Prof. Sunil Rai PDF

Business Continuity Management Model for Indian Banks:
An Empirical Study of Selected Banks in Mumbai
THESIS
Submitted in partial fulfillment

of the requirements for the degree of
DOCTOR OF PHILOSOPHY
By
Sunil Kumar Rai
Under the supervision of

Dr. Lakshmi Mohan
BIRLA INSTITUTE OF TECHNOLOGY AND SCIENCE

PILANI (RAJASTHAN) INDIA
2007
BIRLA INSTITUTE OF TECHNOLOGY & SCIENCE
PILANI RAJASTHAN
CERTIFICATE
This is to certify that the Thesis entitled “Business Continuity Management
Model for Indian Banks: An Empirical Study of Selected Banks in Mumbai”
and submitted by Sunil Kumar Rai ID No. 2002PHXF424 for award of Ph.D.
Degree of the Institute, embodies original work done by him under my
supervision.
Signature in full of
the Supervisor:
Name in capital
DR. LAKSHMI MOHAN
block letters:
FACULTY - SCHOOL OF BUSINESS

UNIVERSITY AT ALBANY, STATE
Date: OCTOBER 31, 2007 Designation: UNIVERSITY OF NEW YORK
ADJUNCT FACULTY, S. P. JAIN INSTITUTE
OFMANAGEMENT & RESEARCH
TABLE OF CONTENTS
CHAPTER TITLE PAGE

Acknowledgements ix
List of Figures xi
List of Tables xiii
List of Abbreviations xv
Abstract xxii
Chapter 1 Introduction
1.0 Preamble 1
1.1 Growth of Banking in India 2
1.1.1 Deployment of IT in Banks in India 3
1.1.2 ICT drives Indian baking to International standards 4
1.1.3 Business Continuity practice in Indian Banks 5
1.2 BCM Experiences of US & Europe 6
1.3 Elements of BCM Plan 8
1.4 Gaps 9
1.4.1 Knowledge about BCM centered around western experiences 9
1.4.2 Framework for BCM in Banks not comprehensive 9
1.4.3 Absence of metrics to measure BCM effectiveness 9
1.4.4 Shortfalls in BCM implementation by Banks in India 10
1.5 Objectives of Research 10
1.5.1 Comprehensive BCM framework 10
1.5.2 Status of BCM implementation by Banks in India 11
1.5.3 Development of metrics to measure BCM effectiveness 11
1.5.4 Deliverables for management in banks 11
1.5.5 Improve business continuity for small and medium banks 11
1.6 Scope of Work 11
1.6.1 Development of BCM Implementation Framework 11
1.6.2 Focus on Operational and infrastructural issues 11
1.6.3 Metrics to measure BCM effectiveness 12
1.6.4 Support to small banks 12
1.6.5 Focus on softer issues 12
1.6.6 Mumbai as the sample of study 12
1.7 Hypothesis of the study 13
i
1.8 Research Methodology 13
1.8.1 Phase 1: Review of Literature 13
1.8.2 Phase 2: Development of BCM Implementation Framework 13
1.8.3 Phase 3: Primary Research to Evaluate Framework 13
1.8.4 Phase 4: Development of BCM Model and Metrics 14
1.8.5 Phase 5: Application of Model to Banks 14
1.8.6 Phase 6: Recommendations for BCM implementation in Banks 14
1.8.7 Phase 7: Scope for Future Work 14
1.9 Research Deliverables 15
1.9.1 BCM Implementation framework 15
1.9.2 BCM Reality Check Metrics 18
1.10 Organization of Chapters 20
1.10.1 Chapter 2 Review of Literature 20
1.10.2 Chapter 3 – Research Methodology 20
1.10.3 Chapter 4 - BCM Survey in Indian Banks 21
1.10.4 Chapter 5 - BCM reality check Model for Banks in India 21
1.10.5 Chapter 6 - Recommended BCM model and evaluation metrics for
SMBs in India 22
1.10.6 Chapter 7 – The way ahead 22
Chapter 2 Review of Literature

2.0 Overview of Indian Banking 23
2.1 Growth of Banking System in India 24
2.1.1 Pre - Nationalization Phase (1786 - 1969) 24
2.1.2 Nationalization of Banks (1969 - 1991) 24
2.1.3 Liberalization: Financial and Banking Sector reforms (1992 onwards) 24
2.1.4 The Current Banking System 26
2.1.5 Banking Functions and Processes 28
2.2 Technology deployment in Indian Banking Industry 30
2.2.1 Technology Adoption by Banks in India 30
2.2.2 The Present Level 31
2.2.3 Information and Communication Technology (ICT) revolutionizing e-
banking 32
2.3 Internet Banking in India 37
2.3.1 Internet Banking Promise 37
2.3.2 Indian Banks on Web 37
ii
2.3.3 Emerging Challenges in Internet banking 38
2.4 Current Trends of BCM Preparedness in International Banks 38
2.4.1 Increased redundancy & multiple Data Center sites 39
2.4.2 Increased collaboration with third-party partners 39
2.4.3 Well documented and communicated alternate processes 40
2.4.4 High availability of Solutions and Productivity of employees 40
2.4.5 Computerized document management 40
2.4.6 Continuous contact with employees during disasters 41
2.4.7 Brand value and Customer Confidence 41
2.4.8 Appropriateness of BCM in social and economic context 41
2.5 Business Continuity Management in Banks in India 42
2.5.1 Implementation of Business Continuity Planning in Banks 43
2.5.2 Preparedness status of banks in India 43
2.6 Gaps in BCM Implementation in Banks in India 44
2.6.1 Customer focus 44
2.6.2 Small banks face bigger challenge 45
2.6.3 Higher operating costs 45
2.6.4 BCM is IT Focus and not comprehensive 45
2.6.5 Conformity to International standards 46
2.6.6 Portfolio of products and services 46
2.6.7 Deployment of IT in running processes (Banking and non Banking) 46
2.6.8 Availability of state of the art infrastructure in terms of facilities in IT 46
2.6.9 Management of outsourced services 47
2.6.10 Lack of Documentation 47
2.7 BCM Implementation Planning 47
2.7.1 BCM Implementation Challenges 47
2.7.2 Greater need to implement BCM in banks 48
2.7.3 The importance of Implementing BCM 50
2.7.4 BCM Planning 51
2.7.5 The BCM Plan 52
2.7.6 Elements of BCM Plans 58
2.8 BCM Implementation Framework and Disaster Management 61
2.8.1 Embarking on a BCM project 64
2.8.2 Managing BCM Implementation project 64
2.8.3 Disaster Management 66
2.9 Summary of Findings 67
iii
2.9.1 Banking scenario in India 67
2.9.2 BCM implementation scene in banks in India 68
2.9.3 BCM Planning and Implementation 69
2.10 Conclusion 70
Chapter 3 Research Methodology

3.0 Preamble 71
3.1 Background – BCM Implementation Scenario 71
3.2 Non-Existence of Framework for Measurement of BCM effectiveness 73
3.3 Choice of Mumbai as Representative Sample 74
3.3.1 Largest export / globalization oriented banking activities 74
3.3.2 Consistent high financial performance 74
3.3.3 Concentration of control of banking activity in the country 75
3.3.4 Presence of all types of banks 75
3.3.5 Cultural representation of entire country 75
3.3.6 Presence of Central / Regional Data Centers 76
3.4 Scope of Work 76
3.4.1 Development of an academic model 76
3.4.2 Operational and infrastructural issues 77
3.4.3 Metrics to measure BCM effectiveness 77
3.4.4 Support to small banks 77
3.4.5 Focus on softer issues 77
3.5 Research Methodology Framework 78
3.5.1 Survey in select Banks 79
3.5.2 Model Development 83
3.5.3 Refinement of Model 85
3.5.4 The basis of selection of sample (respondents) for Model Refinement 86
3.5.5 List of Banks That Participated in Model Development and Validation 87
3.6 The Research Objectives 89
3.6.1 Applicability of BCM experiences that are western-evolved to India 89
3.6.2 Non-standardization of BCM implementation frameworks 89
3.6.3 Measurement of BCM effectiveness 89
3.7 Conclusion 90
iv
Chapter 4 BCM Survey in Indian Banks
4.0 Introduction 91
4.1 Objectives of Survey of Banks 91
4.2 The Research Methodology 92
4.2.2 The Study Plan 93
4.2.3 Bank wise Summary of Study 94
4.3 Essential Ingredients of Successful BCM Implementation in Banks 94
4.3.1 Strategic 95
4.3.2 Operational 98
4.3.3 Technological 102
4.4 Learnings from Case Study 106
4.4.1 People and Procedures 106
4.4.2 IT infrastructure 107
4.4.3 DR organization 107
4.5 Status of BCM Essentials in Banks – A Snapshot 107
4.5.1 Strategic 108
4.6 Summary of Findings 111
4.6.1 Strategic 111
4.7 Conclusion 114
Chapter 5 BCM Model for Banks in India

5.0 Preamble 118
5.1 The Need for Business Continuity Management 118
5.2 Methodology for Development of BCM Model and Metrics 119
5.3 The BCM Model 119
5.3.1 Organizational 120
5.3.2 Processes 120
5.3.3 People 121
5.3.4 Technology 123
5.3.5 Facilities Management 124
v
5.4 The Business Continuity Reality Check 124
5.4.1 Application of the Metrics 127
5.4.2 Data Analysis and Findings 128
5.5 Conclusion 130
Exhibit5.1 The BCM Reality Check Metrics 132
Chapter 6 Application of BCM Model and Metrics

6.0 Preamble 137
6.1 Methodology 137
6.1.1 Identification of Samples 137
6.1.2 Data Collection 139
6.1.3 Standardization 140
6.1.4 Computation of BCM Indicators 140
6.1.5 Macro Analysis 141
6.1.6 Factor Assessment 141
6.2 Application of the Model – Cluster Analysis 142
6.2.2 Procedure 142
6.2.3 People 143
6.2.5 Facilities 144
6.3 Observation and Inferences 144
6.3.1 Organization 144
6.3.2 Procedure 145
6.3.3 People 145
6.3.5 Facility 147
6.4 Statistical Analysis of Findings 148
6.4.2 Procedures 150
6.4.3 People 151
6.5 Critical Factors for BCM Implementation in MSRB 153
6.5.2 Procedure: 155
vi
6.5.3 People 156
6.5.6 Recommendations to MSRB’s to address vulnerabilities 158
6.6 Summary of Critical Factors 166
6.6.1 Overall Comparative Status 166
6.6.2 Management comprehension of BCM 166
6.6.3 Critical Success Factors for BCM in Small banks 167
6.6.4 Recommendations for successful BCM in Small banks 169
6.7 Conclusion 170
Exhibit 6.1 Cluster-Wise Details of BCM Parameters 172
Exhibit 6.2 Resilience Indicator and Vulnerability Index 177
Exhibit 6.3 Strength/Preparedness & Vulnerability Factor Summary 187
Exhibit 6.4 Survey of Large and Medium & Small Retail Banks (MSRBs) 192
Exhibit 6.5 Classification of Factors for BCM Implementation 198
Chapter 7 Research Findings and Future Scope of Work

7.0 Preamble 203
7.2.1 Reality Check Metrics 207
7.2.2 BCM Implementation Methodology 208
7.3 Recommendations for successful BCM in Small banks 210
7.4 Limitations of the Model 210
7.5 Strengthening the Model 211
7.6 The Future scope of Work 213
7.6.1 Measurements of parameters 214
7.6.2 Methodology of application of model 214
7.6.3 Analysis to improve usability 215
7.7 Towards sure business continuity in banks 215
Annexure 1 BCM Implementation Framework 216
Annexure 2 Survey Methodology - BCM Survey in Indian Banks 257
Annexure 3 Development of Metrics for conducting “Reality Check” 270
Annexure 4 Bank wise Summary of Study 278
vii
Annexure 5 BCM in Operation – Experience of a Large Bank 314
Annexure 6 Test of Confidence Level 332
References 334
List of Publications A-1
Biography of Candidate A-2
Biography of Supervisor A-3
viii
ACKNOWLEDGEMENTS
I wish to express deep sense of gratitude and sincere thanks to my thesis supervisor
Dr.Lakshmi Mohan for her able guidance, encouragement and suggestions throughout the
period of this research work. It has been a privilege for me to work under her guidance.
Much appreciation is expressed to Prof. Arya Kumar, Group Leader, Economics & Finance
Group, and Dr. Niranjan Swain who were the members of Doctoral Advisory Committee
(DAC), for their kind suggestions, moral support and assistance.
Gratitude is also accorded to BITS, Pilani for providing all the necessary guidance to
complete the research work. My revered thanks to Dr. L. K. Maheshwari, Vice Chancellor for
being a symbol of encouragement and wisdom to enable me undertake the doctoral work. I
wish to express sincere thanks and gratitude to Dr.M.L.Shrikant, Dean, S. P. Jain Institute of
Management and Research (SPJIMR), who is my ideal and inspiration.
I express my gratitude for the kind and affectionate enquiries about the work and the
encouragement given by Dr. Ravi Prakash, Dean, Research and Consultancy Division, Dr.
S.P. Regella, Dr.S.S. Deshmukh, Mr. Sanjay D. Pohekar of the same Division for their timely
and proper advice. My special thanks to Dr. Dr.Dinesh, In-charge Ph D Programme
Monitoring for giving me an opportunity to do research at the Institute.
I am indebted to my Faculty Colleagues at SPJIMR – Dr. Suranjan Das, Prof. Suresh

Lalwani, Dr. M. J. Arul, Dr. Mythili Venkateshan, Prof. S. Sriram, Dr. Uma Narain, Dr.
Nikhil Agarwal, Dr. Neeru Maheshwari and Dr. Shesha Iyer for their continued guidance and
support.
The encouragement and unflinching support provided by my colleagues – Ms. Priti Miranda
and Ms. Lakshmi Narayan has been a pillar of strength in accomplishing the research data-
gathering task. I am thankful to Ms. Deepa Shetty in providing support in organizing the
resources for data collection and analysis. I express sincere thanks to my friends Mr. Rajesh
S, Mr. Bharat Mishra, Mr. Ravi Gurnani, Mr. Rishish Chandra, Mr.Karthikeya Rathore, Mr.
Rakesh Menon, Ms. Navneet Kaur Nayyar, Ms. Dipali Manjrekar, Ms. Pooja Ahuja and Ms.
Jayashree Thampi for their support.
ix
The professionals from Banking and Consulting who have immensely provided their
guidance and arranging contacts to undertake research have made me indebted to them. Note
worthy amongst them are Mr. V. S. Girish, Mr. Shri Narain, Mr. S. S. Purohit, Mr. Dinesh
Pandey, Ms. Nayna Phanse, Mr. Kalyana Sundaram, Ms. Bhavna Ugrankar, Mr. B. T. Pillai,
Mr. Surendra Shetty, Mr. Ajit Rath, Mr. Ashok Menon, Mr. Srinivasan G, Mr. A. Ganesh,
Mr. T. Prabhakar, Mr. Harish Shetty and Mr. Bondaiah Adepu.
On the domestic front, a very special expression of appreciation is extended to my mother

