.8 4.0 0.7
B10 4.8 8.0 4.0 6.0 4.5 7.0 4.5 0.9 8.0 0.5 4.0 0.3 4.0 0.6 0.1 8.0 0.1 6.0 0.2 7.0 0.1 0.8 8.0 1.0 4.0 0.8 4.0 0.8
B11 4.9 10.0 4.2 4.0 4.0 5.0 4.5 0.9 8.0 0.5 4.0 0.3 4.0 0.6 0.1 10.0 0.1 4.0 0.1 5.0 0.1 0.9 8.0 0.6 4.0 0.8 4.0 0.8
B12 4.9 11.0 4.3 5.0 4.0 6.0 4.5 2.5 8.0 1.5 4.0 2.5 4.0 2.3 0.4 11.0 0.1 5.0 0.1 6.0 0.2 1.0 8.0 0.7 4.0 0.8 4.0 0.9
C1 4.9 10.0 4.5 6.0 4.0 5.0 4.5 3.0 8.0 5.0 6.0 5.0 6.0 4.2 0.1 10.0 0.5 6.0 0.4 5.0 0.3 0.9 8.0 1.0 6.0 0.9 6.0 0.9
C2 5.0 14.0 4.6 4.0 4.5 3.0 4.8 2.8 8.0 2.5 6.0 2.5 6.0 2.6 0.6 14.0 0.7 4.0 0.2 3.0 0.6 0.9 8.0 1.0 6.0 0.9 6.0 0.9
C3 4.7 10.0 4.9 8.0 5.0 6.0 4.8 0.6 8.0 1.3 4.0 1.0 4.0 0.9 0.3 10.0 0.5 8.0 0.8 6.0 0.5 0.5 8.0 0.8 4.0 0.6 4.0 0.6
D1 4.8 13.0 4.3 5.0 4.0 4.0 4.5 2.7 8.0 3.0 6.0 2.0 6.0 2.6 0.2 13.0 0.1 5.0 0.2 4.0 0.2 0.8 8.0 0.3 6.0 0.6 6.0 0.6
D2 4.7 2.0 4.9 3.0 5.0 16.0 5.0 0.7 8.0 3.5 6.0 4.0 6.0 2.5 0.1 2.0 0.3 3.0 0.2 16.0 0.2 0.6 8.0 0.5 6.0 0.6 6.0 0.5
D3 4.6 5.0 4.9 8.0 5.0 9.0 4.9 0.7 8.0 3.5 6.0 4.0 6.0 2.5 0.4 5.0 0.1 8.0 0.5 9.0 0.3 0.5 8.0 0.8 6.0 0.6 6.0 0.6
180
Strength/Prepardness - P (L-Large Bank) Threats/Risks - R (L- Large) Vulnerability Quotient - V (L-Large) Upgrades /Improvements - T (L-Large)
Top Middle Functional Overall Top Middle Functional Overall Top Middle Functional Overall Top Middle Functional Overall
Srl.
PLT RLT PLM RLM PLF RLF PL RLT RLT RLM RLM RLF RLF RL VLT RLT VLM RLM VLF RLF VL TLT RLT TLM RLM TLF RLF TL
O G FACILITY O
A1 4.7 10.0 4.7 7.0 4.5 3.0 4.7 0.9 8.0 0.5 4.0 0.3 4.0 0.6 0.5 10.0 0.9 7.0 0.6 3.0 0.6 0.1 8.0 0.4 4.0 0.2 4.0 0.2
A2 4.8 12.0 4.3 7.0 4.0 4.0 4.5 0.7 8.0 0.0 4.0 0.3 4.0 0.4 0.9 12.0 1.0 7.0 1.0 4.0 0.9 0.9 8.0 1.0 4.0 0.9 4.0 0.9
A3 4.8 12.0 4.3 7.0 4.0 4.0 4.5 0.7 8.0 0.8 4.0 1.5 4.0 0.9 0.2 12.0 0.7 7.0 0.3 4.0 0.3 0.8 8.0 1.0 4.0 0.9 4.0 0.9
B1 4.8 12.0 4.3 7.0 4.0 4.0 4.5 0.5 8.0 0.5 4.0 0.5 4.0 0.5 0.1 12.0 0.1 7.0 0.1 4.0 0.1 1.0 8.0 0.8 4.0 0.9 4.0 0.9
B2 4.0 10.0 3.5 6.0 3.0 8.0 3.5 2.7 8.0 1.0 4.0 1.0 4.0 1.8 0.6 10.0 0.9 6.0 0.3 8.0 0.5 0.9 8.0 0.7 4.0 0.8 4.0 0.8
B3 4.8 12.0 4.7 8.0 4.0 4.0 4.6 0.7 8.0 2.0 4.0 2.3 4.0 1.4 0.4 12.0 0.7 8.0 0.3 4.0 0.5 0.7 8.0 0.8 4.0 0.8 4.0 0.7
B4 4.3 12.0 3.5 5.0 3.7 5.0 4.0 3.0 8.0 2.0 4.0 2.3 4.0 2.6 0.4 12.0 0.2 5.0 0.1 5.0 0.3 0.6 8.0 0.9 4.0 0.7 4.0 0.7
C1 4.5 8.0 4.8 6.0 5.0 8.0 4.8 0.7 8.0 0.7 4.0 0.5 4.0 0.6 0.5 8.0 0.6 6.0 0.1 8.0 0.4 0.5 8.0 0.8 4.0 0.6 4.0 0.6
C2 4.8 12.0 4.7 5.0 4.8 7.0 4.8 2.7 8.0 0.7 4.0 0.5 4.0 1.6 0.1 12.0 0.1 5.0 0.5 7.0 0.2 0.5 8.0 0.1 4.0 0.2 4.0 0.3
C3 4.8 12.0 4.7 5.0 4.8 7.0 4.8 0.7 8.0 0.7 4.0 0.5 4.0 0.6 0.1 12.0 0.1 5.0 0.4 7.0 0.2 0.5 8.0 0.2 4.0 0.2 4.0 0.3
D1 4.8 12.0 4.7 5.0 4.8 7.0 4.8 1.7 8.0 0.7 4.0 0.5 4.0 1.1 0.1 12.0 0.7 5.0 0.6 7.0 0.4 0.5 8.0 0.1 4.0 0.3 4.0 0.3
D2 4.9 13.0 4.7 5.0 4.5 4.0 4.8 2.2 8.0 0.7 4.0 0.5 4.0 1.4 0.2 13.0 0.2 5.0 0.2 4.0 0.2 0.5 8.0 0.5 4.0 0.3 4.0 0.5
D3 3.2 11.0 3.3 7.0 2.8 6.0 3.1 2.2 8.0 0.7 4.0 0.5 4.0 1.4 0.1 11.0 0.1 7.0 0.4 6.0 0.2 0.9 8.0 0.6 4.0 0.8 4.0 0.8
D4 4.5 11.0 4.3 6.0 3.5 4.0 4.3 0.9 8.0 1.3 4.0 0.5 4.0 0.9 0.1 11.0 0.3 6.0 0.5 4.0 0.3 0.5 8.0 0.8 4.0 0.6 4.0 0.6
D5 3.3 10.0 3.3 6.0 2.8 6.0 3.1 2.2 8.0 0.7 4.0 0.5 4.0 1.4 0.6 10.0 0.6 6.0 0.5 6.0 0.6 0.9 8.0 0.3 4.0 0.5 4.0 0.7
181
Strength/Prepardness - P (S-Small Bank) Threats/Risks - R (S- Small) Vulnerability Quotient - V (S-Small) Upgrades /Improvements - T (S-Small)
Overa Overa Overal
Top Middle Functional Overall Top Middle Functional Top Middle Functional Top Middle Functional
Srl. ll ll l
PST RST PSM RSM PSF RSF PS RST RST RSM RSM RSF RSF RS VST RST VSM RSM VSF RSF VS TST RST TSM RSM TSF RSF TS
ORGANIZATION
A1 4.1 25.0 3.8 7.0 4.2 12.0 4.1 3.1 21.0 3.2 13.0 4.0 6.0 3.3 0.4 25.0 0.4 7.0 0.8 12.0 0.5 0.9 21.0 0.4 13.0 0.5 6.0 0.6
A2 3.8 18.0 4.8 4.0 4.2 16.0 4.0 3.4 18.0 3.3 11.0 3.0 5.0 3.3 0.3 18.0 0.5 4.0 0.9 16.0 0.6 0.5 18.0 0.6 11.0 0.4 5.0 0.5
A3 2.6 24.0 3.7 10.0 3.3 8.0 3.0 1.5 28.0 1.6 7.0 2.5 6.0 1.7 0.8 24.0 0.3 10.0 0.8 8.0 0.7 0.9 28.0 0.9 7.0 1.0 6.0 0.9
A4 3.0 15.0 2.7 15.0 3.5 10.0 3.0 1.6 21.0 1.6 13.0 2.2 4.0 1.7 0.0 15.0 0.1 15.0 0.0 10.0 0.1 0.9 21.0 0.8 13.0 0.8 4.0 0.8
A5 4.8 8.0 5.0 36.0 4.5 1.0 4.9 0.3 22.0 0.1 18.0 1.0 2.0 0.3 0.2 8.0 0.1 36.0 0.0 1.0 0.1 0.2 22.0 0.2 18.0 1.0 2.0 0.2
A6 3.1 30.0 2.9 9.0 2.8 4.0 3.0 4.3 6.0 4.3 24.0 3.5 8.0 4.2 0.0 30.0 0.1 9.0 0.6 4.0 0.1 0.9 6.0 0.9 24.0 0.9 8.0 0.9
A7 2.8 32.0 3.3 6.0 4.0 4.0 3.0 1.3 21.0 1.7 12.0 2.5 12.0 1.7 0.2 32.0 0.2 6.0 0.3 4.0 0.2 1.0 21.0 0.8 12.0 0.5 12.0 0.8
A8 3.9 13.0 4.0 22.0 4.2 3.0 4.0 4.8 7.0 5.0 33.0 4.6 3.0 4.9 0.2 13.0 0.3 22.0 0.6 3.0 0.3 1.0 7.0 0.7 33.0 0.8 3.0 0.8
A9 2.0 22.0 1.8 15.0 2.5 4.0 2.0 0.2 26.0 0.4 7.0 0.1 10.0 0.2 0.2 22.0 0.2 15.0 0.4 4.0 0.2 0.3 26.0 0.4 7.0 0.1 10.0 0.3
B1 4.2 24.0 4.0 6.0 3.5 8.0 4.0 3.6 20.0 3.0 22.0 3.0 3.0 3.3 0.7 24.0 0.9 6.0 0.6 8.0 0.7 0.3 20.0 0.9 22.0 0.6 3.0 0.6
B2 4.9 9.0 5.0 33.0 4.7 1.0 5.0 3.3 23.0 3.6 9.0 3.2 12.0 3.3 0.2 9.0 0.5 33.0 0.6 1.0 0.4 0.4 23.0 0.6 9.0 0.5 12.0 0.5
B3 4.1 29.0 4.6 6.0 3.5 10.0 4.0 0.1 17.0 0.5 17.0 0.5 6.0 0.3 0.3 29.0 0.2 6.0 0.1 10.0 0.2 1.0 17.0 0.9 17.0 1.0 6.0 0.9
B4 3.5 5.0 2.7 7.0 3.0 30.0 3.0 1.6 17.0 1.1 7.0 1.5 18.0 1.5 0.4 5.0 0.1 7.0 0.2 30.0 0.2 0.4 17.0 0.5 7.0 0.4 18.0 0.4
B5 4.3 7.0 3.8 10.0 4.0 23.0 4.0 4.6 12.0 3.9 14.0 4.0 15.0 4.2 0.1 7.0 0.6 10.0 0.5 23.0 0.5 1.0 12.0 1.0 14.0 0.7 15.0 0.9
B6 3.2 7.0 2.9 13.0 3.0 25.0 3.0 4.8 10.0 3.7 15.0 4.2 12.0 4.2 1.0 7.0 1.0 13.0 1.0 25.0 1.0 0.8 10.0 0.7 15.0 0.9 12.0 0.8
B7 3.5 23.0 3.6 19.0 3.0 3.0 3.5 1.1 18.0 0.3 17.0 1.2 7.0 0.8 0.3 23.0 0.1 19.0 0.0 3.0 0.2 0.4 18.0 0.5 17.0 0.5 7.0 0.5
C1 3.0 25.0 2.8 13.0 3.5 3.0 3.0 1.7 24.0 2.6 9.0 1.2 11.0 1.7 0.6 25.0 0.5 13.0 0.4 3.0 0.5 0.3 24.0 0.5 9.0 0.8 11.0 0.5
C2 4.4 14.0 3.7 16.0 4.0 12.0 4.0 3.6 13.0 3.2 18.0 3.2 8.0 3.3 0.3 14.0 0.5 16.0 1.0 12.0 0.6 0.5 13.0 0.7 18.0 0.6 8.0 0.6
C3 4.9 17.0 5.0 28.0 4.7 1.0 4.9 4.9 6.0 5.0 32.0 4.7 2.0 5.0 1.0 17.0 1.0 28.0 1.0 1.0 1.0 1.0 6.0 1.0 32.0 0.8 2.0 1.0
D1 3.3 10.0 3.6 29.0 3.0 2.0 3.5 2.7 20.0 3.1 7.0 2.0 12.0 2.5 1.0 10.0 1.0 29.0 1.0 2.0 1.0 0.8 20.0 1.0 7.0 0.2 12.0 0.6
D2 4.9 14.0 5.0 30.0 4.7 1.0 4.9 4.9 6.0 5.0 32.0 4.7 2.0 5.0 0.6 14.0 0.8 30.0 0.2 1.0 0.7 1.0 6.0 0.9 32.0 0.9 2.0 0.9
182
Strength/Prepardness - P (S-Small Bank) Threats/Risks - R (S- Small) Vulnerability Quotient - V (S-Small) Upgrades /Improvements - T (S-Small)
Overa Overa Overal
Top Middle Functional Overall Top Middle Functional Top Middle Functional Top Middle Functional
Srl. ll ll l
PST RST PSM RSM PSF RSF PS RST RST RSM RSM RSF RSF RS VST RST VSM RSM VSF RSF VS TST RST TSM RSM TSF RSF TS
OPROCEDURE
G O
A1 4.9 14.0 5.0 29.0 4.6 2.0 4.9 4.1 19.0 4.5 12.0 3.5 5.0 4.2 0.8 14.0 1.0 29.0 0.7 2.0 0.9 1.0 19.0 1.0 12.0 1.0 5.0 1.0
A2 4.4 9.0 3.8 16.0 4.0 18.0 4.0 3.6 16.0 3.2 17.0 3.2 12.0 3.3 0.9 9.0 0.7 16.0 0.8 18.0 0.8 1.0 16.0 0.9 17.0 0.6 12.0 0.8
A3 2.7 14.0 3.1 24.0 3.5 5.0 3.0 4.6 20.0 3.8 8.0 4.0 15.0 4.2 0.9 14.0 0.7 24.0 0.6 5.0 0.7 0.4 20.0 0.7 8.0 0.7 15.0 0.5
A 3.1 27.0 2.8 9.0 2.7 4.0 3.0 4.3 34.0 4.0 4.0 3.5 4.0 4.2 0.6 27.0 0.8 9.0 0.7 4.0 0.7 0.8 34.0 0.9 4.0 0.5 4.0 0.8
A4 4.9 7.0 5.0 37.0 4.6 1.0 5.0 4.8 7.0 5.0 32.0 4.6 2.0 4.9 1.0 7.0 1.0 37.0 1.0 1.0 1.0 1.0 7.0 1.0 32.0 1.0 2.0 1.0
A5 4.1 27.0 4.1 7.0 3.5 8.0 4.0 3.6 14.0 3.2 13.0 3.2 12.0 3.3 0.5 27.0 0.8 7.0 0.0 8.0 0.4 0.5 14.0 1.0 13.0 0.5 12.0 0.7
A6 3.2 25.0 3.0 10.0 2.5 9.0 3.0 4.8 8.0 4.0 18.0 4.3 17.0 4.2 0.6 25.0 0.3 10.0 0.6 9.0 0.5 0.2 8.0 0.6 18.0 1.0 17.0 0.7
A7 3.1 23.0 3.7 5.0 2.7 16.0 3.0 4.2 25.0 4.3 14.0 3.5 5.0 4.2 0.2 23.0 0.8 5.0 0.2 16.0 0.2 0.3 25.0 0.6 14.0 0.5 5.0 0.4
A8 4.5 31.0 4.6 7.0 4.2 6.0 4.5 4.6 28.0 4.9 14.0 4.2 3.0 4.7 0.7 31.0 0.8 7.0 0.6 6.0 0.7 0.7 28.0 0.6 14.0 0.9 3.0 0.7
A9 4.1 27.0 4.1 7.0 3.5 7.0 4.0 3.8 19.0 3.9 8.0 3.5 12.0 3.8 0.3 27.0 0.8 7.0 0.7 7.0 0.4 0.5 19.0 0.7 8.0 0.8 12.0 0.6
A10 4.0 31.0 4.0 10.0 3.5 2.0 4.0 4.8 26.0 4.7 13.0 4.6 5.0 4.7 0.1 31.0 0.8 10.0 0.6 2.0 0.3 0.7 26.0 0.4 13.0 0.2 5.0 0.6
A11 4.0 32.0 4.0 11.0 3.5 2.0 4.0 4.0 20.0 3.6 10.0 3.5 9.0 3.8 0.5 32.0 0.8 11.0 0.7 2.0 0.6 0.9 20.0 1.0 10.0 0.5 9.0 0.8
A12 3.6 26.0 3.8 4.0 3.3 12.0 3.5 4.7 22.0 4.7 11.0 4.2 2.0 4.7 0.1 26.0 0.5 4.0 0.5 12.0 0.2 0.8 22.0 0.6 11.0 0.7 2.0 0.8
B1 4.1 30.0 4.0 8.0 3.5 6.0 4.0 4.0 12.0 4.5 10.0 4.2 18.0 4.2 1.0 30.0 0.7 8.0 0.9 6.0 0.9 0.9 12.0 0.6 10.0 0.5 18.0 0.6
B2 4.2 26.0 3.7 6.0 3.5 6.0 4.0 1.8 22.0 1.9 13.0 1.2 9.0 1.7 0.1 26.0 0.1 6.0 0.1 6.0 0.1 0.2 22.0 0.1 13.0 0.2 9.0 0.2
B3 4.1 26.0 4.1 8.0 3.7 8.0 4.0 4.4 17.0 4.3 19.0 3.5 5.0 4.2 0.8 26.0 0.9 8.0 0.9 8.0 0.8 0.9 17.0 1.0 19.0 0.1 5.0 0.9
B4 4.1 18.0 4.0 13.0 3.9 9.0 4.0 4.4 16.0 4.1 21.0 3.8 4.0 4.2 0.8 18.0 0.8 13.0 0.9 9.0 0.8 1.0 16.0 1.0 21.0 0.5 4.0 0.9
B5 3.6 21.0 3.6 8.0 3.3 14.0 3.5 4.6 19.0 4.9 22.0 3.7 4.0 4.7 0.4 21.0 0.5 8.0 0.8 14.0 0.5 0.9 19.0 1.0 22.0 0.8 4.0 0.9
B6 3.6 26.0 3.4 13.0 3.3 5.0 3.5 1.9 23.0 1.5 14.0 1.5 5.0 1.7 0.2 26.0 0.3 13.0 0.3 5.0 0.3 0.2 23.0 0.2 14.0 0.6 5.0 0.3
C1 4.1 26.0 4.1 9.0 3.5 5.0 4.0 4.8 10.0 4.8 4.0 4.7 22.0 4.7 1.0 26.0 1.0 9.0 1.0 5.0 1.0 1.0 10.0 1.0 4.0 1.0 22.0 1.0
D1 4.1 19.0 4.0 12.0 3.8 7.0 4.0 4.6 26.0 4.9 13.0 4.2 2.0 4.7 0.5 19.0 0.5 12.0 0.5 7.0 0.5 0.7 26.0 0.5 13.0 0.3 2.0 0.6
D2 3.0 23.0 3.1 10.0 2.8 10.0 3.0 3.7 14.0 3.4 14.0 3.0 15.0 3.3 0.3 23.0 0.3 10.0 0.5 10.0 0.3 1.0 14.0 0.2 14.0 0.2 15.0 0.5
D3 3.2 7.0 2.9 14.0 3.0 17.0 3.0 4.9 6.0 5.0 33.0 4.7 2.0 4.9 0.8 7.0 0.8 14.0 1.0 17.0 0.9 0.5 6.0 0.2 33.0 0.8 2.0 0.2
D4 3.4 26.0 3.7 14.0 3.2 3.0 3.5 3.2 14.0 3.4 22.0 2.8 3.0 3.3 0.7 26.0 0.4 14.0 0.8 3.0 0.6 0.9 14.0 0.2 22.0 1.0 3.0 0.5
183
Strength/Prepardness - P (S-Small Bank) Threats/Risks - R (S- Small) Vulnerability Quotient - V (S-Small) Upgrades /Improvements - T (S-Small)
Overa Overa Overal
Top Middle Functional Overall Top Middle Functional Top Middle Functional Top Middle Functional
Srl. ll ll l
PST RST PSM RSM PSF RSF PS RST RST RSM RSM RSF RSF RS VST RST VSM RSM VSF RSF VS TST RST TSM RSM TSF RSF TS
O GPEOPLE O
A1 4.9 9.0 5.0 25.0 4.8 3.0 4.9 4.8 9.0 4.8 28.0 4.2 4.0 4.7 0.8 9.0 1.0 25.0 0.9 3.0 0.9 1.0 9.0 1.0 28.0 1.0 4.0 1.0
A2 4.9 14.0 4.1 15.0 4.5 12.0 4.5 4.1 17.0 4.3 24.0 3.8 3.0 4.2 0.5 14.0 0.5 15.0 0.5 12.0 0.5 0.8 17.0 0.3 24.0 0.7 3.0 0.5
B1 4.9 5.0 5.0 32.0 4.9 2.0 5.0 4.6 17.0 4.8 15.0 4.3 4.0 4.7 0.6 5.0 0.5 32.0 0.2 2.0 0.5 0.4 17.0 0.3 15.0 0.4 4.0 0.4
B2 4.3 14.0 3.9 14.0 3.8 12.0 4.0 4.1 20.0 4.5 12.0 3.8 6.0 4.2 0.7 14.0 0.8 14.0 0.3 12.0 0.6 0.8 20.0 0.9 12.0 0.7 6.0 0.8
B3 4.1 14.0 4.0 13.0 4.1 9.0 4.1 4.7 4.0 5.0 33.0 4.8 1.0 5.0 0.8 14.0 0.9 13.0 0.3 9.0 0.7 0.5 4.0 1.0 33.0 0.5 1.0 0.9
B4 4.1 14.0 4.0 11.0 3.8 8.0 4.0 4.8 7.0 5.0 30.0 4.9 3.0 4.9 0.7 14.0 0.9 11.0 0.7 8.0 0.7 0.5 7.0 0.5 30.0 0.6 3.0 0.5
B5 4.3 18.0 3.3 10.0 4.3 9.0 4.0 4.7 4.0 5.0 31.0 4.8 1.0 5.0 0.9 18.0 0.6 10.0 1.0 9.0 0.8 0.5 4.0 0.3 31.0 0.5 1.0 0.3
B6 2.3 20.0 2.7 16.0 2.8 6.0 2.5 4.7 15.0 4.9 21.0 4.2 8.0 4.7 0.5 20.0 0.4 16.0 0.6 6.0 0.5 0.5 15.0 0.3 21.0 0.8 8.0 0.4
B7 3.5 20.0 3.6 14.0 3.5 9.0 3.5 4.7 21.0 4.8 14.0 4.5 3.0 4.7 0.8 20.0 0.9 14.0 0.5 9.0 0.8 0.1 21.0 0.8 14.0 0.7 3.0 0.4
B8 4.2 12.0 3.2 18.0 3.3 11.0 3.5 1.1 20.0 0.7 14.0 0.4 9.0 0.8 0.9 12.0 0.9 18.0 0.5 11.0 0.8 0.5 20.0 0.9 14.0 1.0 9.0 0.8
C1 2.4 13.0 2.1 19.0 2.8 5.0 2.3 3.6 28.0 2.7 12.0 3.5 3.0 3.3 0.2 13.0 0.1 19.0 0.0 5.0 0.1 0.2 28.0 0.1 12.0 0.1 3.0 0.2
C2 3.6 25.0 2.8 13.0 2.8 6.0 3.3 4.6 30.0 4.9 7.0 4.3 2.0 4.7 0.9 25.0 1.0 13.0 0.8 6.0 0.9 0.7 30.0 1.0 7.0 1.0 2.0 0.8
C3 4.2 17.0 4.8 13.0 4.7 11.0 4.5 4.5 24.0 3.8 10.0 3.9 6.0 4.2 0.9 17.0 0.6 13.0 0.7 11.0 0.8 0.6 24.0 0.6 10.0 0.9 6.0 0.6
C4 4.2 14.0 4.8 15.0 4.3 4.0 4.5 4.1 23.0 4.3 9.0 3.9 4.0 4.2 0.7 14.0 0.9 15.0 0.6 4.0 0.8 1.0 23.0 1.0 9.0 1.0 4.0 1.0
C5 3.8 20.0 2.9 10.0 3.5 12.0 3.5 4.6 21.0 4.8 10.0 4.5 7.0 4.7 0.5 20.0 0.7 10.0 1.0 12.0 0.7 0.8 21.0 0.5 10.0 1.0 7.0 0.7
D1 3.1 18.0 2.9 16.0 3.5 4.0 3.0 4.8 7.0 5.0 30.0 4.9 3.0 4.9 0.3 18.0 0.5 16.0 0.9 4.0 0.5 0.4 7.0 0.5 30.0 0.9 3.0 0.5
D2 3.5 19.0 3.6 13.0 3.3 7.0 3.5 4.6 17.0 4.8 15.0 4.3 4.0 4.7 0.8 19.0 0.9 13.0 0.8 7.0 0.8 0.8 17.0 0.9 15.0 0.9 4.0 0.8
D3 3.4 12.0 4.3 20.0 4.2 9.0 4.0 1.9 23.0 1.5 14.0 1.5 5.0 1.7 0.6 12.0 0.3 20.0 0.9 9.0 0.5 0.5 23.0 0.6 14.0 0.5 5.0 0.5
184
Strength/Prepardness - P (S-Small Bank) Threats/Risks - R (S- Small) Vulnerability Quotient - V (S-Small) Upgrades /Improvements - T (S-Small)
Overa Overa Overal
Top Middle Functional Overall Top Middle Functional Top Middle Functional Top Middle Functional
Srl. ll ll l
PST RST PSM RSM PSF RSF PS RST RST RSM RSM RSF RSF RS VST RST VSM RSM VSF RSF VS TST RST TSM RSM TSF RSF TS
OTECHNOLOGY
G O
A1 4.3 16.0 3.7 15.0 4.2 7.0 4.0 4.5 24.0 3.8 10.0 3.9 6.0 4.2 0.9 16.0 0.8 15.0 0.6 7.0 0.8 0.9 24.0 1.0 10.0 0.8 6.0 0.9
A2 4.9 6.0 5.0 31.0 4.9 3.0 5.0 4.1 23.0 4.3 9.0 3.9 4.0 4.2 0.7 6.0 0.5 31.0 0.6 3.0 0.5 0.3 23.0 0.6 9.0 1.0 4.0 0.4
A3 4.9 6.0 5.0 31.0 4.9 3.0 5.0 4.7 22.0 4.7 11.0 4.2 2.0 4.7 0.9 6.0 1.0 31.0 0.7 3.0 1.0 1.0 22.0 1.0 11.0 0.8 2.0 1.0
A4 3.7 13.0 3.4 17.0 3.5 9.0 3.5 4.2 18.0 4.4 16.0 3.0 3.0 4.2 0.8 13.0 0.5 17.0 0.7 9.0 0.7 0.8 18.0 0.6 16.0 1.0 3.0 0.7
A5 4.9 6.0 5.0 31.0 4.9 3.0 5.0 4.6 28.0 4.9 14.0 4.2 3.0 4.7 1.0 6.0 1.0 31.0 0.9 3.0 1.0 1.0 28.0 1.0 14.0 1.0 3.0 1.0
A6 4.4 17.0 3.9 16.0 3.5 9.0 4.0 4.7 4.0 5.0 31.0 4.8 1.0 5.0 1.0 17.0 0.9 16.0 0.6 9.0 0.9 1.0 4.0 1.0 31.0 1.0 1.0 1.0
A7 4.9 6.0 5.0 31.0 4.9 3.0 5.0 3.6 16.0 3.2 17.0 3.2 12.0 3.3 1.0 6.0 0.9 31.0 0.8 3.0 0.9 1.0 16.0 1.0 17.0 1.0 12.0 1.0
A8 4.9 6.0 5.0 31.0 4.9 3.0 5.0 3.6 13.0 3.2 18.0 3.2 8.0 3.3 1.0 6.0 1.0 31.0 1.0 3.0 1.0 1.0 13.0 1.0 18.0 1.0 8.0 1.0
A9 4.9 6.0 5.0 31.0 4.9 3.0 5.0 3.4 18.0 3.3 12.0 3.0 5.0 3.3 1.0 6.0 0.5 31.0 0.8 3.0 0.6 0.9 18.0 0.7 12.0 0.8 5.0 0.8
A10 3.3 18.0 3.4 15.0 4.2 7.0 3.5 1.8 19.0 1.8 14.0 1.0 6.0 1.7 0.6 18.0 0.5 15.0 0.2 7.0 0.5 0.2 19.0 0.7 14.0 0.6 6.0 0.4
B1 4.8 10.0 3.5 18.0 4.2 8.0 4.0 4.2 18.0 4.4 16.0 3.0 3.0 4.2 0.9 10.0 0.9 18.0 0.3 8.0 0.8 1.0 18.0 1.0 16.0 1.0 3.0 1.0
B2 4.8 17.0 3.5 18.0 3.5 8.0 4.0 4.6 28.0 4.9 10.0 4.0 2.0 4.7 0.9 17.0 0.7 18.0 0.8 8.0 0.8 1.0 28.0 1.0 10.0 1.0 2.0 1.0
B3 4.8 17.0 3.5 18.0 3.5 8.0 4.0 4.5 24.0 3.8 10.0 3.9 6.0 4.2 0.9 17.0 1.0 18.0 0.7 8.0 0.9 1.0 24.0 1.0 10.0 1.0 6.0 1.0
B5 4.8 17.0 3.5 18.0 3.5 8.0 4.0 4.6 16.0 3.8 16.0 4.0 12.0 4.2 0.9 17.0 1.0 18.0 1.0 8.0 0.9 1.0 16.0 1.0 16.0 1.0 12.0 1.0
B6 3.7 17.0 3.7 13.0 3.0 12.0 3.5 4.9 13.0 5.0 31.0 4.6 3.0 4.9 1.0 17.0 0.7 13.0 1.0 12.0 0.9 1.0 13.0 0.5 31.0 1.0 3.0 0.7
B7 4.7 11.0 3.9 16.0 3.5 11.0 4.0 4.6 28.0 4.9 14.0 4.2 3.0 4.7 0.9 11.0 0.8 16.0 1.0 11.0 0.9 1.0 28.0 0.6 14.0 1.0 3.0 0.9
B8 4.3 14.0 4.0 14.0 3.5 9.0 4.0 4.7 23.0 4.5 11.0 4.5 3.0 4.7 0.9 14.0 0.9 14.0 0.9 9.0 0.9 1.0 23.0 1.0 11.0 1.0 3.0 1.0
B9 2.7 14.0 2.7 14.0 2.0 9.0 2.5 4.9 18.0 4.9 9.0 4.4 3.0 4.8 0.9 14.0 0.9 14.0 0.9 9.0 0.9 1.0 18.0 1.0 9.0 1.0 3.0 1.0
B10 4.8 17.0 3.5 18.0 3.5 8.0 4.0 4.7 21.0 4.7 13.0 4.3 4.0 4.7 0.7 17.0 0.5 18.0 0.4 8.0 0.6 0.9 21.0 0.6 13.0 1.0 4.0 0.8
B11 4.9 6.0 5.0 31.0 4.9 3.0 5.0 3.6 16.0 3.2 17.0 3.2 12.0 3.3 0.1 6.0 1.0 31.0 0.6 3.0 0.8 1.0 16.0 1.0 17.0 1.0 12.0 1.0
B12 4.9 6.0 5.0 31.0 4.9 3.0 5.0 4.4 26.0 4.0 11.0 4.0 3.0 4.2 0.9 6.0 1.0 31.0 0.8 3.0 1.0 0.9 26.0 1.0 11.0 1.0 3.0 1.0
C1 4.8 17.0 3.5 18.0 3.5 8.0 4.0 4.8 9.0 4.8 28.0 4.2 4.0 4.7 0.7 17.0 0.9 18.0 0.4 8.0 0.7 0.5 9.0 1.0 28.0 0.8 4.0 0.9
C2 4.8 17.0 3.5 18.0 3.5 8.0 4.0 2.7 18.0 3.2 5.0 2.5 4.0 2.8 0.8 17.0 0.6 18.0 0.7 8.0 0.7 1.0 18.0 1.0 5.0 1.0 4.0 1.0
C3 3.0 17.0 2.9 14.0 3.3 8.0 3.0 2.5 12.0 2.5 2.0 2.0 4.0 2.4 0.9 17.0 0.4 14.0 0.3 8.0 0.6 0.4 18.0 0.3 5.0 0.6 4.0 0.4
D1 4.9 6.0 5.0 31.0 4.9 3.0 5.0 4.6 28.0 4.9 10.0 4.0 2.0 4.7 0.8 6.0 1.0 31.0 0.5 3.0 0.9 1.0 28.0 1.0 10.0 1.0 2.0 1.0
D2 4.9 6.0 5.0 31.0 4.9 3.0 5.0 4.6 28.0 4.9 14.0 4.2 3.0 4.7 1.0 6.0 1.0 31.0 0.6 3.0 1.0 1.0 28.0 1.0 14.0 1.0 3.0 1.0
D3 4.9 6.0 5.0 31.0 4.9 3.0 5.0 4.7 23.0 4.5 11.0 4.5 3.0 4.7 1.0 6.0 0.5 31.0 1.0 3.0 0.6 1.0 23.0 0.7 11.0 1.0 3.0 0.9
185
Strength/Prepardness - P (S-Small Bank) Threats/Risks - R (S- Small) Vulnerability Quotient - V (S-Small) Upgrades /Improvements - T (S-Small)
Overa Overa Overal
Top Middle Functional Overall Top Middle Functional Top Middle Functional Top Middle Functional
Srl. ll ll l
PST RST PSM RSM PSF RSF PS RST RST RSM RSM RSF RSF RS VST RST VSM RSM VSF RSF VS TST RST TSM RSM TSF RSF TS
O GFACILITY O
A1 4.2 18.0 3.9 15.0 3.8 8.0 4.0 3.7 17.0 3.3 14.0 2.5 10.0 3.3 1.0 18.0 0.9 15.0 0.2 8.0 0.8 0.9 17.0 0.8 14.0 0.7 10.0 0.8
A2 4.9 6.0 5.0 31.0 4.9 3.0 5.0 4.3 8.0 4.8 18.0 4.7 18.0 4.7 0.9 6.0 1.0 31.0 0.9 3.0 1.0 1.0 8.0 1.0 18.0 1.0 18.0 1.0
A3 4.9 6.0 5.0 31.0 4.9 3.0 5.0 4.5 10.0 4.7 13.0 4.8 14.0 4.7 0.7 6.0 0.5 31.0 0.5 3.0 0.5 1.0 10.0 1.0 13.0 1.0 14.0 1.0
B1 4.4 16.0 3.8 12.0 3.8 11.0 4.0 3.2 20.0 3.1 15.0 4.0 8.0 3.3 0.2 16.0 0.2 12.0 1.0 11.0 0.4 0.9 20.0 0.4 15.0 0.6 8.0 0.7
B2 4.9 12.0 3.6 13.0 3.5 10.0 4.0 4.5 17.0 4.8 15.0 4.7 12.0 4.7 0.8 12.0 0.8 13.0 0.5 10.0 0.7 1.0 17.0 1.0 15.0 1.0 12.0 1.0
B3 4.2 18.0 4.3 16.0 3.0 7.0 4.0 4.7 26.0 4.6 11.0 4.6 6.0 4.7 0.9 18.0 0.9 16.0 0.5 7.0 0.8 0.5 26.0 1.0 11.0 0.9 6.0 0.7
B4 4.9 6.0 5.0 31.0 4.9 3.0 5.0 4.6 13.0 4.8 14.0 4.7 12.0 4.7 0.9 6.0 0.9 31.0 1.0 3.0 0.9 1.0 13.0 1.0 14.0 1.0 12.0 1.0
C1 3.4 17.0 3.6 15.0 3.7 8.0 3.5 3.3 15.0 3.3 12.0 3.2 8.0 3.3 1.0 17.0 0.7 15.0 1.0 8.0 0.9 0.5 15.0 0.5 12.0 0.4 8.0 0.5
C2 4.9 6.0 5.0 31.0 4.9 3.0 5.0 4.5 17.0 4.9 14.0 4.7 12.0 4.7 0.8 6.0 1.0 31.0 1.0 3.0 1.0 1.0 17.0 1.0 14.0 1.0 12.0 1.0
C3 4.9 6.0 5.0 31.0 4.9 3.0 5.0 4.5 17.0 4.9 14.0 4.7 12.0 4.7 0.9 6.0 1.0 31.0 0.8 3.0 1.0 1.0 17.0 1.0 14.0 1.0 12.0 1.0
D1 4.8 15.0 3.7 15.0 3.5 12.0 4.0 4.5 17.0 4.9 14.0 4.7 12.0 4.7 0.9 15.0 0.9 15.0 0.5 12.0 0.8 1.0 17.0 1.0 14.0 1.0 12.0 1.0
D2 4.9 6.0 5.0 31.0 4.9 3.0 5.0 4.5 17.0 4.9 14.0 4.7 12.0 4.7 1.0 6.0 0.8 31.0 0.8 3.0 0.8 1.0 17.0 1.0 14.0 1.0 12.0 1.0
D3 4.9 6.0 5.0 31.0 4.9 3.0 5.0 4.5 17.0 4.9 14.0 4.7 12.0 4.7 0.7 6.0 0.7 31.0 0.7 3.0 0.7 1.0 17.0 1.0 14.0 1.0 12.0 1.0
D4 4.0 21.0 4.0 13.0 4.5 8.0 4.1 3.3 18.0 3.1 10.0 4.0 6.0 3.3 0.7 21.0 0.7 13.0 0.2 8.0 0.6 0.6 18.0 1.0 10.0 0.8 6.0 0.7
D5 4.0 21.0 4.0 13.0 4.5 8.0 4.1 3.3 18.0 3.4 12.0 3.0 5.0 3.3 0.8 21.0 0.5 13.0 0.9 8.0 0.7 1.0 18.0 1.0 12.0 1.0 5.0 1.0
186
Exhibit 6.3 (Table 6.11) - Strength/Preparedness & Vulnerability Factor Summary
Strength/Prepardness (large) Strength/Prepardness (Small) Vulnerability (Large) Vulnerability (Small)
Srl. RILT RILM RILF RIL Avg Vari SD Max Min RIST RISM RISF RIS Avg Vari SD Max Min VILT VILM VILF VIL Avg Vari SD Max Min VIST VISM VISF VIS Avg Vari SD Max Min
ORGANIZATIONAL ORGANIZATIONAL
A1 3.96 1.70 2.13 1.95 2.43 1.07 1.04 3.96 1.70 3.53 1.43 2.10 1.95 2.25 0.81 0.90 3.53 1.43 0.10 1.50 0.20 0.52 0.58 0.41 0.64 1.50 0.10 1.36 1.23 3.20 1.73 1.88 0.82 0.90 3.20 1.23
A2 2.15 2.55 1.72 3.71 2.53 0.73 0.86 3.71 1.72 1.75 3.02 1.68 3.71 2.54 0.99 0.99 3.71 1.68 0.61 1.00 0.25 0.55 0.60 0.09 0.31 1.00 0.25 0.84 1.66 2.70 1.81 1.75 0.58 0.76 2.70 0.84
A3 4.41 3.86 3.80 3.89 3.99 0.08 0.28 4.41 3.80 2.36 3.19 3.14 3.89 3.14 0.39 0.62 3.89 2.36 0.78 0.13 0.10 0.29 0.32 0.10 0.31 0.78 0.10 1.30 0.41 2.00 1.17 1.22 0.43 0.65 2.00 0.41
A4 4.20 3.31 3.60 3.48 3.65 0.15 0.39 4.20 3.31 2.73 2.05 2.80 3.48 2.76 0.34 0.58 3.48 2.05 0.26 0.40 0.05 0.27 0.25 0.02 0.14 0.40 0.05 0.05 0.16 0.00 0.08 0.07 0.00 0.07 0.16 0.00
A5 0.76 1.05 3.80 3.68 2.32 2.70 1.64 3.80 0.76 0.74 1.16 4.28 3.68 2.46 3.15 1.77 4.28 0.74 1.56 4.00 4.50 3.55 3.40 1.66 1.29 4.50 1.56 0.06 0.01 0.00 0.03 0.02 0.00 0.02 0.06 0.00
A6 4.41 3.73 4.32 4.16 4.15 0.09 0.30 4.41 3.73 2.78 2.47 2.48 4.16 2.97 0.65 0.80 4.16 2.47 3.53 3.60 2.45 3.22 3.20 0.28 0.53 3.60 2.45 0.00 0.48 2.10 0.33 0.73 0.88 0.94 2.10 0.00
A7 4.20 2.50 1.75 2.70 2.79 1.05 1.03 4.20 1.75 2.81 2.75 2.00 2.70 2.57 0.14 0.38 2.81 2.00 0.73 0.75 1.00 0.82 0.83 0.02 0.12 1.00 0.73 0.27 0.36 0.63 0.37 0.41 0.02 0.15 0.63 0.27
A8 4.78 2.95 2.80 3.34 3.47 0.81 0.90 4.78 2.80 3.88 2.81 3.36 3.34 3.35 0.19 0.44 3.88 2.81 1.47 2.31 3.50 2.22 2.38 0.70 0.84 3.50 1.47 1.19 1.42 2.76 1.46 1.71 0.50 0.71 2.76 1.19
A9 1.20 1.35 0.30 2.22 1.27 0.62 0.79 2.22 0.30 0.58 0.69 0.25 2.22 0.94 0.77 0.88 2.22 0.25 0.40 0.90 0.50 0.63 0.61 0.05 0.22 0.90 0.40 0.06 0.07 0.04 0.06 0.06 0.00 0.01 0.07 0.04
B1 1.35 3.25 1.80 3.46 2.46 1.09 1.04 3.46 1.35 1.35 3.71 2.10 3.46 2.66 1.25 1.12 3.71 1.35 2.22 2.10 2.10 2.05 2.12 0.01 0.07 2.22 2.05 2.54 2.73 1.80 2.34 2.35 0.16 0.40 2.73 1.80
B2 1.83 2.53 1.50 2.57 2.11 0.28 0.53 2.57 1.50 1.91 3.16 2.35 2.57 2.50 0.27 0.52 3.16 1.91 1.34 0.63 0.75 0.86 0.89 0.10 0.31 1.34 0.63 0.74 1.78 1.92 1.49 1.48 0.28 0.52 1.92 0.74
B3 4.75 3.86 4.30 3.67 4.15 0.23 0.48 4.75 3.67 4.06 3.95 3.50 3.67 3.79 0.07 0.26 4.06 3.50 0.89 0.30 0.93 0.55 0.67 0.09 0.30 0.93 0.30 0.04 0.08 0.05 0.08 0.06 0.00 0.02 0.08 0.04
B4 1.93 1.75 1.70 3.12 2.13 0.45 0.67 3.12 1.70 1.51 1.35 1.20 3.12 1.79 0.79 0.89 3.12 1.20 0.06 0.50 0.17 0.14 0.22 0.04 0.19 0.50 0.06 0.69 0.16 0.30 0.32 0.37 0.05 0.22 0.69 0.16
B5 4.90 4.80 3.01 4.07 4.19 0.76 0.87 4.90 3.01 4.29 3.80 2.80 4.07 3.74 0.43 0.66 4.29 2.80 2.41 2.96 2.25 2.76 2.59 0.10 0.32 2.96 2.25 0.66 2.36 2.00 1.92 1.73 0.55 0.74 2.36 0.66
B6 3.22 2.97 4.32 3.68 3.55 0.35 0.59 4.32 2.97 2.46 1.90 2.70 3.68 2.69 0.55 0.74 3.68 1.90 2.13 2.63 2.40 2.42 2.39 0.04 0.20 2.63 2.13 4.80 3.69 4.20 4.15 4.21 0.21 0.46 4.80 3.69
B7 1.59 1.46 1.25 1.50 1.45 0.02 0.14 1.59 1.25 1.51 1.76 1.50 1.50 1.57 0.02 0.13 1.76 1.50 0.08 0.15 0.10 0.10 0.11 0.00 0.03 0.15 0.08 0.32 0.03 0.00 0.15 0.13 0.02 0.15 0.32 0.00
C1 1.16 2.34 3.60 3.79 2.72 1.50 1.23 3.79 1.16 0.91 1.55 2.80 3.79 2.26 1.66 1.29 3.79 0.91 0.65 0.75 1.75 0.79 0.98 0.26 0.51 1.75 0.65 0.99 1.28 0.48 0.95 0.93 0.11 0.33 1.28 0.48
C2 2.07 3.05 2.88 4.17 3.04 0.75 0.86 4.17 2.07 2.07 2.50 2.40 4.17 2.79 0.88 0.94 4.17 2.07 0.38 0.30 0.20 0.28 0.29 0.01 0.07 0.38 0.20 1.08 1.54 3.20 1.90 1.93 0.83 0.91 3.20 1.08
C3 4.97 4.70 3.44 4.49 4.40 0.45 0.67 4.97 3.44 4.89 4.98 3.76 4.49 4.53 0.31 0.56 4.98 3.76 2.29 4.00 4.05 2.75 3.27 0.79 0.89 4.05 2.29 4.87 4.99 4.70 4.96 4.88 0.02 0.13 4.99 4.70
D1 2.25 3.00 0.66 1.66 1.89 0.98 0.99 3.00 0.66 2.45 3.62 0.60 1.66 2.08 1.62 1.27 3.62 0.60 1.81 2.31 1.20 2.04 1.84 0.22 0.47 2.31 1.20 2.65 3.14 2.00 2.54 2.58 0.22 0.47 3.14 2.00
D2 3.80 3.56 4.05 3.92 3.83 0.04 0.21 4.05 3.56 4.72 4.42 4.23 3.92 4.32 0.11 0.34 4.72 3.92 2.31 2.40 2.50 2.48 2.42 0.01 0.09 2.50 2.31 2.78 3.89 0.94 3.48 2.77 1.70 1.30 3.89 0.94
Avg 3.04 2.87 2.70 3.30 2.54 2.68 2.48 2.50 1.24 1.60 1.47 1.39 1.30 1.50 1.67 1.49
Vari 2.16 1.08 1.59 0.75 1.66 1.33 1.14 1.11 0.94 1.69 1.91 1.31 2.10 2.17 2.08 1.99
SD 1.47 1.04 1.26 0.86 1.29 1.15 1.07 1.05 0.97 1.30 1.38 1.14 1.45 1.47 1.44 1.41
Max 4.97 4.80 4.32 4.49 4.89 4.98 4.28 4.89 3.53 4.00 4.50 3.55 4.87 4.99 4.70 4.96
Min 0.76 1.05 0.30 1.50 0.58 0.69 0.25 0.52 0.06 0.13 0.05 0.10 0.00 0.01 0.00 0.03
187
Strength/Prepardness (large) Strength/Prepardness (Small) Vulnerability (Large) Vulnerability (Small)
Srl. RILT RILM RILF RIL Avg Vari SD Max Min RIST RISM RISF RIS Avg Vari SD Max Min VILT VILM VILF VIL Avg Vari SD Max Min VIST VISM VISF VIS Avg Vari SD Max Min
PROCEDURES PROCEDURES
A1 4.89 4.50 4.00 3.83 4.31 0.23 0.48 4.89 3.83 4.87 4.97 4.60 4.92 4.84 0.03 0.16 4.97 4.60 1.63 0.50 0.45 1.04 0.90 0.30 0.55 1.63 0.45 3.28 4.44 2.45 3.80 3.49 0.71 0.84 4.44 2.45
A2 4.29 3.67 2.88 3.98 3.70 0.37 0.60 4.29 2.88 4.24 3.23 2.40 3.30 3.29 0.56 0.75 4.24 2.40 0.33 0.60 1.75 0.75 0.86 0.39 0.62 1.75 0.33 3.35 2.36 2.56 2.69 2.74 0.18 0.43 3.35 2.36
A3 1.84 3.30 2.80 4.02 2.99 0.83 0.91 4.02 1.84 1.03 2.11 2.45 1.65 1.81 0.38 0.61 2.45 1.03 0.52 0.37 0.33 0.44 0.42 0.01 0.08 0.52 0.33 4.01 2.57 2.40 3.11 3.02 0.52 0.72 4.01 2.40
A 3.78 4.05 2.15 4.09 3.52 0.85 0.92 4.09 2.15 2.38 2.55 1.35 2.27 2.14 0.29 0.54 2.55 1.35 1.23 0.40 0.35 1.06 0.76 0.20 0.45 1.23 0.35 2.67 3.38 2.45 2.86 2.84 0.16 0.40 3.38 2.45
A4 4.89 4.50 4.00 4.21 4.40 0.15 0.38 4.89 4.00 4.86 4.99 4.60 4.96 4.85 0.03 0.18 4.99 4.60 2.82 2.25 1.70 2.32 2.27 0.21 0.46 2.82 1.70 4.84 4.98 4.60 4.94 4.84 0.03 0.17 4.98 4.60
A5 2.39 4.30 1.90 2.70 2.82 1.08 1.04 4.30 1.90 2.23 4.14 1.75 2.73 2.71 1.07 1.03 4.14 1.75 2.67 1.20 1.00 1.55 1.60 0.55 0.74 2.67 1.00 1.71 2.54 0.00 1.46 1.43 1.12 1.06 2.54 0.00
A6 0.62 1.74 2.50 2.20 1.76 0.68 0.82 2.50 0.62 0.64 1.93 2.50 2.11 1.79 0.65 0.81 2.50 0.64 0.72 0.18 0.30 0.54 0.44 0.06 0.24 0.72 0.18 2.95 1.19 2.37 2.26 2.19 0.54 0.73 2.95 1.19
A7 1.54 2.46 2.00 3.69 2.42 0.85 0.92 3.69 1.54 1.02 2.11 1.35 1.28 1.44 0.22 0.47 2.11 1.02 1.45 0.30 0.75 0.85 0.84 0.22 0.47 1.45 0.30 0.64 3.43 0.70 1.01 1.45 1.77 1.33 3.43 0.64
A8 3.11 2.46 4.32 3.73 3.40 0.64 0.80 4.32 2.46 3.21 2.61 3.78 3.05 3.16 0.23 0.48 3.78 2.61 1.65 0.80 0.10 0.94 0.87 0.40 0.64 1.65 0.10 3.23 3.64 2.52 3.23 3.16 0.22 0.47 3.64 2.52
A9 2.12 3.01 2.78 3.47 2.84 0.31 0.56 3.47 2.12 2.13 2.90 2.63 2.51 2.54 0.10 0.32 2.90 2.13 1.53 1.80 0.60 1.25 1.29 0.26 0.51 1.80 0.60 0.98 3.26 2.45 1.61 2.08 0.99 0.99 3.26 0.98
A10 3.53 2.14 0.86 3.69 2.56 1.76 1.33 3.69 0.86 2.94 1.79 0.70 2.34 1.94 0.91 0.95 2.94 0.70 0.60 0.30 0.25 0.41 0.39 0.02 0.15 0.60 0.25 0.28 3.75 2.76 1.21 2.00 2.41 1.55 3.75 0.28
A11 3.04 4.00 1.75 2.57 2.84 0.88 0.94 4.00 1.75 3.72 3.95 1.75 3.37 3.20 0.99 1.00 3.95 1.75 0.25 0.30 0.75 0.61 0.48 0.06 0.24 0.75 0.25 2.11 2.78 2.45 2.25 2.40 0.08 0.29 2.78 2.11
A12 4.06 3.05 3.01 3.74 3.46 0.27 0.52 4.06 3.01 2.99 2.39 2.28 2.68 2.58 0.10 0.32 2.99 2.28 1.80 0.25 0.20 0.83 0.77 0.55 0.74 1.80 0.20 0.36 2.36 2.10 1.11 1.48 0.85 0.92 2.36 0.36
B1 3.86 2.88 2.50 3.38 3.16 0.35 0.59 3.86 2.50 3.69 2.40 1.75 2.58 2.61 0.65 0.81 3.69 1.75 0.70 0.40 0.50 0.56 0.54 0.02 0.13 0.70 0.40 3.84 2.93 3.78 3.77 3.58 0.19 0.44 3.84 2.93
B2 0.85 0.35 0.90 3.33 1.36 1.79 1.34 3.33 0.35 0.88 0.37 0.70 0.70 0.66 0.05 0.21 0.88 0.37 0.16 0.40 0.69 0.25 0.38 0.05 0.23 0.69 0.16 0.18 0.19 0.12 0.17 0.17 0.00 0.03 0.19 0.12
B3 4.56 4.00 0.30 3.78 3.16 3.74 1.93 4.56 0.30 3.84 4.06 0.37 3.47 2.93 2.98 1.73 4.06 0.37 0.68 0.35 0.30 0.40 0.43 0.03 0.17 0.68 0.30 3.28 3.73 3.15 3.39 3.39 0.06 0.25 3.73 3.15
B4 4.53 4.00 1.50 3.80 3.46 1.80 1.34 4.53 1.50 3.95 4.00 1.95 3.77 3.42 0.97 0.98 4.00 1.95 0.39 1.25 0.50 1.08 0.80 0.18 0.42 1.25 0.39 3.53 3.51 3.42 3.53 3.50 0.00 0.05 3.53 3.42
B5 4.27 4.50 3.20 2.96 3.73 0.59 0.77 4.50 2.96 3.31 3.56 2.64 3.32 3.21 0.16 0.40 3.56 2.64 0.30 1.20 1.75 1.05 1.08 0.36 0.60 1.75 0.30 1.74 2.25 2.96 2.47 2.35 0.26 0.51 2.96 1.74
B6 0.75 0.79 2.58 3.53 1.91 1.89 1.38 3.53 0.75 0.82 0.70 1.95 0.93 1.10 0.33 0.58 1.95 0.70 0.34 1.25 1.60 1.13 1.08 0.28 0.53 1.60 0.34 0.43 0.43 0.45 0.44 0.44 0.00 0.01 0.45 0.43
C1 4.98 4.50 4.30 4.10 4.47 0.14 0.38 4.98 4.10 4.08 4.11 3.50 4.01 3.93 0.08 0.29 4.11 3.50 2.06 0.80 0.17 1.77 1.20 0.76 0.87 2.06 0.17 4.84 4.75 4.70 4.74 4.76 0.00 0.06 4.84 4.70
D1 2.79 2.69 1.35 4.05 2.72 1.22 1.11 4.05 1.35 2.75 2.15 1.14 2.45 2.12 0.49 0.70 2.75 1.14 1.30 1.26 0.80 1.01 1.09 0.05 0.23 1.30 0.80 2.30 2.46 2.10 2.34 2.30 0.02 0.15 2.46 2.10
D2 4.63 0.82 0.90 3.88 2.56 3.93 1.98 4.63 0.82 3.04 0.69 0.56 1.40 1.42 1.30 1.14 3.04 0.56 0.48 0.75 2.70 1.19 1.28 0.98 0.99 2.70 0.48 1.03 0.92 1.50 1.10 1.14 0.06 0.25 1.50 0.92
D3 1.41 0.51 2.00 1.62 1.38 0.40 0.63 2.00 0.51 1.46 0.45 2.40 0.69 1.25 0.78 0.88 2.40 0.45 0.29 0.13 0.18 0.25 0.21 0.01 0.07 0.29 0.13 3.67 3.77 4.70 4.28 4.10 0.23 0.48 4.70 3.67
D4 2.49 0.69 3.50 1.91 2.15 1.38 1.17 3.50 0.69 3.03 0.91 3.20 1.87 2.25 1.15 1.07 3.20 0.91 0.47 0.13 0.18 0.36 0.29 0.03 0.16 0.47 0.13 2.29 1.19 2.10 1.98 1.89 0.23 0.48 2.29 1.19
Avg 3.13 2.87 2.42 3.43 2.80 2.63 2.18 2.60 1.01 0.72 0.75 0.90 2.40 2.78 2.45 2.49
Vari 2.04 2.01 1.28 0.53 1.66 1.95 1.35 1.39 0.61 0.31 0.45 0.25 2.11 1.66 1.66 1.74
SD 1.43 1.42 1.13 0.73 1.29 1.40 1.16 1.18 0.78 0.56 0.67 0.50 1.45 1.29 1.29 1.32
Max 4.98 4.50 4.32 4.21 4.87 4.99 4.60 4.96 2.82 2.25 2.70 2.32 4.84 4.98 4.70 4.94
Min 0.62 0.35 0.30 1.62 0.64 0.37 0.37 0.69 0.16 0.13 0.10 0.25 0.18 0.19 0.00 0.17
188
Strength/Prepardness (large) Strength/Prepardness (Small) Vulnerability (Large) Vulnerability (Small)
Srl. RILT RILM RILF RIL Avg Vari SD Max Min RIST RISM RISF RIS Avg Vari SD Max Min VILT VILM VILF VIL Avg Vari SD Max Min VIST VISM VISF VIS Avg Vari SD Max Min
PEOPLE PEOPLE
A1 4.33 4.50 4.00 4.32 4.29 0.04 0.21 4.50 4.00 4.66 4.98 4.80 4.89 4.83 0.02 0.14 4.98 4.66 3.11 0.15 0.10 1.23 1.15 1.98 1.41 3.11 0.10 3.88 4.75 3.78 4.45 4.21 0.21 0.46 4.75 3.78
A2 3.66 1.50 2.59 4.10 2.96 1.35 1.16 4.10 1.50 3.78 1.41 3.15 2.40 2.68 1.03 1.02 3.78 1.41 0.22 1.17 0.90 0.64 0.73 0.16 0.41 1.17 0.22 2.07 2.17 1.90 2.11 2.06 0.01 0.12 2.17 1.90
B1 1.99 1.38 1.64 3.49 2.12 0.89 0.94 3.49 1.38 2.06 1.60 1.94 1.87 1.87 0.04 0.20 2.06 1.60 3.82 0.23 0.30 1.63 1.49 2.81 1.68 3.82 0.23 2.69 2.41 0.86 2.31 2.07 0.68 0.82 2.69 0.86
B2 3.91 4.48 3.22 4.65 4.06 0.42 0.65 4.65 3.22 3.43 3.60 2.66 3.29 3.25 0.17 0.41 3.60 2.66 2.83 0.75 1.60 1.75 1.73 0.73 0.86 2.83 0.75 2.96 3.73 1.14 2.65 2.62 1.18 1.09 3.73 1.14
B3 2.40 4.78 2.35 4.44 3.49 1.69 1.30 4.78 2.35 2.05 3.87 2.05 3.70 2.92 1.00 1.00 3.87 2.05 2.88 1.35 0.35 1.60 1.54 1.08 1.04 2.88 0.35 3.79 4.30 1.44 3.47 3.25 1.57 1.25 4.30 1.44
B4 2.24 2.35 2.64 3.64 2.72 0.41 0.64 3.64 2.24 2.04 2.02 2.28 2.03 2.09 0.02 0.13 2.28 2.02 0.60 0.15 0.05 0.26 0.27 0.06 0.24 0.60 0.05 3.16 4.35 3.43 3.67 3.65 0.26 0.51 4.35 3.16
B5 2.22 1.24 2.00 3.69 2.29 1.05 1.03 3.69 1.24 1.91 0.87 2.15 1.17 1.53 0.36 0.60 2.15 0.87 0.70 0.15 0.05 0.26 0.29 0.08 0.29 0.70 0.05 4.11 2.89 4.80 4.09 3.97 0.63 0.79 4.80 2.89
B6 2.33 1.25 3.20 3.91 2.67 1.32 1.15 3.91 1.25 1.10 0.75 2.24 1.11 1.30 0.42 0.65 2.24 0.75 0.70 0.15 0.05 0.32 0.31 0.08 0.29 0.70 0.05 2.37 2.10 2.52 2.30 2.32 0.03 0.17 2.52 2.10
B7 0.45 2.65 2.10 3.31 2.13 1.50 1.23 3.31 0.45 0.39 2.97 2.45 1.48 1.83 1.29 1.14 2.97 0.39 1.89 0.30 0.25 0.94 0.85 0.59 0.77 1.89 0.25 3.75 4.18 2.25 3.58 3.44 0.69 0.83 4.18 2.25
B8 2.33 3.56 3.50 3.26 3.16 0.32 0.57 3.56 2.33 2.24 2.99 3.30 2.68 2.80 0.20 0.45 3.30 2.24 0.21 0.30 0.05 0.18 0.18 0.01 0.10 0.30 0.05 0.95 0.67 0.20 0.66 0.62 0.10 0.31 0.95 0.20
C1 0.88 0.40 0.37 3.39 1.26 2.08 1.44 3.39 0.37 0.49 0.21 0.28 0.39 0.34 0.01 0.12 0.49 0.21 0.27 1.05 0.10 0.33 0.44 0.18 0.42 1.05 0.10 0.62 0.27 0.00 0.37 0.31 0.07 0.26 0.62 0.00
C2 2.72 3.40 3.04 3.41 3.14 0.11 0.33 3.41 2.72 2.55 2.76 2.66 2.51 2.62 0.01 0.11 2.76 2.51 1.77 0.20 0.10 0.74 0.70 0.59 0.77 1.77 0.10 4.16 4.74 3.44 4.22 4.14 0.28 0.53 4.74 3.44
C3 2.74 2.58 3.60 3.93 3.21 0.43 0.65 3.93 2.58 2.34 2.87 4.23 2.80 3.06 0.66 0.81 4.23 2.34 0.70 0.35 0.40 0.78 0.56 0.05 0.21 0.78 0.35 4.18 2.25 2.73 3.22 3.10 0.68 0.83 4.18 2.25
C4 4.30 3.80 3.50 3.65 3.81 0.12 0.35 4.30 3.50 4.19 4.84 4.30 4.50 4.46 0.08 0.28 4.84 4.19 0.33 0.52 1.60 0.60 0.76 0.33 0.57 1.60 0.33 3.02 3.81 2.34 3.27 3.11 0.37 0.61 3.81 2.34
C5 2.47 1.20 2.85 2.69 2.30 0.56 0.75 2.85 1.20 2.87 1.40 3.33 2.52 2.53 0.67 0.82 3.33 1.40 1.43 2.10 2.20 1.96 1.92 0.12 0.34 2.20 1.43 2.45 3.31 4.28 3.20 3.31 0.56 0.75 4.28 2.45
D1 1.41 1.76 3.42 3.33 2.48 1.08 1.04 3.42 1.41 1.31 1.45 3.15 1.58 1.87 0.74 0.86 3.15 1.31 1.66 1.20 2.45 1.65 1.74 0.27 0.52 2.45 1.20 1.64 2.49 4.41 2.31 2.71 1.41 1.19 4.41 1.64
D2 1.79 1.38 2.25 1.66 1.77 0.13 0.36 2.25 1.38 2.67 3.34 2.97 2.96 2.98 0.08 0.28 3.34 2.67 0.31 0.07 0.05 0.17 0.15 0.01 0.12 0.31 0.05 3.52 4.52 3.44 3.86 3.84 0.24 0.49 4.52 3.44
D3 1.78 1.59 1.50 2.91 1.94 0.43 0.65 2.91 1.50 1.69 2.72 2.10 2.17 2.17 0.18 0.42 2.72 1.69 0.59 0.20 0.21 0.42 0.36 0.03 0.19 0.59 0.20 1.17 0.40 1.35 0.88 0.95 0.17 0.41 1.35 0.40
Avg 2.44 2.43 2.65 3.54 2.32 2.48 2.78 2.45 1.33 0.58 0.60 0.86 2.81 2.96 2.46 2.81
Vari 1.15 1.81 0.83 0.48 1.36 1.86 1.08 1.35 1.33 0.32 0.64 0.38 1.31 2.17 2.08 1.49
SD 1.07 1.35 0.91 0.69 1.17 1.36 1.04 1.16 1.15 0.57 0.80 0.62 1.14 1.47 1.44 1.22
Max 4.33 4.78 4.00 4.65 4.66 4.98 4.80 4.89 3.82 2.10 2.45 1.96 4.18 4.75 4.80 4.45
Min 0.45 0.40 0.37 1.66 0.39 0.21 0.28 0.39 0.21 0.07 0.05 0.17 0.62 0.27 0.00 0.37
189
Strength/Prepardness (large) Strength/Prepardness (Small) Vulnerability (Large) Vulnerability (Small)
Srl. RILT RILM RILF RIL Avg Vari SD Max Min RIST RISM RISF RIS Avg Vari SD Max Min VILT VILM VILF VIL Avg Vari SD Max Min VIST VISM VISF VIS Avg Vari SD Max Min
TECHNOLOGY TECHNOLOGY
A1 4.26 4.20 3.60 4.11 4.04 0.09 0.30 4.26 3.60 3.93 3.67 3.36 3.71 3.67 0.06 0.24 3.93 3.36 3.12 1.02 0.60 1.63 1.59 1.22 1.10 3.12 0.60 4.22 2.98 2.34 3.45 3.25 0.63 0.79 4.22 2.34
A2 1.28 2.70 4.30 4.37 3.16 2.17 1.47 4.37 1.28 1.28 2.99 4.85 2.12 2.81 2.33 1.53 4.85 1.28 1.33 1.17 1.20 1.28 1.25 0.01 0.07 1.33 1.17 2.90 2.16 2.34 2.25 2.41 0.11 0.33 2.90 2.16
A3 4.59 4.20 3.20 4.24 4.06 0.36 0.60 4.59 3.20 4.75 4.99 3.88 4.80 4.60 0.24 0.49 4.99 3.88 2.86 0.65 0.60 1.58 1.42 1.12 1.06 2.86 0.60 4.22 4.70 2.94 4.48 4.08 0.62 0.79 4.70 2.94
A4 1.92 1.04 1.90 1.72 1.64 0.17 0.41 1.92 1.04 3.08 1.93 3.33 2.56 2.72 0.38 0.62 3.33 1.93 1.34 2.00 4.05 2.24 2.41 1.34 1.16 4.05 1.34 3.27 2.36 2.10 2.74 2.62 0.26 0.51 3.27 2.10
A5 4.95 4.80 4.50 3.87 4.53 0.23 0.48 4.95 3.87 4.93 4.99 4.85 4.97 4.93 0.00 0.06 4.99 4.85 0.87 0.05 0.20 0.43 0.39 0.13 0.36 0.87 0.05 4.38 4.84 3.57 4.56 4.34 0.30 0.55 4.84 3.57
A6 4.66 4.50 4.00 3.49 4.16 0.28 0.53 4.66 3.49 4.38 3.88 3.50 4.00 3.94 0.13 0.36 4.38 3.50 1.31 0.05 0.10 0.55 0.50 0.34 0.59 1.31 0.05 4.48 4.71 2.88 4.33 4.10 0.69 0.83 4.71 2.88
A7 4.77 4.30 4.00 3.39 4.11 0.34 0.58 4.77 3.39 4.93 4.99 4.85 4.97 4.93 0.00 0.06 4.99 4.85 1.77 2.10 3.50 2.25 2.41 0.57 0.76 3.50 1.77 3.41 2.86 2.40 2.99 2.92 0.17 0.42 3.41 2.40
A8 4.73 3.50 3.00 2.99 3.55 0.67 0.82 4.73 2.99 4.93 4.99 4.85 4.97 4.93 0.00 0.06 4.99 4.85 2.35 1.25 1.60 1.86 1.76 0.21 0.46 2.35 1.25 3.62 3.17 3.20 3.32 3.33 0.04 0.20 3.62 3.17
A9 4.05 2.45 3.20 2.98 3.17 0.44 0.66 4.05 2.45 4.60 3.49 3.88 4.14 4.03 0.22 0.46 4.60 3.49 1.53 0.35 0.20 0.84 0.73 0.36 0.60 1.53 0.20 3.20 1.71 2.40 2.00 2.33 0.42 0.65 3.20 1.71
A10 1.10 2.89 2.40 3.40 2.45 0.97 0.99 3.40 1.10 0.78 2.28 2.52 1.57 1.79 0.61 0.78 2.52 0.78 0.10 0.07 0.05 0.16 0.10 0.00 0.05 0.16 0.05 1.01 0.88 0.20 0.79 0.72 0.13 0.36 1.01 0.20
B1 4.85 4.50 5.00 4.64 4.75 0.05 0.22 5.00 4.50 4.75 3.50 4.20 4.00 4.11 0.27 0.52 4.75 3.50 0.26 0.05 0.03 0.12 0.11 0.01 0.10 0.26 0.03 3.75 3.94 0.90 3.19 2.94 1.96 1.40 3.94 0.90
B2 4.75 4.20 3.80 3.93 4.17 0.18 0.42 4.75 3.80 4.75 3.50 3.50 4.00 3.94 0.35 0.59 4.75 3.50 0.33 0.05 0.03 0.15 0.14 0.02 0.14 0.33 0.03 4.40 3.25 3.20 3.75 3.65 0.31 0.56 4.40 3.20
B3 4.85 4.70 5.00 4.04 4.65 0.18 0.42 5.00 4.04 4.75 3.50 3.50 4.00 3.94 0.35 0.59 4.75 3.50 0.86 0.10 0.03 0.29 0.32 0.14 0.37 0.86 0.03 4.05 3.61 2.73 3.74 3.53 0.32 0.57 4.05 2.73
B5 4.90 4.20 4.30 4.15 4.39 0.12 0.35 4.90 4.15 4.75 3.50 3.50 4.00 3.94 0.35 0.59 4.75 3.50 0.30 0.05 0.03 0.11 0.12 0.01 0.12 0.30 0.03 3.94 3.63 4.00 3.83 3.85 0.03 0.16 4.00 3.63
B6 4.00 2.06 4.00 3.50 3.39 0.84 0.92 4.00 2.06 3.74 1.91 3.00 2.39 2.76 0.63 0.79 3.74 1.91 0.27 0.05 0.03 0.12 0.12 0.01 0.11 0.27 0.03 4.88 3.71 4.60 4.54 4.43 0.25 0.50 4.88 3.71
B7 4.20 2.17 3.50 2.64 3.13 0.81 0.90 4.20 2.17 4.73 2.22 3.50 3.48 3.48 1.05 1.02 4.73 2.22 0.31 0.05 0.03 0.16 0.14 0.02 0.13 0.31 0.03 4.36 3.73 4.20 4.13 4.11 0.07 0.26 4.36 3.73
B8 4.70 4.20 4.00 3.82 4.18 0.14 0.38 4.70 3.82 4.30 4.03 3.50 4.00 3.96 0.11 0.33 4.30 3.50 0.30 0.05 0.03 0.15 0.13 0.01 0.12 0.30 0.03 4.02 4.29 4.05 4.18 4.13 0.01 0.12 4.29 4.02
B9 4.87 4.30 4.00 3.28 4.11 0.44 0.66 4.87 3.28 2.68 2.66 2.00 2.51 2.46 0.10 0.32 2.68 2.00 0.15 0.05 0.03 0.09 0.08 0.00 0.05 0.15 0.03 4.40 4.55 3.96 4.41 4.33 0.07 0.26 4.55 3.96
B10 4.54 2.49 4.50 3.72 3.81 0.92 0.96 4.54 2.49 4.48 2.18 3.50 3.35 3.38 0.89 0.94 4.48 2.18 0.09 0.05 0.06 0.08 0.07 0.00 0.02 0.09 0.05 3.34 2.35 1.70 2.63 2.50 0.46 0.68 3.34 1.70
B11 4.79 4.20 4.00 3.65 4.16 0.23 0.48 4.79 3.65 4.83 4.99 4.85 4.93 4.90 0.01 0.07 4.99 4.83 0.09 0.05 0.03 0.06 0.06 0.00 0.02 0.09 0.03 0.18 3.07 1.92 2.67 1.96 1.64 1.28 3.07 0.18
B12 4.66 4.30 4.00 4.01 4.24 0.10 0.31 4.66 4.00 4.66 4.99 4.85 4.79 4.82 0.02 0.14 4.99 4.66 0.89 0.15 0.25 0.51 0.45 0.11 0.33 0.89 0.15 3.71 3.99 3.20 4.06 3.74 0.15 0.39 4.06 3.20
C1 2.64 4.40 3.20 4.28 3.63 0.73 0.85 4.40 2.64 2.59 3.43 2.80 3.46 3.07 0.19 0.44 3.46 2.59 0.30 2.50 2.00 1.20 1.50 0.93 0.96 2.50 0.30 3.56 4.19 1.47 3.42 3.16 1.38 1.18 4.19 1.47
C2 4.96 4.60 4.50 4.54 4.65 0.04 0.21 4.96 4.50 4.75 3.50 3.50 4.00 3.94 0.35 0.59 4.75 3.50 1.69 1.75 0.50 1.49 1.36 0.34 0.58 1.75 0.50 2.07 1.92 1.75 1.90 1.91 0.02 0.13 2.07 1.75
C3 2.03 1.52 3.00 2.80 2.34 0.47 0.69 3.00 1.52 1.29 0.89 1.98 1.31 1.37 0.20 0.45 1.98 0.89 0.19 0.65 0.80 0.44 0.52 0.07 0.26 0.80 0.19 2.13 0.89 0.60 1.34 1.24 0.45 0.67 2.13 0.60
D1 4.77 4.30 4.00 2.55 3.91 0.92 0.96 4.77 2.55 4.93 4.99 4.85 4.97 4.93 0.00 0.06 4.99 4.85 0.48 0.30 0.30 0.40 0.37 0.01 0.09 0.48 0.30 3.48 4.79 2.00 4.27 3.63 1.47 1.21 4.79 2.00