Ms. Sushila Rani Rai, my father Shri. G. C. Rai, my wife Ms. Manju Rai and my children
Juhi and Ankit. Without their encouragement, patience, and understanding this endeavor
would not have been possible. I would like to record my special affection and thanks to all
my friends and relatives whose constant persuasion and moral support has been a source of
inspiration to me.
Prof. Sunil Rai
x
LIST OF FIGURES
1.1 Elements of BCM Implementation 8
1.2 BCM Implementation Framework 15
1.3 Level of Continuity 19
2.1 BCM Planning Framework 51
2.2 BCM Implementation Framework 63
2.3 Crises Management 66
3.1 Steps in development of BCM Model 76
3.2 Research Methodology Framework 78
A1.1 Risk Management Model 238
A4.1 The IT Architecture at OBC 281
A4.2 Business Intelligence Architecture 284
A4.3 ICICI Bank Network 285
A4.4 ICICI - Branch Network 286
A4.5 Process Organization 290
A4.6 HDFC Bank Network – India 294
A4.7 DPC, Central Branch at Mumbai 295
A4.8 ENet Implementation Architecture of HDFC Bank 296
A4.9 Network Security 302
A4.10 Access Control 303
A4.11 Delivery Channels & Mobile Banking 307
A4.12 CBS Architecture 309
A4.13 Network Infrastructure 310
A4.14 INFINET Supports SBI Network 312
xi
A5.1 Corporate Organization 327
A5.2 Development Organization 328
A5.3 IT Organization 328
A5.4 HR & Administration 329
A5.5 Corporate Banking Group 329
A5.6 International Banking Group 330
xii
LIST OF TABLES
1.1 BCM Metrics Model 18
2.1 Number of Branches of Scheduled Commercial Banks 26
2.2 Percentage of Retail Loans to Total Loans 27
2.3 Retail Portfolio of Banks 27
2.4 Computerization in Public Sector Banks 30
2.5 Extent of Computerization of Branches PSBs 31
2.6 Paper Based v/s Electronic Transactions 33
3.1 Respondents for BCM Metrics Model Development 83
3.2 Respondents for BCM Metrics Model Validation 86
4.1 Importance / Criticality Status – Strategic Ingredients 108
4.2 Importance / Criticality Status – Operational Ingredients 109
4.3 Importance / Criticality Status – Technological Ingredients 110
5.1 The BCM Reality Check Metrics – Clusters 125
5.2 Evaluation Criteria Measures 126
5.3 Number of Cluster Wise Parameters at 4 levels in BCM Metrics 126
5.4 Composite Resilience and Vulnerability Indicators 128
5.5 Overall Vulnerability Indicators 129
5.6 The BCM Reality Check Metrics 132
6.1 Strength of criticality 142
6.2 Criticality of factors 148
6.3 CSFs - Organization 154
6.4 CSFs - Procedure 155
6.5 CSFs - People 156
6.6 CSFs – Technology 157
6.7 CSFs - Facilities 158
xiii
6.8 Cluster wise recommendations to MSRBs 159
6.9 Cluster-Wise Details of BCM Parameters 172
6.10 Resilience Indicator and Vulnerability Index (Cluster-wise) 177
6.11 Strength/Preparedness & Vulnerability Factor Summary 187
6.12 Survey of Large and Medium & Small Retail Banks (MSRBs) 192
6.13 Classification of Factors for BCM Implementation 198
A1.1 Budgeting for a Business Continuity Management Project 236
A2.1 Survey of BCM Status 257
A4.1 Business Continuity Survey Chart 304
xiv
LIST OF ABBREVIATIONS
AGM Assistant General Manager
ATM Automated Teller Machine
AVR Advanced Voice Recognition
B2B Business-to-Business
B2C Business-to-Customer
BC Business Continuity
BCM Business Continuity Management
BCP Business Continuity Plans
BFSI Banking, Financial Systems & Insurance
BIA Business Impact Analysis
BM Branch Manager
BPR Business Process Re-engineering
BRIC Brazil, Russia, India & China
BSR Basic Statistical Returns
CA Certification Authority
CAS Content Addressable Storage
CAS Cash Management Systems
CBS Core Banking Solution
CDMA Collision Detection Media Access
CDSIL Central Depository Services India Ltd
CEO Chief Executive Officer
CFES Centralized Funds Enquiry System
xv
CFMS Centralized Funds Management System
CFTS Centralized Funds Transfer System
CGM Chief General Manager
CIO Chief Information Officer
CITIL Citicorp Information Technology Industries
CMS Content management system
COD Central Office Departments
COO Chief Operating Officer
CRL Certificate Revocation List
CRM Customer Relationship Management
CRR Cash Reserve Ratio
CSFs Critical Success Factors
CTL Card Tech Limited
CTO Chief Technology Officer
D2D2T Disk-to-Disk-to-Tape
DAS Direct Attached Storage
DD Demand Draft
DGM Deputy General Manager
DR Disaster Recovery
DRP Disaster Recovery Planning
DRS Disaster Recovery System
E- Cash Electronic payments
ECB External Commercial Borrowings
xvi
ECS Electronic Clearing Services
EDI Electronic Data Interchange
EFT Electronic Funds Transfer
eIBS e-Internet Banking Software
EOC Emergency Operations Centre
ESLA Enterprise Service Licensing Agreement
FCB Full Branch Computerization
FI Financial Institutions
GDR Global Deposit Receipts
GIC General Insurance Corporation
GM General Manager
GTB Global Trust Bank
HDFC Housing Development Finance Corporation
HO Head Office
HP Hewlett-Packard
HR Human Resource
HUF Hindu Undivided Family
HW Hardware
ICICI Industrial Credit and Investment Corporation of India
ICT Information & Communication Technology
IDBRT Institute for Development of Banking Research and Technology
IDEAS Integrated Delivery Channels Application System
IDL Intra Day Liquidity
xvii
IDM Intelligent Data Mapper
IDRBT Institute for Development and Research in Banking Technology
IDS Intrusion Detection System
IFB International Finance Bureau
IIML Indian Institute of Management Lucknow
INB Internet Banking
IOPS Input Output Operations Performance)
IS Information System
ISIN International Securities Identification Numbers
IT Information Technology
ITMS Integrated Treasury Management System
LADS List Alternate Data Streams
LDAP Lightweight Directory Access Protocol
LIC Life Insurance Corporation
LTF Long Term Finance
M&A Merger and Acquisition
MAD Maximum Allowable Downtime
MAN Metropolitan Area Network
MICR Magnetic Ink Character Recognition
MIS Management Information Systems
MMF Mobile Manufacturers Forum
MNCs Multi National Corporations
MTD Maximum Tolerable Downtime
xviii
NAS Network Attached Storage
NBFCs Non-Bank Financial Companies
NDS Negotiated Dealing System
NEFT National Electronic Funds Transfer
NMS Network Management Systems
NOF Net Owned Fund
NPA Non Performing Assets
NRE Non-Resident Employees
NRI Non-Resident Indian
NRO Non-Resident Organizations
NSDL National Science Digital Library
NSS National Settlement System
OBC Oriental Bank of Commerce
OLAP On Line Analytical Processing
P&HR Personnel & Human Resource
PBB Personal Banking Branches
PDs Primary Dealers
PIN Personal Identification Number
PKI Public Key Infrastructure
PMS Portfolio Management Services Section
POS Point of Sales
PPF Public Provident Fund
PSB Public Sector Banks
xix
PSU Public Sector Undertaking
RA Registration Authority
RAC Real Application Clusters
RAID Redundant Array of Inexpensive Disks
RAPID Receipt and Payment instruments/Documents
RBI Reserve Bank of India
RCO Remote Control Option
RI Resilience Indicator
RO Regional Office
ROTI Rate on Technology Investment
RPO Recovery Point Objective
RTGS Real Time Gross Settlement System
RTO Recovery Time Objective
SAN Storage Area Network
SARI Sustainable Access for Rural India
SBI State Bank of India
SDO Software Delivery Option
SEFT Special Electronic Funds Transfer
SFMS Structured Financial Messaging System
SGL Subsidiary General Ledger
SHG Self Help Group
SLA Service Level Agreement
SME Small and Medium-Sized Enterprises
xx
SPAID Split Path Acceleration of Independent Data Streams
SPNS Shared Payment Network System
SSL Secured Socket Layer
STF Short Term Finance
STP Straight Through Processing
SW Software
SWIFT Society for Worldwide Inter-bank Financial Telecommunication
TCO Total Cost of Ownership
TCP/IP Transmission Control Protocol / Internet Protocol
TCS Tata Consultancy Services
Telco Telecommunications
UPS Uninterruptible Power Supply
VI Vulnerability Index
VRS Voluntary Retirement Scheme
VSAT Very Small Aperture Terminals
WAN Wide Area Network
WTC World Trade Center
WTO World Trade Organization
xxi
BUSINESS CONTINUITY MODEL FOR MEDIUM & SMALL RETAIL BANKS IN INDIA
Abstract of Thesis submitted by Sunil Rai - 2002PHXF424
The banking sector in India has evolved as a great economic force from its inception in
mid- nineteenth century till date and has contributed immensely to the economic growth.
The upsurge in banking activity is largely due to changing mind-set of Indian society and
increase in competition mainly coming from Foreign banks post liberalization and
globalization. There is increased dependence on technology for delivering multiple
products and services to a wide range of customers using multiple channels. This has
brought in more challenges to the banks to ensure higher level of continuity. The banks
world-over particularly in US and Europe have incorporated Systems and Processes on
highly reliable and dependable world class ICT infrastructure. These banks have been
challenged by disastrous events of all kinds including financial disasters, terrorism and
unrest and natural calamities. The stories of their success and failure in ensuring
sustained business continuity presented in literature provide valuable insights in
implementing successful Business Continuity Management (BCM).
The methodologies of BCM Implementation suggested in literature are particularly

relevant to the geographies where these are deployed. These frameworks have to be
adapted to Indian conditions to enhance their applicability and made comprehensive to
cover all aspects of BCM Planning, deployment, measurements and updating. There is no
metrics to measure the effectiveness of BCM solutions. The objective of this research
work is to develop comprehensive BCM Implementation Frameworks and a reality check
metrics to ascertain its efficiency and effectiveness to ensure business continuity in
banks. A generic framework to implement BCM was developed using the learnings from
literature. The model was validated by conducting primary research in select banks in
Mumbai that have implemented BCM. This was enhanced by incorporating
recommendations from the experts and consultants engaged in BCM implementations for
banks in India. A comprehensive framework to plan, deploy, review and upgrade BCM
initiatives in banks is presented as a product of this study.
The learnings from literature survey and the fifty-three parameters that were brought out
by primary data survey in banks were used to develop a BCM Metrics in consultation
with experts from Banking and Business Consulting disciplines. The metrics enables
banks to measure their BCM effectiveness at four levels – Corporate, Tactical,
xxii
Operational and Review. It comprises of One Hundred and Seven parameters grouped
into five clusters - Organizational, Procedural, People, Technology and Facility. Each
parameters in the metrics can be assessed by concerned managers of appropriate level
and designation, to measure four criteria of BCM effectiveness - Strength / Preparedness
(P) and Threats / Challenges (R) (on a scale of 0-5) and Vulnerability (V) and
Upgradation Factor (T) (on a scale of 0-1). The analysis of comparative Strengths /
Preparedness against Vulnerability for the bank can be carried out by comparing the
following two Indicators: Resilience Indicator: RI = P * T and Vulnerability Index: VI
= R * V.
The Resiliency and Vulnerability Indicators can then be used to take appropriate actions
at macro level for the cluster (people, technology etc) and at individual levels for each
parameter to take functional level actions. The BCM model was applied to select banks in
Mumbai involving about eighty respondents at three levels of management (Top, Middle
and Functional). The data was normalized to smoothen stray responses due to incomplete
knowledge or lack of understanding the genesis of the parameter in question and was
tested statistically to ascertain the degree of confidence. On the whole, large banks were
found to be less vulnerable on account of technology and facilities but the smaller banks
were more resilient on this account. Large banks however, are more vulnerable to
discontinuity on account of Organizational issues as compared to Facilities and
Technology. Small banks are more vulnerable with respect to Facilities and Technology
in comparison to large banks.
Most banks have put together organizational and technology infrastructure to address
Business Continuity issues comprehensively. The smaller banks however, need to put
these together by entering into collaborative arrangements with other banks and large
providers. The entire banking sector in India need to address the softer issues related to
Business Continuity more comprehensively and pay increased attention to issues related
to bank’s image, scale and scope of services and products being delivered supported on
state-of-the-art technology.
xxiii
CHAPTER 1
INTRODUCTION
1.0 Preamble
The banking in India has been synonymous with the economic growth in India and is
currently facing challenges in relation to competition and rising customer expectations.
The banking system in west, particularly US and Europe has been challenged by major
disruptions that have forced them to implement dependable business continuity
management (BCM) solutions. Consultants have recorded these experiences as
organization specific frameworks that are peculiar to the geography and markets being
served. These frameworks have not been applied to Indian conditions hence their
applicability and efficacy cannot be ascertained. There is no standard framework or
metrics to measure effectiveness of BCM solutions. The gaps in implementation of BCM
in West and India and in India between large and small banks have to be understood and
approach to bridge the same to ensure higher continuity of banking operations in India
has to be worked out. This study is a humble attempt to begin that journey
This chapter is organized as follows:

a. Growth of Banking in India - Section 1.1
(Deployment of IT in Banks in India, ICT drives Indian baking to International
standards, Business Continuity practice in Indian Banks)
b. BCM Experiences of US & Europe - Section 1.2
c. Elements of BCM Plans - Section 1.3
(Technology, Procedures, People and Facilities)
d. Gaps in the area of research - Section 1.4
e. Objectives of Research - Section 1.5
f. Hypothesis of the study – 1.6
g. Research Methodology – 1.7
h. Research Deliverables – 1.8
i. Scheme of chapters – Section 1.9
1
1.1 Growth of Banking in India
Banks are drivers of economic growth in India and function through banking system
under the umbrella of RBI, which is the regulatory and central bank, and operate through
three categories Commercial, Regional and Co-operative1 (Balachandran, 2006). The
shape of banking has seen changes from Inception (1870) to pre-nationalization (1949) to
nationalization (1966) which has rewritten the rules of banking (Srivastav 1999& Prabhu
2001).2 Development of technology has challenged traditional banking practices and
service delivery (Hoeing 1998)3. Liberalization / deregulation has resulted into entry of
foreign and large private sector banks 4 (Yodmani et al, 2001). The numbers of banks of
all categories Public, Private and Foreign, have grown phenomenally. The percentage
presence of private sector banks is higher in urban and semi urban areas and that public
sector banks is higher in rural areas5. This gap is narrowing with increased opportunities
in micro financing6.
The huge expansion for banks in India is owing to growing population of bankable
households and increased propensity of urban to take credit and opportunities for retail
financing for housing loans7 (Jalan, 2006). There is an increased focus on retail loans and
diversification of credit base8. Indian banks have posted higher ‘Net Profits’ and ‘Return
on Assets’ during the last few years and have improved efficiency of operations
significantly. As per Jalan (2006), the average cost of operations in Indian Banking,
however, is higher in comparison to International Standards9.
1
M. Balachandran, CMD, Bank of India, Seminar on “Indian Banking Shaping and Economic Powerhouse”,
Mumbai, 18th July 2006.
2
Pradeep Srivastav, Department of Banking surveillance, RBI, “Computerization, efficiency and Financial reforms”
a report published by RBI, September 1999.
Prabhu Giridhar G., Achal Industries, Mangalore, Paper presented at Symposium on Privatization of
Nationalized Banks – Corporation Bank Officers’ Organization (R), Mangalore on 21st July, 2001.
3
Hoenig Thomas M., President, Federal Reserve Bank of Kansas City, Kansas City, Missouri, Financial
Modernization: Implications for the Safety Net Conference on Deposit Insurance, , Washington, D.C., January
29, 1998.
4
Dr. Suvit Yodmani and Dr. David Hollister, Disasters and Communication Technology: Perspectives from Asia,
Presented at the Second Tampere Conference on Disaster Communications, 28-30 May 2001.
5
RBI Report on trend and progress of banking in India 2005-06 June 30, 2006, Page 97.
6
Mr. Deepak Ghaisas, CEO iflex, remarked during his speech at SPJIMR auditorium during “NIMITT” conference
held on 17 Jul 2006 speaking on “Innovations in banking”.
7
M.Balachandran, CMD, Bank of India, Seminar on “Indian Banking Shaping and Economic
Powerhouse”,Mumbai, 18th July 2006.
8
RBI Report on trend and progress of banking in India 2005-06 June 30, 2006, Page 67 & 70.
9
A comparative analysis indicates that average operating costs of bank in India as a percentage of assets is 2.7% as
compared to progressive economies such as USA and Japan is at 1.7 percent – Jalan (Aug 2006).
2
1.1.1 Deployment of IT in Banks in India
Indian banking is in the midst of IT revolution. The increase in volume of banking
transactions with speedy inter branch reconciliation accelerated the computerization of
accounts and other banking services like remittances10 (Khanna, 2003). Today all private
& foreign banks and almost 80 % of PSBs are fully computerized with higher percentage
of them having implemented Core Banking Solutions11. RBI has created necessary
infrastructure and processes through Institute for Development And Research In Banking
Technology (IDRBT) to provide safe and secure integrated payment settlement systems
using secure channels and encryption12 (Reddy, 2003). The setting up of network and
systems such as BANKNET, INFINET and SWIFT by RBI has facilitated electronic fund
transfers, debits and clearances, reporting and settlement systems. These networks have
proved to be the catalyst in implementation of Real Time Gross Settlement Systems
(RTGS), National Settlement Systems (NSS) and Central Funds Management Systems
(CFMS)13 (Seokumar, 2005). The use of electronic mode of payment has increased, both
in terms of volume and value as a result of unprecedented success of RTGS. The overall
turnover through the various payment and settlement systems has risen by almost 300
percent. This has been mainly due to higher usage of retail payment in the form of
electronic clearing services (ECS), Magnetic Ink Character recognition (MICR) and Non-
MICR14.
Private and foreign banks rely heavily on technology and operate with increasing
efficiencies but the public sector banks enjoy advantage of great reach, size and access to
low cost deposits15 (Kamesam, 2003). Private and Foreign banks have high degree of IT
deployment which is supported on state of the art IT Infrastructure bringing about new
dimensions in Banking services with products like “anywhere banking”, “tele-banking”,
“internet-banking”, “web-banking” etc.16(Muntes, 2005). Banks are increasingly using
10
Khanna Anurag, MD & CEO, Banknet India, Developments in Banking & Banking Technology, Banknet
Directory 2002-03.
11
RBI report on “Trend and Progress of Banking in India 05-06” published on 30th June 2006.
12
RBI measures - Payment Systems, Extract from the Inaugural Address by Dr. Y. V. Reddy Governor, Reserve
Bank of India at Twenty-Fifth Bank Economists’ Conference (BECON- 2003) on December 11, 2003.
13
Seokumar, Emergence of eBanking, 2005, http://www.1888articles.com/emergence-of-ebanking-0bo443i67a.html
14
15
Kamesam Vepa, Deputy Governor, Reserve Bank of India, Excerpt from Address Delivered at Central Bank of
Sri Lanka, Colombo, August 20, 2003.
16
Sumint Muntes, Chief Operating Officer, HSBC, “Disaster Recovery and Business continuity in banks”, Bank
Tech Summit, Taj Lands End Mumbai, 22 Sep 2005.
3
advance technology to implement “Customer Centered Applications” and with high-end
functionality such as Risk Management, Credit Monitoring etc.17 (Rao et..al, 2003).
1.1.2 ICT drives Indian baking to International standards