D2 4.70 4.90 5.00 2.67 4.32 1.23 1.11 5.00 2.67 4.93 4.99 4.85 4.97 4.93 0.00 0.06 4.99 4.85 0.07 1.05 0.80 0.52 0.61 0.18 0.42 1.05 0.07 4.38 4.83 2.52 4.46 4.05 1.07 1.04 4.83 2.52
D3 4.62 3.56 5.00 3.08 4.07 0.80 0.89 5.00 3.08 4.93 3.63 4.85 4.56 4.49 0.36 0.60 4.93 3.63 0.27 0.35 2.00 0.84 0.86 0.64 0.80 2.00 0.27 4.73 2.38 4.50 2.94 3.64 1.33 1.15 4.73 2.38
Avg 4.12 3.67 3.89 3.55 4.05 3.58 3.80 3.80 0.87 0.59 0.71 0.72 3.56 3.31 2.65 3.35
Vari 1.40 1.18 0.61 0.49 1.56 1.37 0.81 1.18 0.77 0.56 1.14 0.49 1.22 1.39 1.35 1.08
SD 1.18 1.09 0.78 0.70 1.25 1.17 0.90 1.09 0.88 0.75 1.07 0.70 1.11 1.18 1.16 1.04
Max 4.96 4.90 5.00 4.64 4.93 4.99 4.85 4.97 3.12 2.50 4.05 2.25 4.88 4.84 4.60 4.56
Min 1.10 1.04 1.90 1.72 0.78 0.89 1.98 1.31 0.07 0.05 0.03 0.06 0.18 0.88 0.20 0.79
190
Strength/Prepardness (large) Strength/Prepardness (Small) Vulnerability (Large) Vulnerability (Small)
Srl. RILT RILM RILF RIL Avg Vari SD Max Min RIST RISM RISF RIS Avg Vari SD Max Min VILT VILM VILF VIL Avg Vari SD Max Min VIST VISM VISF VIS Avg Vari SD Max Min
FACILITIES FACILITIES
A1 4.15 3.83 3.15 0.82 2.99 2.26 1.50 4.15 0.82 3.66 3.20 2.66 3.26 3.19 0.17 0.41 3.66 2.66 0.38 0.45 0.18 0.39 0.35 0.01 0.12 0.45 0.18 3.49 2.95 0.50 2.55 2.37 1.71 1.31 3.49 0.50
A2 4.75 4.30 4.00 4.03 4.27 0.12 0.35 4.75 4.00 4.93 4.99 4.85 4.97 4.93 0.00 0.06 4.99 4.85 0.57 0.00 0.30 0.38 0.31 0.06 0.24 0.57 0.00 3.93 4.79 4.23 4.56 4.38 0.14 0.38 4.79 3.93
A3 4.75 4.30 4.00 3.93 4.25 0.14 0.37 4.75 3.93 4.93 4.99 4.85 4.97 4.93 0.00 0.06 4.99 4.85 0.10 0.56 0.45 0.31 0.36 0.04 0.20 0.56 0.10 2.96 2.38 2.38 2.47 2.54 0.08 0.28 2.96 2.38
B1 4.37 1.85 2.40 4.08 3.17 1.53 1.24 4.37 1.85 4.00 1.61 2.28 2.77 2.66 1.02 1.01 4.00 1.61 0.05 0.05 0.05 0.05 0.05 0.00 0.00 0.05 0.05 0.57 0.55 4.00 1.36 1.62 2.66 1.63 4.00 0.55
B2 4.00 3.50 3.00 2.95 3.36 0.24 0.49 4.00 2.95 4.85 3.62 3.50 4.01 3.99 0.37 0.61 4.85 3.50 1.47 0.90 0.25 0.99 0.90 0.25 0.50 1.47 0.25 3.34 3.90 2.35 3.25 3.21 0.41 0.64 3.90 2.35
B3 2.52 4.70 3.60 3.43 3.56 0.80 0.89 4.70 2.52 2.22 4.25 2.70 2.82 3.00 0.76 0.87 4.25 2.22 0.23 1.40 0.69 0.65 0.74 0.23 0.48 1.40 0.23 4.10 4.02 2.30 3.78 3.55 0.71 0.84 4.10 2.30
B4 4.25 3.50 3.70 2.73 3.54 0.40 0.63 4.25 2.73 4.93 4.99 4.85 4.97 4.93 0.00 0.06 4.99 4.85 1.05 0.40 0.23 0.67 0.59 0.13 0.36 1.05 0.23 3.87 4.31 4.47 4.20 4.21 0.06 0.25 4.47 3.87
C1 2.04 2.40 2.00 2.83 2.32 0.15 0.39 2.83 2.00 1.53 1.79 1.48 1.61 1.60 0.02 0.14 1.79 1.48 0.33 0.42 0.05 0.24 0.26 0.02 0.16 0.42 0.05 3.16 2.40 3.20 2.88 2.91 0.13 0.37 3.20 2.40
C2 4.79 4.70 4.80 1.46 3.94 2.74 1.65 4.80 1.46 4.93 4.99 4.85 4.97 4.93 0.00 0.06 4.99 4.85 0.27 0.07 0.25 0.35 0.23 0.01 0.12 0.35 0.07 3.34 4.83 4.70 4.46 4.33 0.46 0.68 4.83 3.34
C3 4.79 4.70 4.80 1.60 3.97 2.51 1.58 4.80 1.60 4.93 4.99 4.85 4.97 4.93 0.00 0.06 4.99 4.85 0.07 0.07 0.20 0.12 0.11 0.00 0.06 0.20 0.07 3.79 4.83 3.76 4.46 4.21 0.27 0.52 4.83 3.76
D1 4.79 4.70 4.80 1.60 3.97 2.51 1.58 4.80 1.60 4.84 3.67 3.50 4.04 4.01 0.36 0.60 4.84 3.50 0.17 0.49 0.30 0.42 0.34 0.02 0.14 0.49 0.17 3.83 4.21 2.35 3.54 3.48 0.65 0.80 4.21 2.35
D2 4.91 4.70 4.50 2.20 4.08 1.59 1.26 4.91 2.20 4.93 4.99 4.85 4.97 4.93 0.00 0.06 4.99 4.85 0.43 0.14 0.10 0.28 0.24 0.02 0.15 0.43 0.10 4.23 3.66 3.76 3.66 3.83 0.07 0.27 4.23 3.66
D3 3.23 3.30 2.80 2.50 2.96 0.14 0.38 3.30 2.50 4.93 4.99 4.85 4.97 4.93 0.00 0.06 4.99 4.85 0.31 0.07 0.20 0.27 0.21 0.01 0.11 0.31 0.07 2.90 3.63 3.29 3.39 3.30 0.09 0.31 3.63 2.90
D4 2.58 4.13 2.80 2.57 3.02 0.56 0.75 4.13 2.57 2.25 3.80 3.60 2.94 3.15 0.49 0.70 3.80 2.25 0.12 0.39 0.25 0.23 0.25 0.01 0.11 0.39 0.12 2.37 2.01 0.80 2.02 1.80 0.47 0.69 2.37 0.80
D5 3.25 3.30 2.80 2.06 2.85 0.33 0.58 3.30 2.06 3.97 3.96 4.50 4.07 4.13 0.06 0.25 4.50 3.96 1.29 0.42 0.25 0.79 0.69 0.21 0.46 1.29 0.25 2.56 1.75 2.70 2.37 2.34 0.17 0.42 2.70 1.75
Avg 3.94 3.86 3.54 2.59 4.12 4.05 3.88 4.02 0.46 0.39 0.25 0.41 3.23 3.35 2.99 3.26
Vari 0.94 0.79 0.85 0.99 1.40 1.31 1.32 1.20 0.20 0.14 0.03 0.07 0.85 1.66 1.55 0.94
SD 0.97 0.89 0.92 0.99 1.18 1.15 1.15 1.10 0.45 0.37 0.16 0.26 0.92 1.29 1.25 0.97
Max 4.91 4.70 4.80 4.08 4.93 4.99 4.85 4.97 1.47 1.40 0.69 0.99 4.23 4.83 4.70 4.56
Min 2.04 1.85 2.00 0.82 1.53 1.61 1.48 1.61 0.05 0.00 0.05 0.05 0.57 0.55 0.50 1.36
191
Exhibit 6.4 (Table 6.12) - Survey of Large and Medium & Small Retail Banks (MSRBs)
Clusters Overall Top Middle Functional
Average RLRIL RSRIS VLVIL VSVIS RLRIt RSRIt VLVIt VSVIt RLRIm RSRIm VLVIm VSVIm RLRIf RSRIf VLVIf VSVIf
Organization 3.30 2.50 1.39 1.49 3.04 2.54 1.24 1.30 2.87 2.68 1.60 1.50 2.70 2.48 1.47 1.67
Procedure 3.43 2.60 0.90 2.49 3.13 2.80 1.01 2.40 2.87 2.63 0.72 2.78 2.42 2.18 0.75 2.45
People 3.54 2.45 0.86 2.81 2.44 2.32 1.33 2.81 2.43 2.48 0.58 2.96 2.65 2.78 0.60 2.46
Technology 3.55 3.80 0.72 3.35 4.12 4.05 0.87 3.56 3.67 3.58 0.59 3.31 3.89 3.80 0.71 2.65
Facility 2.59 4.02 0.41 3.26 3.94 4.12 0.46 3.23 3.86 4.05 0.39 3.35 3.54 3.88 0.25 2.99
Max RLRIL RSRIS VLVIL VSVIS RLRIt RSRIt VLVIt VSVIt RLRIm RSRIm VLVIm VSVIm RLRIf RSRIf VLVIf VSVIf
Organization 4.49 4.89 3.55 4.96 4.97 4.89 3.53 4.87 4.80 4.98 4.00 4.99 4.32 4.28 4.50 4.70
Procedure 4.21 4.96 2.32 4.94 4.98 4.87 2.82 4.84 4.50 4.99 2.25 4.98 4.32 4.60 2.70 4.70
People 4.65 4.89 1.96 4.45 4.33 4.66 3.82 4.18 4.78 4.98 2.10 4.75 4.00 4.80 2.45 4.80
Technology 4.64 4.97 2.25 4.56 4.96 4.93 3.12 4.88 4.90 4.99 2.50 4.84 5.00 4.85 4.05 4.60
Facility 4.08 4.97 0.99 4.56 4.91 4.93 1.47 4.23 4.70 4.99 1.40 4.83 4.80 4.85 0.69 4.70
Min RLRIL RSRIS VLVIL VSVIS RLRIt RSRIt VLVIt VSVIt RLRIm RSRIm VLVIm VSVIm RLRIf RSRIf VLVIf VSVIf
Organization 1.50 0.52 0.10 0.03 0.76 0.58 0.06 0.00 1.05 0.69 0.13 0.01 0.30 0.25 0.05 0.00
Procedure 1.62 0.69 0.25 0.17 0.62 0.64 0.16 0.18 0.35 0.37 0.13 0.19 0.30 0.37 0.10 0.00
People 1.66 0.39 0.17 0.37 0.45 0.39 0.21 0.62 0.40 0.21 0.07 0.27 0.37 0.28 0.05 0.00
Technology 1.72 1.31 0.06 0.79 1.10 0.78 0.07 0.18 1.04 0.89 0.05 0.88 1.90 1.98 0.03 0.20
Facility 0.82 1.61 0.05 1.36 2.04 1.53 0.05 0.57 1.85 1.61 0.00 0.55 2.00 1.48 0.05 0.50
Variance RLRIL RSRIS VLVIL VSVIS RLRIt RSRIt VLVIt VSVIt RLRIm RSRIm VLVIm VSVIm RLRIf RSRIf VLVIf VSVIf
Organization 0.75 1.11 1.31 1.99 2.16 1.66 0.94 2.10 1.08 1.33 1.69 2.17 1.59 1.14 1.91 2.08
Procedure 0.53 1.39 0.25 1.74 2.04 1.66 0.61 2.11 2.01 1.95 0.31 1.66 1.28 1.35 0.45 1.66
People 0.48 1.35 0.38 1.49 1.15 1.36 1.33 1.31 1.81 1.86 0.32 2.17 0.83 1.08 0.64 2.08
Technology 0.49 1.18 0.49 1.08 1.40 1.56 0.77 1.22 1.18 1.37 0.56 1.39 0.61 0.81 1.14 1.35
Facility 0.99 1.20 0.07 0.94 0.94 1.40 0.20 0.85 0.79 1.31 0.14 1.66 0.85 1.32 0.03 1.55
SD RLRIL RSRIS VLVIL VSVIS RLRIt RSRIt VLVIt VSVIt RLRIm RSRIm VLVIm VSVIm RLRIf RSRIf VLVIf VSVIf
Organization 0.86 1.05 1.14 1.41 1.47 1.29 0.97 1.45 1.04 1.15 1.30 1.47 1.26 1.07 1.38 1.44
Procedure 0.73 1.18 0.50 1.32 1.43 1.29 0.78 1.45 1.42 1.40 0.56 1.29 1.13 1.16 0.67 1.29
People 0.69 1.16 0.62 1.22 1.07 1.17 1.15 1.14 1.35 1.36 0.57 1.47 0.91 1.04 0.80 1.35
Technology 0.70 1.09 0.70 1.04 1.18 1.25 0.88 1.11 1.09 1.17 0.75 1.18 0.78 0.90 1.07 1.16
Facility 0.99 1.10 0.26 0.97 0.97 1.18 0.45 0.92 0.89 1.15 0.37 1.29 0.92 1.15 0.16 1.25
192
Resilience Indicator and Vulnerability Index Correlations
ORGANIZATION
193
Resilience Indicator and Vulnerability Index Correlations
PROCEDURE
194
Resilience Indicator and Vulnerability Index Correlations
PEOPLE
195
Resilience Indicator and Vulnerability Index Correlations
TECHNOLOGY
196
Resilience Indicator and Vulnerability Index Correlations
FACILITY
197
Exhibit 6.5 (Table 6.13) - Classification of Factors for BCM Implementation
Organization
Srl. CFLT CFST CFLM CFSM CFLF CFSF CFL CFS CF RLRIL RSRIS VLVIL VSVIS
A1 A1 A1 A1 A1 A1 A1 A1 A1 A1 1.95 2.65 0.52 1.73
A2 A2 A2 A2 A2 A2 A2 A2 A2 A2 3.71 2.07 0.55 1.81
A3 A3 A3 A3 A3 A3 A3 A3 A3 A3 3.89 2.71 0.29 1.17
A4 A4 A4 A4 A4 A4 A4 A4 A4 A4 3.48 2.54 0.27 0.08
A5 A5 A5 A5 A5 A5 A5 A5 A5 A5 3.68 1.12 3.55 0.03
A6 A6 A6 A6 A6 A6 A6 A6 A6 A6 4.16 2.64 3.22 0.33
A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 2.70 2.46 0.82 0.37
A8 A8 A8 A8 A8 A8 A8 A8 A8 A8 3.34 3.01 2.22 1.46
A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 2.22 0.52 0.63 0.06
B1 B1 B1 B1 B1 B1 B1 B1 B1 B1 3.46 2.55 2.05 2.34
B2 B2 B2 B2 B2 B2 B2 B2 B2 B2 2.57 2.33 0.86 1.49
B3 B3 B3 B3 B3 B3 B3 B3 B3 B3 3.67 3.76 0.55 0.08 Legend
B4 B4 B4 B4 B4 B4 B4 B4 B4 B4 3.12 1.29 0.14 0.32 Parameter Type PT
B5 B5 B5 B5 B5 B5 B5 B5 B5 B5 4.07 3.56 2.76 1.92 Criticality level CL
B6 B6 B6 B6 B6 B6 B6 B6 B6 B6 3.68 2.30 2.42 4.15 Resilence Indicator RI
B7 B7 B7 B7 B7 B7 B7 B7 B7 B7 1.50 1.64 0.10 0.15 Vulnerability Indicator VI
C1 C1 C1 C1 C1 C1 C1 C1 C1 C1 3.79 1.43 0.79 0.95 PT VI
C2 C2 C2 C2 C2 C2 C2 C2 C2 C2 4.17 2.38 0.28 1.90 RI CL High Low
C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 4.49 4.89 2.75 4.96 High Important Essential
D1 D1 D1 D1 D1 D1 D1 D1 D1 D1 1.66 2.19 2.04 2.54 Low Critical Desirable
D2 D2 D2 D2 D2 D2 D2 D2 D2 D2 3.92 4.45 2.48 3.48 Divergent Views
198
Procedures
Srl. CFLT CFST CFLM CFSM CFLF CFSF CFL CFS CF RLRIL RSRIS VLVIL VSVIS
A1 A1 A1 A1 A1 A1 A1 A1 A1 A1 3.83 4.92 1.04 3.80
A2 A2 A2 A2 A2 A2 A2 A2 A2 A2 3.98 3.30 0.75 2.69
A3 A3 A3 A3 A3 A3 A3 A3 A3 A3 4.02 1.65 0.44 3.11
A A A A A A A A A A 4.09 2.27 1.06 2.86
A4 A4 A4 A4 A4 A4 A4 A4 A4 A4 4.21 4.96 2.32 4.94
A5 A5 A5 A5 A5 A5 A5 A5 A5 A5 2.70 2.73 1.55 1.46
A6 A6 A6 A6 A6 A6 A6 A6 A6 A6 2.20 2.11 0.54 2.26
A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 3.69 1.28 0.85 1.01
A8 A8 A8 A8 A8 A8 A8 A8 A8 A8 3.73 3.05 0.94 3.23
A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 3.47 2.51 1.25 1.61
A10 A10 A10 A10 A10 A10 A10 A10 A10 A10 3.69 2.34 0.41 1.21
A11 A11 A11 A11 A11 A11 A11 A11 A11 A11 2.57 3.37 0.61 2.25
A12 A12 A12 A12 A12 A12 A12 A12 A12 A12 3.74 2.68 0.83 1.11
B1 B1 B1 B1 B1 B1 B1 B1 B1 B1 3.38 2.58 0.56 3.77
B2 B2 B2 B2 B2 B2 B2 B2 B2 B2 3.33 0.70 0.25 0.17 Legend
B3 B3 B3 B3 B3 B3 B3 B3 B3 B3 3.78 3.47 0.40 3.39 Parameter Type PT
B4 B4 B4 B4 B4 B4 B4 B4 B4 B4 3.80 3.77 1.08 3.53 Criticality level CL
B5 B5 B5 B5 B5 B5 B5 B5 B5 B5 2.96 3.32 1.05 2.47 Resilence Indicator RI
B6 B6 B6 B6 B6 B6 B6 B6 B6 B6 3.53 0.93 1.13 0.44 Vulnerability Indicator VI
C1 C1 C1 C1 C1 C1 C1 C1 C1 C1 4.10 4.01 1.77 4.74 PT VI
D1 D1 D1 D1 D1 D1 D1 D1 D1 D1 4.05 2.45 1.01 2.34 RI CL High Low
D2 D2 D2 D2 D2 D2 D2 D2 D2 D2 3.88 1.40 1.19 1.10 High Important Essential
D3 D3 D3 D3 D3 D3 D3 D3 D3 D3 1.62 0.69 0.25 4.28 Low Critical Desirable
D4 D4 D4 D4 D4 D4 D4 D4 D4 D4 1.91 1.87 0.36 1.98 Divergent Views
199
People
Srl. CFLT CFST CFLM CFSM CFLF CFSF CFL CFS CF RLRIL RSRIS VLVIL VSVIS
A1 A1 A1 A1 A1 A1 A1 A1 A1 A1 4.32 4.89 1.23 4.45
A2 A2 A2 A2 A2 A2 A2 A2 A2 A2 4.10 2.40 0.64 2.11
B1 B1 B1 B1 B1 B1 B1 B1 B1 B1 3.49 1.87 1.63 2.31
B2 B2 B2 B2 B2 B2 B2 B2 B2 B2 4.65 3.29 1.75 2.65
B3 B3 B3 B3 B3 B3 B3 B3 B3 B3 4.44 3.70 1.60 3.47
B4 B4 B4 B4 B4 B4 B4 B4 B4 B4 3.64 2.03 0.26 3.67
B5 B5 B5 B5 B5 B5 B5 B5 B5 B5 3.69 1.17 0.26 4.09
B6 B6 B6 B6 B6 B6 B6 B6 B6 B6 3.91 1.11 0.32 2.30
B7 B7 B7 B7 B7 B7 B7 B7 B7 B7 3.31 1.48 0.94 3.58 Legend
B8 B8 B8 B8 B8 B8 B8 B8 B8 B8 3.26 2.68 0.18 0.66 Parameter Type PT
C1 C1 C1 C1 C1 C1 C1 C1 C1 C1 3.39 0.39 0.33 0.37 Criticality level CL
C2 C2 C2 C2 C2 C2 C2 C2 C2 C2 3.41 2.51 0.74 4.22 Resilence Indicator RI
C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 3.93 2.80 0.78 3.22 Vulnerability Indicator VI
C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 3.65 4.50 0.60 3.27 PT VI
C5 C5 C5 C5 C5 C5 C5 C5 C5 C5 2.69 2.52 1.96 3.20 RI CL High Low
D1 D1 D1 D1 D1 D1 D1 D1 D1 D1 3.33 1.58 1.65 2.31 High Important Essential
D2 D2 D2 D2 D2 D2 D2 D2 D2 D2 1.66 2.96 0.17 3.86 Low Critical Desirable
D3 D3 D3 D3 D3 D3 D3 D3 D3 D3 2.91 2.17 0.42 0.88 Divergent Views
200
Technology
Srl. CFLT CFST CFLM CFSM CFLF CFSF CFL CFS CF RLRIL RSRIS VLVIL VSVIS
A1 A1 A1 A1 A1 A1 A1 A1 A1 A1 4.11 3.71 1.63 3.45
A2 A2 A2 A2 A2 A2 A2 A2 A2 A2 4.37 2.12 1.28 2.25
A3 A3 A3 A3 A3 A3 A3 A3 A3 A3 4.24 4.80 1.58 4.48
A4 A4 A4 A4 A4 A4 A4 A4 A4 A4 1.72 2.56 2.24 2.74
A5 A5 A5 A5 A5 A5 A5 A5 A5 A5 3.87 4.97 0.43 4.56
A6 A6 A6 A6 A6 A6 A6 A6 A6 A6 3.49 4.00 0.55 4.33
A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 3.39 4.97 2.25 2.99
A8 A8 A8 A8 A8 A8 A8 A8 A8 A8 2.99 4.97 1.86 3.32
A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 2.98 4.14 0.84 2.00
A10 A10 A10 A10 A10 A10 A10 A10 A10 A10 3.40 1.57 0.16 0.79
B1 B1 B1 B1 B1 B1 B1 B1 B1 B1 4.64 4.00 0.12 3.19
B2 B2 B2 B2 B2 B2 B2 B2 B2 B2 3.93 4.00 0.15 3.75
B3 B3 B3 B3 B3 B3 B3 B3 B3 B3 4.04 4.00 0.29 3.74
B5 B5 B5 B5 B5 B5 B5 B5 B5 B5 4.15 4.00 0.11 3.83
B6 B6 B6 B6 B6 B6 B6 B6 B6 B6 3.50 2.39 0.12 4.54
B7 B7 B7 B7 B7 B7 B7 B7 B7 B7 2.64 3.48 0.16 4.13
B8 B8 B8 B8 B8 B8 B8 B8 B8 B8 3.82 4.00 0.15 4.18
B9 B9 B9 B9 B9 B9 B9 B9 B9 B9 3.28 2.51 0.09 4.41 Legend
B10 B10 B10 B10 B10 B10 B10 B10 B10 B10 3.72 3.35 0.08 2.63 Parameter Type PT
B11 B11 B11 B11 B11 B11 B11 B11 B11 B11 3.65 4.93 0.06 2.67 Criticality level CL
B12 B12 B12 B12 B12 B12 B12 B12 B12 B12 4.01 4.79 0.51 4.06 Resilence Indicator RI
C1 C1 C1 C1 C1 C1 C1 C1 C1 C1 4.28 3.46 1.20 3.42 Vulnerability Indicator VI
C2 C2 C2 C2 C2 C2 C2 C2 C2 C2 4.54 4.00 1.49 1.90 PT VI
C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 2.80 1.31 0.44 1.34 RI CL High Low
D1 D1 D1 D1 D1 D1 D1 D1 D1 D1 2.55 4.97 0.40 4.27 High Important Essential
D2 D2 D2 D2 D2 D2 D2 D2 D2 D2 2.67 4.97 0.52 4.46 Low Critical Desirable
D3 D3 D3 D3 D3 D3 D3 D3 D3 D3 3.08 4.56 0.84 2.94 Divergent Views
201
Facilities
Srl. CFLT CFST CFLM CFSM CFLF CFSF CFL CFS CF RLRIL RSRIS VLVIL VSVIS
202
CHAPTER 7
7.0 Preamble
This chapter describes the findings of research and their relationship with the
hypothesis of study. It also details the limitations of the study and future scope of
work.
The IT infrastructure involving Data Centres, Servers, Storage and Backup systems
possessed by all private and foreign banks and most large public sector banks is of
high quality and reliability and kept current by deploying modern practice of efficient
data sharing, server & storage consolidation, data protection and redundancy of
hardware and network. They have secured their sensitive assets using computerized
and modern access control and security systems. Large percentages of services
offered by these banks are integrated using Internet and advanced CRM solutions. The
small and medium banks do not possess high quality and reliable IT infrastructure
that is run on modern system optimizing practices.
Foreign, private and large public sector banks have attained higher degree of
sustained business continuity. SBI displayed very high degree of continuity when
203
challenged by the catastrophic floods that submerged the city of Mumbai on July 26,
2006. The recovery efforts of the bank to bring it back to life within thirty six hours
whilst others remain crippled for almost five days, was made possible by their world
class IT infrastructure housed at Central Data Center at Belapur that is well equipped
with safety and environment control management systems supported by third party
agencies. SBI’s data centers have remote management capabilities and are organized
in a manner that they replicate each other’s data and systems, in real time and
asynchronous modes, as near and far sites and can substitute each other if one is not
functioning.
The above findings support the hypothesis - Higher the level of state-of-the-art IT
infrastructure more is the reliability of the BC practice and organizational strength,
especially for banks that support multiple products and services delivered through
multiple channels.
7.1.2 Focus on Softer Issues
7.1.2.1 Communicated BCM Policy and Procedures
Most large banks have put in place comprehensive BCM organization and have
identified vulnerability of critical processes with quantified impact. They have well
documented policy and procedures to run the operations in alternate mode that ensure
their high level of continuity. These however have not been communicated to all
stakeholders (customers, partners, support agencies, etc.) elaborately. Banks in India
therefore have experienced severe constraint in switching to alternate modes
whenever challenged.
The management of SBI attributes the success of their recovery after the Mumbai
floods to their efficient DR organization wherein the real transactions are loaded in
alternate sites regularly and the instructions to the emergency organization (Controller
and support staff) are well communicated and procedures well rehearsed. That helps
them bring into effect the alternate organization to run the data centre from alternate
locations as per specified procedure. The fine details of emergency procedures such as
layout of all emergency equipment and continuous breakdown drills, access controls
to various locations, cash lockers, availability of duplicate/alternate keys and
emergency power supply etc are communicated to all concerned. Communication
(to all concerned) and practice (by all involved) of BCM policy (organization and
people) and procedures (alternate operating processes and recovery methods) is
paramount to success of BCM implementation.
204
The level of adherence to international quality standards (Basel II) and insurance of
IT and non-IT assets in most banks is found to be below what is practiced by banks in
advanced countries. The practice of forging collaborative relationships with trusted
partners and civic machinery in owning and managing IT infrastructure assets for
sustained and continuous high performance is almost absent. There is very little
sensitivity to issues of brand management & image that give rise to increased faith in
bank’s ability to recover during disasters.
Adherence to international quality standards in terms of infrastructure and processes
enhances image and faith of customers in bank more than it improves operational
efficiency and readiness
The above findings prove the hypothesis: The success in the implementation of BC
practices as envisaged in enhanced image and reputation of the bank depends on the
softer aspects of Operations such as employee awareness, readiness, empowerment,
culture of innovation and adaptability and Adherence to International Quality
Standards.
205
The application of the BCM reality check model (developed in this study) to banks in
India has given insights into the gaps that exist in otherwise seemingly comprehensive
BCM implementations. The BCM organization and practice needs to be monitored
regularly to ensure its relevance under contemporary conditions. The model serves as
a “barometer” to do a reality checks and apply corrections where necessary. The test
results of the metrics indicate that large banks are more resilient and less vulnerable.
Small banks are highly vulnerable on account of technology and facilities. Both
categories of banks are equally vulnerable from the perspective of organizational
readiness and thus merit more management definition on softer issues of customer
service and image.
The above observations prove the hypothesis – Success of BCM depends more on
softer aspects of Operations such as employee awareness, readiness, empowerment,
culture of innovation and adaptability in bank that enhances its image and reputation.
206
The small banks therefore have to organize themselves in different model to counter
disruptions, which is to get into collaborative arrangements where they do not “own”
but “use” infrastructure, people and process support from third party agencies in a
form of consortium.
This supports the hypothesis - Small banks are less resilient to meet major
disruptions as compared to large banks on account of technology and facilities due
to their inability to invest in state-of-the-art IT infrastructure and establish reliable
and communicated procedures for alternate operations.
The inferences from application of the metrics are drawn by calculating two factors:
Resilience indicator (RI)= P*T and Vulnerability Index (VI) = R*V. These two factors
indicate the levels of strength and vulnerability of the bank from BCM perspective
from each of the parameter in the clusters. The summations of these two indicators for
clusters indicate the status at the cluster level.
The inferences from application of the metrics are drawn by calculating two factors:
Resilience indicator (RI)= P*T and Vulnerability Index (VI) = R*V. These two factors
indicate the levels of strength and vulnerability of the bank from BCM perspective
207
from each of the parameter in the clusters. The summations of these two indicators for
clusters indicate the status at the cluster level.
BCM Implementation relies heavily on effective use of Key Personnel who are
empowered and motivated individuals with good understanding of business processes.
It must ensure safety of personnel & equipment, protection of assets and minimize
confusion and uncertainty, quick rebuilding and return to normal processing and re-
establishing market share and customer Confidence. Banks must learn from the
incidence and document actions that can be taken in future.
208
Embarking on a BCM project
Formation of BCM Implementation team drawn from both the bank and
consultants and having a rich blend of functional and practice experts
Budgeting the BCM Program with provisions to provide adequate funding every
year to account for one time, annual maintenance and updating costs.
Conducting Business Impact Analysis (BIA) and related Insurance needs to
examine the threats, vulnerabilities and possibility of exposure of business to these.
209
them more vulnerable in disruptive situations. The following therefore are brief
recommendations to MSRBs to improve their resilience from continuity perspective.
Enhancing products and service delivery options by resorting to high degree of
automation.
Clear and documented roles and responsibilities to facilitate operationalize
alternate process.
Enhance awareness, preparedness and tolerance limits of employees and partners
by way of appropriate training.
Augment technology infrastructure both IT and Facilities by forming consortiums
that will collectively outsource asset provisioning, operations and maintenance to
support automated operations.
Raise the bar in terms of performance and communicate to all stakeholders.
Foster a culture of adapting to changes and focusing on enhancing value to
customer by way of wider range of services delivered efficiently and effectively.
The following are considered to be the limiting factors that must be taken into account
to enhance the strength the model before re-application.
a. Certainty about the level of knowledge of the respondents about the parameter
being surveyed needs to be ascertained by cross-referencing. The higher levels
of managements are more aware about policy and strategic aspects whilst
functional levels have better view of operational features and constraints.
210
b. The ability of respondents to provide the measure of preparedness, threats,
vulnerability and effectiveness of upgrades on a numeric scale is limited. They
need to be trained in. converting subjective knowledge to numeric
representation scale.
c. The levels of performance & success and culture prevalent in the banks in
India are diverse. This makes generalizations less accurate unless supported by
a large number of objective measures (for each response) and normalized. The
methodology adopted in this study did address this to an extent by educating
respondents about the parameters on several occasions and normalizing the
responses with the help of experts and consultants by re-referencing and
applying statistical corrections.
e. The technology aspects for the entire infrastructure (IT & facilities) can be
ascertained more objectively by researching into operating and failure logs.
These are not shared even with internal people. Since most operations in banks
(front and back office as well as inter bank) are IT enabled “Data mining” of
operating logs that are system generated can provide valuable and reliable
information about performance and related up gradations.
211
ii. Number of full-time personnel assigned to BCP process formulation /
improvement
iii. Number of personnel assigned to BC implementation
iv. Number of revisions of the BCP (version no.)
v. Number of incidences of disruptions recorded and the time to recover
b. It is wise to have an emergency response plan and a crisis control plan in place.
The identification of crisis-roles and responsibilities for every center is also
crucial. The preparedness could be assessed using metrics such as:
i. Percentage of centers that an identified crisis-commanders (and maybe,
backups) came to the rescue (recovery)
ii. Frequency of test-deploying the DR plan and verification of results
c. With the exception of certain large private sector banks, which are moving
towards server virtualization, there are no practices in the Indian Banking
industry, which reduces the risk of data loss. In US and Europe, offsite data
centers or electronic vaults are quite popular (such as Iron Mountain, formerly
Arcus Data Security). One therefore needs to explore the Supply side in India as
regards intent and capability of providing comprehensive DR support. This is
happening sporadically as understood in this study.
d. The level of maturity of a BCP is clearly evident in the quantitative nature of the
process. The following attributes would be present in a good BCP. The banks can
be compared and contrasted across these attributes to obtain accurate measures
and thus more reliable solutions.
i. Identification of possible disasters (no: of disasters planned for)
ii. Quantitative assessment of Business Impact for each incident
iii. Time-frames for recovery, and test logs for drills (Testing can be explored
in detail)
iv. Minimum resource requirements for each scenario
v. Clear established guidelines for priority based in criticality and urgency
212
servers etc). Putting in place “knowledge Management” practice and recording &
reviewing incidences of discontinuity can ascertain this.
213
d. Investment in technology.
e. Investment in reviews and their frequency.
f. Investment in training.
g. Investment in infrastructure and Facilities.
h. Failures and recoveries statistics.
i. Growth in volumes and variety (scale and scope).
j. Mention in media for performance
k. Number of employees
l. Retention and hiring statistics.
m. New customers added during the period.
n. Customers lost during the period.
o. Number of business partners
p. Retention and retirement of partners
q. Deficiencies in operating SLAs.
r. Incidences of security breaches.
s. Incidences of regulatory defaults.
t. Any other measure that will support the survey perception for definition of
high/low.
214
7.6.3 Analysis to improve usability
The data collected and finalized must be analyzed by resorting to:
a. Statistical Techniques to ascertain significance and variances
b. Employing Delphi technique to discuss suggested solutions.
c. Pilot testing the recommendations on selected branch/office.
d. Deliberations with three levels of management, first separately and then
collectively to evaluate recommendations.
215
ANNEXURE 1
BCM IMPLEMENTATION FRAMEWORK
1.0 BCM Paradigm
The experiences of various financial institutions and banks and the views of experts
and consultants suggest the following paradigm to plan and implement successful
BCM.
Banks have a duty to provide customers with uninterrupted access to bank accounts
especially so that people can quickly receive relief and aid provided to them by
government and other agencies in event of disaster. They must put in place BCM
plans that are comprehensive to cover all consequences and protect the bank against
any disaster / disruptions, man-made or natural, catastrophic or relatively minor. Most
banks have formal crisis management and response plans that deal with contingencies
like virus attack, natural disasters etc and over look certain trivial discontinuities like
absence of key staff. The recovery plans are of two types: one to effect immediate
recovery to cover the most critical elements of business (involves 20% of the work
force) and other to address long term perspective of recovering the business to
normalcy (involves 80% of the work force
BCM must enable banks to survive as a legal and financial entity by addressing entire
key assets that are necessary to continue operations – process, technology, people and
facilities even the best-laid plans can encounter unexpected challenges. Therefore
plans must be tested with a battery of potential scenarios with total participation of
staff. Experiences of banks in UK that tried to recover from discontinuities reveal that
the key is in execution of a well planned BCM during the face of disaster. Too much
focus on technology protection can be dysfunctional in absence of effective
development and deployment of policies and procedures to react in minimizing
damage and recovery. Senior Management with the right level of experience must
lead the BCM planning with their wholehearted support else it can reduce to a mere
corporate nuisance.
BCM Plan involves planning process that identifies core business processes that need
to be kept running to keep the business continuous together with key personnel and
technology infrastructure involved. The processes must be well defined after
collecting data from all stake holders involved in ensuring continuity and documented
preferably electronically. Banks must carry out detailed risk management assessment
by identifying critical assets and systems that need protection against all potential
threats that can interrupt operations. Once vulnerabilities are identified banks need the
216
right processes and technologies possibly with support of external agencies to ensure
business integrity. BCM Plans must be simple and regularly updated with systematic
reviews proactively to ensure they remain current and effective.
The elements that constitute an effective BCM Plan are given below and enumerated
in paragraphs 2.1 to 2.4.
Procedure
People
Technology
Facilities
1.1 Procedure
The procedures for multiple/ alternate site operations and documentation to ensure
continuity are enumerated below.
Olstik (Nov 2004) in his paper has described the practice followed by Chittenden
Corporation, a bank holding company headquartered in Burlington, Vt., that replicates
data between two IBM AS/400 systems in Burlington and Brattleboro. This allows the
bank, in case of a fire or some other disaster at their Burlington headquarters, to set up
shop in a nearby BCM office in Burlington and begin replicating data from
Brattleboro. Specialized BCM service providers companies provide "hot" and "cold"
site services as an insurance policy against rare natural disasters, such as hurricanes,
floods or earthquakes. This protection is not only costly but it usually means some
degree of downtime as service providers set up and emulate corporate systems in
1
Remarks by many CIOs and CTOs in response to a survey report published in Security 2002: “Rethinking
Risk”, Published: September 16, 2002.
217
remote data centers or in tractor trailers2. Olstik (Nov 2004) says that costs and
inconveniences are the price one pays for a worst-case insurance policy.
Large companies are bringing BCM in-house to overcome the above shortcomings,
Olstik (Nov 2004) describes that,
a. Business collocation. Companies like to own their own facilities near their central
operations to increase choice of options. 3
b. Architectural flexibility. The traditional concept of a redundant BCM site is
rapidly becoming obsolete. Geographic clustering, grid computing and wide-area
Storage Area Networks (SANs) mean companies that own their BCM
infrastructure can use that equipment for everyday business processing while
maintaining protection.
c. Consideration of natural. Often times, the biggest obstacle is Mother Nature
storms, floods, and earthquakes. This restricts choices of alternate sites to locate
BCM sites.4.
2
Shared infrastructure services (typical "cold" sites) may not offer enough coverage when recovery time
objectives (RTOs) and recovery point objectives (RPOs) mandate minimal downtime. Dedicated equipment
at a BCM service provider's data center (a "hot" site) can overcome that limitation, but may place the
backup systems thousands of miles from IT staff and business operations.
3
New York-based firms don't want their backup data centers in BCM facilities in Arizona or Florida but own
facilities in preferred nearby locations such as New Jersey or Brooklyn.
4
San Francisco-based companies, on the other hand, typically replicate their data to Salt Lake City or Phoenix,
rather than just across the bay to Oakland, because the two California cities sit on some of the same fault
lines that cause the area's occasional earthquakes.
5
Donald Ferguson, an enterprise storage consultant, from EMC, Hopkinton, MA, USA provided his views of
“Configurations in Future” to Smith Laura, in her article “The new face of disaster recovery”, Mar 2002.
218
configuration that ensures the proximity of storage devices so as to minimize the
wait".
Bleiberg (2005), asserts that it is pertinent that backup facilities are on different power
and communications grids than data center. To protect day-to-day operations,
organizations also should have redundant network connections, through different
service providers. Authorized employees should have access through a virtual private
network not only to E-mail, but to business applications.
1.2 People
Most organizations while addressing the people issues to address continuity appoint
alternates to each key role. Kelly (et.al 2002) observes that almost all plans contain an
assumption that the key people identified to populate their teams will be both
available and will have the wherewithal to function to their normal capability
following the disaster event.7 When questioned about this, few have really addressed
the issue of the impact of a disaster event on the people upon whom the carefully
planned response is dependent.8 Barnes (2005), has made specific questions that need
to be asked:
6
Brooks Darryl, Best Practices, Published: Nov 2003.
7
John Kelly & David Stark Presented at the Reginald H. Jones Center’s 3rd Annual conference on the Internet
and Strategy- “The Internet and the 21st Century Firm” April 12, 2002(WP 2003-02).
8
Barnes Peter, FBCI, Planning for people, March 18, 2005, http://www.continuitycentral.com/feature0186.htm
219
a. Will a designated team really be able to perform with the speed and efficiency
foreseen within the plan when close colleagues have been fatally injured in the
firm’s disaster?
b. What is the effect on individuals, for whom you depend in a disaster, when their
personal space and memories (trinkets, photographs and so on that many maintain
in their work-space) have been wantonly vandalized or destroyed?
c. To what extent have you assessed the risk that your employees / team members
might be affected by the same disaster scenario at home? In many scenarios their
primary concern will be to the immediate safety and welfare of their family.
1.2.2 Transportation
Business Continuity Plans have been generally found to be related to equipment and
software comprehensively but often does not spell out clear schemes to house the staff
during disasters. Lee (2004) feels that telecommuting, something his organization has
hesitated to use so far is considering deploying as a solution to get numbers to work
during emergency9. Ulsch, (2004) found that one backup site isn't enough. The firm
established a back up site in Western suburb of Boston 20 miles away anticipating
that employees could reach it in 30 minutes discovered that in situations of Bomb
threats post September 11, when the organization attempted alternate site operations,
it took the employees six hours to get there, because every other business around them
9
Lee, CIO, Baltimore, Maryland's tax department commented on problems faced in moving 900 employees
across its 24 offices during emergency – Security 2002: Rethinking Risk, Published: September 16, 2002.
220
was evacuating as well10. Hunt (2004) in his remark on ‘People deployment’ by banks
post Hugo Hurricane disaster observes while deploying people to backup sites at
locations such as Atlanta, Philadelphia and Norfolk resulted in sending key personnel
away from main operating location at Charleston just when they were most needed. In
some cases, lack of advance travel plans hampered these efforts. He recalls that
another organization, which experienced facilities damage, operated temporarily from
trailers brought into its parking lot.