RBI has asked banks to accelerate the process of developing world class supporting
infrastructure and adopt alternative approaches to serve the customer by creating a
vibrant banking organization orientated to market dynamics providing relevant interfaces
between market demand and delivery capability18. The advancement in Information and
Communication technology has revolutionarized e banking as it allows bank branches to
network at a relatively low and affordable cost with a high degree of reliability19 (Shah,
2007). Internet banking is changing banking relationships by providing exceptional
savings, low rate credit cards, ease of applications and 24-hour access20 (Uchil, 2005).
Traditional banking is facing unprecedented competition from non-traditional banking
institutions, which offer services over the Internet21 (Balasubramanya, 2002).
Growing customer awareness, higher demand for low cost electronic services,
convenience and integration of banking services with e-commerce have resulted in highly
competitive internet banking market and those banks who don’t offer modern banking
will become marginalized22 (Shore, 2002). Banks in India are compelled to align with
International best practices23 (Reddy 2004). The measures of deregulation and increased
competition has lead to a situation where the survival of those banks who do not attain
higher levels of operations in continuity (Kamesan, 2003). Competition forcing banks to
offer multiple products and services24 (Jalan 2006).
17
Rao Gurram Ramachandra and Prathima Kasula, Internet Banking in India, Mondaq Business Briefing, April 11,
2003.
18
Report “India Banking 2010” submitted by McKinsey Consulting to RBI that was included in RBI Report on
Trend and Progress on Banking in India 2005-2006, RBI Publication, June 30,2006
19
Shah Shilpa, Executive, Banknet India, Mumbai, Indian banks moving towards electronic payment systems-
Banknet India, Third Annual Conference on Payment Systems in Banks", 10th January 2007
20
Uchil V. M, Chairman, Nextstep Infotech Pvt Ltd, Interview in July 2005
21
S. Balasubramanya, IT wave breaks over banking, The City, Aug - Sept 2002,
http://www.tcs.com/0_features/articles/it_banking_industry.htm
22
Shore Dave, “Web-based solutions can ensure business continuity”, Tech Republic, 20 May 2002,
http://techrepublic.com.com/5100-10878_11-1048802.
23
Reddy Amarender, Banking Sector Liberalization and Efficiency of Indian Banks, The ICFAI Journal of Bank
Management, Volume II May 2, 2004, P 37-53
24
Bimal Jalan, Governor, Reserve Bank of India, India’s economy in the new millennium, VBS Publishers Pvt. Ltd,
New Delhi, Aug 2006.
4
1.1.3 Business Continuity practice in Indian Banks
Banks need Business Continuity planning (BCP) and robust information risk
management system for minimizing the adverse effects of one of the important areas of
operational risk i.e. business disruption and system failures. They must thoroughly test
BCP to verify its full capability against the changing scenario and assumptions at
frequent intervals25 (Maiwald et al., 2002). The responsibility in respect of BCP rests
with the Board of directors and the top management to provide clear policy guidance and
direction26 (Parthasarthi, 2005). Constant technological change demands banks to
continually upgrade human resource skills and instill the necessary attitudes and work
culture27 (Yodmani et al, 2001) to ensure higher degree of continuity.
RBI, in recognition of increase in eventualities that might even throw banks out of
business, has issued detailed guidelines directing commercial banks to put in place
business continuity measures with lower cost of BCM programs to retain competitive
advantage total cost of BCM programs low to retain competitive advantage. These
programs are to implement by carrying out comprehensive risk assessment, establishing
infrastructure, organization and processes to ensure realization of targeted Recovery
Point Objectives (RPOs) and Recovery Time Objectives (RTOs). Given the complexity
and scale of operations it is necessary that these plans be supported by getting into
agreements with trusted and reliable agencies (Parthasarthy, 2005).
Reserve Bank has asked banks to adopt dual strategy for Disaster Recovery System
(DRS) / BCP - one for mission critical applications and the other for other applications.
The approach towards Business Continuity is to ensure that in case of any contingency,
operations are resumed within a minimal time gap of two hours in the case of mission
critical applications and within a day in the case of others. The IT resources and assets
are recommended to be consolidated in the form of Data Centres both at the Primary Site
and at the Recovery and Continuity sites28 (Das Gupta, 2002). RBI has advised banks to
review and upgrade BCM periodically and resort to insurance as risk mitigation strategy
25
Maiwald Eric & Seiglein William, Security Planning and Disaster Recovery, McGraw-Hill Professional, Osborne,
USA, Jan 2002, P 235 – 249.
26
Parthasarathi P., Chief General Manager, RBI, letter Ref. RBI/2004-05/420 DBS.CO.IS Audit.No.
19/31.02.03/2004-05 dated April 15, 2005 to All Chairmen / Managing Directors / Chief Executive Officers of
all Scheduled Commercial Banks
27
Dr.Suvit Yodmani and Dr.David Hollister, Disasters and Communication Technology: Perspectives from Asia,
Presented at the Second Tampere Conference on Disaster Communications, 28-30 May 2001
28
Das Gupta Soutiman, Banking on business continuance, BCP Stratégies, Network Magazine, August 2002
5
for externalizing risks to third party by reducing financial exposure during disruptions29
(Mani, 2003).
1.2 BCM Experiences of US & Europe

The experience of banks that have implemented dependable BCM solutions and met
contingencies effectively point at certain stark features enumerated in succeeding
paragraphs that could provide valuable lessons to banks in India.
Most progressive banks in western countries have BCM plans that are designed to protect
them against any disruptions, man-made or natural, catastrophic or relatively minor30
(Ambrosio, 2001) and are comprehensive enough to cover all consequences from large
scale disasters to certain trivial discontinuities like absence of key staff31 (O’Neil, 2005).
The BCM exercise undertaken by them are led by banks’ senior management with the
right level of experience and with their whole hearted support must for it to be effective
and not a mere corporate nuisance32 (Oltsik, 2004). Business units have driven their BCM
effort based on the interrelationships between the core department and other units in
bank and make recovery plan for processes that actually need them33 (Herbane et al,
1997).
Implementation of BCM has enabled the banks to survive as a legal and financial entity
by addressing entire key assets that are necessary to continue operations – process,
technology, people and facilities34 (Bleiberg, 2005). The success of the BCM plans,
where achieved is attributed to sound execution by the designated teams in the face of
disaster35 (Howarth, 2004). BCM of banks that have focused too much on technology
protection without effective development and deployment of policies and procedures to
react in minimizing damage and recovery have been found to be dysfunctional (O’Neil,
2005).
29
Rahul Neel Mani, Indian IT industry shies from investing in BCM initiatives,
http://www.expresscomputeronline.com/20030707/indtrend1.shtml, 7th July 2003.
30
Ambrosio Johanna, The Information Archirect: Disaster recovery: Know what you really need, Published:
10/25/2001.
31
O'Neill Shane, Senior News Writer, DR plans stuck on, 02 Feb 2005.
32
Oltsik Jon, Hot spots: So much can go wrong with disaster recovery. What can you do to ensure all goes well?
Published: Jun 2004, http://storagemagazine.techtarget.com/magItem/1,291266,sid35_gci969972,00.html.
33
Brahim Herbane, Dominic Elliott and Ethne Swartz ( Leicester Business School, UK), Contingency and continua,
Achieving Excellence through Business continuity planning, Business Horizons, December 1997.
34
Bleiberg Ron, SmartAdvice: Planning Ahead Means A Disaster Needn't Wipe Out Your Business, Aug. 22, 2005.
35
Howarth Fran, Business continuity planning: will your plans save you? Published: 12th January 2004,
http://www.it-director.com/article.php?articleid=11564.
6
Banks that have realized greater effectiveness of BCM have identified core processes that
need to be kept running to keep the business continuous together with key personnel and
technology infrastructure involved36 (Sharp, 2003). They have defined these processes
well, after collecting data from all stakeholders involved, documented well and stored
electronically37 (Smith, 2002). They have carried out detailed risk assessment of critical
assets and systems, for all core processes, that need protection against all potential threats
that can interrupt operations to deploy right alternate processes and technologies mostly
with support of external agencies to ensure business integrity (Oltsik, 2004).
Banks in US & Europe have faced large-scale disasters and hence have augmented their
BCM approach. They have increased redundancy of key resources and switched to
multiple Data Center sites operation by collaborating with third-party partners who have
multi site and multi platform capabilities supported on dependable communication
network38 (Coles, 2006). Banks have devised alternate processes that covers all critical
business functions including those of key outsourcers which they have well documented
and communicated. They have disseminated the information on alternate procedures
elaborately to all stakeholders and customers thereby increased their confidence in banks’
ability to provide normal services during disruptions39 (Watanagase, 2007).
Banks are implementing document management and imaging systems using modern tools
to house their loan documents40 (King, 2006 ). They have endeavored to ensure high
availability of solutions and productivity of employees while top management is focusing
on improving communication with customers and employees during disruptions to
customer confidence, brand value, market position 41 (Ryods, 2007). The common feature
of all the well-executed BCM plans is that they are simple and regularly updated with
systematic reviews proactively to ensure they remain current and effective42 (Kirkpatrick,
36
Sharp John, Business Continuity Management & The Duties Under Civil Contingencies Act, Continuity Forum,
April 2003, http://www.bristol.gov.uk/ccm/cms-service/download/asset/?asset_id=12781050.
37
Smith Laura, The new face of disaster recovery, Published: Mar 2002.
38
Warren Coles, Executive Vice President, PULSE EFT Association, Houstan USA comments in his interview with
Bank systems & Technology, Planning for Continuity, Feb 27, 2006.
http://www.banktech.com/showArticle.jhtml?articleID=181400621.
39
Mrs. Tarisa Watanagase, Governor, Bank of Thailand. BOT Notification No. 118-2550 (23-01-07),Jan 23, 2007
40
Jason King, Director of financial services, Hyland Software's Vendor's OnBase content management firm, Ohio,
USA comments in his interview with Bank systems & Technology, Planning for Continuity, Feb 27, 2006
http://www.banktech.com/showArticle.jhtml?articleID=181400621
41
James Ryods, founding partner of InfoSec Associates and past Chairman of Information Security & BS7799
Survive - The Future of Business Continuity Management, Credit Control, House of Words Ltd, Jan 2007.
42
Kirkpatrick ,Terry A remarked in report published in CIO Insight in 2002.
7
2002). Banks test the BCM plans with a battery of potential scenarios with total
participation of staff as even the best-laid plans did encounter unexpected challenges43
(Amato-McCoy et..al, 2006).
1.3 Elements of BCM Plan
The literature survey brought out elements of successful BCM Implementation that are
depicted in Fig 1.1 below. It also enabled working out of Research Hypothesis and
parameters for assessing effectiveness of BCM solutions that were used for module
development.
PROCEDURE
• Alternate Processes and Roles
• Multiple Site Operations
• Backup Site and Relocation
• Documentation of Procedures
• Culture of Empowerment and Innovation
FACILITIES PEOPLE
• Redundant physical space • Communications Planning
Elements of BCM
• Data Centres Implementation • Transportation
• Commercial Power • Involvement
• Access Controls • Training
TECHNOLOGY
• Security
• Servers and Storage Platforms
• Information and Data Backup
• Data Protection Technologies
• Network and Bandwidth
Figure 1.1 Elements of BCM Implementation
43
Amato-McCoy Deena M., Planning for Continuity, Bank Systems & Technology, February 27, 2006,
8
1.4 Gaps
The literature survey, primary research of BCM Practices in Indian Banks and focused
interactions with experts and consultants have brought to light following gaps in the
BCM Practice in Banks in India, particularly in small and medium banks.
1.4.1 Knowledge about BCM centered around western experiences

The literature, both printed and Internet based, contains comprehensive knowledge about
technology and processes in maintaining high level of business continuity, particularly in
banking and finance sector in North America and Europe. This has been mainly based on
reports by consultants and senior executives of affected banks who have met with serious
disasters in the last decade of high magnitude such as the September 11, 2001 incidence
of New York. The efficacy of these experiences may have no direct or limited relevance
to the Indian context (Reddy, 2003).
1.4.2 Framework for BCM in Banks not comprehensive

RBI has issued detailed instructions to the banks in India from 2002 onwards to plan and
implement BCM in their respective organizations and report status on a regular basis
(Kamesam, 2003). This has improved the level of continuity in most large banks from
technology and facilities perspective. There is a need for streamlining policies and
procedures as regards softer aspects such as alternate organization and readiness of
people to make BCM comprehensive so as to improve responses during the disaster and
the recovery phase (Jalan, 2006).
1.4.3 Absence of metrics to measure BCM effectiveness

There is no recognized framework to measure effectiveness of BCM implementation that
would enable banks to assess the present level of vulnerability and preparedness so as to
undertake measures to improve continuity. The first ever initiative in this regard is being
undertaken by Financial Services Technology Consortium (FSTC) in collaboration with
JPMorgan Chase, U.S. Bank, Bank of America, fifteen other top-tier banks and
technology companies under the technical guidance of Carnegie Mellon University, USA
to develop Financial Services Resiliency Model. This is the first effort of its kind in
creating a framework to benchmark for business continuity in Banks and Financial
Institutions using appropriate metrics, which is expected to be completed by 2008
(Wallen, 2006). The BCM health check metrics suggested as a part of the current study
thus would be a pioneering effort.
9
1.4.4 Shortfalls in BCM implementation by Banks in India
There are following gaps in BCM Implementation in Banks in India as compared to their
western counterparts:
Higher average cost of operations in comparison to International standards
Lower level of commitment to customers and customer service standards
BCM planning is mostly focused on IT set-up not so much in case of organization
and alternate support systems.
Lack of conformity to International standards and norms.
Inability to provide wider range of product and services through multiple delivery
channels.
Small banks are unable to offer wide range of products at reasonable price due to
inhibition in their ability to spend in technology.
Lack of documentation and communication of alternate processes
Non-availability of state of the art infrastructure and facilities
Non-deployment of IT in running banks internal processes
Lack of appropriate management of outsourced services and non-comprehensive
Service Level Agreements
1.5 Objectives of Research

This research work aims at providing frameworks and metrics to help management of
Banks in India in implementing effective BCM solutions and improve levels of continuity
in event of major disruptions. Following are the objectives in brief:
1.5.1 Comprehensive BCM framework

Develop a comprehensive framework to plan, implement, review and upgrade BCM
organization and practice for improving business continuity of financial organizations
focused to Banks in India. The framework is to be deduced from the collective
experiences present in the body of knowledge mostly articles and papers by consultants
and experts.
10
1.5.2 Status of BCM implementation by Banks in India
The state of BCM effectiveness of banks in India is to be ascertained using the
framework deduced from western experiences and gaps in improving BCM effectiveness
and continuity to be identified.
1.5.3 Development of metrics to measure BCM effectiveness

A framework to measure effectiveness of BCM implementation comprehensively
(organizational, procedural, technological, people and facilities) is to be developed based
on body of knowledge and actual implementation experiences in Banks. The metrics is to
serve as a barometer to measure effectiveness and identify gaps to plan improvements in
BCM and improve continuity
1.5.4 Deliverables for management in banks

This work intends to present the management in Banks in India with comprehensive
framework for BCM implementation, a metrics to measure effectiveness and suggestions
to improve continuity.
1.5.5 Improve business continuity for small and medium banks

This work aims at helping the management in small banks (less than 1 billion asset size)
who face challenges of financial and organizational strength due to their limitation in size
and operations. This is further challenged by the growing customer expectations and
increased competition forcing them to remain ‘continuous’ under all circumstances.
1.6 Scope of Work

The following is the scope of work:
1.6.1 Development of BCM Implementation Framework

A framework enumerating components of a successful BCM implementation based on
literature survey and primary research to be developed.
1.6.2 Focus on Operational and infrastructural issues

Issues related to procedures, policies and infrastructure (IT and facilities) from
operational (organization, processes & people) perspective that are required to ensure
high level of preparedness in Banks to ensure continuity were studied and critical
11
parameters identified. The study does not look at banking and financial risk and focuses
only on banking operations as regards continuity.
1.6.3 Metrics to measure BCM effectiveness

A framework of metrics to comprehensively measure effectiveness of BCM
implementation with a view to identify gaps and suggest improvements. The metrics is to
identify the BCM effectiveness numerically as regards strengths and vulnerability on
account of critical parameters.
1.6.4 Support to small banks

This study is to help small and medium banks to look at alternate and efficient ways of
planning and implementing BCM solutions to improve continuity. These banks do not
have financial and organizational strength to replicate the models practiced by large
banks.
1.6.5 Focus on softer issues

Most business continuity frameworks define methods to make IT infrastructure and
related facilities and organization dependable and efficient to ensure high state of
business continuity. This does produce results, as almost all processes in banks are IT
enabled. This has also brought about fair amount of standardization amongst banks to
deliver their products and services efficiently using IT. The growing competition as a
result of this, and globalization has raised customer expectations above the level of
efficient and timely service. Differentiations therefore (real or perceptions) will come
from managing softer issues of esteem, trust and image.
1.6.6 Mumbai as the sample of study

Mumbai has been chosen as a representative sample of banking practice in India since
more than forty percent of banking activity by value and twenty five percent by volume is
manifested from Mumbai. The city has either headquarters or major regional offices of all
banks from all categories: Public, Private, Cooperative; large, medium, small; urban,
semi-urban; local, export-oriented. The management and staff working in banks is drawn
from almost all states in the country thus providing an opportunity to study cultural
issues.
12
1.7 Hypothesis of the study
The following are the hypothesis of the study:
a. Higher the level of state-of-the-art IT infrastructure more is the reliability of the BC
practice and organizational strength, especially for banks that support multiple
products and services delivered through multiple channels.
b. The success in the implementation of BC practices as envisaged in enhanced image
and reputation of the bank depends on the softer aspects of Operations such as
employee awareness, readiness, empowerment, culture of innovation and
adaptability and Adherence to International Quality Standards.
c. Small banks are less resilient to meet major disruptions as compared to large banks
on account of technology and facilities due to their inability to invest in state-of-the-
art IT infrastructure and establish reliable and communicated procedures for
alternate operations.
1.8 Research Methodology

The following are the major phases of research:
1.8.1 Phase 1: Review of Literature

Survey of published information about implementation of BCM practices and
experiences (both success and failure) was carried out in detail to ascertain essential
ingredients of a comprehensive BCM organization and implementation in the financial
sector, particularly, banks. The literature studied included articles & publications and RBI
communications/directives to understand the regulatory provisions and state of BCM
Implementations in banks in India.
1.8.2 Phase 2: Development of BCM Implementation Framework

Based on the literature survey carried out above a theoretical framework for
implementing BCM in banks was developed. This framework encompasses features
related to design, organization, and implementation, costing, reviewing and upgrading
BCM initiatives in banking sector, particularly in India. The review enabled identification
of parameters to assess effectiveness of BCM solutions.
13
1.8.3 Phase 3: Primary Research to Evaluate Framework
Primary research was undertaken in selected banks in Mumbai who have implemented
BCM to evaluate the theoretical framework as regards completeness and effectiveness.
Interviewing corporate managers, bank unit heads and junior executives carried out the
study. Questionnaires (that were progressively evolved by testing on samples, on spot
observations and discussion with subject matter experts) were administered to various
levels for identification of factors that are responsible to create and implement successful
BCM. The learnings enabled identification of parameters, clustered in groups:
Organizational, Process, People, IT Infrastructure and Facilities, to measure effectiveness
of BCM Implementation in banks.
1.8.4 Phase 4: Development of BCM Model and Metrics

A generic model giving comprehensive framework addressing issues related to
Organizational, Process, People, IT Infrastructure and Facilities was developed based on
the results of primary research conducted in Phase 3. A set of metrics to measure
implementation status and performance of BCM and Operations was created. The model
and metrics were evaluated by focused group-discussions employing Delphi technique
involving Senior Corporate Managers from target large banks and consultants from top 5
Consulting companies in India.
1.8.5 Phase 5: Application of Model to Banks

The generic model developed and tested was applied and evaluated for its application to
selected banks in Mumbai The gaps in efforts of Small and Medium banks in
implementing BCM focusing on factors like cost, efficiency, organization structure and
climate were assessed in respect of target banks.
1.8.6 Phase 6: Recommendations for BCM implementation in Banks

The findings of the research undertaken in Phase 5 above served in formulating
recommendations for implementing BCM in banks in India with focus on Small and
Medium Banks, (SMB’s) together with performance evaluation metrics.
1.8.7 Phase 7: Scope for Future Work

The scope of work that can be undertaken in the future for developing a collaborative
framework for BCM implemented is presented.
14
1.9 Research Deliverables
The managements in banks in India are presented with two deliverables that are the
outcome of this study, to enhance their business continuity:
BCM Implementation framework
BCM Reality Check Metrics
1.9.1 BCM Implementation framework

A framework, based on the literature survey carried out as a part of this study and the
salient features of BCM model enumerated in the Disaster Recovery Journal (Volume 15,
No.3, Summer 2002), Canada44 has been developed. This is depicted in Figure 1.2 below
and brief description is provided in the succeeding paragraphs. The details are
enumerated in Chapter 2 paragraphs 2.7 to 2.9.
Preparing to implement a BCM
Project Initiation
Business Impact Analysis (BIA)
Maintaining and
Updating the BCM
Designing and developing a BCP
Implementation
Review and Testing
Figure 1.2 BCM Implementation Framework
44
Disaster Recovery Institute Canada, http://www.dri.com and http://www.incident response.org;
http://www.drii.org, July 2002
15
1.9.1.1 Why must banks invest in BCM
Banks need to invest in BCM by creating appropriate organization and infrastructure so
as to maintain their market position, preserve confidence of customers, governments &
shareholders and prevent losses to business and liabilities towards employees,
shareholders and customer claims (Herbane et al, 1997). Effective BCM ensures
prevention of discontinuities, quick response if they occur, speedy resumption of critical
tasks, early recovery of other non-critical processes and smooth restoration to normalcy45
(MacSweeny, 2003)
1.9.1.2 Embarking on a BCM project

Following steps are suggested to embark on project to design and implement a BCM:
Formation of BCM Implementation team drawn from both the bank and consultants
and having a rich blend of functional and practice experts46 (Gallagher, 2002)
Budgeting the BCM Program with provisions to provide adequate funding every year
to account for one time, annual maintenance and updating costs47 (Gondek (2002).
Conducting Business Impact Analysis (BIA) and related Insurance needs to examine
the threats, vulnerabilities and possibility of exposure of business to these ( Mawson,
2003).
1.9.1.3 Managing BCM Implementation project

A framework, based on literature survey, is suggested that gives steps to implement
BCM.
a. Project Initiation – Supported by Senior Management drawing objectives,
enumerating budget, details of resource requirements and reporting process48
(Karakasidis, 1997).
b. Business Impact Analysis - Identify and quantifying organizational risks

(financial and operational), critical business processes and supporting equipment
and systems with prioritization of risks / vulnerabilities that are to be insured by
alternative processes and recovery schematic49 (Rodetis, 1997).
45
Greg MacSweeny, Redefining Best BC Practice, Insurance & Technology, Aug 2003
46
Michael Gallagher, What is the worst that could happen, Financial Times, Printece Hall, May 2003
47
Richard Gondek, (Internetworking Practice Lead, Greenwich Technology Partners) Journal of Business Strategy,
Aug 2002
48
Kon Karakasidis, (KPMG Information Technology Consulting Division, Melbourne, Australia) A project
planning process for business continuity, Information Management & Computer Security, Vol. 5 , No. 2, Aug 1997
49
Susan Rodetis, Can your business survive the unexpected, Journal of Accountancy, Feb 1999
16
c. Designing and Developing a BCP -Feasible, realistic and workable BCM plans
aligned with organizational strategy, business objectives and priorities that can
effectively counteract interruptions to business activities and protect critical
business processes from the effects of major failures or disasters are to be drawn
out (Gallagher, 2003). Recovery system alternatives must have emphasis on the
importance of human factor, alternate emergency operations and processes using
technology components and the drill to rebuild the state of normal operations50
(Morganti, 2001). A Business continuity planning framework comprising of three
sections is suggested:
One - Sequence of resumption / recovery
Two - Steps to operationalize plan
Three - Maintenance Schedule & upgradation
d. Implementation - Banks must establish trained and committed teams to lead
manage and direct the organization through the crisis and provide necessary
technical, operational and administrative support to move to alternate scheme
during discontinuities and recover to normal scheme once crisis is over.
(Morganti, 2001) Agreement must be entered into with appropriate vendors for
delivery of replacement service/support within critical time frames. Allocation of
responsibilities, systems and processes must be worked out and communicated to
all concerned. (Rodetis, 1999)
e. Testing - BCM Plan and operating scheme needs to be tested for efficiency and
relevance from annually or after major organizational changes or an incident.
Testing proves that BCP is feasible and demonstrates the ability of the
organization to recover. (Gondek, 2002)
f. Maintenance and Updating the Plan - The BCM organization and practice must
be updated at least annually or after major organizational changes,
implementation of new systems, networks and hardware or changes in market
conditions / staff levels. (MacSweeny, 2003)
50
Michael Morganti, A business continuity plan keeps you in business, Record – The magazine of Property
Conservation, September 2001
17
1.9.1.4 Disaster Management
Disaster management is effected in the four distinct phases namely, mitigation,
preparedness, response and recovery (Yodmani et al 2001). As per DR Institute, Canada
outlines the priority in which disaster situation needs to be responded is safety and
prevention of injury to personnel on site first, prevention or limiting damage to facilities
and equipment second and keeping critical business functions operational next. Crisis
once triggered and not responded to appropriately can expand. A credible spokesperson
must lead the Media and provide Information to avoid speculations (Herbane et al, 1997).
1.9.2 BCM Reality Check Metrics

The BCM reality check metrics designed as a product of this study measures and
evaluates parameters, which are crucial for successful and effective BCM in banks, in
five clusters: Organization, Procedure, People, Technology and Facilities. For each
cluster parameters at measured at four levels: Corporate or strategic, Technical,
Methods/Tools and Review/Testing). These parameters are measured for
strength/preparedness (P) and Threats/Challenges(R) on a scale of 0-5 (low to high).
These are further qualified by measuring vulnerability of threats (V) and upgradation of
preparedness (T) on a scale of 0-1 indicating low to high probability and frequency
respectively.
Table 1.1 BCM Metrics Model
Measures
Parameters
P T RI R V VI
Organization (O) P1-n(O) T1-n(O) P1-n(O) * T1-n(O) R1-n(O) V1-n(O) R1-n(O) * V1-n(O)
Procedure (P) P1-n(P) T1-n(P) P1-n(P) * T1-n(P) R1-n(P) V1-n(P) R1-n(P) * V1-n(P)
People (H) P1-n(H) T1-n(H) P1-n(H) * T1-n(H) R1-n(H) V1-n(H) R1-n(H) * V1-n(H)
Technology (T) P1-n(T) T1-n(T) P1-n(T) * T1-n(T) R1-n(T) V1-n(T) R1-n(T) * V1-n(T)
Facilities (F) P1-n(F) T1-n(F) P1-n(F) * T1-n(F) R1-n(F) V1-n(F) R1-n(F) * V1-n(F)
18
The state of preparedness or vulnerability of BCM in target bank can be inferred by
application of the metrics by calculating two factors:
Resilience indicator (RI)= P*T
Vulnerability Index (VI) = R*V.
These two factors indicate the levels of strength and vulnerability of the bank from BCM
perspective from each of the parameter in the clusters. The summations of these two
indicators for clusters indicate the status at the cluster level.
Resilience
(Provided by Banks)
Continuity
Vulnerability
(Posed by Environment)
Figure 1.3 Level of Continuity
The test results of the metrics indicate that large banks are more resilient and less
vulnerable. The small banks are highly vulnerable on account of technology and
facilities. Both categories of banks are equally vulnerable from the perspective of
organizational readiness and thus merit more management definition on softer issues of
customer service and image.
19
The BCM reality check metrics model51 has been published under the title “Business
Continuity Model: A Reality Check for Banks in India” in the Journal of Internet
Banking and Commerce, August 2006. The paper is placed at Annexure 1 in this report.
The model has been appreciated and is in the process of incorporation as reference by
Banking Association of India to serve as BCM reality check framework by member
banks. This has been discussed during the bankers meet in April 2007 at La Meridian
Mumbai, organized by Banking Frontiers magazine.
1.10 Organization of Chapters

The chapters together with themes covered, following this introduction chapter where we
have presented the background of the research, scope, objectives and hypotheses being
tested, are outlined below:
1.10.1 Chapter 2 Review of Literature