1.2.3 Involvement
Olstik (June 2004), says “As for half-hearted support from the corner office, this is a
certain recipe for failure”. CEOs and senior management must champion the plan in a
visible way. Executives must sit in on training and highlight the BCM plan at
corporate meetings in order to maintain the role of BCM cheerleader. It is essential to
communicate the plan's importance and maintain focus. At the executive level, lines
of succession should be included in firm’s corporate charter and board of directors
meeting minutes, so that there's no question about who is empowered to make what
decisions. As per Bleiberg (2005), in the case of major disasters, one should have
access to a detailed organization chart with job descriptions for every position. An
employee file containing training levels and certifications for each employee should
accompany this. Should some personnel be unable to perform their tasks after an
event, this can be used to fill key positions quickly. Businesses can use an in-house or
outsourced call center to notify employees of immediate and ongoing status.
1.2.4 Training
Barnes (2005) insists that BCM plans should include training and drills in the
continuity plan itself. In addition to having disaster plans in place, it is critical to keep
personnel trained to carry them out effectively.11 In addition, if possible, it is
important to give people enough lead time to accomplish all of the planned disaster
preparations (Hunt, 2004). Organizations must ensure that all appropriate staff
receives training for their respective plan components. For example, if users will be
responsible for helping to move computer equipment, they should be trained how to
disconnect the computers to move them to safer locations within the buildings.
Improperly disconnecting equipment can cause damage, which can then unnecessarily
delay return to service on the desktops. Equipment remaining in vulnerable locations
risks water damage. Hunt (2004) iterates that personnel must be aware of details such
10
Ulsch, Financial Services Inc, Boston, comments on need fore more alternate sites to move people, Security
2002: Rethinking Risk, Published: September 16, 2002.
11
Barnes Peter, FBCI, Planning for people, March 18, 2005, http://www.continuitycentral.com/feature0186.htm
221
as the locations of emergency power off switches, and how to properly shut down the
fire alarm, fire suppressant and uninterruptible power supply (UPS) systems.
1.3 Technology
As per Periera (2002), the benefits to be derived from the use and adoption of
technology cannot be exaggerated. Central Banks the world over have been providing
their unstinted support to development of technological infrastructure and to IT
innovations in the banking sector. 12Technology usage, therefore, is a core component
of all future efforts of central banks to improve their deliverables and to play their
defined role more effectively. No system or institution can hope to benchmark itself
against international standards without making optimal use of technology.
1.3.1 Security
The need for enforcing security measures is getting due attention by most companies
since the levels of security breaches ire increasing (Howarth, 2004). As per a survey
ninety percent of companies experienced security breaches of some sort in the 2003
and that this threat was growing at a rate of fifty percent or more every year13.
Companies have responded to this threat by drawing both IT and business executives
into contingency planning and enforcing security procedures. As per Boulton (2005)
encryption of data is a must have practice to ensure “leak-free” storage.
Large number of banks in Europe and USA do posses’ ability to continue critical
business operations in the face of a malicious disaster. Many have tightened security
procedures, decentralized computing and storage architectures, and even relocated
data centers. The physical separation of Technology and Business provides flexibility
necessary to meet the firm's Recovery Time Objectives (RTO) in the event of an
untimely business interruption. Fucito (2004) reports that in his bank Primary
Business locations, Production and Backup Data Centers are strategically located to
protect against wide scale disruptions14. There are no simple answers to ensuring
security. "You don't just buy some software and install it. We're dealing with a
number of issues that are pretty complex—internal and external security, disaster
recovery, business continuity, crisis management, privacy and regulatory issues."15
12
Brian Periera, implementing a Business continuity plan, network magazine, issue of Aug 2002
13
Findings by Robin Bloor, of Bloor Research, USA (2003).
14
Fucito Robert, BNP Paribas, Business Continuity report (2004).
15
MacDonnell Ulsch, managing director of Janus Risk Management Inc. in Marlborough, comments in report
“Security 2002: Rethinking Risk”, Published: September 16, 2002.
222
Business continuity plans to combat cyber terrorism and system breaches need
strengthening as internet-based commerce is on the rise. Gartner study in this regard
reveals alarming trends. Pescatore says, "Our estimate is that the Internet systems of
about 65 percent of Fortune 5,000 companies are vulnerable to an attack that at least
results in a content change. Another 25 to 30 percent are vulnerable to an attack that
could cause a financially significant event that would have to be reported”.16
Battling the insider threat involves watching the behaviors among people inside the
business. Threatening actions include password misuse or theft, social engineering
and unintentional – yet damaging – security breaches by employees.17 Luft (2005)
recommends that organizations should consider a written security policy as a means to
battle the Internet as well as insider threats. A security policy puts in place an ongoing
statement of protection, detection and response. Some of issues the policy should
address are:
a. Appropriate use of the e-mail system.
b. Method to handle sensitive information.
c. Responsive actions when faced with a security incident.
d. Securing all IT systems.
e. Measures for protecting employee, customer or accounting information.
f. Appropriate use of user IDs and passwords.
g. Roles and responsibilities of administrator, users, and providers.
h. Enforcement.
The security policy should encompass all of the organization’s assets and IT systems
ensuring that all the risks against the vulnerabilities are assessed. . This will help
determine how much time and money is to be invested in various areas. The bottom
line is that small and medium-sized businesses face multiple threats to their business
that get more serious and difficult to battle each day. Luft (2005) asserts that by taking
a proactive approach to protecting and securing critical data and leveraging
appropriate technology, IT set ups can minimize the chances of losing data and
increase ability to have the business back up and running in the event of catastrophic
data loss.
16
Pescatore from Gartner , comments in report “ Security 2002: Rethinking Risk”, Published: September 16,
2002.
17
Luft David, Proactive plans thwart SMB threats, Published: 15 Jun 2005.
223
1.3.2 IT Infrastructure
Many firms that have excellent IT infrastructure in place have taken steps to minimize
risks by relocating, dispersing or distributing parts of their IT infrastructure, such as
servers and storage. All furnishings and equipment in a facility are important to
business resumption and should be protected. Hunt (2004) sharing his observation
states that use of custom plastic covers for the mainframe equipment, servers and
peripherals in were a key element in preventing water damage to the equipment, so
the military center at Charleston and enabled quick resumption of operations when
US was struck by Hurricane Hugo on September 21, 1989.
Disaster Recovery Planning (DRP) experts are of the opinion that older methods for
DRP, based on mainframe recovery, have become too cost prohibitive in distributed
systems environments. As per Smith (2002) N-tier client-server systems and
burgeoning networked storage topologies have introduced newer challenges that can
be met only with considerable technical expertise. BCM must be proactive. Toigo
(2004) enumerates, "Planners can't simply wait to be dealt a hand of cards. They need
to get involved in actual systems development and ask questions about the impact of
this or that middleware choice (for example) on the recoverability of the application
in a disaster. Most system developers, when asked why they didn't design
recoverability into their application, say no one asked them to."18
Oltsik (2004) observes certain BCM plans are at too high a level and suffer from a
lack of granularity. These plans define which systems need protection but do not dive
down into the equipment level protection steps. The data storage platforms should be
so selected as to ensure ‘data portability’ i.e. to facilitate restoration of data to
identical equipment at a recovery facility or an alternate storage platform if necessary.
This is significant in terms of recovery plan expense and timeframe. As per Smith
(2002) storage managers, who are a part of the BCM team, are to ascertain which
storage technologies are appropriate for protecting which applications and data. They
are to consider cost difference between mirroring to a remote hot site and sending
tapes off-site is orders of magnitude, balanced against the time-to-restore differential
of minutes to days.
Staimer (2005) feels that the key to cost-effective BCM is first placing a value on the
data and understanding how the data's value changes over time and then matching
18
William Toigo, a BCMP consultant commented on TV program Lesson of Hurricane Hugo on May 8, 2004 at
6:00 AM on ECT News Network.
224
various data protection technologies to that value. A cost-effective BCM strategy
requires a mix of BCM applications running on several platforms. Managing cost and
effectiveness requires matching the value of the data to specific BCM capabilities.
This mix-and-match approach will reduce overall BCM cost while meeting the
organization's needs. 19 This process must be repeated periodically to re-evaluate new
technologies, products, (Service Level Agreement) SLA requirements and compliance
regulations.
Luft (2005) has suggested following steps that are to be taken to determine ‘data
protection scheme’21 :
a. Decide what you need to back up. Ask yourself, "What can we afford to lose?"
19
Staimer Marc, Data determines the right disaster recovery, Issue: Jan 2005.
20
Oltsik Jon, Hot Spots, Issue: Nov 2004.
21
Luft David, suggested a framework in his paper, Proactive plans thwart SMB threats, Published: 15 Jun 2005
225
The key here is to get high-level buy-in from around the corporation, so that the
IT group isn't guessing about what's important Ambrosio (2001).
b. Know your data environment. Then determine where that data is located in your
IT system. How often does it need to be backed up? How often is it retrieved or
restored?
Organizations have to look at their application base and determine the effort and
money to be put in for shoring up most critical resources firs and in such a way
that doesn't disrupt everyday operations, As per Gruener (2001) 22, "Different data
have different performance requirements. One therefore needs to assess what all
this will mean to existing storage devices, networks and applications if you start
mirroring applications or doing hot backups”. Ambrosio (2001) suggest the
technologies that can be choose: Data mirroring (taking a copy of the data as it is
created in real-time, such as with Redundant Array of Inexpensive Disks [RAID]);
Hot backup (copying real-time data and storing it on a server at a different
facility); taking a Snapshot at intervals of every five minutes, every hour, or every
24 hours.
c. Document backup policies and procedures. Validate the integrity of the backups.
Make sure they are complete and that you haven't backed up viruses or other
malware. Also be sure they can be successfully restored.
The issue here can be the time it takes to actually recover the data. Storage-area
networks are wonderful tools for storing information, but they can be less efficient
at actually finding the stored data.
d. Keep backups in a safe place. This is typically done by storing them offsite in a
secure location.
e. Routinely check your backup plan to ensure it is current and has evolved with the
business.
f. At the end of the backup lifecycle, be sure it is destroyed completely so that the
data cannot be retrieved by an unauthorized person.
g. One huge lesson from the WTC disaster is that people also kept critical
information on their desktops - regardless of whether or not the company
mandated that such information should be stored on a network drive. Solutions to
this problem in the past have been a nightmare: lost diskettes and negligent
backups.
22
Jamie Gruener’s, (an analyst at the Yankee Group in Boston) comment in the article ‘Disaster recovery: Know
what you really need’ by Ambrosio Johanna, October 25, 2001.
226
1.3.4 Data Protection Technologies
1.3.4.1 Tape
These have been the most widely used devices for bulk data storage as a primary back
up. Smith (2002) observes that the role of tapes is being reexamined post September
11 incidence. This is mainly due to the problem of transporting and reading tapes
written on older drives while effecting recovery. However as per Scott (2002) the
need for tape won't disappear because of the potential for corruption or sabotage while
organizations’ attempt recovery of their data with mirroring.23
23
Scott (Gartner) sharing his experience with Smith Laura in her article “The new face of disaster recovery”,
Published: Mar 2002
24
Bill Mulcahy, assistant vice president of Systems, Sun Life Assurance explained the structure of electronic
vaulting deployed by his company to Smith Laura in her article “The new face of disaster recovery”,
Published: Mar 2002
227
objective) and RTO (Recovery Time objective). The RPO is "zero" lost data, and the
RTO is typically seconds to minutes. Asynchronous remote mirroring is a "store-and-
forward" technique that reduces I/Os and wait delays, allowing remote writes to fall
behind the local writes. This means the RPO for lost data can range from seconds to
minutes, and even hours in some cases. Asynchronous remote mirroring is most often
utilized when the remote site is a long distance from the local site.
Another disadvantage is that remote mirroring doesn't prevent a rolling disaster, data
damage, corruption or accidental deletion. If data is corrupted, damaged or deleted at
the primary site, it will also be at the BCM site. Less-expensive alternatives to remote
mirroring can also provide the lowest possible RPO and RTO. They're generally
Continuous Data Protection (CDP) products and include time-based continuous
snapshots, automated backup, replication of changed data and automated,
generational-change distributed backup. They offer a lower TCO (total cost of
ownership) than remote mirroring, support heterogeneous storage and provide better
rollback capabilities. But they usually require installing and managing agents.
228
As per Olstick (Nov. 2004), the two key disadvantages of backup are that its RPO and
RTO are usually quite high, and backup is a local process. Data consistency and
usability--the ability to use the backed up data without modification, reordering or re-
creation--may also be a problem. Backup programs require server-based agents and
backup costs escalate sharply as the environment scales and grows more complex.
However backup products are evolving and improving. Virtual tape, disk-to-disk-to-
tape (D2D2T) and massive array of idle disks (MAID) technologies speed backups
and recovery times. New types of backup software, such as content-addressable
storage (CAS), reduce the amount of data required to back up by sending only
changed data and meta tags about data, there by significantly reducing recovery times
and dramatically increases recovered data usability.
1.3.4.5 Replication
Replication software replicates data from server to server synchronously and
asynchronously. There are incremental and CDP modes. Replicated data travels over
TCP/IP networks to a remote server's disk, and then a backup client is needed to move
the data to a storage device. RPO for replication is similar to the RPO for storage
array remote mirroring, depending on whether it's synchronous or asynchronous. RTO
can be a little faster because the BCM application servers are already collocated with
the BCM storage. According to Olstick (Nov.2004), Replication software is easy to
install & operate and it can run locally & distributed. One important benefit to
replication is data migration. However, Replication software can't prevent damaged
data from being replicated.
1.3.4.6 Snapshot
A snapshot provides a point-in-time reference marker to data stored on a storage
system. Snapshots are a way to speed RTOs. There are two primary types of
snapshots: copy-on-write and split-mirror. As per Olstick (Nov.2004), a copy-on-
write snapshot stores changes and additions to existing data, which ensures rapid
recovery. A split-mirrored snapshot references all the data on a set of mirrored drives
where one is local and the other is local or remote. Each time the snapshot is run, it
snaps the entire volume, not just new or updated data. Snapshot is easy to install and
operate. A copy-on-write snapshot provides a short RTO and a relatively slow RPO
(data must still be recovered before it can be used). Split-mirror snapshots have a
relatively long RPO, but they speed data recovery (RTO), duplication and data
229
archival. One important benefit to split-mirror snapshots is that it's possible to access
data offline for tasks such as data mining and offline production data testing.
230
1.3.5.3 Purpose-built Storage Appliance
As per Olstik (Nov 2004) this is nothing more than a BCM application optimized
server and can be viewed as a networked storage controller. It leverages technologies
specifically optimized for storage BCM applications. Optimization includes I/O
performance, throughput, scalability and high availability (no single point of failure).
TCO is definitely lower than for the storage array or intelligent server, but these are
mostly proprietary. They may also have higher initial acquisition costs and may not
keep up with server technology advances.
1.4 Facilities
Two aspects of facilities namely Space and Power are described in succeeding
paragraphs.
1.4.1 Redundant physical space
The business-continuity plans of many enterprises deal with physical facility
protection as just that protection. Bleiberg (2005) asserts that a state-of-the-art plan,
however, should include having agreements in place for occupying other locations
from which business can be conducted for an extended period of time. The plans must
include agreements with disaster recovery service providers that are contracted to
231
provide emergency desk space. Despite some prearrangement with providers, the
events of Sept. 11 brought about some unique difficulties for all parties. Shore (2002)
explains that although a company may hold an individual contract with a service
provider, the emergency space promised in the agreement is usually shared with other
companies. Disaster recovery service providers base their plans on the probability that
multiple clients will not invoke their agreements at the same time for the same
space—an unforeseen issue in the case of the New York City events. While the client
organization is busy restoring business as usual, the disaster recovery service provider
is left with as many as six other clients who share that same disaster recovery space
and cannot invoke that space if necessary25. This leaves the disaster recovery service
suppliers looking for alternate space as well, possibly competing with their clients to
find suitable housing.
Shore (2002) further observes that usually service providers predict an expected
duration of occupancy following an invocation. The typical expectation is that
recovery from the incident will occur within days, or at worst, within two to three
weeks. This was clearly not enough time for the organizations affected by the events
of September 11. Organizations are contemplating arrangements with disaster
recovery providers for longer term and also proceed with acquisition of alternate
premises (possibly a move to another location within the same organization) to allow
the full complement of staff to resume normal work.
The investment-banking sector has a huge investment in BCM planning for obvious
reasons. Having dealers and traders out of commission for just a few minutes can
mean millions in lost deals or trades. As per Shore (2002) even in this high-stakes
business sector, the development of business continuity plans is still in a state of
infancy. Despite the size of the potential losses, typical disaster recovery plans only
provide sufficient facilities for about 20 percent of the headcount to allow
dealers/traders to close positions as quickly as possible 26. The planning assumption is
that, in most situations, normal service to the primary office environment will be
quickly restored.
A major factor in the decision to provide only limited recovery facilities is the cost of
having “redundant” office space ready to use just in case of an incident. This is
25
Shore Dave, “Sept. 11 teaches real lessons in disaster recovery and business continuity planning”, May 17,
2002.
26
Shore Dave, Web-based solutions can ensure business continuity, 20 May 2002
232
especially true in the investment-banking environment. Here, the technology piped to
the desks of the dealers/traders is always utilizing the latest technology and is
complex to set up. To replicate this in a BCM site is equally expensive and
complicated, especially when the temporary site has to be maintained to the same
level as the real work environment. Providing desk space with a workstation at a
BCM site for a dealer/trader position is typically three times more expensive than an
ordinary office desk utilizing general office systems. Shore (2002) believes that the
extra cost of BCM sites can be offset somewhat with new products that exploit
Internet capabilities. If dealers and traders could access the exact same information
through the Internet as they can at their work location, they could conceivably work
from anywhere, even from home.
Shore (2002) suggests that internet based solution provided to staff / partners on their
desktops would have possibly allowed them to continue working from home locations
in the weeks and months after the disaster of September 11. The disaster recovery site
itself would have needed only to implement a new server and install the firm’s
analytics and models created with the software. For IT staff says Shore (2002), this
would mean that they would have to maintain only the server systems and would not
have to connect all the data feeds to each dealer/trader desktop. For disaster recovery
planners, all that remained would be to keep the backup server up to date and ready
for action. This Web-based approach could be the answer to providing a quicker,
cheaper solution for disaster recovery and business continuity planners.
27
Bruno-Britz Maria, Banking System Defiant in Katrina's Aftermath, September 13, 2005.
28
Hunt Hal, commented on “Lesson of Hurricane Hugo” on ECT News Network, at 6:00 AM on May 08, 2004
233
1.5 BCM Implementation Methodology
Business Continuity Management includes all of the functions needed to develop, test
and maintain a Business Continuity Plan and the skills and techniques employed in a
crisis situation to effectively execute the BCP as a strategic tool in the Recovery
Process (Karakasidis, 1997). A framework, based on literature survey is provided in
the succeeding paragraphs.
234
In many instances, the secret behind a successful BCP program is not the quality of
the program itself, it is knowing your needs and providing the leadership and
coordination to make the plan a reality29.
Following steps are suggested to embark on project to design and implement a BCM:
a. BCM Implementation Team - Composition and Skills
b. Budgeting the BCM Program
c. Risk Identification
a. BCM Project Leader: The project leader has to be one who can work with
people, Understand, Motivate, and direct them. He should enjoy the confidence of
senior management and have good awareness of Corporate Priorities. He/She
must be at an appropriate level in the Organization having ability to influence
decisions.
b. Team Members: The members ought to know their business especially the area
they work in. It is desirable, however, to get people that also know how the
various departments interact and how the business processes flow within and
externally to the bank (Karakasidis, 1997).
29
Disaster Recovery Journal (Volume 15, No.3, Summer 2002).
30
Compass Management Consulting, Survey Carried out in 2004
235
1.5.2.2 Budgeting the BCM Program
Gondek (2002) opines that a BCM program is a dynamic and valuable investment for
an organization31. Provisions have to be made to provide adequate funding every
year to account for one time, annual maintenance and updating costs. The Table A1.1
below gives an indicative list of costs that need to be considered while working out a
business continuity plan32. This needs to be adapted for the existing environment
(organizational and technical) of the target bank. One must watch for low initial cost
but extra ordinary annual costs. Nearly every tool has hidden costs such as
maintenance, storage, backups, technical assistance etc
One Annual /
Cost
Item Time Periodic
Description
Cost Cost
Consulting Costs
31
Richard Gondek, (Internetworking Practice Lead, Greenwich Technology Partners) Journal of Business
Strategy, Aug 2002.
32 Courtesy: Henry Bellwood Consulting, Canada, 2002
236
Budgeting for a Business Continuity Management Project
One Annual /
Cost
Item Time Periodic
Description
Cost Cost
Development Communication Systems
Legal Costs
Printing Costs
Distribution
Delivery of Data
237
Gallagher (2003) emphasizes that the issue of ownership of implementation of BCM
is paramount. The study of various banks suggests, particularly in present times when
business risk is being carried by the functional units that the ownership must rest with
business units. Accordingly, the funding has to be supplied in appropriate proportions
both from Corporate and departmental budgets
Mawson (2003) identifies some examples of Risks that are possible sources of
business interruptions include – Water Leakage, Flooding, Storms, Communications
and Utility failures, Natural Events – earthquakes, Fire, Viruses, Employee Error
238
etc33. Some risks are hidden and not as obvious – Corporate Culture, Push for delivery
before quality, Poor morale, Fraudulent activity, Poor controls, Tendency to hide
errors etc.
33
Thomas Mawson, Executive Director, DRI international, Virginia, Risk evaluation & Control, Security
Magazine, May 2003.
34
Miller Kevin, consultant, Stroh Consulting Services, July 2003.
35 Kon Karakasidis, (KPMG Information Technology Consulting Division, Melbourne, Australia) A project
planning process for business continuity, Information Management & Computer Security, Vol. 5 , No. 2,
Aug 1997.
239
1.6.1.2 Senior Management Support
Rodetis (1999) emphasizes that the success of any organization wide intervention
such as BCM depends largely on the support of Senior Management who must take
visible actions to make it known. This is to be done by appointing a Project Sponsor
who is “Director Level” executive36. Appropriate announcement letter must follow
this to the entire organization, declaring the importance of BCM Project and soliciting
support of all units of the bank to assist BCP team in their endeavor.
36
Susan Rodetis, Can your business survive the unexpected, Journal of Accountancy, Feb 1999.
240
In the risk assessment phase organizations must identify critical assets that need
protection and also uncover all of the potential threats that could interrupt operations.
Both of these assignments can become problematic, as it may be difficult determining
which threat is real and which is a stretch. As per Olstick (2004), "Organizations used
to be worried about natural disasters but now they are more concerned about business
interruptions from things like Internet worms, terrorist attacks or cyber terrorism. One
needs to be comprehensive, but this creates a long list of potential problems."
O’Neill (2005) recommends that the board of directors need to have an active role in
the BCM process to determine what needs protection and what doesn't. The BCM
plan should start with some assumptions about which systems will need protection
and any changes or compromises that must be made after this should be viewed as a
business (not an IT) decision.
Mawson (2003) explains that BIA involves identification of risks (vulnerabilities) and
their impact on the organization. Since BIA is a subjective risk assessment the results
are as good as the information gathered and the information is as good as the people
involved. This therefore requires use of multiple instruments of data gathering namely
Surveys, Questionnaires, Workshops and Interviews. Snow (2003) recommends that,
while undertaking survey the questions have to be customized to the level of the
sample and documentation needs to be “intelligent” to draw correct results 37.It is
recommended that automated tools are used as they provide standardization,
completeness and tried and proven methodologies. The disadvantages of using tools
is the costs involved in purchase and training and that they could be cumbersome,
complex or too boilerplate and may only support one recovery alternative.
37
Snow David, Senior Consultant , Stroh Consulting Services, July 2003, http/www. Stroh.systems.com
241
1.6.3 Business Impact Analysis (BIA)
a. Financial impacts
The following are the financial impacts of disruptions.
i. Loss of banking transactions
ii. Loss of income (receipts)
242
iii. Delayed Income (transfers)
iv. Additional Expenditures
Rental of temporary premises/equipment
Moving equipment, cash, people
Media reconstruction
b. Operational Impacts
The following are the operational impacts of disruptions
i. Reputation, Negative public image
ii. Loss of shareholders confidence
iii. Impact on Customers
iv. Impact on other departments
v. Complexity of Systems – is a partial recovery possible?
Can a manual workaround be set up?
How long can the workaround be used?
vi. Voice and Data Communications requirements
Is email more important than telephone?
243
d. Distribute the survey and / or conduct interviews / observations. Note v/ collect
the readings / responses.
e. Conduct follow up survey / interviews where needed
f. Modify survey responses based on interviews / follow ups
g. Analyze survey data
h. Verify results with business / service unit management
i. Prepare a report – present findings to management
244
1.7.2 Assumptions of BCM plan defined
Gondek (2002) recommends that the following assumptions should be defined prior
to developing the plan:
a. The bank’s business / service goals and objectives in terms of level, speed and
type of operations.
b. The bank’s policy on maintaining service / operations continually
c. Service / operation interruption scenarios that pertain to each functional area /
location
d. Definition of “minor interruption” and “major disaster” in terms of service /
operation impact and anticipated duration of outage.
e. Which service / operation will be reused / recovered and to what capacity levels
over what period of time?
f. Which service / operation will be resumed immediately?
g. Which service / operation will not be resumed immediately and when will they
be available?
h. Which service / operation are expendable?
i. What resumption and recovery strategies are to be employed and what are the
priority sequences associated with each?
j. What resources need to be pre-positioned and what are their interdependencies
(inter and intra channel)
38
Disaster Recovery Journal, http://www.drj.com, May 2003.
245
ii. Well-documented, agreed and understood (by all stake holders involved)
alternate procedures & processes. Possibly a manual workaround to cater for
immediate requirement.
iii. Staffing requirements – key personnel & support staff
iv. Non-information processing resources
v. Identification & agreement of all responsibilities and emergency procedures
vi. Enabling services and resources to achieve the resumption – accessibility of
business unit premise, alternate spaces, power supply, communication etc.
vii. Fallback arrangement for information processing facilities
viii. External business dependencies and relevant Contracts in place
ix. Staff education in procedures, processes & crisis management
x. Conditions for activating the plans
How to assess the situation
Who should be involved
xi. Emergency procedures - Actions to be taken
xii. Public relations management - Effective liaison with public authorities e.g.
police, fire dept., local Govt.
xiii. Fallback Procedures
Moving essential business activities or support services to alternative
temporary locations
Bring business process back into operation in required time scale -
Resumption Procedures
Action for returning to normal business operations
246
1.7.4 Strengthening the BCM Plans
39
BCM plans can be made more resilient by addressing the issues given below
(Herbane, Elliott, Swartz et al, 1997):
a. Policy matters
Top management sponsoring BCM projects should display high degree of
involvement in guiding the effort on certain key items enumerated below
Organization structure - Responsibility for coordination of BCM process
(Rodetis, 1999).
i. Recovery System Alternatives40
Banks Own Resources
Outsourced – Certain systems like Payroll, Customer Contact, Mailing,
Shipping, Web Site Maintenance etc can be outsourced.
ii. Reliance on outside firms – especially telecom, government and utility firms.
Arrangements have to be made with these external agencies, by way of
maintaining formal and informal relationships, to obtain their unflinching
support during crisis.
iii. Location and Organization (People, Security, Access etc) of:
Primary Site
Alternative sites
Off site storage
39
Brahim Herbane, Dominic Elliott and Ethne Swartz ( Leicester Business School, UK), Contingency and
continua, Achieving Excellence through Business continuity planning, Business Horizons, December 1997.
40
Financial Times, June 2005,Business Continuity and Disaster Recovery.
247
c. The Human Factor
Morganti (2001) emphasizes the importance of Human factor41 in ensuring
reliable BCM implementation and execution.
i. People are not equipment – that must not be forgotten.
ii. Disturbed Emotions may affect ability to respond
iii. Family issues may impact availability
iv. Stress related illness and fatigue has to be considered.
v. Sustenance of staff must be taken care of.
d. Technical
Rodetis (1999) emphasizes that the people and systems (desktops, servers and
networks) need to be kept operational. Alternate / emergency operations are
therefore to be planned as also the processes and drill to rebuild the state of
normal operations 42.
i. Immediate Recovery Options -Data Mirroring, Site Mirroring
ii. Near Immediate Recovery Options - Hot Site, Mobile Site, Service Bureau,
Multiple Processing Sites
iii. Medium Term Outage can be met by providing for Warm Site or Data Re-
entry.
iv. Long Term Outage can be met by providing for Rental of alternate space (cold
site) or Data reconstruction.
v. Emergency Operations Centre (EOC) - Issues pertaining to EOC address
questions such as :
How far should it be located
How large in size
How much equipment
What Communications Systems and Access Systems are required
Housekeeping and Security of Emergency Operations Centre.
41
Michael Morganti, A business continuity plan keeps you in business, Record – The magazine of Property
Conservation, September 2001.
42
American Society for Industrial Security, http://www.asisonline.org and International Association of
Emergency Managers, http://www.nccem.org May 2002.