This chapter presents the review of literature to assess the BCM practice implemented by
progressive banks in the world and the experiences accrued in India in this regard. The
chapter traces the banking scenario in India as regards level of operations, growth and
competition from Foreign and MNC banks. It explores the challenges faced by banks in
implementing dependable BCM and the compliance requirements as per RBI guidelines
by banks in India. The components of a comprehensive Business Continuity plan have
been deduced based on the literature survey of the BCM implementation experiences of
financial institutions and banks those have achieved success in Operationalizing them. A
BCM implementation framework was developed and presented in the chapter. The
parameters to assess effectiveness were also identified.
1.10.2 Chapter 3 – Research Methodology

This chapter describes the gaps in literature regarding frameworks and metrics for
successful BCM Implementation. The research methodology to validate the theoretical
framework of BCM Implementation, development of metrics model to measure
effectiveness of BCM solutions has been enumerated. The chapter highlights the
methodology for identification of samples and respondents. The reasons for selecting
Mumbai as representative sample are also explained.
51
Prof. Sunil Rai, Joint Director, S. P. Jain Institute of Management & Research, Mumbai, India and Dr. Lakshmi
Mohan, Information Technology Management Faculty, School of Business, University at Albany, State
University of New York, “Business Continuity Model: A Reality Check for Banks in India” in the Journal of
Internet Banking and Commerce, August 2006, vol. 11, no.2 (http://www.arraydev.com/commerce/jibc/)
20
1.10.3 Chapter 4 - BCM Survey in Indian Banks
The chapter elaborates the survey and findings conducted on major banks in Mumbai.
The survey was designed to validate the theoretical framework of BCM Implementation
developed based on the literature survey. The parameters that can be used to measure the
effectiveness of BCM Solutions based on experiences of select banks that have
implemented BCM were identified. This formed input to development of BCM Metrics
model described in the next chapter. This chapter also presents a case study about
successful implementation of BCM by a leading bank that was proved in the face of a
disaster. A paper entitled52 “Business Continuity Management in Banks – The Indian
Experience”, has been published by the researcher in “Journal of Internet Banking and
Commerce, August 2006” which is based on the primary data survey enumerated in this
chapter. This paper is available on http://www.arraydev.com/commerce/jibc/.
1.10.4 Chapter 5 - BCM reality check Model for Banks in India

This chapter describes a framework for carrying out reality check using metrics and
suggested methodology to plan and implement BCM in banks. The BCM reality check
metrics measures and evaluates parameters in five clusters (Organization, Procedure,
People, Technology and Facilities) at four levels (Corporate, Technical, Methods/Tools
and Review/Testing). The inferences drawn from application of the metrics help ascertain
the levels of strength and vulnerability of the bank from BCM perspective from each of
the parameter in the clusters. A paper entitled53 “Business Continuity Model – A reality
checks for banks in India ”, has been published by the researcher in “Journal of Internet
Banking and Commerce, August 2006” which is based on the application of the model to
select banks. This paper is available on http://www.arraydev.com/commerce/jibc/
1.10.5 Chapter 6 - Recommended BCM model and evaluation metrics for SMBs in India
This chapter details the application of the BCM model to eight large, six medium and
eight small banks in Mumbai at various levels of management involving close to 100
52
Prof. Sunil Rai, Joint Director, S. P. Jain Institute of Management & Research, Mumbai, India & Dr. Lakshmi
University of New York, “Business Continuity Management in Banks – The Indian Experience”, Journal of
Internet Banking and Commerce, August 2006, vol. 11, no.2
(http://www.arraydev.com/commerce/jibc/)
53
Prof. Sunil Rai, Joint Director, S. P. Jain Institute of Management & Research, Mumbai, India & Dr. Lakshmi
University of New York, “Business Continuity Management in Banks – The Indian Experience”, Journal of
Internet Banking and Commerce, August 2006, vol. 11, no.2
21
respondents. The collated data was normalized and analyzed iteratively to draw
comparison amongst target banks and recommend steps of successful and reliable BCM
implementation in SMBs. The critical success factors and steps recommended to SMBs,
to improve their resilience and counter vulnerability from continuity perspective while
planning and implementing reliable BCM Organization & Infrastructure and its operation
& maintenance, are enumerated.
1.10.6 Chapter 7 – The way ahead

The chapter indicates few of the limitations of the proposed BCM Model and the way in
which the same can be strengthened while applying to banks desirous of implementing
BCM. The Future scope of work as regards enhancing measurability of parameters and
their analysis to improve usability is described.
22
CHAPTER 2
REVIEW OF LITERATURE
2.0 Overview of Indian Banking

Banking is a mirror of economy as illustrated by the symbiotic growth of economic
reforms and banking (Balachandran, 2006)1 The major participants of the Indian
financial system are the Commercial Banks, the Financial Institutions (FIs),
encompassing term-lending institutions, investment institutions, specialized financial
institutions and the state-level development banks, Non-Bank Financial Companies
(NBFCs) and other market intermediaries such as the stock brokers and money-
lenders. The commercial banks and certain variants of NBFCs are among the oldest of
the market participants. The FIs, on the other hand, are relatively new entities in the
financial market place.
Jalan (2006) believes that intense competitive pressure on the financial system has
generated a variety of products and services to meet the specialized needs of millions
of customers. The impact of these changes in the international financial system
resulted in initiation of the process of integrating Indian economy with the global
economic order2. This ushered in the phase of financial sector reform that primarily
aimed at aligning the Indian banking system to the international best practices
(Reddy, 2004). The Indian financial system is presently undergoing a major phase of
metamorphosis3.
As per Jalan (2006), banking has become the major partner in growth and
development of any nation or society. This is particularly the case with fast
developing economies such as India. The disruptions in banking activity can pose a
major threat to this cause. Dell ( et al 2004) state that the continuity of banking system
1
Powerhouse”,Mumbai, 18th July 2006.
2
Bimal Jalan, Governor, Reserve Bank of India, Indias economy in the new millennium, VBS Publishers Pvt.
Ltd, New Delhi, Aug 2006.
3
Reddy Amarender, Banking Sector Liberalization and Efficiency of Indian Banks, The ICFAI Journal of Bank
Management, Volume II May 2, 2004, P 37-53
23
can be enhanced and crisis during disruptions can be better managed by collaborative
efforts of legal, regulatory and the banking system.4
2.1 Growth of Banking System in India

The history of Indian banking that be identified in three phases throws up several
insights into the development of banking industry in India. The phases of
development are compiled from the reports on banking reforms and liberalization by
Shrivastav (1999)5, Prabhu (2001)6 and Reddy (2004) are summarized below.
2.1.1 Pre - Nationalization Phase (1786 - 1969)

Bank of Hindustan, set up in 1870, was the earliest Indian Bank. Banking in India on
modern lines started with the establishment of three presidency banks under
Presidency Bank's act 1876 i.e. Bank of Calcutta, Bank of Bombay and Bank of
Madras. Reserve Bank of India Act was passed in 1934 & Reserve Bank of India
(RBI) was constituted as an apex bank without major government ownership. Banking
Regulations Act was passed in 1949. This regulation brought Reserve Bank of India
under government control and gave RBI wide ranging powers for supervision &
control of banks. The Act also vested licensing powers & the authority to conduct
inspections in RBI
2.1.2 Nationalization of Banks (1969 - 1991)
In 1955, RBI acquired control of the Imperial Bank of India, which was renamed as
State Bank of India (SBI). The RBI enforced compulsory merger of weak banks with
the strong ones reduced the number of banks from 566 in 1951 to 85 in 1969. The
government of India nationalized 14 major banks and acquired 6 large banks to ensure
that banks play role of catalytic agents for economic growth. The Narsimham
Committee report suggested wide ranging reforms for the banking sector in 1992 to
introduce internationally accepted banking practices.
4
Dell’Ariccia Giovanni, Detragiache Enrica and Rajan Raghuram, Executives IMF, The Real Effect of Banking
Crises, October 2004
5
Pradeep Srivastav, Department of Banking surveillance, RBI, “Computerization, efficiency and Financial
reforms” a report published by RBI, September 1999
6
Prabhu Giridhar G., Achal Industries, Mangalore, Paper presented at Symposium on Privatization of
Nationalized Banks – Corporation Bank Officers’ Organization (R), Mangalore on 21st July, 2001
24
2.1.3 Liberalization: Financial and Banking Sector reforms (1992 onwards)
Liberalization and deregulation witnessed in the Indian markets in the 1990s resulted
in a spurt in banking activity in India which was further accelerated due to advances
in communication technology enabling banks to expand their reach, both in terms of
geography covered as well as new products introduced (Yodmani et al, 2001)7. This
period saw increased competition in wholesale banking due to the entry of foreign
banks and new private sector banks. Reddy (2004) observes that competition from
multinational banks and entry of new private sector banks has rewritten the rules of
the retail lending business in India. The Indian retail lending market is relatively
unexplored with the per-capita usage of retail product offerings as compared to Asian
peers. The relative size of the Indian market, backed by factors such as a growing
population of bankable households, low penetration rate for retail finance products
and the increased propensity of the urban populace to take credit, offers scope for
expansion (Jalan, 2004).
This period witnessed developments in technology that challenged traditional banking

models resulting in introduction of Automated Teller Machine (ATM) cards, debit
cards and internet banking that changed the face of banking forever as they provide
customers with choice and convenience (Hoenig, 1998)8. As per Kamesam (2003),
foreign banks operate with higher efficiencies in their niche markets being the
innovators in terms of technology introduction in the domestic scenario, focused
operations and lower but more productive employee force.9 The PSB’s have greater
reach, great size and access to low cost deposits due to their strong presence in the
rural and semi-urban sector. Table 2.1 presents the picture of banking space in India
as shared by various categories of banks.
7
Dr.Suvit Yodmani and Dr.David Hollister, Disasters and Communication Technology: Perspectives from Asia,
Presented at the Second Tampere Conference on Disaster Communications, 28-30 May 2001.
8
Hoenig Thomas M., President, Federal Reserve Bank of Kansas City, Kansas City, Missouri, Financial
Modernization: Implications for the Safety Net Conference on Deposit Insurance, , Washington, D.C.,
January 29, 1998
9
Kamesam Vepa, Deputy Governor, Reserve Bank of India, Excerpt from Address Delivered at Central Bank of
Sri Lanka, Colombo, August 20, 2003
25
Table 2.1 - Number of Branches of Scheduled Commercial Banks10
Bank Group Number of Branches
Rural Semi- Urban Metro- Total

urban politan
Public Sector Banks (PSBs)
Nationalized Banks 12,992 7,120 7,056 7,017 34,185
State Bank Group 5,229 4,023 2,449 2,110 13,831
Private and Foreign banks
Old Private sector Banks 936 1,447 1,236 947 4,566
New Private Sector Banks 97 322 674 857 1,950
Foreign Banks NIL 1 27 221 259
Total 19,254 12,933 11,452 11,152 54,791
2.1.4 The Current Banking System

Banking System in India functions under the umbrella of Reserve Bank of India and is
organized in three categories: Commercial banks, Regional Rural Banks and Co-
operative banks. The commercial banking structure consists of Scheduled
Commercial Banks (included in the Second Schedule of RBI) and Unscheduled
Banks. The banking sub sector comprises of Public sector banks who have either the
Government of India or RBI as the majority shareholder (SBI and its subsidiaries and
Other nationalized banks). The Private sector comprises of fast growing banking
majors such as ICICI Bank, HDFC Bank, Kotak Bank etc. Last decade has witnessed
greater participation of foreign banks – Citibank, HSBC, American Express, ABN
Amro, Standard Chartered etc. There are two main categories of the co-operative
banks. Short term lending oriented co-operative Banks (State co-operative banks,
District co-operative banks and Primary Agricultural co-operative societies) and Long
term lending oriented co-operative Banks (land development banks at state, district
and village level).
As per Djankov (et al, 2005), Indian banks, under favorable macroeconomic
environment, have improved their asset quality and risk management practices using
10
Courtesy: RBI Report on trend and progress of banking in India 2005-06 June 30, 2006, Page 97.
26
more vigorous systems and scoring models for identifying credit risks.11 There is an
increased focus on retail loans and diversification of credit base. The percentage of
retail loans to total loans and retail portfolio of banks is given in tables 2.1 and 2.2
respectively below.
Table 2.2 - Percentage of Retail Loans to Total Loans12
Loan Type 2004 2005 2006
Retail 22 24 26
Housing 10 12 14
Consumer Durable 1 1 1
Credit Card 1 1.5 2
Others 10 11 13
Table 2.3 - Retail Portfolio of Banks13
Outstanding as at end
March (in Billion Rs.) Percentage
Item
Variation
2005 2006
Housing Loan 1342.76 1791.16 33.4
Consumer Durable 38.10 44.69 17.3
Credit Card receivables 84.05 124.34 47.9
Auto Loan 350.43 613.69 75.1
Other Personal Loans 850.77 1183.51 39.1
Total Retail Loans 2666.10 3757.39 40.9
Percentage of Retail of Total 23.5 25.5
Total Loans & Advances 11250.56 14737.23 31.0
11
Djankov, S. C. McLiesh and A. Shleifer (2005), Private credit in 129 countries, NBER Working Paper 11078,
January 2005.
12
13
27
2.1.5 Banking Functions and Processes
Banks are custodians of public money and promote lending or deposits. A list of
activities undertaken by the banks is given below:14
2.1.5.1 Deposit accounts

The following types of accounts are offered to customers:
a. Fixed Deposits
b. Savings Accounts
c. Current Account
2.1.5.2 Lending money to the public

Banks lend money to public using the deposits received and thereby earn interest.
Following are the methods adopted:
a. Cash credit Account
b. Overdraft
c. Bill discounting
d. Term Loans
2.1.5.3 Commercial Lending

Banks provide commercial loan for a variety of purposes both for long and short
tenures. Based on customer profile, these loans are of two types:
a. Corporate Loans
b. Retail Loans
2.1.5.4 Domestic Lending

Banks provide credit to public to meet their needs and promote economic growth.
a. Short Term Finance (STF)
b. Long Term Finance (LTF)
14
Banking Regulation Act of India, 1949 and Negotiable Instruments Act 1881
28
2.1.5.5 Global Lending
The funding avenues potentially open to a borrower in the global capital markets can
be categorized as follows:
a. Bonds (Straight Bonds, Floating Rate Notes , Zero-coupon and deep discount
bonds, Bonds with a variety of option features embedded in them)
b. Syndicated Credit (usually at floating rate of interest)
c. Committed Underwritten Facilities (buyers' and suppliers' credits)
d. Project Finance
2.1.5.6 Remittance Business

Banks carry out, act of transfer of money, both domestic and foreign, from one place
to another, on behalf of their customers, using following instruments:
a. Demand Draft
b. Mail Transfers or Mail Orders
c. Telegraphic Transfers or Tele Orders
d. Electronic Mode of Transfer
2.1.5.7 Trustee Business

Banks act as trustees for various requirements of the Corporates, Government and
General Public.
a. Lockers
b. Collection Business
2.1.5.8 External Commercial Borrowings (ECB)

Indian firms' are provided access to global capital markets through ECB by way of
loans, suppliers' and buyers' credits, fixed and floating rate bonds (without
convertibility) and borrowings from private sector windows of multilateral Financial
Institutions.
29
2.2 Technology deployment in Indian Banking Industry
Indian banking industry, today is in the midst of an IT revolution. Khanna (2003)
believes that a combination of regulatory and competitive reasons have led to
increasing importance of total banking automation in the Indian Banking Industry. 15
2.2.1 Technology Adoption by Banks in India

The Indian Banking witnessed a massive growth post nationalization (1950’s) that
resulted in an explosion of sorts in volumes of transactions and inter-branch
reconciliation that challenged manual handling. It was in this background that the first
steps towards automation were taken. The whole system of reporting and
reconciliation of transactions was revamped and modernized in early 1970’s
(Srivastav, 1999). Some efforts to develop Management Information System (MIS) in
the area of Deposits and Advances through use of Uniform Balance Books etc., which
finally matured in the form of Basic Statistical Returns (BSRs) were developed. In the
early 1980s the advent of Personal Computers (PCs) brought significant development
on the bank computerization that was necessitated by inability of manual transaction
handling methods, which led to dwindling customer service and increasing complaints
(Kesavam, 2003). However, mechanization of any kind was opposed by the Unions
and resulted in slowing down of computerization drive in Indian Banks (Srivastav,
1999). The current state of computerization in Public Sector Banks16 is captured in
Table 2.4 below.
Table 2.4 Computerization in Public Sector Banks
Srl. Branch Computerization Status Percentage
1 Branches already Fully computerized (other than 48.5

branches under Core Banking Solution)
2 Branches under Core Banking Solution 28.9
3 Fully computerized Branches (I+II) 77.5
4 Partially computerized Branches 18.2
15
Khanna Anurag, MD & CEO, Banknet India, Developments in Banking & Banking Technology, Banknet
Directory 2002-03
16
RBI Report on trend and progress of banking in India 2005-06 June 30, 2006, Page 98
30
RBI undertook massive drive in end 1980s to speed up Information Technology (IT)
deployment in Indian banks by issuing explicit and exhaustive instructions and
guidelines to hasten the pace automation of operations in the banking sector in a
phased and planned manner (Kesavam, 2003)17. The focus by this implementation
(justifiably) was on customer service and automation of operations in other areas like
funds transfer, electronic mail and ATMs etc. While most Private Sector and MNC
Banks have achieved higher degree of computerization by implementing modern
technological solutions, the Public Sector banks are now making investments in this
regard (Balachandran, 2006). The extent of computerization achieved in Public Sector
Banks18 is given below:
Table 2.5 Extent of Computerization of Branches PSBs (as on March 31, 2006)
Srl. Extent of Computerization Number of Banks
1 Less than 20 percent 3
2 More than 20 and upto 40 5
5 More than 80 22
2.2.2 The Present Level

The Financial Reforms that were initiated in the early 90s and the globalization and
liberalization measures brought in a completely new operating environment to the
banks those were till then operating in a highly protected milieu. Kesavam (2003)
observes that the arrival of foreign banks and financial Institutions, the setting up of a
number of private banks and the measures of de-regulation that encouraged
competition has led to a situation where the survival of those who do not join the race
will become difficult. As per Padmanabhan (2005) unless the state-of-the-art IT is
introduced as early as possible, winning new business and even holding on to the old
17
The high level committee formed under the chairmanship of Dr. C Rangarajan, then Governor of the Reserve
Bank of India, drew up a phased plan for computerization and automation in the Banking Industry over a
five year time frame of 1985-89
18
31
one will become increasingly difficult. Services and products like "Anywhere
Banking" "Tele-Banking" "Internet banking" "Web Banking" , e-banking, e-
commerce, e-business etc. have become the buzzwords of the day and the banks that
are trying to cope with the competition are offering innovative and attractively
packaged technology-based services to their customers19.
The importance of effective MIS for control of operations and of maintaining

customer and business/industry databases for strategic planning has also been
realized. As per Muntes (2005) banks are looking at Data warehousing, Data mining,
Business Restructuring etc. as most essential things to have as early as possible and
are taking urgent steps to computerize the operations in their administrative and
controlling offices (viz. head /zonal/regional offices) as well as the data collection
machinery, so as to evolve an effective MIS20. The present level of MIS covers,
basically, information needed for control, performance monitoring, decision making
etc. and encompasses most activities in administrative offices like processing of
statutory returns under Reserve Bank of India Act, monthly/quarterly performance
reports from branches, credit information/BSR, inter-branch transactions, personnel
inventory, provident fund accounting, profit and loss accounts, cash and investment
management, stationery stock accounting, and branch house keeping etc.
2.2.3 Information and Communication Technology (ICT) revolutionizing e-banking

The establishment of nation wide networks by RBI under the stewardship of Institute
for Development of Banking Research and Technology (IDBRT), Hyderabad has
revolutionarized the speed of banking transactions. These networks have integrated
localized bank networks with the entire financial system and have enabled the banks
to interconnect their already-computerized branches. This has ensured providing
comprehensive service to customers and at the same time has given banks better-
centralized control over the branch operations.
The use of electronic mode of payment has increased, both in terms of volume and
value, during 2005-06 compared with the previous year. The share of electronic
transactions constitutes 46.7 per cent in terms of volume and 51.2 per cent in terms of
value in 2006 of the total transaction. Table 2.6 below shows the increase of
19
G Padmanabhan, Chief General Manager, Dept of IT, RBI, “Business Continuity – a new priority for banks”,
Bank Tech Summit, Taj Lands End Mumbai, 22 Sep 2005
20
Sumint Muntes, Chief Operating Officer, HSBC, “Disaster Recovery and Business continuity in banks”, Bank
Tech Summit, Taj Lands End Mumbai, 22 Sep 2005.
32
electronic transactions as compared to paper based transactions in the last four years
showing the wide spread use of technology by banks in India. Reddy (2006) believes
that the increase in electronic banking is a result of unprecedented success of RTGS,
operationalized on March 26, 2004. The number of RTGS branches reached about
23,000 and the volume crossed 200,000 transactions by March 2006. This has resulted
in higher speed and efficiency of inter-bank funds transfer and customer transactions.
Table 2.6 - Paper Based v/s Electronic Transactions21
Volume (in Lacs) Value (in Billion Rs.)

Year
Paper-based Electronic Paper-based Electronic
2002-03 10,139 1,730 134,243 375
2003-04 10,228 2,152 115,959 675
2004-05 11,671 4,220 101,207 42,211
2005-06 12,895 11,330 113,370 118,844
As per RBI report on “Trend and Progress on Banking in India 2005-2006”, published
June 30, 2006 large number of Banks in India have implemented Core Banking
Systems and have adapted electronic Payment and Settlement and systems22.
This revolution in ICT sweeping the nation and the world has resulted in phenomenal
improvement of communication infrastructure and the Internet technologies that has
allowed branches to network at a relatively low and affordable cost with a high degree
of reliability (Shah, 2007)23 .RBI has been instrumental in setting different levels of
networked systems, which have collectively become the backbone for
interconnectivity among banks/ branches enabling automation of areas like funds
transfer, electronic mail etc (Seokumar,2005). The networks and systems that form
the mainstay of e-banking in India listed below:
21
22
The overall turnover through the various payment and settlement systems has risen by almost 300 percent.
This has been mainly due to higher usage of retail payment in the form of electronic clearing services
(ECS), Magnetic Ink Character recognition (MICR) and Non-MICR – RBI report June 2006.
23
Shah Shilpa, Executive, Banknet India, Mumbai, Indian banks moving towards electronic payment systems-
Banknet India, Third Annual Conference on Payment Systems in Banks",10th January 2007.
33
2.2.3.1 BANKNET
A communication network backbone connecting, at present, seven centres viz.
Mumbai, Delhi, Calcutta, Madras, Nagpur, Bangalore and Hyderabad. Set up in 1991
by the RBI, this backbone is meant to facilitate transfer of inter-bank (and inter-
branch) messages within India by Public Sector banks who are members of this
network.
2.2.3.2 'INFINET’ Indian Financial Network

A satellite based wide area network using VSAT (Very Small Aperture Terminal)
technology set up by the RBI in June 1999. The hub and the Network Management
System of the INFINET are located in IDRBT, Hyderabad and is used by a Closed
User Group of the member banks of the network called the "INFINET User Group".
The applications running on INFINET are e-mail, Electronic Clearing Service - Credit
and Debit, Electronic Funds Transfer and transmission of Inter-city Cheque
Realization advices.
2.2.3.3 S.W.I.F.T
Eight Indian banks are part of the international financial messages communication
network, namely, Society for Worldwide Inter-bank Financial Telecommunication
(S.W.I.F.T). It provides reliable and expeditious telecommunication facilities for
exchange of financial message all over the world. The gateway is in Mumbai and
efforts are on to other cities through leased lines/public data network.
2.2.3.4 Electronic Data Interchange (EDI)

EDI is a computer-to-computer transfer of details of commercial or administrative
transactions using an agreed protocol and standard data structure.
2.2.3.5 Electronic Funds Transfer (EFT) System

EFT System hosted and operated by the RBI, permits transfer of funds, upto Rs. 5 lacs
from any account at any branch of any member bank in any city to any other account
at any branch of any member bank in any other city.
34
2.2.3.6 MICR (Magnetic Ink Character Recognition) Clearing
The MICR cheque pre-printed with the bank-branch code and account type in MICR
strip are read by high-speed readers and sorters at Service Branches of member banks
and the National Clearing Centres at Metros / Clearing Houses ensuring speeding up
of clearing work.
2.2.3.7 Electronic Clearing Services (ECS)

ECS enables payment from a single account at a bank branch to any number of
accounts maintained with the branches of the same or other banks.
2.2.3.8 ECS - Debit

This scheme is to facilitate payment to utility companies, like Telephones, Electricity
etc.
2.2.3.9 ATM network - SWADHAN (Shared Payment Network System -SPNS)

The ATMs deliver services like cash withdrawal / deposit, balance enquiry,
depositing cheques for collection, request for transfer of funds, request for cheques
book, etc using a pre-agreed secret Personal Identification Number (PIN), which
uniquely identifies a customer using this network.
2.2.3.10 Real Time Gross Settlement System (RTGS)

RTGS is large values funds transfer system whereby financial intermediaries can
settle inter bank transfers for their own account as well as for their customers. The
system effects final settlements of inter bank funds transfers on a continuous,
transaction- by-transaction basis throughout the processing day. More than 120
scheduled commercial banks and primary dealers are now a part of the RTGS.24
2.2.3.11 Centralized Funds Management System (CFMS)

CFMS provides for a centralized viewing of balance positions of the account holders
across different accounts maintained at various locations of RBI.25
24
RBI plans national settlement system, BS Banking Bureau in Mumbai, May 04, 2005.
25
Modernizing Payment Systems is a Top Priority for Indian Banks, Banknet India’s Conference on Payment
Systems in Banks, Mumbai, January 17, 2006.
35
2.2.3.12 Certification and Digital Signatures
IDRBT is designated as the Controller of Certifying Authorities by the Government of
India for digital signatures. Consequently, the process of setting up of Registration
Authorities (RA) under the CA has commenced at various banks. In addition to the
Negotiated Dealing System (NDS), the ECS and EFT are also being enhanced in
terms of security by means of implementation of PKI and digital signatures using the
facilities offered by the CA.
2.2.3.13 Multi-application Smart Cards

Efforts are in hand to formulate standards for multi-application smart cards to ensure
inter-operable systems to effect money transfers between vendors and banks under the
aegis of the Ministry of Communications and Information Technology, Government
of India.
2.2.3.14 National Electronic Funds Transfer (NEFT)

NEFT has been created, using the backbone of the Structured Financial Messaging
System (SFMS) of the IDRBT, to provide for movement of electronic transfer of
funds in a safe, secure and quick manner across branches of any bank to any other
bank through a central gateway of each bank, with the inter-bank settlement being
effected in the books of account of banks maintained at RBI.
2.2.3.15 National Settlement System (NSS)

NSS supports the clearing and settlement activities throughout member banks and
associated financial institutions.
2.2.3.16 Secured Payment Systems (SPS)

SPS provides a safe, secure, efficient and integrated payment and settlement system
for the country (Reddy, 2003) using RTGS that facilitates the optimum utilization of
funds.26
26
RBI measures - Payment Systems, Extract from the Inaugural Address by Dr. Y. V. Reddy Governor, Reserve
Bank of India at Twenty-Fifth Bank Economists’ Conference (BECON- 2003) on December 11, 2003.
36
2.3 Internet Banking in India
According to Mishra (2005), the Indian Banking industry has come a long way and
the journey ahead, promises to be exciting and eventful. Developments and changes in
Indian economy during the last decade have created an entirely new set of
challenges27. According to Rao (et al, 2003) the application areas for the newer
technology in banks can be by and large divided in two categories28:
a. Customer centered technology applications - the solutions like Internet Banking,

Anywhere branch banking, Mobile Banking, Core Banking Solutions
b. High end (Functionality) applications - encompasses Risk Management solutions,
Straight Through Processing (STP), Credit Monitoring Systems for the data
collections etc.
2.3.1 Internet Banking Promise

As per Uchil (2005), the Internet banking is changing the banking industry and is
having the major effects on banking relationships. Quoting, Morgan Stanley Dean
Witter Internet research Uchil (2005) emphasizes that Web is more important for
retail financial services than for many other industries. Internet banking involves use
of Internet for delivery of banking products & services. As per Rao (et al, 2003) a
successful Internet banking solution promises exceptional rates on savings and easy
online applications with twenty-four hour account access and high quality customer
service with personal attention for all accounts, including personal loans and
mortgages. Besides the Internet banking increases customer loyalty and facilitates
attracting new customers and reduces customer attrition.
2.3.2 Indian Banks on Web

The banking industry in India is facing unprecedented competition from non-
traditional banking institutions, which now offer banking and financial services over
the Internet. The deregulation of the banking industry coupled with the emergence of
new technologies, are enabling new competitors to enter the financial services market
quickly and efficiently (Balasubramanya, 2002). Indian banks are going for the retail
banking in a big way. However, much is still to be achieved. A study conducted by
Indian Institute of Management Lucknow IIML under guidance of Mishra (2005)
shows some interesting facts mentioned below:
27
Mishra A. K., Professor, IIM Lucknow, Internet Banking in India – Part I, Conference paper, Booz Allen &
Hamilton, August 2005
28
Rao Gurram Ramachandra and Prathima Kasula, Internet Banking in India, Mondaq Business Briefing, April
11, 2003.
37
a. Throughout the country, the Internet Banking is in the nascent stage of
development (only 50 banks are offering varied kind of Internet banking services)
b. In general, these Internet sites offer only the most basic services. 55% are so
called 'entry level' sites, offering little more than company information and basic
marketing materials. Only 8% offer 'advanced transactions' such as online funds
transfer, transactions & cash management services
c. Foreign & Private banks are much advanced in terms of the number of sites &
their level of development.
2.3.3 Emerging Challenges in Internet banking

Shore (2002) believes that financial institutions that don't offer home banking will
become marginalized.29 A large sophisticated and highly competitive Internet
Banking Market is expected to develop which following will drive:
a. Demand side pressure due to increasing access to low cost electronic services
b. Emergence of open standards for banking functionality
c. Growing customer awareness and need of transparency
d. Global players in the fray
e. Close integration of bank services with web based E-commerce or even disinter
mediation of services through direct electronic payments (E- Cash)
f. More convenient international transactions due to the fact that the Internet along
with general deregulation trends, eliminate geographic boundaries
g. Move from one stop shopping to 'Banking Portfolio' i.e. unbundled product
purchases.
2.4 Current Trends of BCM Preparedness in International Banks

The banks (particularly in US & Europe) that have faced large scale disasters have
augmented their BCM approach and organization by adding additional features over
and above existing set ups to ensure higher level of continuity. These are summarized
below:
29
Shore Dave, “Web-based solutions can ensure business continuity”, Tech Republic, 20 May 2002,
38
2.4.1 Increased redundancy & multiple Data Center sites
Herring (et al 2002) says banks in US are cautious about increase in operational risk
arising out of use of more highly automated technology, large-scale mergers and
acquisitions, demand of providing large-volumes, increased prevalence of outsourcing
and the greater use of financing techniques.30 They tackle this risk by providing
redundancy for business continuity planning at the level of bank, industry and global
environment facing the danger of cyber-terrorism to the entire financial system.
Increasing disruptions faced by banks have revealed their lack of immunity in event
of disasters and is forcing them to re-evaluate the strength of their backup plans,
renew their focus on preparedness as they rethink their risk management strategies
and bolster their business continuity plans else they face the danger of even getting
extinct, believes Ryods (2007)31. As per him banks are supporting their BCM
structure on hot sites, web-based communications networks and modern imaging
solutions as tools needed to survive a catastrophe. Massaro (2003) enumerates that
recovery within target time during a wide scale disruption requires an appropriate
level of diversity between sites. Back up sites should not rely on same components of
infrastructure such as location, transportation, telecommunications, electricity and
water.32
2.4.2 Increased collaboration with third-party partners