248
set up. Agreement must be entered into with appropriate vendors for delivery of
replacement service/support within critical time frames. The strength of the vendors
must be ascertained to ensure that they are not over whelmed by requests for support
in the event of a large-scale disaster
1.8.3 Systems
As per Rodetis (1999) systems and processes must be worked out and communicated
to all concerned regarding the following aspects:
a. Off Site Storage
43
Disaster Recovery Information Exchange, http://www.drie.com and Survive – The Business Continuity
Group, http://www.survive.com July 2002
249
b. Data, Documentation, Procedures
c. Unneeded Data
d. Protection of Data
e. Change Control
f. Frequency of Backups
g. Access Control
h. Physical Security of Site
Even though the BCM plan seems complete, numerous problems may exist. For
example, sometimes the BCM plan is overly complex and only the core BCM team
can truly understand it. There are also instances where upon completion, the BCM
plan remains static and doesn't accommodate changes to technical infrastructure or
business processes. Olstick (2004), maintains that BCM plan is a living document and
changes to the business or technology infrastructure must trigger a parallel change to
the BCM plan.
44
Kirkpatrick, Terry A remarked in report published in CIO Insight in 2002.
45
Leading Companies Revive Focus on Best Practices to Bolster Profits in Recessionary Climate, February 26,
2002.
46 Doede de Waij, Senior Manager, Marsh Risk Consulting, BCM - Protecting enterprise value, July 2006.
250
a. Identify overall strategic objectives for response and recovery.
b. Analyze what are the requirements to meet these objectives (BIA) and conduct
gap analysis.
c. Design strategies to close the gaps; organizational structure to implement the
formulated strategic objectives; and operating model to respond to the incident
/ crisis.
d. Execute / Implement the chosen strategies and document the procedures to be
followed in applying the strategies (plan writing).
e. Measure results through exercising, training, auditing and maintenance.
Olstick (2004) assets “It isn't worth the time, money and effort to put a BCM plan
together unless the company is willing to invest in comprehensive training and
frequent testing. This will maximize preparation while providing a method to uncover
and fix any weaknesses”.
a. Basic Tests – The BCM can be tested for overall effectiveness by resorting to
review by senior management by carrying out tabletop exercises. Using
software simulations to carry out Structured Walkthrough and make
appropriate recordings can also test these.
b. Partial Tests – These are resorted to test the capability of system for partial
recovery of selected systems.
c. Complex Testing – This is a full blown test in which banks should simulate
total breakdown of infrastructure and support to test alternate systems
involving both internal stakeholders as well as support partners and regulatory
/ government agencies.
47
Disaster Recovery Information Exchange, http://www.drie.com and Survive – The Business Continuity
Group, http://www.survive.com July 2002
251
1.9.3 Periodicity of Testing BCM
BCM organization and documentation must be tested on following occasions,
deficiencies recorded and improvements / modifications worked out (Gondek, 2002).
a. At least Annually
b. After major organizational changes
c. After an incident
d. Implementation of new systems, networks and hardware
e. Changes in market conditions
f. Changes in staff levels
g. After tests
48
Greg MacSweeny, Redefining Best BC Practice, Insurance & Technology, Aug 2003
252
ii. Solicit as much feedback as possible
iii. Designate personnel responsible for correcting deficiencies
f. Document all changes to the plan and watch for version control
g. Report results of tests to management for incorporation
49
Dr.Suvit Yodmani and Dr.David Hollister, Disasters and Communication Technology: Perspectives from
Asia, Presented at the Second Tampere Conference on Disaster Communications, 28-30 May 2001.
50
Disaster Recovery Institute Canada, http://www.dri.com and http://www.incident response.org;
http://www.drii.org, July 2002.
51
253
chart out so as to aid decision-making, questions Karakasidis (1997). The authority
that can declare disaster must be nominated. A list of all those key personnel both
from within and outside the organization, who are to be alerted, must be prepared and
published. The services (alternate) that need to be mobilized must be listed and made
available.
254
whether there is a need to escalate. There must be a preset drill of reaching the key
people and all should know who is to be in command.
255
1.13.7 During an incident
The response team must follow the plan to keep the business operational and prevent
further development/impact of incident. They must gather information to permit
effective response (Herbane et al, 1997). It has been found that the teams responding
in disaster situation thereby making the operation totally ineffective did not adhere to
a well chalked out plan.
256
ANNEXURE 2
SURVEY METHODOLOGY - BCM SURVEY IN INDIAN BANKS
All the respondents were given an assurance that the information collected is purely
for the purpose of study for doctoral work and not for any commercial use. The
respondents were also assured of maintaining anonymity about their views expressed.
257
iii. What is the vision and mission of 100% Medium Well defined for
your bank in terms of to high HDFC and ICICI.
Moderate for others.
performance targets, delivery
mechanisms, products & services
and other non-banking service
offerings?
iv. What are the challenges envisaged 100% Medium Well defined for
and how are they met in the to high HDFC and ICICI.
Moderate for others.
present times when there is fierce Details provided.
competition amongst banks due to
entry of private sector and MNC
banks in a big way?
v. What is the degree of automation / 100% High to High degree of
computerization in your bank in Medium automation in all
except SBI where it
terms of front office and back is moderate. Block
office processes? Diagrams provided.
vi. Do you use standard quality 100% Low to Low in GTB,
frameworks for process High moderate in UTI
and SBI and high in
improvements (e.g. BS7799, ICICI.
Basel II, etc) in your bank?
vii. What is the strategic view of 100% High to High incase of all
technology implementation in medium except SBI (IDEAS,
FinnOne,
achieving higher efficiency and Spectranet). Details
effectiveness? provided.
258
ix. How critical is it to maintain 80% Low to Low in PSUs. High
continuity for the prosperity of High in Private Sector
banks.
your bank? How is prosperity of
the business defined in your bank
(e.g. business objectives,
strategy)?
x. What in your opinion are the 80% Moderate All banks do it in
major discontinuities that can some measure. Need
to be more
hamper operations of your bank? exhaustive and
How do these impact and to what clarity expressed.
extent? What is the probability of
these threats occurring?
xi. How are the steps to manage the 80% Moderate All banks do it in
disruptions / threats incorporated some measure. Need
to be more
in your organizational policy and exhaustive and
procedures? How is the staff clarity expressed.
trained /educated in this regard?
xii. What is an acceptable/tolerance 80% Medium Clarity not
level of your stakeholders, in experienced.
terms of disruptions and
subsequent revival?
xiii. How well are BCP practices 80% Moderate Clarity not
integrated with normal operating experienced.
procedures?
xiv. Do you have a clear brand or 80% Low to Low in PSUs.
policy for managing global medium Medium in Private
sector banks. No
reputation or image? Is this well clear organizational
preserved in major business processes.
developments to ensure the
company’s image is protected?
259
xv. Have you tested the PR machine 60% Low No clarity on the
in the event of an incident? issue.
xvi. Does succession planning feature 60% Low No clarity on the
as a matter of course in your issue.
organization’s risk management
approach? How appropriate is the
organization’s “key man
insurance” for the business?
xvii. What risk mitigating actions are 80% Medium Reasonably well-
in place? Is the cost of accepting defined.
the risk lower than any mitigation
actions?
xviii. Are the considerations the same if 60% Medium Not articulated
this occurred during a critical exactly.
period of the business, e.g. end of
a financial reporting cycle?
xix. Are business objectives and 80% Medium Not articulated
strategy clearly defined to help exactly.
determine which activities are
critical for the managing the
prosperity and continuity risk
strategy?
xx. What is the strategy or cost 80% Low to Not articulated
evaluation for accepting risks or Medium exactly.
transferring them?
xxi. Does the organization know what 80% Medium Most banks have
is acceptable to/expected by key general idea. But no
specifics.
stakeholders? Have costs of the
plans been rationalized?
260
xxii. How is business continuity 80% Medium Most banks have
integrated with your risk general idea. But no
specifics.
management framework? Does
the concept of business continuity
feature in the risk map/landscape
in every part of the business?
xxiii. What mechanisms / frameworks 60% Low No clarity on the
do you adopt to gather market issue.
intelligence as regards
performance of your products &
services and use of technology as
compared to your
contemporaries?
xxiv. Do you carry out sensitivity test 80% Medium UTI carried out
on your employees regularly to specific initiative
called ‘Mystery
assess their preparedness to Customer’. Other do
confront eventualities? it as ‘good to do’
only.
xxv. Have youimplemented 80% Low to Low in PSUs. High
knowledge management practice High in Private Banks.
Block Diagram and
in your bank to review incidents schematic provided.
and draw out lessons to formulate
continuity guidelines?
261
ii. Are the alternate processes to key 80% Medium Most banks have
processes of the bank, whose general idea. But no
specifics.
disruption may cause serious
impact and losses, well defined in
terms of steps to be taken,
delegation of authority and assets
to be used?
iii. Do you have a manual 80% Medium Most banks have
workaround for the core general idea. But no
specific instructions
processes? How is the information except in case of
collected during manual working SBI.
updated to the IT system once
normalcy is attained?
iv. Are the safety procedures well 80% Medium Most banks have
communicated in your bank? Do general idea. But no
specifics.
you conduct regular training of
your employees to make them
aware of these?
v. Do you outsource services to 100% Medium Most banks
undertake critical activities to high outsource non-core
functions. ICICI has
towards ensuring business specific contracting
continuity or safeguards to scheme to manage
outsourcing.
minimize disruption? How are
these incorporated in service
contracts?
vi. Do these contracts provide 60% Low No clarity on the
appropriate levels of issue.
compensation in the event of
failure to provide an acceptable
level of service (acknowledging
that compensation may not always
be sufficient to cover cost of
certain high profile failures)?
262
vii. Does the contract provide for 60% Low to No clarity on the
independent checks or testing of medium issue.
the outsourcer’s business
continuity arrangements?
viii. Have the outsourcer’s business
60% Low to No clarity on the
continuity arrangements been medium issue.
tested – in particular where
significant core activities are
involved?
ix. What internal risk assessment of 80% Medium Most banks have
the outsourcer has taken place to general idea. But no
specifics.
manage the potential failure of the
outsourcer to provide an
acceptable level of uninterrupted
service?
x. Does the cost of
insurance 60% Medium Most banks have
outweigh the potential loss or general idea. But no
specifics.
damage to the rest of the
business? Should the organization
merely accept the risk and cost of
rebuilding the lost service or
activity, or opt for total shutdown
of that activity? If the risk
becomes too great, should the
activity (still) be outsourced?
xi. Has the organization carried out a 80% Low Except in case of
risk culture or awareness heath UTI.
check?
xii. What is the likelihood of major 90% High All banks expressed
disruption to the business due to this as a critical
factor.
prolonged unplanned absence of
key individuals?
263
xiii. Have you assessed
the 80% Medium Most banks have
vulnerability of your business general idea. But no
specifics
portfolio to changes in economic /
social conditions?
xiv. Is the organization well positioned
60% Low to High in case of
to influence the direction of Medium ICICI. Details
provided.
regulation and professional
standards?
xv. How is the organization keeping 80% High Senior
its finger on the pulse of managements highly
sensitive to this.
regulatory or market changes?
xvi. Does your business continuity
100% Medium Most banks have
management extend beyond the to High BCM for IT setup.
Block Diagrams
traditional areas of IT and provided. Explicit
physical security? instructions in case
of SBI.
xvii. Are there risks to the business’s
80% Low to Low in PSUs.
ability to stay on track of its goals Medium Moderate in Private
sector banks.
that have yet to be identified,
assessed and managed?
264
xx. What are the incidence logging 60% Low No clarity on the
mechanisms? How are these issue.
analyzed and the results
communicated to the employees?
xxi. Is knowledge management 80% Low to Low in PSUs. High
practiced? How is this integrated High in Private Sector
banks. Block
with other computerized systems? Diagrams &
Specifications
provided.
xxii. Are emergency action plans and
80% High Safety instructions
other safety regulations made exist and well
promulgated.
available to the employees in a Implementation not
manner that they are easily really challenged.
accessible during contingency?
xxiii Do you hold post event audits
60% Low No clarity on the
with a view to draw learnings and issue.
suggest improvements?
xxiv Does the reward system in your
60% Low to Low in PSUs.
bank objectively recognize medium Practice of rewards
does exist but not
performance and sensitivity of really linked to
your employees towards business BCM.
continuity?
xxv. Do you conduct regular training
90% High Increased awareness
of all stakeholders in the issues in banks in taking
this seriously was
related to emergency procedures, observed.
alternate equipments etc.?
265
ii. What are the major applications 100% High Most banks have
that are installed in a bank to implemented CBS,
Internet Banking
address structured workflow (e.g. and CRM solutions
core banking processes)? (Finacle, Spectranet,
FNS).
iii. How is the informal workflow 80% High Good Use of IT in
(e.g. mails, interdepartmental using internal
communications
notes…) realized in your bank? found.
iv. What is the level of automation in 60% Low to All banking
your bank as regards electronic high operations
document
documentation and information automated in most
exchange? How paperless have banks. Internal
management (assets,
you become? HR…) low in PSUs.
v. What is the data transfer 90% Medium Most banks have
organization and architecture to High near state-of-the-art
infrastructure for
deployed in your bank? What is banking operations.
the network architecture at branch Block diagrams
provided.
level and interbranch level?
vi. What are the various hardware 100% High Most banks have
platforms and system software near state-of-the-art
hardware at data
deployed to support your IT centre level.
Infrastructure? Specifications
provided.
vii. How robust is your security 90% Medium UTI has excellent
policy? Is this policy applied to high security policy
documentation and
consistently across the group? implementation.
viii. Are there gaps in the
IT 90% Medium Most banks are
infrastructure which may expose sensitized to this.
parts of the database and
applications?
266
ix. As most data is held on servers, 90% Medium Most banks have
are you confident that any to high comprehensive
applications running
unauthorized access with the risk on CBS to take care
of misappropriation and of this.
corruption of financially sensitive
data, will be detected?
x. If using outsourcers, are they 60% Medium UTI has elaborate
appropriately covered by your to high practice in
managing this.
security policy? Block diagram
provided.
xi. Are existing insurance 60% Low No clarity on the
arrangements appropriate – to issue.
cover both data, system & system
time loss?
xii. Is there a coherent
incident 60% Low No clarity on the
reporting system to maximize use issue.
of these insurance arrangements?
xiii. Do you have a central incident log
60% Low Only GTB had well-
or hotline? defined system.
Specifications
provided.
xiv. Do all contractors and staff in
60% Low No clarity on the
privileged positions sign a issue.
confidentiality clause?
xv. What are the various storage 90% Medium Most banks have
devices deployed in your bank? to high near state-of-the-art
hardware at data
How do they compare with the centre level.
contemporary banks? Specifications
provided.
xvi. Is there a detailed backup policy
90% Medium Most banks have
in your bank? What are the to high reasonably well-
defined backup
various devices used to take policy.
backups? Specifications
provided.
267
xvii. How is the bandwidth of the IT
100% High All banks have well-
setup of your bank managed? managed
(outsourced)
What are alternate modes of data bandwidth
communication? management with
alternate/ redundant
modes of
telecommunications.
Specifications
provided.
268
xxii. Do you have alternate 60% Medium Private sector banks
arrangements for specialized have larger number
of ATMs (per
automated delivery mechanisms customer) that serve
such as ATMs, point of sale as alternate to each
other. PSUs have
terminals, kiosks, etc.? lesser in number.
xxiii How is the intra-bank 80% High to High in private
communication system deployed? medium sector banks.
Medium in PSUs.
What is the portfolio (intranet,
voice based, messaging based)
etc.?
xxiv Are there failsafe mechanisms for
100% High RBI sponsored
specialized inter-banking NIFNET ensures
sufficient
operations, such as RTGS, EFT, redundancies to
SFMS, etc? sustain these inter-
bank operations.
Details provided.
xxv. Do you use automation tools for
60% Low to Low in GTB.
carrying out facilities high Extensive use of
automation tools
management? How frequently do found. Reviews not
you review the performance of that frequent.
Details provided.
non-IT assets?
xxvi Do you carry out knowledge
80% Low to Low in GTB and
management to assess the high PSUs. Advanced BI
Practice in private
performance of IT applications sector banks. Block
and benchmark them with the best diagrams and
specifications
available in the industry? provided.
269
3.0 Introduction 270
3.1 Pre-development activity 270
3.2 Model Development. 270
3.2.1 Questions asked 271
3.3 Themes explored 272
3.3.1 Organizational 272
3.3.2 Procedural 273
3.3.3 People 274
3.3.4 Technological 275
3.3.5 Facilities 276
3.4 The BCM Model 277
ANNEXURE 3
3.0 Introduction
These have been worked out based on the knowledge gained on literature survey,
secondary research (exploring literature on BCM successes and failure globally) and
primary research (survey of 5 major, 8 medium and 6 small banks of both private and
public sector in Mumbai). The knowledge components are listed below:
d. BCM status and experience in two large, two medium and one modern bank as
culled out from learnings accrued after an elaborate survey of the target banks as
enumerated in Chapter 4, Section 4.5.
The BCM model was developed by interacting with 26 officials of Banks that were
surveyed to study BCM state in India and 8 BCM consultants from leading
Consulting companies in India.
For this purpose the questions asked and themes explored to articulate BCM
parameter are given in the paragraphs below.
270
3.2.1 Questions asked
Following questions were asked from the respondents in respect of the themes given
in Section 7.3 below
h. Is the parameter in question considered critical (moderate, not critical) from BCM
perspective?
l. Are there budgets sanctioned to address the issues related to the initiatives to
provide continuity in respect of the parameter?
m. How are these utilized and monitored? Who are involved at functional &
supervisory levels?
271
3.3 Themes explored
3.3.1 Organizational
a. Sensitivity to issues of brand management & image and maintaining good public
relations
c. Focus on sustaining high level of Business continuity adopting dual strategy for
Disaster Recovery System - one for mission critical applications and the other for
routine applications.
h. Enlarging services offered such as selling insurance, mutual funds and investment
opportunities.
i. Provide wide range of products and services to meet the specialized needs of
customers by offering extensive portfolio involving Multiple Delivery options.
272
k. Modernization of system of reporting and reconciliation of transactions of
customer accounts and other banking services like remittances etc. at branch level
has been revamped and modernized.
m. Effective use of MIS for control of operations and of maintaining customer and
business/industry databases for strategic planning.
3.3.2 Procedural
g. Consolidation of IT resources and assets in the form of Data Centers both at the
Primary Site and at the Recovery and Continuity site/s.
h. A hybrid approach where in there is still faith in “Old Economy” manual systems
working symbiotically with modern IT-Based Systems.
j. BCM is practiced with greater degree of sincerity and effectiveness and integrated
with normal operating procedures when it comes to actual operations.
273
k. Operationalizing BCM planning process effectively - Data collection &
Documentation, Calculating Risks and Review & Testing.
m. Conducting BCM reviews and testing of disaster recovery and business continuity
plans and changing business processes accordingly, updating/modifying and
communicating
r. Collaborations in the area of owning & managing assets and IT infrastructure with
trusted partners.
3.3.3 People
274
b. Ensuring implementation of succession planning in the event of discontinuities to
achieve greater level of “Trust” in abilities of work-force to tackle disruptions.
3.3.4 Technological
b. Ensuring higher degree of continuity for banking operations using RBI sponsored
NIFNET, which ensures sufficient redundancies to sustain inter-banking
operations (RTGS, EFT, SFMS, etc).
275
Storage Appliance and Intelligent Storage Networking Switch), Storage and
Backup systems.
h. Ensuring optimal utilization of their Data Centers by relocating assets and more
frequent use of DR sites for selected operations.
3.3.5 Facilities
b. Use of automation tools and software systems (GPS enabled) for facilities
management along with display terminals and control room.
c. Provision for availability of Redundant Physical Space (in other branches or with
an outsourced agency) to provide workspaces for relocated staff. The facility is to
be complete with essential communication and computing arrangements (PCs,
Network Points etc).
276
d. Provision for allowing staff members to work from home by providing them PCs
with modems connected to telephone lines/cable TV.
The BCM model developed and tested comprises of 107 parameters that can be
measured and an objective assessment can be made as regards the health of BCM plan
or implementation. The model along with test data is enumerated in Exhibit 5.1.
277
ANNEXURE 4
BANK WISE SUMMARY OF STUDY
OBC aimed "To be a Modern and a Model Bank". They endeavored to realize the
vision by:
a. Building the Business and the Institution
b. Creating Shareholder Value
c. Growing Profitably
d. Developing a Complete Financial Services Organization
e. Fostering a Caring and Sensitive Organization
278
This emphasis on technology has led the Bank's concerted forays into Internet
banking in addition to Automated Teller Machines and Phone Banking. With
ibank@gtb, the Internet banking capability, customers could bank from home just by
clicking away while the ATMs bring in the convenience of round the clock banking.
The Banks telecommunication network was one of the best deployed at that time in
the country. A customer could access Global Trust Bank from anywhere in the world,
anytime.
The bank undertook two major projects, in keeping with its objective of becoming the
modern bank. One with the support of Infosys entitled “BankAway” and the other
with in-house efforts, entitled “IDEAS”. The brief description of these projects in
enumerated below:
279
4.1.2.2 IDEAS (Integrated Delivery Channels Application System)
The IDEAS system is a flexible, modular and business driven solution designed to
manage various activities related to delivery channels. It provides multi-channel
integration for enterprise management of transactions and interfaces to the core
processing systems providing secure Web-based access for remote banking locations.
It manages operations related to delivery channels, including branches, ATMs, phone
and Internet banking, kiosks and mobile devices.
The system was developed using a relational database (Microsoft SQL 2000) on
Microsoft platform, (Windows 2000 and SQL 2000). Users at branches access the
system using the thin-client (Java Servlets, JDBC database connections) mode which
makes deployment quick and easy. Users at the back office access the system using
the thick-client (client-server) mode so that operations involving complex
computations can be done using the power of the client, thereby avoiding any impact
on the response times for online request entry and inquiries.
4.1.3 IT Infrastructure
The IT infrastructure design was done in alignment with the objective by using the
latest technology and in a way, to reduce overall cost and project itself a
contemporary bank. The entire investment in IT is governed by a well- inculcated and
understood belief in ‘ROTI’ (Rate on Technology Investment). They have been able
to achieve this objective by implementing the most appropriate technology at the most
appropriate time and at the optimum cost.
280
The schematic of the IT Infrastructure is given below:
Applications Core Banking
Bank away/ Service,
Pay away Mumbai
Back End
Server
Core Banking
Bank Service (Finacle),
Connected Hyderabad
Web
ATM
Server
The salient features of IT Infrastructure to provide OBC competitive edges are given
below:
a. Fast Response: Faster response time and error free delivery of service resulted in
high customer satisfaction. Customer accounts were debited in real time no matter
from where in the country the transaction originates, be it at a branch, an ATM or
the Internet.
b. Security: Fully secured transactions using encryption and secured channels.
c. Uninterrupted business: A high uptime rate ensured using redundant data
communication channels.
d. Accessibility and wider coverage at minimum cost: Realized through Internet
billing and banking options.
e. High productivity: Through effective use of IT across all facets of their business
activity.
f. Focus on Strengths: The design leveraged OBC’s strength in core banking
operations coupled with in-house software development capabilities.
281
4.1.3.2 Security at OBC Bank
Security is a major concern at OBC bank just like any other bank. And it is making
huge efforts to secure both its hardware and software from issues of security. The
Internet Banking infrastructure of OBC, located in the data centre, is fully secured
using Firewalls from Check Point and other security features such as 128 bit
encryption, digital certificates etc.
It is also taking help of Infosys in this field - which provides complete online security
consulting services and other customization and implementation services to OBC.
ICICI Bank seeks to be at the forefront of technology usage in the financial services
sector. Information technology is a strategic tool for business operations, providing
the bank with a competitive advantage and improved productivity and efficiencies.
All the bank’s IT initiatives are aimed at enhancing value, offering customer
convenience, and improving service levels.
282
It is the first bank to offer Internet banking services in India. It is also extending
online banking to rural communities via kiosks.
4.2.1.1 Vision
a. One Stop Financial Services Shop
b. Cross Selling
c. E-Commerce Gateways – Online Buying
d. Building Long-Lasting Customer Relationships
283
f. The bank has implemented CRM using Siebel for automation of customer
handling in all key retail products and centralized tracking of complaints &
turnaround times
g. Tapping The Market by linking accounts to online buying, leveraging usage of
existing e-commerce gateways and tie-ups with online shopping houses. The bank
thus obtains “free data” about the consumer spending pattern and maintains data
warehouse. The bank has elaborate business intelligence architecture to run data
mining solutions for supporting CRM (refer figure A4.2 below).
h. Bank focuses on young customers (teenagers) by providing them “Plastic Pocket
Money” and Track their spending patterns.
1
Courtesy http://www.icicibank.com/
284
c. Phone Banking: Existing Customers Help Line (Query Handling), Product
Details for New Customers (Lead Generation), Application Status for Loan &
Credit Card Applicants
d. Chat: Customer Service for NRIs
e. 24 Hour ATM Service: Branch / Offsite Locations, Largest ATM Network, Cash
Dispensing, Cash/Cheque Deposit, Bill Payment, Order New Products, Enquiry &
Customer Service
f. IT Enabled Services: Mobile banking, E-Lobby, ATMs, Internet banking,
Partnerships with micro finance institutions, Direct lending to self help groups
4.2.4 IT Infrastructure
ICICI Bank Limited (ICICI Bank) is a trendsetter in the use of banking technology in
India. The bank is achieving 99.9 percent application availability and 99.99 percent
uptime for its server infrastructure. The bank relies on a full range of software tools:
agents and options for data protection that has ensured 50 percent reduction in the
time to rebuild corrupted servers and 25 percent annual growth in data volume
without any increase in staffing resources. A schematic of ICICI Network at the Bank
and Branch level are given at figures A4.3 and A4.4 below.
285
Figure A4.4 ICICI - Branch Network
The Finacle 7.0 is scalable and has been benchmarked on HP Superdome server at the
HP Capacity Planning Centre in Atlanta, USA proving 16 million transactions per
hour in an online mode and more than 13 million interest accrual transactions per hour
in the batch mode. The software provides features of
Intelligent Purging of Data and History, Workflow analysis capabilities by the user,
Increased customization capabilities, Multilingual facility for ICICI’s operations at
middle east and single database setup for host of applications: Personal banking,
Share trading, Credit cards, etc.
ICICI Bank deployed Oracle 9i database and Oracle Real Application Clusters (RAC)
to provide a robust database component for its enterprise applications, while other
applications such as Internet Banking and Customer Relationship Management use
Microsoft SQL Server 2000 Enterprise Edition.
286
The data center has several Sun Fire 15K, E6900, E2900, and E6500 enterprise class
servers and various Sun Fire mid-range servers—25 in all— running the Solaris 9
Operating System. The data for the Finacle application is stored on a new HP Storage
Works XP 12000 disk array. Periodically, point-in-time copies of the data are made to
facilitate restoration of database in case there is a corruption. While the HP
StorageWorks XP 12000 disk array permits such internally via its native
asynchronous data replication software, the FlashSnap option allows copying of the
data onto less expensive disk arrays from Hitachi or Sun.
The IT infrastructure which is both scalable and futuristic and addresses wide ranging
portfolio of products and services for front office and back office operations. The
development was realized in three phases. The IT group at ICICI is now focusing on
augmenting the infrastructure in terms of scale, scope and complexity. Few of the
projects on the anvil include:
a. New modes of payments
b. Internal Ratings based Accreditation Approach
c. Develop a database containing the historical data of loans approved, terms and
conditions, quality of customer, etc
d. Quantifying operating risk
e. Computerization of Rural branches and Networking of Post Offices
f. Online processing of Retail Loans
287
4.2.5.1 Building a World class Data Centre
ICICI bank has built a world-class data center looking at requirements of the future in
terms of growth and complexity. Adequate provisions were made to ensure that all
banking data had to be protected and recovered in case of disaster. In building the data
center at Mumbai, ICICI focused on establishing relationships with suppliers who
could solve a whole class of problems.
288
4.2.5.5 Bare Metal Restore speeds server Rebuilds
ICICI deploys the NetBackup Bare Metal Restore Option to address the requirement
of automatic rebuilding of servers that may get corrupted.
4.2.5.6 Enterprise Service Licensing Agreement (ESLA) saves time and money
ICICI entered into a comprehensive ESLA with Symantec that included Storage
Foundation, Cluster Server, and NetBackup, and associated options and agents. The
ESLA also provides ICICI Bank with the option to use other Symantec software
products that the bank wants to evaluate and test for future needs.
The bank has launched onto high degree of automation ensuring high degree of
efficiency and effectiveness since inception. The strategy is to provide high degree of
customer service by providing convenience, reducing transaction cost and increasing
core operating efficiency by enabling the work force. The bank focuses on multiple
delivery channels to service its customers and moves at a high speed with latest
289
offerings. Munish Mittal, Assistant Vice President of Information Technology, HDFC
Bank Ltd., asserts “The time from when we conceived our Internet banking solution
to deployment was less than 12 weeks."
The Bank has prioritized its engagement in technology and the Internet as one of its
key goals and has already made significant progress in web-enabling its core
businesses. In each of its businesses, the Bank has succeeded in leveraging its market
position, expertise and technology to create a competitive advantage and build market
share.