Coles (2007) opines that increasing magnitude and frequency of disruptions arising
out of disasters of various kinds, faced by banks have rendered their internal business
continuity plans inadequate.33 They have to therefore consider collaborating with
third-party partners who have multi site and multi platform capabilities supported on
dependable communication network to seamlessly connect into banks’ data
processing environments to ensure continuity of operations. Large numbers of third
party providers are seeing this as viable business opportunity in USA informs Coles
(2007).
30 Richard J. Herring and Frank Diebold, Operational Risk Poses Challenges to Financial Institutions and
Regulators, Published: July 03, 2002 in Knowledge@Wharton, Wharton School at the University of
Pennsylvania.
31
James Royds, founding partner of InfoSec Associates and past Chairman of Information Security & BS7799
Survive - The Future of Business Continuity Management, Credit Control, House of Words Ltd, Jan 2007.
32
Kerry Massaro, Mapping out BCP guidelines, Wall street Technology magazine, June 2003, pages 21 to 22.
33
Warren Coles, Executive Vice President, PULSE EFT Association, Houstan USA comments in his interview
with Bank systems & Technology, Planning for Continuity, Feb 27, 2006.
39
2.4.3 Well documented and communicated alternate processes
Watanagase (2007) states that banks in Thailand have ensured that their BCP covers
all critical business functions including those of key outsourcers and provide for
detailed procedures to recover operations within specified timeframe after disruption
with provision for alternate resources for operations such as headcounts, IT &
communication systems, office equipment, contracts, insurance policy and ‘Sites”. 34
Alternate Sites are located at a distance which would not be impacted by same mishap
and does not utilize the same sources of utilities. Banks provide regular BCP trainings
for employees and those concerned in operating using alternate processes and
resources. They disseminate information on alternate procedures elaborately to
establish customer relations procedures and methods in the event of a disruption to
reinforce confidence among stakeholders their ability to continue to provide normal
services.
2.4.4 High availability of Solutions and Productivity of employees

Kelly (et..al 2002) observes that progressive banks in developed world decentralized
their locations, dispersed their intellectual capital, and yet maintain the strong bonds
of trust and mutual dedication, which is the foundation of success in their crisis
response.35 These organizations have negotiated the trade-off between security and
profitability, between preparedness and competitiveness. Das Gupta (2002) believes
that ensuring the uninterrupted operation of businesses using highly available
solutions and increased employee productivity and mobility is an issue of increasing
importance more than ever before, not just for large banks but also for medium and
small banks as well.36
2.4.5 Computerized document management

King (2007) informs that most banks in USA have updated their document
management system using modern tools such as ‘OnBase’ to house their loan
documents and images leveraging Web-based technology, such as Westlake to ensure
34
Mrs. Tarisa Watanagase, Governor, Bank of Thailand. BOT Notification No. 118-2550 (23-01-07),Jan 23,
2007
35
John Kelly & David Stark Presented at the Reginald H. Jones Center’s 3rd Annual conference on the Internet
and Strategy- “The Internet and the 21st Century Firm” April 12, 2002(WP 2003-02).
36
Soutiman Das Gupta, “BCP Strategies – Banking in Business continuance”, Network magazine, Express
Computer group, Indian Express, Aug 2002.
40
‘anywhere anytime’ access to data ensuring high degree of continuity from customer
perspective during business disruptions.37
2.4.6 Continuous contact with employees during disasters

Martin (2007) emphasizes that communicating with employees during a disaster is of
top concern to ensure continuity. Bank executives could communicate using satellite
telephones using Voice over Internet Protocol (VoIP) supported on Virtual Private
Networks (VPNs) that maintain high level of privacy at low-cost. During Hurricane
Katrina staff used cell phones and e-mail exchanges through Blackberrys as long as
they could keep the batteries charged.38
2.4.7 Brand value and Customer Confidence

Royds (2007) strongly proposes that rigorous market conditions of present times
demand something more than recompense in the event of disasters. There is a real
need to keep a business up and running in order for it to remain competitive besides
the pressure from regulators to reduce corporate risk exposure. The risk to customer
confidence, brand value, market position and the financial implications of being kept
from doing business for any period of time are too great to be ignored, assets Ryods
(2007).
2.4.8 Appropriateness of BCM in social and economic context

Yodmani (et..al 2001), observes that the advances in ICT and Features of Inter
Operability of varied communication systems have contributed immensely in
mitigating and preventing disasters. The effective application of ICT in ensuring
Business Continuity depends greatly upon their appropriateness for the social and
economic context in which they are applied. Reddy (2002) enforces these thoughts
when he advices the policy makers in banks to match their objectives with those of
the markets providing comfort and assurance thereby taking them into confidence.
This will ensure sustenance of image in the eyes of customers enhancing trust.
37
Jason King, Director of financial services, Hyland Software's Vendor's OnBase content management firm,
Ohio, USA comments in his interview with Bank systems & Technology, Planning for Continuity, Feb 27,
2006, http://www.banktech.com/showArticle.jhtml?articleID=181400621.
38
Pat Martin, Vice President, Corporate Communications, Regions Bank, Birmingham, USA comments in his
interview with Bank systems & Technology, Planning for Continuity, Feb 27, 2006
http://www.banktech.com/showArticle.jhtml?article ID=181400621
41
2.5 Business Continuity Management in Banks in India
There can be no doubt about the immense potential and unbound opportunities offered
by advances in Banking practices and use of technology39. However, there are pre-
requisites and preparations, which have to be made before the full benefits of the tech
economy, can be harvested. The Disaster Recovery (DR) management and Business
Continuity Plans (BCP) have gained significance after the events of September 11,
2001. Considerable emphasis is placed on regular review, updating and testing of
disaster recovery and business continuity plans.
Kamesam (2003) highlighted the use of technology for ensuring continuity in banks
by planning for disaster. He believes that the use of technology in manifold areas of
operations by banks and other institutions have made processes and functions
increasingly reliant on technology that has opened up vistas of operational risks,
which need to be addressed, and disasters planned for if the use of information
technology is to be prevented from backfiring. 40 Herring (et al, 2002) emphasizes that
payment failures and consequent financial disruption could be ignited by technical
failures thereby adding a new dimension of ‘operational risk’ to the existing array and
credit, liquidity, settlement and price risks, which operators, overseers and
participants of payment and settlement systems have to deal with41. All of this places
greater onus on bankers to take appropriate measures against such system failures,
including injecting additional liquidity to troubled institutions and/or systems to avoid
a technical failure from disrupting the entire system42. Kamesam (2003) asserts that
the dimension of technology risk has assumed critical importance post September 11
and RBI has taken BCP very seriously directing banks to implement two sets of
standby arrangements for each of the systems.
As per Das Gupta (2002), RBI has adopted a dual strategy for its Disaster Recovery
System (DRS) / BCP - one for mission critical applications and the other for other
applications so as to ensure that in case of any contingency, operations are resumed
within a minimal time gap of two hours in the case of mission critical applications and
within a day in the case of others43. While both the applications are planned to have
39
European banking industry attitudes towards IT continuity explored, 18th Jan 2006,
http://continuitycentral.com/news02296.htm
40
Kamesam Vepa, Deputy Governor, Reserve Bank of India, Excerpt from Address Delivered at Central Bank
of Sri Lanka, Colombo, August 20, 2003
41
Richard J. Herring and Frank Diebold, Operational Risk Poses Challenges to Financial Institutions and
Regulators, Published: July 03, 2002 in Knowledge@Wharton, Wharton School at the University of
Pennsylvania
42
Core Banking Infrastructure - Sustenance and Deployment, Special Report, Indian Bank’s Association, March
2006, http://www.iba.org.in/iba_ibs.asp#
43
Das Gupta Soutiman, Banking on business continuance, BCP Stratégies, Network Magazine, August 2002
42
off-city recovery and business continuity site/s, the mission critical applications are to
have on-city recovery and continuity site as well. Reddy (2003) indicates that the IT
resources and assets of banks are to be consolidated in the form of Data Centres both
at the Primary Site and at the Recovery and Continuity site/s. Data processing
requirements of the Central Office Departments (CODs) would be provided by the
systems at the Data Centre. Normal day-to-day operations of the Regional Office
(RO) applications and other locations would work independently, i.e., independent of
the Data Centres but would provide means to upload daily transactions to these Data
Centres. In case of an emergency, the affected COD/RO would operate the computer
systems from the Data Centre/s either remotely from the affected location or from its
application from any of the two Data Centres, asserts Das Gupta (2002).
2.5.1 Implementation of Business Continuity Planning in Banks

In the backdrop of growing complexity of financial products and the increased
leveraging of technology and its heightened sophistication, operational risks have
assumed critical importance in recent times. The treatment of operational risks as a
distinct risk category along with credit and market risks in the Basel II framework is a
manifestation of the vital role played by operational risks in impacting risk profile of a
bank. Royds (2007) believes that operational risks can also have a systemic
connotation in the event of contagion through channels like the payment system and
undermine public confidence in the banking system44.
2.5.2 Preparedness status of banks in India

As per Balachandran (2006), banking reforms and entry of multi national as well as
private banks in the Indian market has fueled this process which has been further
hastened by higher disposable income, increase in young high wage earners,
burgeoning middle class and increased dependence of agriculture and manufacturing
on banking. This has brought in newer technology, products, processes, people and
alignment with international standards. Jalan (2006) highlights that banks support
growth of economy by intermediation of funds, managing macro economic balances
and ensuring operations which are underpinning public trust. There is a need to create
a vibrant banking organization that promotes orientation of organizational structure to
market dynamics providing relevant interfaces between market demand and delivery
capability. The cost of operations in Indian Banking is higher in comparison to
44
James Royds, founding partner of InfoSec Associates and past Chairman of Information Security & BS7799
Survive - The Future of Business Continuity Management, Credit Control, House of Words Ltd, Jan 2007
43
International Standards45. This calls for reorganization of structure and processes
supported on sound ICT Infrastructure.
Reddy (2006) indicates that in the last five years, banks witnessed a significant
growth, as a result of which the share of off-balance sheet exposures in total assets
increased sharply to 152.5 per cent at end-March 2006 from 57.7 per cent at end-
March 2002, reflecting the impact of deregulation, risk management operations,
diversification of income and new business opportunities thrown up by advances in
information technology.46 Net profits of public, old private sector and foreign banks
increased by 17.3 per cent during 2005-06 as against the decline of 5.9 per cent last
year. Net profits of new private sector banks declined as compared with the previous
year. The Return on assets (RoA), which is an indicator of efficiency with which
banks deploy their assets, remained almost unchanged. 3.66. Return on equity (RoE),
an indicator of efficiency of banking institutions in using its capital, declined further
to 12.7 per cent in 2005-06, reflecting mainly the impact of a higher capital (Reddy,
2006).47
2.6 Gaps in BCM Implementation in Banks in India

The following are major gaps in BCM implementation in banks in India as com pared
to their western counterparts whose BCM efforts are established and have withstood
the challenges of large disruptions.
2.6.1 Customer focus

Technology is a business driver and not just enabler. Intelligent use of technology
involves sharing of networks and processing power coupled with product innovations,
something most progressive banks have attained. RBI has issued a code of banks
commitment to customers to set standards of customer service and redresal procedure.
45
A comparative analysis indicates that average operating costs of bank in India as a percentage of assets is
2.7% as compared to progressive economies such as USA and Japan is at 1.7 percent – Jalan (Aug 2006).
46 Y.V. Reddy , Governor RBI, Report on trend and progress of banking in India 2005-06 June 30, 2006, Page
77 submitted to the Central Government in terms of Section 36(2) of the Banking Regulation Act, 1949
47 RBI Report on trend and progress of banking in India 2005-06 June 30, 2006, Page 84
44
2.6.2 Small banks face bigger challenge
Balachandran (2006), believes that small banks face inhibitors such as ability to spend
in technology and offering wide range of products at reasonable price as they do not
get advantage of economies of scale48. Resorting to consolidation of existing
infrastructure and resources can reduce this limitation to begin with. Joseph (2003),
based on research conducted by Peripheral concepts infers that most large banks have
comprehensive BCM solutions in place but small banks do not have even plans in
place49.
2.6.3 Higher operating costs

As per Jalan (2006), the average operating costs of bank in India as a percentage of
assets is 2.7% as compared to progressive economies such as USA and Japan is at 1.7
percent. This is due to lack of orientation of organizational structure and processes in
relation to the market demand and systematic use of ICT 50. Banks being the drivers
of growth of economy need to manage operations in a manner that enhances public
trust.
2.6.4 BCM is IT Focus and not comprehensive

As per a report published in Financial Times (June 2005), most banks continue to
emphasize compliance with disaster recovery requirements focusing largely on
enhancing resilience of IT Systems. They do not prepare for a comprehensive
Business Continuity51. Dhawan (2003), summarizing his experience of surveying a
large number of Banking Financial Services and Insurance (BFSI) sector
organizations in India reveals varied levels of preparedness on account of business
continuity amongst organizations that have or are implementing BCM. Most of them
have given serious thought to BCM planning in their IT set-up but not so much in
case of organization and alternate support systems52.
48
M.Balachandran, CMD, Bank of India, Seminar on “Indian Banking Shaping and Economic Powerhouse”,
Mumbai, 18th July 2006.
49
Kovar, Joseph F, Helping SMBs to weather the storm, CMP Media LLC quotes research conducted by Farid
Neema, President, Peripheral Concepts, Santa Barbara , www.CRN.com, pages 56, 57, 28 July 2003
50
Bimal Jalan, Governor, Reserve Bank of India, Indias economy in the new millennium, VBS Publishers Pvt.
Ltd, New Delhi, Aug 2006.
51 Financial Times, June 2005, Business Continuity and Disaster Recovery.
52
Dhawan, Consultant KPMG, comment in the article “Indian IT industry shies from investing in BCM
initiatives”, 7th July 2003, Express computers. Indian Express Group.
45
2.6.5 Conformity to International standards
Various measures initiated by RBI have brought about refinement in regulatory norms
and supervisory process, while providing increased operational flexibility to financial
institutions. Reddy (2006) informs that RBI endeavours to implement best prudential
risk management practices comparable to global standards through a transparent and
consultative process.
2.6.6 Portfolio of products and services

As per Jalan (2006), the growing competition and need for compliance with
International Standards to operate in global environment banks have to evaluate
existing service delivery options and investments in BCM Infrastructure and
Processes. The MNCs and private Banks have wide ranging product and services that
are provided through multiple delivery channels. Large PSBs are now catching up.
However, the smaller banks continue to rely on traditional banking and have limited
offerings.
2.6.7 Deployment of IT in running processes (Banking and non Banking)

Both types of banks have attained high degree of computerization. Core banking
solutions have been implemented in almost 80% of PSBs. However, the non banking
processes have not been computerized fully. Personnel and general administration
there fore continues on partially computerized/manual systems. Private sector and
MNC banks are better placed on this accord.
2.6.8 Availability of state of the art infrastructure in terms of facilities in IT