A Customer doesn’t belong to the branch anymore; he is the customer of the Bank
When HDFC decided to interconnect its branches, it was looking for the most cost-
effective method. The hub and spoke architecture proved to be beneficial in many
ways.
The bank services vast range of customer segments and offers differentiated treatment
to them to ensure customer lock-in. The “Hi-Touch” Group comprises of the age
group of 36 and above and demands speed, quality of service and value for their time
and social status. The “Accessibility” group – 46 to 60 years of age prefers convenient
time and closeness to residence. The “Value-added” segment – 18 to 25 years of men
& women are tech savvy and demand high speed, efficiency and esthetics. The
“Safety-first” Group comprises of traders, shopkeepers demand trust and conformity
to regulations. All segments expect prompt efficient & courteous service with or
without a smile. A schematic of process organization that enables HDFC to deliver
wide ranging services is given in figure A4.5 below:
290
Figure A4.5 Process Organization
On the corporate side HDFC Bank started with MicroBanker and then moved to
Flexcube in 2002. They use Flexcube UBS, which operates on a Compaq Alpha box-
GS160. The bank uses SAN solutions from Hitachi Data Systems. On the retail side
the bank uses Finware from i-flex solutions. HDFC Bank had acquired Times Bank in
2000. All the Times Bank customers were shifted from their package (called Kapiti)
to HDFC Bank's Finware and MicroBanker.
291
4.3.1.3 Management of All Financial & MIS Reports – NEWGEN
Huge amount of corporate reports are generated daily, volume is of order of terabytes
of data. Besides, there was duplication of reports that were generated at corporates
and at the branches. To curb the growing expenses & increase higher customer
satisfaction levels, the bank was looking for an effective and efficient system that
could provide instant access to all reports and also bring down the cost of operations
and maintenance – realized by NEWGEN.
292
k. Capital Mkts.@Net ..Capabilities – Demat, Calendaring and buying & selling
stocks
4.3.3 IT Infrastructure
HDFC has made an investment of over Rs. 200 crores. Overall, the IT system gives
HDFC Bank the ability to manage risk effectively with the availability of online
information. It also allows for better pricing of derivatives. For bank employees, the
new system has reduced the time to assimilate treasury information. The mundane
work of assimilating information on Excel for various activities is now being done by
the new systems, thus, increasing overall productivity.
293
4.3.3.2 Network
Based on the bank's hub & spoke architecture for the network, the branches are
distributed under different regions and each major location has a regional hub. The
branches falling under a location connect to the hub at the main region. These hubs
then connect to the central site (data center) using a combination of 2 Mbps and 64
Kbps pipes, depending on the total volume of the transactions that pass through. A
highlight of HDFC Bank's network is the presence of two or more hubs in one
location.
294
MicroBANKER – Core Banking System. It also deploys CAS – Cash Management
systems and SWIFT for Customer Support. The schematic of Enet Implementation
Architecture is given in figure A4.7 below.
4.3.3.4 Storage
HDFC currently deploys SAN and is considering NAS for installation sometime in
the future. The bank is investing heavily in all areas like backup, disaster recovery and
others. The bank has to store data for eight years as per the RBI guidelines and uses
tapes for off-line storage. The SAN deployment permits additions of extra devices in a
hot mode to address scalability and ensures better server power utilization for
business applications. Accordingly network capacity is released to the end user to
support customer services.
295
Figure 4.3.5
The website management solution has enhanced HDFC’s customers access for online
services thereby providing more convenience, 100 percent availability, faster response
time and enhanced transaction experience during every single interaction. The usage
of Net for banking has helped HDFC to reduce the investment in hardware by 10
percent. It has reduced administrative costs and system downtime, leaving more time
for IT staff to focus on strategic and business-critical issues.
296
4.3.3.6 Data Warehousing at HDFC
The data warehouse is built using SQL Server 2000 and Windows 2000 Advanced
Server with i-flex’s Reveleus. This solution will enable HDFC Bank to provide better
service and cross-sell high-value products across their customer base of 3.25 million.
This is the largest known SQL server-based data warehouse in India. Microsoft’s
Consulting Services team joined up with Intel, HP and i-Flex to benchmark the
solution for performance and scalability.
The entire systems set-up and the network is system-managed using UnicenterTNG,
which helps manage capacity better, secure the infrastructure and maintain assets
centrally. The bank has integrated its own payment gateway with VISA and
MasterCard. Plans are afoot for setting up a disaster recovery center as well.
297
infrastructure, and network monitoring tools. Facilities management practices have
been formalized as they are considered to be the key to successful operations.
HDFC has the primary site (central data center) at Mumbai and the DR site in
Chennai — both for the system and operations. The features of operating the two sites
include:
a. The work is split between both the primary and DR sites, so as to achieve
optimum utilization and load balancing.
b. As both the sites operate in tandem, the staff is adequately familiar with the DR
process and can takeover & manage operations during periods of downtime.
c. The DR site is always online and data from the banking system is replicated on
the DR site within 15 to 30 minutes depending on traffic delay in the transmission
lines.
d. The lag between Mumbai database and Chennai backup database is maximum
limited to 15 minutes.
e. All ATMs are connected to both the sites and the state of the art switches
incorporated ensure quick changeover.
f. Periodic trials of the ATM switches are conducted every six months.
g. The entire retail, wholesale banking system, cash management are also covered in
DR.
298
h. The DR site at Chennai is designed to ensure “Near Zero Data Loss”. The main
technology centers religiously take up daily backups.
The Business Continuity initiatives at HDFC are now focusing on bringing in state-of-
the-art IT infrastructure practices such as Server and Storage Consolidation. They are
planning to deploy additional alternate connections, with built-in redundancy in the
network. The management of facilities and IT infrastructure, though already fairly
modern, is being upgraded to incorporate more comprehensive network and
applications management tools from CA and HP.
The bank has achieved a high degree of usage of technology to run its processes and
has implemented ‘finacle’ (by Infosys) core banking solution. The bank is focusing on
providing better service by way of offering products through multiple channels. The
processing has been pushed from branches to central offices to enable the staff to
engage in improving relationships and serving the customer better.
The bank is proactively building customer centric culture in all its branches. This is
effected and measured by an initiative called “Mystery Customer Shopping” wherein
the project team members simulate an exercise by visiting bank branches as pseudo
customers to measure sensitiveness of behavior of the staff towards customer needs.
The staff members are then ranked on customer sensitive index and suggested
methods to achieve the same.
299
4.4.2 Products and Services
The bank is aggressively launching new products and services to expand its retail
assets and client base. UTI Bank aims to increase its market share of auto and home
loans in large proportions. The products for savings bank and term deposits cater to:
Retirees, Students, Trusts/NGOs, Children, Women and Others. The products and
services specifically designed for the salaried segment opting for savings bank include
Government (State and Central), Defense Establishments, Corporates (Large, Small &
Medium and PSUs).
The Savings Bank products are offered through multiple channels: branch outlets,
Debit cards, ATMs, Bill Payments, Retail Loans, Internet, Demat facility, Retail
Bonds, Loans against security and Power - 24 Accounts and customer relationship
executives (home delivery). The bank offers wide ranging products specifically
designed for defense personnel. The bank offers “Travel Card” to the customers
engaging in frequent foreign travel. It gives them ease & flexibility of operation and
choice of currency for transactions with less service charges.
UTI offers unique product ‘Priority Banking’ to preferred customers who transact
large volumes. The Privileges offered to these customers are:
a. Banking privileges – a differentiated treatment is enjoyed by this segment in
terms of ease, speed and limits of transactions related to various products.
b. Investment privileges - guide to market information for investments.
c. Life style privileges – invitation to select and choiced events.
d. Other privileges – information on research and publications.
The financial services offered are marketed through various third party financial
products to the tune of over Rs. 2500 crore. The bank offers 15 schemes for
investments in loans.
4.4.3 IT Infrastructure
The IT Infrastructure is one of the best in terms of security and connectivity. The
central data center is at Mumbai, to which all the branches connect in a secure mode.
The bank is well settled with all banking and financial processes running on finacle.
They are now concentrating on implementing non-financial services through Internet
i.e. research information and bank’s own administration. The project is being
undertaken in consultation with TCS.
300
The banks current infrastructure is supported on proprietary systems. They are
considering development of certain applications using open system software and
general purpose hardware platforms. This is primarily due to two reasons: one – the
bank has high degree of skills present internally in Unix and Linux and two – they
have excellent support relationship with Oracle Corporation for maintaining their
database software.
4.4.3.3 Security
The security policy, practices and the operating culture in this regard is one of the
finest. The top management lays great emphasis on operationalizing and auditing
security procedures. UTI, though has adequate hardware and systems software to
implement security, believes that the cause is better served by imbibing right
education and concern in people.
301
4.4.3.4 IT Security
The IT security structure of UTI is implemented at two levels:
a. System Administration level – at the data centers in central and branch locations.
The structure of IT security solutions implemented at Systems level in UTI
comprises of:
i. Network Security – using VPNs and a combination of firewalls and IDSs to
regulate and monitor traffic (refer figure A4.9 below).
302
generating and distributing digital signatures respectively (refer figure
A4.10 below).
b. Operating level – users at branches and the customers hooking up to the systems
through Internet. The bank has elaborate guidelines for all the operators
connecting to the system to follow good practice while working both on computer
system and otherwise, to ensure prevention of a security breach.
303
4.4.3.6 Security Monitoring
The security incident reporting and management procedures are well-documented and
implemented. The 24X7 helpdesk supports incident handling by providing online help
and guidance. The bank has created teams that monitor activities related to security
for the entire range of applications by way of logging & analyzing audit trials and
providing antidotes and warnings.
304
S.No Cost Description
Cost of off site backup of data /document
5. Testing Annual hot site test
Periodic tests
Delivery of data
6. Maintenance & External audit review
Updation Annual review by business unit reps
Annual compilation of changes
305
e. In case of serious deficiencies, same study repeated on the same officer after 6
months.
The BPR exercise has resulted in massive reorganization at branch and zonal /
regional levels. There is now better “enabling” of the workforce engaged in managing
customers and markets. Cells have been created to address specific needs of segments
for particular products and services, both from delivery and processing perspective.
306
loans being processed at central hubs. This would cut turnaround time and ensure
uniform appraisal standards. As part of a restructuring exercise that was conducted in
the early 1990s, SBI had centralized its large loan accounts in the corporate account
group branches.
The bank has undertaken large scale technology initiatives. SBI has successfully
deployed CBS in a large number of its branches along with those of other 7 associate
banks. The bank has launched other cutting edge technology initiatives such as
prepaid cards for mobile users, wireless ATMs and Internet based customer support.
4.5.2 Products
The banking behemoth offers entire range of products and services that a banking
organization can offer through multiple delivery channels using modern technology
(refer figure A4.11 below).
307
4.5.2.2 Personal Finance
SBI has a variety of schemes under Personal Finance to satisfy varying needs of the
banking public. The Bank offers a variety of schemes with attractive rates of interest
for large number of personal requirements and for different segments.
4.5.2.5 Services
SBI offers a wide range of services in the following segments:
a. Personal Banking
b. Agriculture / Rural – Micro Credit
c. SME’s & SSI’s
d. NRI Services
e. International Banking
f. Merchant Banking
g. Project Export Finance
h. Treasury
i. Portfolio Management & Custodial Services
j. Corporate Banking
k. Government Business
l. Public Provident Fund
4.5.3 IT Infrastructure
4.5.3.1 Core Banking Solution
SBI has successfully implemented Core Banking Solution (refer figure A4.12 below)
in consultation with Tata Consultancy Services (TCS) supported by HP and Datacraft.
308
The project is one of the largest projects of its kind in the world in terms of the
number of branches, customers and transaction volume. TCS manages the entire
project and system integration, in collaboration with Financial Network Services,
Australia (FNS) and Hewlett Packard, India (HP) for this project.
309
Figure A4.13 Network Infrastructure
310
d. Internet Banking (INB): This on-line channel enables customers to access their
account information and initiate transactions on a 24x7, boundary less basis. It
caters to the requirements of individual and corporate customers.
e. Telebanking & Remote Login For Corporate Customers: This is a Value
added service to retail and corporate customers, which support Transactional
requests.
f. Govt. Business: SBI takes care of managing and generating reports for settlement
and reconciliation of Govt. funds.
g. SEFT: Electronic funds transfer systems for inter bank transactions.
h. MICR Centers: MICR Cheque Processing systems at 15 centers.
i. Trade Finance: The bank provides Internet based facility for handling Trade
Finance transactions for Corporate and Commercial Network branches.
311
database servers with back office and reconciliation process run on the central
database. The transactions after updations (commit) in the central data centre are
mirrored on the hot DR site at Chennai. The system is designed for an RTO of 5 hours
for the entire set of branches.
312
h. The bank constantly reviews the technology infrastructure and incorporates
upgradations where necessary to ensure high uptime rate.
SBI’s Business Continuity preparedness owes a great deal to the rugged and reliable
IT Infrastructure in terms of hardware and solutions well supported on an efficient
network. The bank has entered into a dependable arrangement with IDRBT to carry
their banking transactions traffic both from branches and ATMs in a secured and
reliable manner. IDRBT constantly upgrades the switches to absorb the demand of
explosion of scale with more and more banks hooking up to the Net and security and
privacy issues.
313
ANNEXURE 5
BCM IN OPERATION – EXPERIENCES OF A LARGE BANK
5.0 Preamble
Banking services have become an integral part of social life in the digital era which
witnesses high paced economic activity. Disruptions of banking services have far
more pronounced effect on businesses and personal financial needs than ever before.
It is, therefore, pertinent that organizations, particularly those engaged in financial
activities in public domain, ensure high level of continuity to remain in business. This
requirement is being challenged by the disturbances created by social / political unrest
as also by the fury of nature – flooding, tsunamis. It is believed by few that
investment in infrastructure, information technology and reengineering processes are
few of the recommended prescription to guarantee business continuity. The
organizations who have made such investments have also not been able to address this
problem comprehensively. The growing sizes of businesses both in volume and scope
complicate the situation further. What more does it take, therefore, to ensure high
level of continuity? This chapter explores these by surveying the successful
disposition of a large public sector bank in the face of a recent disaster.
Despite the closure of banks and exchanges the city did its best to open for business
but crippled infrastructure and struggling workforces testified that the city is
unprepared. The local trains remained cut off and most of the roads submerged
underwater. The emergency services were not able to respond and the administration
has failed to anticipate and respond.
Even though the damage was not that high, some people could turn up to work. In
addition to the general chaos that surrounds natural disasters, some companies have
failed to prepare for flood scenarios and this is testing their disaster recovery plans.
314
One of the main issues is the large number of buildings with basements - water had
flooded these basements where the control systems are, so one can't have power and
can't even get in there. Mobile networks were affected and large parts of landlines too.
Internet backbone services went down for three days.
The banks remained closed and certain ATMs had to be shutdown on account of
power shutdown, loss of connectivity or water logging in the buildings/complexes
housing the ATMs, for most part of the week. Even people in Delhi reported being
unable to withdraw cash from ATMs as a result of systems failures in Mumbai. The
CitiBank, ICICI, HSBC and the Reserve Bank of India all reported to have
experienced problems with ATM networks.
“Ours was the first bank to recover, even though it had branches in some of the worst
affected areas like Kurla. SBI was fully equipped and capable of operating from their
DR site in Chennai on 26th July evening itself. As compared to this, private banks and
other commercial banks were slow in getting back to normalcy,” said Mr Purohit Dy
General Manager, SBI Western Region, Mumbai.
Following the floods in Mumbai on 26th July, a DR cell was set up on 27th in HO
(Mumbai). Within an hour, a list of branches on the network was obtained. Audit
team entered strongholds that were in the basement, counted the notes and sent them
to RBI within 48 hours. Total amount saved was upto 10 crores.
“When one of the branches was totally down, the customers were not kept waiting.
Instead they were asked to bank at the nearest branch and all their needs were
serviced. This was possible due to the branches being online,” said Mr Anantharaman
Ganesh – Chief Manager, SBI.
315
5.3 Organisation
In terms of personnel and business continuity, SBI has a structure where there is no
single person absolute dependency at any level. In case of any personnel being
indisposed to perform their function, the reporting structure has been defined so that
there is no interruption in processes. SBI has defined responsibility of individuals in
the hierarchy in terms of scope of duty and communication. Individual powers have
been given to people to use their discretion.
In case of key personnel not being available, internal bank guidelines that are already
outlined provide the necessary knowledge to effect transactions by others. The Branch
Manager takes approval on “substitute personnel” from his controller and
communicates it to the employees at the branch via a circular. This list is subject to
audit and verification, and is renewed every year.
“In case of key personnel being incapacitated, the second rung of officials takes over.
The “task allocation list” is discussed in the branch meeting and recorded. Written
permission to promulgate the list is obtained from senior official (controller) each
year. Appropriate instructions are communicated to the employees to make them
aware, particularly about changes made from earlier instructions. The process is
internally audited,” said Mr. Srinivasan – Assistant General Manager.
The operational control and information flow scheme at various levels is as per the
organization hierarchy enumerated in figures A5.1 to A5.6 placed at the end of this
Annexure. The hierarchy of control is exercised through different levels of
controllers: branch manager, regional manager, zonal manager, and HO. The Chief
General Manager along with other General Managers picks the senior officers who in
turn pick the team under them. The Circle Management Committee comprising of the
CGM and GMs reviews periodic reports from the senior officers heading the cell.
Senior officers visit all branches under their control periodically, as per calendar, to
audit preparedness. The observations and comments on performance by the visiting
teams are shared with the branch manager. He / She incorporates the changes and
reports on the improvements made to the immediate controller. Senior officers
conduct regular internal staff meetings with employees of the branch to facilitate
improvements in individual and overall performance.
316
IFB Division of SBI commenced in 1997. It services corporate customers only,
roughly around 66 accounts. Daily turnover of the credit, forex etc depts. is approx
100 crores. There are approx 2000 branches of the total 9000 online in the core
banking system. By March 2006, 5000 branches are expected to come online.
Personnel & Human Resource department deals with various activities like transfers,
promotions, leave records, staff loans, welfare activities like scholarships etc. There
are 179 officers in Region 4, covering 33 branches. The person heading the branch,
whether it is AGM, CGM, or BM, depends on the volume of business generated by
that particular branch. Local HO comes up with the number of staff necessary at each
branch, depending on volume of business.
5.4 Culture
The planning for maintaining Business Continuity at all times has always been part of
the organizational culture in SBI. The comprehensiveness and clarity of the rules and
regulations that are well communicated ensures less individual intervention except in
the case of disasters, where decisions need to be made. The richness of open culture
promotes the practice of personnel at every level enjoying the liberty of approaching
senior management or immediate senior. There is no inhibition to any one in bringing
the suspected malpractice cases that are against the best interests of the bank, to the
notice of senior management. One could consider this to be a type of continuous
internal audit ensuring high degree of business continuity and quality.
“It is the organizational culture of SBI that motivates people to take initiatives in case
of disasters or any other untoward scenario is the culture in SBI. This has been
propagated by the top management and has helped to inculcate a feeling of
belongingness in the organization. Individuals are consciously identified by the top
management to be leaders in case of emergencies. The outsourced agencies administer
tests (psychosomatic analysis, situational analysis), usually done at the time of
appraisals and promotions, to employees to help this process,” said Ms. Naina Panse –
Asst. General Manager, SBI. She further adds, “Competency mapping is carried out
by way of these tests and helps employees perform their jobs better as they are
empowered in terms of knowledge and repercussions of faulty actions.”
317
The attitude and sponsorship of top management makes noticeable difference in
shaping the organization culture. Monthly bulletins enumerating vision, practices and
achievements, are circulated by the corporate center to the employees. Training
courses conducted, both on HR as well as operational issues reinforces the sense of
belongingness in employees. The high sense of belonging amongst SBI people is
further highlighted by the views of Mr. Dinesh Pandey – Asst. General Manager, SBI.
“Employee motivation levels are high due to the organizational culture. Employees
are aware of repercussions to the organization and self in case of any disaster. This
feeling of responsibility and belongingness is enhanced by continuous training in the
behavioral sciences, which is conducted in training schools and colleges,” said.
5.5 Practices
SBI launched on to massive BPR (Business Process Re-engineering) exercise with the
help of consultants to identify problem areas in processes. The study pointed out that
while process efficiency was well addressed customers had become low priority for
the managers engaged in business development initiatives. There were some issues of
clarity as regards job definitions, communication and focus. The re-engineered
processes ensure that customer becomes and remains the main point of focus of
managerial attention in SBI. There are clear metrics to measure performance of all
processes related to customer management e.g. contact time, delivery etc. These have
been defined with stringent timelines to be followed.
To ensure smooth running of processes in SBI, the different processes have been
bifurcated. The branch now acts only as a front end for customers. Previously every
procedure in SBI was done manually, and supervised by Branch Manager personally.
With extensive use of IT, cells have been formed for different functions of processing
and the back office work is now shifted out of the branch to the respective cell
(Central Processing Cell). This leaves the branch manager and the other employees
with ample time to focus on new business development, which was previously not
happening. The back office also needs to complete its processing within a certain
time, since audit is held and any lag is questioned.
“Nationalized banks offer more personalized contact with the customer as compared
to private banks, who use franchisees to contact customers. The only advantage
private banks have is online access for the customers to their money, and a range of
318
services. But with the advent of IT in nationalized banks of late, this advantage is
slowly disappearing,” said Mr. Anantharaman Ganesh – Chief Manager, SBI
Employees are rotated every 3 months within the same dept and annually between
depts. This helps in ensuring continuity incase of employee absenteeism, since other
employees can pitch in. Continuity can be looked at from a point of things like getting
relevant documents from customers, getting them on time etc. This helps processes to
run without any idle time. For this continuity, it is important that the customer is
educated, not only about existing processes but also about new products in the market.
This also adds to the trust factor and helps in retention of customer & expansion of
business.
Single window counter concept was started three years ago. The employee manning
this window is usually a senior or a special assistant, and is given certain powers so
that all sorts of queries and processes can be done at that window itself. There is
usually also a senior person sitting at the next counter, so that any tasks to be done
which requires additional sanctions can be done immediately. With decrease in
manual work, there will be more specialists in the organization. This will increase
efficiency and speed in processes.
319
5.6 The Continuity Framework
DR plan is prepared in case of circumstances like fire, flood etc. Steps are taken to
recover at the earliest in case of a disaster. DR cell identifies people who will be
taking charge of the operations in case of disaster. Representatives from all divisions
(sections) with alternate / substitute officers (in case of incapacitation of selected
officers) are chosen. Discretion of senior officials and experience of the person under
consideration is also used to choose these people. People more than technology are
responsible for a DR plan and processes working effectively and efficiently. Policies
and guidelines are also important to put processes in place.
“In the month of October, a mock drill was held wherein the State Bank of Patiala
worked for a day accessing the Chennai DR site. The drill was largely successful,”
said Mr. Dinesh Pandey – Asst. General Manager, SBI
Each branch of SBI prepares a DR plan taking into consideration various factors like
the floor layout, the number of employees, volume of business etc. For transactional
safety, the system is closed at the end of the day. A 2nd set of transactions is prepared
each day and stored in a floppy at a nearby branch. There is a fireproof cabinet
assigned to each branch in which the floppy is stored. Officers to be taking charge of
the DR cell are selected by their superiors. Reporting structure is already laid down
and known to employees. Communication is done to the employees as to who will be
doing what function. The process of selecting these officers is according to discretion
of superior officer. One key to this cabinet is deposited at the local office. The branch
manager signs monthly certificate saying that this procedure has been followed
meticulously and this report is given to the controller. In case of a system failure,
backup taken as above, is used, so there is little or no idle time. In case of a disaster,
the immediate controller assumes responsibility. Then feedback is given to the next
immediate controller. India is divided into 14 circles totally. Mumbai and Goa are
included in the same circle and cover about 850 branches. In case of any disaster in
any branch, controller is given immediate feedback.
The Branch Manager prepares this every year and submits it to the controller for
approval. The controller is the reporting functionary like the Regional Manager or
DGM. This plan covers various eventualities like fire, system breakdown, employees
(senior functionaries) on leave or absconding. This plan when approved becomes a
branch document and is made available to all employees. Mock drills are conducted a
320
minimum of 2-3 times a year at random intervals, to test the DR plan. Security
officers who are retired military personnel, check the procedures followed during the
drills. There is a branch audit 3- 4 times a year. This audit checks the DR plan, the
controller’s remarks, and the action taken on the remark by the Branch Manager.
5.7 Processes
Tracking sheets are used to measure timelines and checked for adherence to processes
on a daily basis. The responsible individual explains reasons for delay in any of these
timelines. Tracking sheets are sent to the corporate office on a weekly basis. This
ensures auditing at regular intervals. Above all, ownership of processes needs to be
taken by individuals at management level.
“Another aspect is locking up of security, infrastructure, cash etc that is also done
each day. A duplicate key for access is kept at a nearby branch. The key number,
contents stored, person having the original and duplicate is documented and sent to
the controller. It is also recorded in the branch document register,” said Mr.
Srinivasan – Assistant General Manager, SBI.
Whenever there is any problem at any ATM, a team of engineers visits it to sort out
problems immediately. Specialisation in departments is being considered as an
initiative in the bank. Single window policy has also been started. Here, the customer
gets all services like drafts, account queries etc at a single window. The employee
manning this window is given certain powers so that decisions can be taken by him
alone instead of escalating matters to the senior official. Staff is also given 2 layers of
support, from peers as well as from senior officers.
“Awareness is increased by usage of the intranet. Policy decisions are also made
available easily through the intranet, so employees are kept informed and feel like part
of the organization,” said Mr. Srinivasan – Assistant General Manager, SBI.
“The security personnel hold security meetings and reports are given to the Branch
Manager. When the audit is held, the Branch Manager has to give a compliance report
otherwise the case is not closed. Ratings are also given to the branch on this
compliance report,” said Mr Dinesh Pandey – Asst. General Manager, SBI.
321
Employees are given access online to directions on how to use the software. This has
helped to educate them and increase the usage of IT. They are also allowed to view
their job cards having rules and regulations online.
Data about officers is stored in floppies by the P&HR department and sent to the local
HO. There it is stored in electronic format.
Rules and policies are well set, so that decisions can be easily made. Only exceptions
need to be considered, for which discretion is used by senior officer. Management has
given more powers to supervisory staff so that officers can focus more on marketing.
Every month, there is a performance review meeting of branch managers to analyze
and improve performance. In case of any personnel on leave or being incapacitated,
the senior officer immediately takes over.
5.8 Computerization
Computerization was introduced in SBI in 1992, which touched around 3 lakh
employees. There are totally 52 training centers, out of which 28 are for technical
training alone. There is a help line both in terms of telephone and web-based, which
caters to an entire circle. This can be used even for solving even the smallest
disruption. There are 2 help lines catering to the Maharashtra and Goa region. Web-
based help lines are e-learning modules, as well as the intranet. Inclination to change
is most important in a person. Therefore motivation is essential for changes to be
embraced, in terms of processes or IT. Age of the employee can also be a factor in
learning. Younger employees are much more likely to educate themselves through the
intranet, whereas older employees tend to call up the help line. In the initial 15-20
days, three to five IT people give an on-the-job training. Control mechanisms are also
taught to branch managers.
322
IT department, which then does the needful. Sizing of requirements at the branch
level is done by the IT department, in discussion with the Branch Manager. The
programming of the software is then done through the network.
“In the current core banking implementation process, the team doing the
implementation is temporary. After stabilization of the new process, the team might
get disbanded. The roles of the individuals in the team are likely to change to
maintaining control mechanisms,” said Mr. R J. Desai – Asst. General Manager – IT
Services dept., SBI.
Core banking project being implemented in SBI has its data center at Belapur, and DR
site is at Chennai. SBI has 3 global data centers, one each in US, UK and India. The
branches in Asia Pacific region are connected to the Indian global data center.
Capacity planning exercises of DR site are done once in 6 months. Data center
operations are managed by TCS while routine operations like the in house SBI team
does report generation. Long-term plan is to have totally in house DR operations.
“IT initiatives have lessened manual work. Time thus saved by employees is used in
expanding business by cross selling. Incentives are given for this, which has proved to
be a motivation,” said Mr. Ashok Menon – Chief Manager, SBI.
5.9 IT Organization
Communication to employees regarding updates, trainings, news etc is done via an
intranet newsletter, which is accessible to all employees of SBI. This is used
extensively throughout the organization and has proved to be quite helpful. Continuity
in processes also requires that employees know how to perform jobs effectively. Job
cards are available via the intranet, so that there is no barrier to communication
among employees.
In terms of system recovery, backup is taken each day. One backup is kept at office
and a copy is kept offsite. So recovery does not take more than a few hours at the
most. There is also a centralized data center at Belapur, which caters to problems/
queries from all the branches. This is facilitated since most of the branches are now
online. There is also an offsite backup at Chennai. In case of electricity outage, 2 UPS
batteries will take over as backup. Even if one UPS stops working, atleast 50% of the
branch will still function with the other UPS. The number of UPS to be kept at each
323
branch is decided by the IT team (Computers and communication system), depending
on the number of nodes at the location.
“IT has made facilitation of transactions easier due to networking of branches. Core
banking solution software was introduced in March 2005, and support is being given
by the IT team at Belapur. Employees are also given training on an ongoing basis on
the software, so that they can use the software effectively. Online help through the
intranet has also increased the level of motivation in the employees,” said Mr.
Srinivasan – Assistant General Manager, SBI.
Currently around 2500 branches are on the core-banking network. Associate banks
have around 3000 branches on the network. The data center has physical
infrastructure which is totally redundant having UPS back up as DG which has
another DG as backup, 2 air handling units etc. Electronic access controls are used for
physical security. Environment control management is done by parameters, which are
measured on real time basis. In terms of IT infrastructure, HP superdome servers (4
numbers) are clustered together in fail over mode to provide redundancy. Two of
these servers are used for SBI and the remaining 2 are used for the associate banks.
Racks are also configured with dual input so as to enable redundant power supply. In
terms of software, database used is Oracle and platform used is HP UNIX 11i. To
ensure that there is no bandwidth problem in transfer of logs, 156 mbps dedicated
lease line with a redundant link of 34 mbps is used.
TCS provides software solutions. Infosys provides applications to the branches abroad
and FNS (taken over by TCS) provides the domestic application. The logs of the End-
of-day operations are transferred to the DR site in Chennai. Log is shifted in
asynchronous and not real time mode. Therefore there is a slight time lag of around 3
minutes. In the case of a disaster, the current log and the subsequent logs will not be
shifted, due to the time lag. In the worst-case scenario, these logs will have to be re-
entered and re-sent. To ensure that there is zero data loss of logs in case of disaster,
SBI is coming up with plans for a nearby secondary DR site. There will be
synchronous data replication with log being maintained at the nearby site first and
then copied to the Belapur site. Therefore, even in case of current data not being
transferred to Chennai, current log can be retrieved from nearby site.
“RTO (recovery time objective) estimated for uptime is 4 hours. SBI has held mock
drills and the recovery have been managed within this estimated time frame.
324
However, fine-tuning of operations can still be done to further reduce this time frame.
RTO is extended due to the fact that after logs are transferred, they have to be
converted into production mode, which takes some amount of time. Also, in case of
disaster, the network provider (Datacraft) has to switch traffic through a different
router. This also adds to the RTO, which will hence take a total of around 3-4 hours,”
said Mr. T. Prabhakar – Deputy General Manager – IT Technical, SBI.
The Chennai site works on the same infrastructure as the Belapur data center, except
that redundancies are not built in. The site can take the load of transactions for atleast
a few weeks. Central service desk is used to solve user problems through the intranet.
There are various categories like hardware, software etc. User can log in through his
terminal to this helpdesk, log in his complaint, get a ticket, and follow up on the
status.
Escalation level is built into the software. 2nd level of escalation is the functional or
domain level expert and 3rd level of escalation is the system administrator. 80% of
user problems are solved within 2-3 hours. Otherwise they are escalated to 2nd and
3rd level as necessary. Third level is used when there are bugs in the system or code
changes need to be made. In such cases, functionality is checked in a test environment
and only then given to production.
325
5.10.1 Policy
a. Clear definition of vision & mission and performance of bank as well as the
employees not only serves as good motivator but also prepares a vibrant BCM
organization.
b. Creation of an organizational culture of empowerment and enablement amongst
employees to display high sense of belonging while overcoming disasters by
taking leadership positions augments BCM effectiveness.
c. A well-defined and communicated structure that is to be followed in challenging
situations as regarding sharing of roles and responsibilities is paramount to
realization of DR Plans. Processes need to be re-engineered to make them
substitutable with alternate processes when required.
d. Computerization of Core Banking and Allied processes allows pushing Back
office work out of branches to data centers allowing staff to focus on delivery
and support thereby enhancing customer service levels and more personal
contact.
5.10.2 Personnel
a. Employees are rotated every 3 months within the same dept and annually
between depts. This helps in ensuring continuity incase of employee
absenteeism. This also adds to the trust factor and helps in retention of customer
& expansion of business.
b. Awareness of policy decisions and operating procedures can be increased by
usage of the intranet. Training and re-training of employees must enjoy serious
management attention. User champion’s are to be identified at the branch to help
other employees.
c. More interaction between senior officers and branch employees helps operating
level understand corporate vision and enhances preparedness. It also serves as a
mechanism to facilitate improvements.
5.10.3 Facility
a. DR plans are to include details of floor layout, the number of employees,
volume of business , fire systems breakdown drills, access controls to various
locations, cash lockers, placement of duplicate/alternate keys in other locations
(nearby branch).
b. Basements are commonplace to install alternate power supply systems, air
conditioning equipment and water supply pumps etc. These become serious
326
constraints to continuity due to accidental flooding. Innovative ideas in locating
these enhance continuity.
b. The logs of the End-of-day operations can be transferred to the Cold site in
asynchronous mode and nearby secondary site in real time mode to ensure faster
recovery during disruptions. The alternate sites must be loaded with transactions
regularly to keep them DR ready.
DR Operations
a. Data center operations that are normally managed by main centre staff must
have provisions (and must be practiced) for remote operations from other sites
or a service provider. Escalation levels are to be built into the centre
management software for functions, processes and system administration. 2nd
level of escalation is the functional or domain level expert and 3rd level of
escalation is the system administrator.
b. In case of disasters the organization that will come into force (Controller and
support staff) to run the data centre from alternate locations must be defined and
information communicated to all concerned to ensure continuity of operations.
327
Organization of SBI
Corporate Office
Zonal Office
Regional Office
Branch Office
328
Figure A5.2 Development Organization
329
Figure A5.4 HR & Administration
330
Figure A5.6 International Banking Group
331
Annexure 6
Test of Confidence Level (Standardized v/s Percentile Data)
Standardized Standardized Standardized
RLRIt Percentile RLRIm Percentile RLRIf Percentile
Data Data Data
A1 3.96 0.627 0.60 1.70 -1.132 0.15 2.13 -0.457 0.40
A2 2.15 -0.606 0.40 2.55 -0.313 0.40 1.72 -0.778 0.25
A3 4.41 0.931 0.75 3.86 0.952 0.85 3.80 0.871 0.75
A4 4.20 0.788 0.65 3.31 0.422 0.70 3.60 0.713 0.65
A5 0.76 -1.555 0.00 1.05 -1.755 0.00 3.80 0.871 0.75
A6 4.41 0.931 0.75 3.73 0.826 0.80 4.32 1.283 0.95
A7 4.20 0.788 0.65 2.50 -0.356 0.30 1.75 -0.754 0.30
A8 4.78 1.179 0.90 2.95 0.077 0.45 2.80 0.078 0.45
A9 1.20 -1.257 0.10 1.35 -1.465 0.05 0.30 -1.904 0.00
B1 1.35 -1.151 0.15 3.25 0.362 0.65 1.80 -0.714 0.35
B2 1.83 -0.822 0.25 2.53 -0.324 0.35 1.50 -0.952 0.15
B3 4.75 1.162 0.85 3.86 0.959 0.90 4.30 1.267 0.90
B4 1.93 -0.754 0.30 1.75 -1.080 0.20 1.70 -0.794 0.20
B5 4.90 1.264 0.95 4.80 1.861 1.00 3.01 0.245 0.55
B6 3.22 0.123 0.50 2.97 0.097 0.50 4.32 1.283 0.95
B7 1.59 -0.989 0.20 1.46 -1.355 0.10 1.25 -1.150 0.10
C1 1.16 -1.283 0.05 2.34 -0.510 0.25 3.60 0.713 0.65
C2 2.07 -0.664 0.35 3.05 0.174 0.60 2.88 0.142 0.50
C3 4.97 1.314 1.00 4.70 1.765 0.95 3.44 0.586 0.60
D1 2.25 -0.539 0.45 3.00 0.126 0.55 0.66 -1.618 0.05
D2 3.80 0.514 0.55 3.56 0.668 0.75 4.05 1.069 0.85
332
Analysis:
The skewness of the distribution of responses for top and middle levels of management are found to be close to zero, indicating that
usage of standardized results would be consistent with the usage of percentile ranks, which have been used in the analysis. Further, the
correlation coefficients for the two sets of results, viz Standardized scores and Percentiles, yielded 0.978 and 0.982 respectively for top
and middle management, showing credence to use of percentiles. In case of responses by the third group, i.e., lower levels of
management, the skewness of -0.311 surely indicates the presence of higher scores towards the upper percentiles. However, this
cannot be a deterent to using percentiles for making a comparative prediction amongst the three management levels. This is due to the
fact that
(a) the mean score of this third group is lowest at 2.701 amongst the three groups
(b) the correlation coefficient between using standardized scores and percentiles is high at 0.985.
Inference:
It has been observed that an 80 percentile score is at around one standard deviation or above the mean, which captures nearly 16% of
the responses in the top bracket. The confidence in quoting this figure of 16% stems from the skewness factor of the responses, which
is found to be almost close to zero, as in a normal distribution. Hence an 80 percentile is being considered as a 'high' and a 20
percentile signifies a 'low' category.
333
REFERENCES
Amato-McCoy Deena M., Planning for Continuity, Bank Systems & Technology, February
27, 2006,
http://www.banktech.com/showArticle.jhtml?articleID=181400621
Bill Mulcahy, Assistant vice president of Systems, Sun Life Assurance explained the
structure of electronic vaulting deployed by his company to Smith Laura in her article “The
new face of disaster recovery”, March, 2002
Bimal Jalan, Governor, Reserve Bank of India, India’s economy in the new millennium,
VBS Publishers Pvt. Ltd, New Delhi, Aug 2006.
Bleiberg Ron, SmartAdvice: Planning Ahead Means A Disaster Needn't Wipe Out Your
Business, Aug. 22, 2005
http://www.fileon.com/press/articles/disaster-neednt-wipe-out-business.html
Bloor Robin, Bloor Research, BCM Findings in USA – A report, Jan 2003.
Brahim Herbane, Dominic Elliott and Ethne Swartz ( Leicester Business School, UK),
Contingency and continua, Achieving Excellence through Business continuity
planning, Business Horizons, December 1997.
Brian Periera, implementing a Business continuity plan, network magazine, issue of August
2002.
334
Bruno-Britz Maria, Banking System Defiant in Katrina's Aftermath, September 13, 2005.
Coles Warren, Executive Vice President, PULSE EFT Association, Houstan USA,
“Planning for Continuity”. - interview with Bank systems & Technology, February 27,
2006.
http://www.banktech.com/showArticle.jhtml?articleID=181400621
Core Banking Infrastructure - Sustenance and Deployment, Special Report, Indian Bank’s
Association, March 2006,
http://www.iba.org.in/iba_ibs.asp#
Croy Michael, Director of business continuity for Forsythe Solutions Group Bank systems
& Technology, Planning for Continuity, February 27, 2006.
http://www.banktech.com/showArticle.jhtml?articleID=181400621
Dell’Ariccia Giovanni, Detragiache Enrica and Rajan Raghuram, Executives IMF, The Real
Effect of Banking Crises, October 2004
DeZabala Ted, Principal and National security services leader, Deloitte & Touché, “A
survey on large number of companies in UK”, Financial Services Technology,
September, 2002.
Dhawan, Consultant KPMG, comment in the article “Indian IT industry shies from investing
in BCM initiatives”, Express computers. Indian Express Group, July 7, 2003,
Djankov, S. C. McLiesh and A. Shleifer 2005, Private credit in 129 countries, NBER
Working Paper 11078, January 2005.
DoedeDe Waij, Senior Manager, Marsh Risk Consulting, BCM - Protecting enterprise
value, July 2006.
335
Donald Ferguson, an enterprise storage consultant, from EMC, Hopkinton, MA, USA
provided his views of “Configurations in Future” to Smith Laura, in her article “The
new face of disaster recovery”, Mar 2002.
Donna Scott of the Gartner Group, Stamford, CT. comments in “Leading Companies Revive
Focus on Best Practices to Bolster Profits in Recessionary Climate”, February 26,
2002.
G Padmanabhan, Chief General Manager, Dept of IT, RBI, “Business Continuity – a new
priority for banks”, Bank Tech Summit, Taj Lands End Mumbai, ,September 22, 2005
Gallagher Michael, What is the worst that could happen, Financial Times, Printece Hall,
May 2003.
Greg MacSweeny, Redefining Best BC Practice, Insurance & Technology, Aug 2003
Herring Richard J. and Diebold Frank, Operational Risk Poses Challenges to Financial
Institutions and Regulations, Wharton School at the University of Pennsylvania,July
03, 2002
Knowledge@Wharton.edu
336
Hoenig Thomas M., President, Federal Reserve Bank of Kansas City, Kansas City,
Missouri, Financial Modernization: Implications for the Safety Net Conference on
Deposit Insurance, , Washington, D.C., January 29, 1998
Howarth Fran, Business continuity planning: will your plans save you, January 12, 2004
http://www.it-director.com/article.php?articleid=11564
Hunt Hal, “Lesson of Hurricane Hugo” - ECT News Network, at 6:00 AM on May 08,
2004
Hunt Hal, Lesson of Hurricane Hugo: Plan Recovery, 6:00 AM PT, Part of the ECT News
Network May 8, 2004
http://www.crmbuyer.com/story/35561.html
James Royds, founding partner of InfoSec Associates and past Chairman of Information
Security & BS7799 Survive - The Future of Business Continuity Management, Credit
Control, House of Words Ltd, January 2007.
James Ryods, founding partner of InfoSec Associates and past Chairman of Information
Security & BS7799 Survive - The Future of Business Continuity Management, Credit
Control, House of Words Ltd, January 2007.
Jamie Gruener’s, (an analyst at the Yankee Group in Boston) comment in the article
‘Disaster recovery: Know what you really need’ by Ambrosio Johanna, October 25,
2001.
John Webster, a senior analyst at Illuminata Inc. in Nashua, N.H., Disaster Recovery
Journal (WP 2003-02)., September 2002.
Kamesam Vepa, Deputy Governor, Reserve Bank of India, Excerpt from Address Delivered
at Central Bank of Sri Lanka, Colombo, August 20, 2003.
Kapoor Sameer, Executive Director, PWC, “Business Continuity and Disaster Recovery”,
Interview to Financial Times, June 2005.
Kaul, Hemant, “Customer Focus Banking. The UTI Bank Experience”, January, 2003,
http://www.som.iitb.ac.in/ppts/hemant.ppt
337
Kelly John and David Stark, Presentation at the Reginald H. Jones Center’s 3rd Annual
conference on the Internet and Strategy- “The Internet and the 21st Century Firm”
April 12, 2002
Kerry Massaro, Mapping out BCP guidelines, Wall street Technology magazine, pages 21
to 22, June 2003
Khanna Anurag, MD & CEO, Banknet India, Developments in Banking & Banking
Technology, Banknet Directory, January 2002
King Jason, Director of financial services, Hyland Software's Vendor's OnBase content
management firm, Ohio, USA comments in his interview with Bank systems &
Technology, Planning for Continuity, February 27, 2006,
http://www.banktech.com/showArticle.jhtml?articleID=181400621.
Kovar, Joseph F, Helping SMBs to weather the storm, CMP Media LLC, July 28, 2003.
www.CRN.com
Lee, CIO, Baltimore, Maryland's tax department commented Security 2002: Rethinking
Risk, September 16, 2002.
Luft David, Proactive plans thwart SMB threats, June 15, 2005
M.Balachandran, CMD, Bank of India, Seminar on “Indian Banking Shaping and Economic
Powerhouse”,Mumbai, July 18, 2006.
Maiwald Eric & Seiglein William, Security Planning and Disaster Recovery, McGraw-Hill
Professional, Osborne, USA, P 235 – 249., January 2002.
Mani Rahul Neel, Indian IT industry shies from investing in BCM initiatives, July 7, 2003
http://www.expresscomputeronline.com/20030707/indtrend1.shtml,
338
Martin Pat, Vice President, Corporate Communications, Regions Bank, Birmingham, USA,
interview extracts, Bank systems & Technology, Planning for Continuity, February
27, 2006.
http://www.banktech.com/showArticle.jhtml?article ID=181400621
Mawson Thomas, Executive Director, DRI international, Virginia, Risk evaluation &
Control, Security Magazine, May 2003.
Miller Kevin, Consultant, Stroh Consulting Services, BCM Report, July 2003.
Mishra A. K., Professor, IIM Lucknow, Internet Banking in India – Part I, Conference
paper, Booz Allen & Hamilton, August 2005
Mohan Lakshmi and Rai Sunil, “, “Business Continuity Model: A Reality Check for Banks
in India”, Journal of Internet Banking and Commerce, vol. 11, no.2, August 2006,
http://www.arraydev.com/commerce/jibc/
Mohan Lakshmi and Rai Sunil, “Business Continuity Management in Banks – The Indian
Experience”, Journal of Internet Banking and Commerce, vol. 11, no.2, August 2006,
http://www.arraydev.com/commerce/jibc/
Morganti Michael, A business continuity plan keeps you in business, Record , The
magazine of Property Conservation, September 2001
Muntes Sumint, Chief Operating Officer, HSBC, “Disaster Recovery and Business
continuity in banks”, Bank Tech Summit, Taj Lands End Mumbai, September 22,
2005.
Oltsik Jon, Hot spots: So much can go wrong with disaster recovery. What can you do to
ensure all goes well?, June 2004,
http://storagemagazine.techtarget.com/magItem/1,291266,sid35_gci969972,00.html
339
O'Neill Shane, Senior News Writer, DR plans stuck on, February 02, 2005.
Parthasarathi P., Chief General Manager, RBI, letter Ref. RBI/2004-05/420 DBS.CO.IS
Audit.No. 19/31.02.03/2004-05 dated April 15, 2005 to All Chairmen / Managing
Directors / Chief Executive Officers of all Scheduled Commercial Banks, April
15,2005.
Ramanathan, R.N, “Transforming a Giant: SBI ensures a smooth transition”, January 2006
http://www.financialnsights.com/FI/events/FTA06/downloads/presentations/rn_raman
athan.pdf
Rao Gurram Ramachandra and Kasula Prathima, Internet Banking in India, Mondaq
Business Briefing, April 11, 2003.
Ray, Atmadip, “Banks Gear Up To Set Up Disaster Recovery Centres”, January 2005
http://economictimes.indiatimes.com/articleshow/1186027.cms
Reddy Amarender, Banking Sector Liberalization and Efficiency of Indian Banks, The
ICFAI Journal of Bank Management, Volume II P 37-53, May 2, 2004.
Reddy Y.V, RBI measures - Payment Systems, Extract from the Inaugural Address by
Governor, Reserve Bank of India at Twenty-Fifth Bank Economists’ Conference
(BECON- 2003) , December 11, 2003.
Scott, Gartner, interview with Smith Laura in her article “The new face of disaster
recovery”, Security Magazine, March 2002.
Shah Shilpa, Executive, Banknet India, Mumbai, Indian banks moving towards electronic
payment systems- Banknet India, Third Annual Conference on Payment Systems in
Banks", January 10, 2007.
340
Sharp John, Business Continuity Management & The Duties Under Civil Contingencies
Act, Continuity Forum, April 2003.
http://www.bristol.gov.uk/ccm/cms-service/download/asset/?asset_id=12781050.
Shore Dave, “Web-based solutions can ensure business continuity”, Tech Republic, May
20, 2002.
http://techrepublic.com.com/5100-10878_11-1048802.
Shore Dave, Sept. 11 teaches real lessons in disaster recovery and business continuity
planning, May 17, 2002.
http://techrepublic.com.com/5100-10878_11-1048799.html?tag=search#
Smith Laura, “The new face of disaster recovery”, Disaster Recovery Magazine, March
2002.
Staimer Marc, Data determines the right disaster recovery, Issue: January 2005,
http://storageMagazine.techtarget.com/magItem/1,291266,sid35_gci1042972,00.html
Susan Rodetis, “Can your buiness survive the unexpected”, Journal of Accountancy,
February 1999.
341
Ulsch, Financial Services Inc, Boston, “Need for more alternate sites to move people” ,
Security 2002: Rethinking Risk, September 16, 2002.
Watanagase Tarisa, Governor, Bank of Thailand., BOT Notification No. 118-2550 (23-01-
07), January 23, 2007
Y.V. Reddy , Governor RBI, Report on trend and progress of banking in India 2005-06 ,
submitted to the Central Government in terms of Section 36(2) of the Banking
Regulation Act, 1949, Page 77, June 30, 2006.
342
RBI Directives and Reports
Banking Regulation Act of India, 1949 and Negotiable Instruments Act 1881
India Banking 2010, report submitted by McKinsey Consulting to RBI that was included in
RBI Report on Trend and Progress on Banking in India 2005-2006, RBI Publication,
June 30,2006.
RBI plans national settlement system, BS Banking Bureau in Mumbai, May 04, 2005.
RBI report on “Trend and Progress of Banking in India 05-06” June 30, 2006.
RBI Report on trend and progress of banking in India 2005-06 , Page 189, June 30, 2006,
RBI Report on trend and progress of banking in India 2005-06 , Page 98, June 30, 2006
RBI Report on trend and progress of banking in India 2005-06 ,Page 97, June 30, 2006
RBI Report on trend and progress of banking in India 2005-06 Page 67, June 30, 2006
RBI Report on trend and progress of banking in India 2005-06 Page 84, June 30, 2006
RBI Report on trend and progress of banking in India 2005-06, , Page 97, June 30, 2006
RBI Report on trend and progress of banking in India 2005-06, Page 189, June 30, 2006,
RBI Report on trend and progress of banking in India 2005-06, Page 97, June 30, 2006,
RBI Report on trend and progress of banking in India 2005-06, Page 98, June 30, 2006,.
RBI Report on trend and progress of banking in India 2005-06, Page 98, June 30, 2006,
RBI Report on trend and progress of banking in India 2005-06, Page 116, June 30, 2006
RBI Report on trend and progress of banking in India 2005-06, Page 70, June 30, 2006
RBI report, “The overall turnover - payment and settlement systems, ECS, MICR and Non-
MICR , June 2006.
Reserve Bank of India provides business continuity instructions to banks, August 11, 2006
343
Reports and Websites
Boosting Datacenter Availability for Largest Private Bank in India with the Help of
Symantec.
http://eval.veritas.com/downloads/sus/ICICI_Bank.pdf
Business Continuity Report , Tower Group, a Research and advisory firm, January 2002.
Deloitte & Touché LLP and CPM Global Assurance conducted a survey of 200 corporate
and IT managers from various industries, January 2005.
Disaster Recovery Information Exchange, and Survive – The Business Continuity Group,
July 2002
http://www.survive.com
European banking industry attitudes towards IT continuity explored, January 18, 2006,
http://continuitycentral.com/news02296.htm
Hidden threats to enterprise: will your business continuity go according to plan, a Report,
Financial Services Technology ,June 2003.
344
Leading Companies Revive Focus on Best Practices to Bolster Profits in Recessionary
Climate, February 26, 2002.
Modernizing Payment Systems is a Top Priority for Indian Banks, Banknet India’s
Conference on Payment Systems in Banks, Mumbai, January 17, 2006.
Security 2002: “Rethinking Risk”, Reports of CIOs and CTOs, A survey report , September
16, 2002.
TCS-FNS emerges as most widely deployed core-banking solution in the country, March 3,
2006
http://www.tcs.com/0_media_room/releases/200603mar/TCS_FNS.htm
345
EXCERPTS FROM INTERVIEWS
Bondaiah Adepu, Manager – IT, Global Trust Bank, February 22, 2006 and April 27, 2006.
Dinesh Pandey, AGM, SBI on April 4, 2006 and June 26, 2006.
Dr. R. B. Burman, Executive Director, RBI made to the researcher in special meeting
organized in his office on March 20, 2007
Girish V, Principal Consultant, Banking association of India and editor Banking Frontiers,
magazine, August 12, 2005 and April 4, 2007.
Narain and Girish V., Banking Consultants, Excerpts from Meeting in June 2006.
Nayana Phanse, AGM, SBI, Regional Office, BKC Mumbai , December 23, 2005 and
January 18, 2006.
S. S. Purohit, DGM, SBI Zonal Office (West), Mumbai on December 28, 2005, January 24,
2006 and March 16, 2006.
Sundaram Kalyan, General Manager (IT) Bank of Baroda, BKC, Mumbai during the
meeting on May 12, 2007.
T. Prabhakar, Dy. General Manager (IT - Technical), SBI Corporate Centre, Navi Mumbai
on January 12, 2006, March 10, 2006 and April 7, 2006.
Trivedy Ravi, Partner KPMG and Girish. V., BFSI Consultant, Excerpts from meeting held
on August 22, 2005 and September 19, 2005 respectively.
Trivedy Ravi, Partner KPMG, Banking vertical division, during meeting, May 16, 2007.
Trivedy Ravi, Partner, KPMG and Girish V., Banking, Financial Services & Insurance,
Consultant, Excerpts from interviews, April 15, 2006
346
List of Publications
Prof. Sunil Rai (2002PHXF424)
International Journals
1. Business Continuity Management in Banks – The Indian Experience
Co-authored with Dr. Lakshmi Mohan
Journal of Internet Banking and Commerce, August 2006, vol. 11, no.2
(http://www.arraydev.com/commerce/jibc/)
Conference Papers
1. E-Governance through Information Technology Act, 2000
February 11, 2001, Economic Development Centre, Panaji, Goa, Conference on
eGovernance – “The State of Goa in the Next Millennium” organized by the
Government of Goa.
2. Role of Higher Education in Transforming India
April 8, 2004, Hotel Renaissance, Powaii, Mumbai, Conference – Vision 2020
organized by Veer Jijamata Technological Institute, Mumbai.
3. Ensuring quantifiable returns on investments made in technology
December 13, 2004, Le Royal Meridien, Mumbai, Conference – Financial
Technology Forum organized by Marcus Evans Conferences, Malaysia
4. Identifying infrastructure requirements for IT security
February 21, 2006, Hyatt Regency, Mumbai, Conference - Corporate IT Security
organized by Marcus Evans Conferences, Malaysia
5. Development of Young Managerial Talent
October 12, 2006, Conference Hall, Kalina Campus, University of Mumbai,
Conference - SAS Forum International 2007 organized by SAS India.
A-1
Biography of Candidate
Prof. Sunil Rai
Prof. Rai is currently the Joint Director of the S.P. Jain Institute of Management & Research
(SPJIMR), Mumbai. He is also the Chairperson of the PGDM Program, Centre for
Information Technology at SPJIMR and the Bhavan’s Centre for InterDisciplinary Studies of
Bharatiya Vidya Bhavan, who have set up several institutions of higher learning including
SPJIMR.
As Chairperson and Professor in the Centre for Information Management at SPJIMR, he has
designed and conducted courses in IT Infrastructure Management and IT Services
Management. He has re-designed the Systems (Information) Management Program for MBA
Specialization with a unique pedagogy that aims at Scenario-based Industry Focus Solution
Architecture, Integration and Implementation. He is currently developing a unique
interdisciplinary program, “Professional Program in Management”, for aspiring young
managers who will complete this program as part of their undergraduate education.
A-2
Biography of Guide – Dr. Lakshmi Mohan
Lakshmi Mohan is a member of the Management Science and Information Systems faculty of
the School of Business. She began her doctoral studies at the University of California,
Berkeley, and received her Ph.D. degree from Columbia University. Before joining SUNY,
she taught at the Sloan School of Management, M.I.T. and the Indian Institute of
Management, Calcutta. She has also been teaching the required course on Managing
Information Technology at the Duxx Graduate School of Business Leadership in Monterrey,
Mexico, since the inception of the school in 1996. She has been invited by the Nanyang
Business School, Nanyang Technological University, Singapore, to teach a course on
Customer Relationship Management in their MBA Program in July 2002.
Dr. Mohan brings to her teaching and research an analytical approach fostered by her
mathematical education, combined with pragmatism in putting theory into practice, which
she gained from her business experience. At SUNY, her empirical research on decision
support systems, executive information systems and management of information technology
has been supported by over US $2 million in grants from Fortune 100 firms and government
agencies. Her current research interests are in Enterprise Resource Planning (ERP), Customer
Relationship Management (CRM) and Supply Chain Management (SCM) systems, and use of
the Net in business. She is a member of the Senior Program Faculty of the University’s
interdisciplinary Doctoral Program in Information Science and has chaired several
dissertations. She has also lectured and consulted worldwide including Argentina, China,
India, Indonesia, Malaysia, Mexico, Singapore and South Africa. She has been appointed to
serve on the Advisory Board of The Bombay School of Business to guide curriculum
development for the Post-Graduate Program in E-Business, which was launched in July 2001.
Dr. Mohan has been active in conducting executive development programs in several
countries of the world, including some that were sponsored by the United Nations in
Bangkok, Taipei, Seoul, Singapore, Hong Kong and Kuala Lumpur, and by Unilever in
London and Bombay. At the invitation of the World Bank, she conducted a four-week
A-3
program on Decision Support Systems in Shanghai for a group of fifty faculty members
selected from various Chinese universities. She has also conducted a number of programs in
Singapore in Executive Information Systems for the Institute of Systems Science of the
National University of Singapore. She conducted several two-day Workshops on CRM in
Bombay and Singapore (Jan 2002), in Bombay, Hong Kong, Kuala Lumpur and Singapore
(July 2002) and is scheduled to do another series of these Workshops in Shanghai, Dubai and
Bombay (Feb 2003).
Dr. Mohan received the Dean Warren Hayes Outstanding Graduate Teaching Award of the
School of Business in 1986, and the Outstanding Faculty Service Award in 1999.
A-4