Large PSBs and almost all private/MNC banks have near world class IT infrastructure
with central data centers and a combination of recovery sites( near and far). The data
centers are equipped with powerful servers, storage systems and security solutions.
Most banks in this segment have adopted modern and contemporary practices such as
Sever and Data consolidation, Enterprise Application Integration and Application
Virtualizations. Small and medium banks have severe limitations in these regards.
Whereas in most cases the branches and offices are computerized and CBS
implemented, the inter branch processes and data movements still takes place through
convention methods owing to lack of appropriate infrastructure.
46
2.6.9 Management of outsourced services
Pereira (2002), believes that the complexity involved in rendering the reliable
technology based solutions leave banks with no choice but to outsource most of their
support activities that are backed by comprehensive Service Level Agreements
(SLA’s)53. Mani (2003) believes that the level of dependence on service providers is
very significant and hence service providers’ health is equally responsible for the
success of BCM plan. The entire supply chain including Service providers like rail,
road, air transport, telecom infrastructure providers, etc has to be fully prepared to
handle crisis so as to support business continuity management. Large banks have
most of their support processes outsourced to reliable agencies who are big and
reputed. These are also backed by comprehensive SLAs that are professionally
managed. Smaller banks have outsourced non-banking activities but to small time
players where both quality and reliability are below par.
2.6.10 Lack of Documentation

Mani (2003) describes that while most banking & finance organizations in India
recognize the importance of having a foolproof business continuity plan as crucial to
business continue but only a meager 29 percent, have a documented, corporate-wide
and tested BCM plan in place. As a contrast to this scenario about 84 percent
organizations in the US have already gone about implementing disaster recovery (DR)
and business continuity (BC) solutions.54
2.7 BCM Implementation Planning
2.7.1 BCM Implementation Challenges

This section presents a BCM Framework based on successful and international
practice in designing and implementing reliable BCP practice and organization in the
banking sector and instructions issued by RBI for Indian Banks on the subject.
Before September 11, 2001 organizations had inherent resistance to fund BCM
Projects. Shore (2002) indicates that the tragic events of September 11, 2001, hit the
financial sector particularly hard with respect to technology and business interruption.
It has been estimated that 30,000 securities positions (defined as trading, sales,
research, and operations positions) were lost in the seven WTC buildings, and another
15,000 to 20,000 positions in the adjacent buildings. It is estimated that it will cost
53
Brian Periera, implementing a Business continuity plan, network magazine, issue of Aug 2002.
54 Rahul Neel Mani, quotes KPMG survey in his article “Indian IT industry shies from investing in BCM
initiatives”, 7th July 2003, Express computers. Indian Express Group.
47
$3.2 billion to replace technology at the affected securities firms.55 As per Shore
(2002), these losses taught hard lessons to companies across the world about the need
for solid disaster recovery (DR) and business continuity (BC) planning. 56
As per Webster (2002), a business can be interrupted by an all-out disaster such as a

hurricane, or it can be brought to its knees by human error -- someone corrupting a
database either accidentally or on purpose”. 57 A business has to be ready for anything,
man-made or natural, catastrophic or relatively minor. The vast majority of things that
take systems off-line fall into the category of human error. Unplanned down time
generally is not due to a disaster (Ambrosio, 2001).58 More organizations in US &
Europe have executed BCM plans that will keep a business running in the event of a
terrorist attack, computer virus or natural disaster. They have formal crisis
management and emergency response plans, and test them at least annually (Deloitt
and Touche, 2005). 59 O’Neill (2005) observes whilst many organizations BCM plans
in place but the management of business continuity remains an area of weakness. 60 It
is therefore pertinent that banks implement and execute comprehensive BCM to
address all discontinuities, small or big, natural or man-made. Bleiberg (2005) says,
“A comprehensive business-continuity plan must enable you to survive as a legal and
financial entity in case of disaster. To do this, the plan must address the entire key
assets that are necessary to continue operations -- process, technology, people as well
as facilities”. 61
2.7.2 Greater need to implement BCM in banks

Croy (2006) observed that several banks on east coast USA that suffered large scale
damages from Katrina could not bring up applications until January 2006. He predicts
that some organizations may never recover62. Citing findings of his research large
number of financial institutions that do not have well organized BCM plan in place
55
Tower Group, a research and advisory firm, study 2002.
56
Shore Dave, Web-based solutions can ensure business continuity, Published: 5/20/02.
57
John Webster, a senior analyst at Illuminata Inc. in Nashua, N.H., Disaster Recovery Journal, September
2002.
58
Ambrosio Johanna, THE INFORMATION ARCHITECT: Disaster recovery: Know what you really need,
Published: 10/25/2001
59
Deloitte & Touché LLP and CPM Global Assurance conducted a survey of 200 corporate and IT managers
from various industries. Fifty percent of respondents said that they have a 20% increase over levels that
were five years ago in 2005.
60
O'Neill Shane, Senior News Writer, DR plans stuck on, 02 Feb 2005
61
Bleiberg Ron, SmartAdvice: Planning Ahead Means A Disaster Needn't Wipe Out Your Business, Aug. 22,
2005
62
Michael Croy, Director of business continuity for Forsythe Solutions Group Bank systems & Technology,
Planning for Continuity, Feb 27, 2006.
URL: http://www.banktech.com/showArticle.jhtml?articleID=181400621
48
Croy (2005) predicts that 90 percent of unprepared companies that suffer 10 days of
data center downtime for any reason will be out of business within a year.
Reddy (2006) emphasizes in his remark in RBI Report 2006 that it is imperative for
banks to prepare for business disruptions and system failures and ensure continuity of
operations. Such plans would provide resilience to banks to tide over natural
calamities. The unprecedented floods in recent times in a few cities and the resultant
reports of electronic delivery channels of some of the banks being affected has further
reinforced the need for robust business continuity plan (BCP) in banks. In recognition
of such eventualities, detailed guidelines were issued by the Reserve Bank in April
2005 requiring commercial banks to put in place business continuity measures within
63
a fixed time frame.
Reddy (2006) advises that banks while maintaining or increasing the level of
protection are to keep the total cost of BCM programs low to retain competitive
advantage. Emphasis must be laid on replicating those processes that enhance
meaningful Business Continuity by ensuring greater value to customers. Pereira
(2002) recommends that BCM plans cover the entire value chain of banking to ensure
that in no condition there is a loss to stake holder value and brand equity. Kapoor
(2005) asserts that BCP must be looked at from the perspective of larger issue of
sustainability or survivability of organizations and not at immediate profitability or
impact64.
Reddy (2006) quoting Mckinsy Consulting65 has advised banks to accelerate the
process of creating of world class supporting infrastructure and adopt alternative
approaches to win the “race for the customer” and build a value-creating customer
franchise. Banks, particularly PSBs have been instructed to fundamentally strengthen
institutional skill levels especially in sales and marketing, service operations, risk
management, the overall organizational performance, ethics and strengthen human
capital to remain ‘continuous and competitive’ from global perspective.
63
64 Sameer Kapoor, Executive Director, PWC comments in interview to Financial Times, June 2005 on
“Business Continuity and Disaster Recovery”.
65
Report “India Banking 2010” submitted by McKinsey Consulting to RBI that was included in RBI Report on
Trend and Progress on Banking in India 2005-2006, RBI Publication, June 30,2006.
49
2.7.3 The importance of Implementing BCM
Ninety four percent of businesses that suffer large data losses go out of business
within 2 years. Forty three percent of them never reopen and 51% close down within
two years being unable to sustain business losses66. Herbane (et al 1997) suggested
that banks need to invest in Business Continuity Planning by creating an organization
and infrastructure, to ensure:
a. Maintain Market Position

b. Preserve confidence of customers, governments and shareholders – Retain good
employees and customers
c. Prevent Liabilities towards Employees, Shareholders and Customer Claims
d. Prevent losses to business.
MacSweeny (2003) defined that BCM is successful business continuity planning

which not only assists in recovering but also ensures continuity of core, strategic,
revenue generating business and delivery unit operations and processes. It would also
assist in continuity of operations of the banks administrative and staff support. The
plan has to include:
a. Prevention – Positioning of those measures and activities that lessen the

possibility of the impact of a discontinuity or an accident occurring in the bank or
any of its delivery/support units.
b. Response – The policies, procedures and actions to be followed in the event of an
eventuality to ensure continuance of business, containment of impact and safety of
personnel, data and equipment.
c. Resumption- The process of planning and implementing resumption of only the
most sensitive (core) banking operations immediately following a disruption using
alternate (if required) site.
d. Recovery – The process of planning and implementing resumption of less
sensitive (core) banking operations immediately following a disruption
e. Restoration – Repair/ Relocation of the primary site and restoration of normal
operations.
66
Disaster Recovery Journal (Volume 15, No.3, Summer 2002).
50
MacSweeny (2003) lists the objectives of a good BCM system:
i. Effectiveness
ii. Efficiency
iii. Ease of implementation
iv. Good Documentation
v. Tested (frequent checks)
vi. Scalability
vii. Well Communicated
viii. Comprehensive – covering critical business operation
2.7.4 BCM Planning

A BCM Planning Framework has been developed based on the experiences cited in
literature. It has been enhanced by the recommendations of senior managements of
banks shared with the researcher during the primary data survey stage and validated
by experts from well known consulting firms in India. A brief schematic is depicted in
figure 2.1 below. The issues related to policy and planning process are enumerated in
paragraphs 2.7.5 and elements of BCM implementation in paragraph 2.7.6.
BCM Plan
Policy Process Elements

Comprehensiveness of Definition & Procedures
BCM plans Documentation of People
Involvement of Senior Processes Technology
Personnel Email & Document Facilities
Processes Management
Organization & People Policies & Procedures
BCM Planning Process Evaluating Plans
Figure 2.1 BCM Planning Framework
51
2.7.5 The BCM Plan
Developing a BCM involves exhaustive planning that requires top management
support and buy-in of the entire organization. The succeeding paragraphs enumerate
Principles of BCM Planning

Policy
Planning Process
2.7.5.1 Principles of BCM Planning

Parthasarthi (2005) has enumerated the BCP methodology as recommended by RBI to
all banks67 advices inclusion of:
a. Identification of critical businesses, owned and shared resources with supporting
functions (the BCP template shall include IT Continuity Plan template)
b. Structured risk assessment based on comprehensive business impact analysis
c. Formulating RTO based on Business Impact Analysis. It may also be periodically
fine-tuned by benchmarking against industry best practices.
d. Critical and tough assumptions in terms of disaster so that the framework would
be exhaustive enough to address the most stressful situations
e. Identification of the Recovery Point Objective (RPO) for data loss for each of the
critical systems and strategy to deal with such data loss
f. Alternate procedures during the time systems are not available
g. Clearly documented and tested processes for shifting to secondary/back-up
systems and sites
h. Risk management by implementing Information System (IS) design and
architecture to attain the bank’s agreed RTOs and RPOs.
i. Minimizing immediate damage and losses
j. Restoring critical business functions, including customer-facing systems and
payment & settlement systems like cash disbursements, ATMs, Internet banking,
call centers, etc.
k. Establishing management succession and emergency powers
l. Addressing Human Resource (HR) issues and training aspects
m. Providing for the safety and well being of people in the branch or at the location at
the time of the disaster
n. Use of external resources/ support
67
Parthasarathi P., Chief General Manager, RBI, letter Ref. RBI/2004-05/420 DBS.CO.IS Audit.No.
19/31.02.03/2004-05 dated April 15, 2005 to All Chairmen / Managing Directors / Chief Executive
Officers of all Scheduled Commercial Banks
52
o. Having specific contingency plans for each outsourcing arrangement based on the
degree of materiality of the outsourced activity to the bank's business
p. Ensuring service providers for critical operations have BCPs in place and also
periodically test the same
q. Compatibility and co-ordination of contingency plans at both the bank and its
service providers
r. Action plans, practical manuals and testing procedures
s. Independent audit and review of the BCP and test results
t. Periodic updating to absorb changes in the institution or its service providers
2.7.5.2 Policy
No matter how good the technology protection that one puts in place, the onus is on
the effective development of policies that will allow organizations to react in
minimizing damage. A plan that is not enforced is not worth the paper that it is
written on.
a. Comprehensiveness of BCM plans
As per a report published in Security magazine, post the September 2001
incidence most large companies have put in place new company wide procedures
to improve their ability to deal with disasters of all kind even though the spending
on business continuity hasn't consistently increased 68. O’Neill (2005), says
“Companies that focus too much on technology have to realize that they are not a
computer center; they are running a business. Replication technologies from
storage vendors are improving, but successful business continuity starts with IT
and business units agreeing on how technology drives the business”.
b. Involvement of Senior Personnel

Senior people with the right level of experience must lead the DR planning effort,
so they can work with business people in a peer-based relationship without getting
intimidated or buried by details they don't understand (Oltsick, 2004). As per
DeZabala, "Only a third of executives in companies that have implemented DR,
believe they have comprehensive BCM governance in place, and only half of
them include their senior executives in the program management." 69. Oltstick
(2004), believes that a lukewarm support from executive management to BCM
exercise can reduce it to a mere corporate nuisance.
68
Security magazine, New York : Rethinking Risk, Published: September 16, 2002
69
Ted DeZabala, principal and national security services leader of Deloitte & Touché, conducted a survey on
large number of companies in UK, commented Financial Services Technology September, 2002.
53
RBI has issued policy guidelines for all banks to maintain appropriate
organizations & structures to deal with major disruptions arising out of natural
calamities.70 As per Killawala, (2006), banks have a duty to provide customers
with uninterrupted access to bank accounts and must facilitate the opening of new
accounts by persons affected by natural disasters; especially so that people can
quickly receive relief and aid given by the Indian government and other agencies.
c. Processes
Changing business processes (internally to the institution and externally among
interdependent financial service providers) and new threat scenarios require
maintenance of viable BCPs. An effective BCP should take into account the
potential for wide-area disasters that impact an entire region and for the resulting
loss or inaccessibility of staff. It should also consider and address
interdependencies, both market-based and geographic, among financial system
participants as well as infrastructure service providers. Maiwald (et al, 2002)
observe that in most cases, Recovery Time Objectives (RTO) are now much
shorter than they were even a few years ago. It is, therefore, pertinent that banks
put in place a BCP including robust information risk management system and
thoroughly test it to verify its full capability against the changing scenario and
assumptions at frequent intervals.
Howarth (2004) in his study of banks in UK found that most of them were ill
prepared to deal with crises caused by physical or electronic disasters. Many of
them had a business continuity plan in place, only just over one-third of those had
suffered an IT disaster over the last five years. Only 50% of them used the
measures that they had put in place in the business continuity plan to solve the
problem.71 The inability to execute well-planned BCM impacts most organizations
that have structured BCM Practice implemented.
d. Organization & People

If while attempting computerization processes manual processes are simply
mimicked full benefits of computerization will not be realized. Mechanism of
processes needs to be accompanied by business process re-engineering and a re-
look at business processes and workflow patterns if inefficiencies in manual
70
Reserve Bank of India provides business continuity instructions to banks, August 11, 2006
71
Compass Management Consulting, Survey Carried out in 2004
54
systems are to be eliminated and the potential of computerization fully realized.
Constant technological change poses a great challenge for human resource
development. Yodmani (et al, 2001) believes that advances in information and
communications technology has implications, in some cases radical implications,
for human resource functioning, attitudes and skill sets. There is a need for
considerable and continuous up gradation of human resource skills and fine tuning
of human resource management strategies with a view to enhancing the level of
knowledge, sharpening skills and also to instill the necessary attitudes and work
culture. 72
2.7.5.3 BCM Planning Process

For financial services organizations, successful contingency plans need to establish
how to provide continued access to business processes while maintaining security and
confidentiality in the event of an incident. It is important to remember that BCM is
concerned with defining a set of business consequences.73 As per Amato-McCoy et
al., (2006), even the best-laid plans can encounter unexpected challenges. Experts
suggest that banks update their business continuity plans on a quarterly basis and
regularly test their continuity frameworks. "Business continuity exercises are a must
to ensure [their] effectiveness. A battery of potential scenarios guide staffs through
mock recovery plans. This ensures their effectiveness." 74
a. Planning
Business Continuity planning is a key pre-requisite for minimizing the adverse
effects of one of the important areas of operational risk – business disruption and
system failures (Maiwald et al., 2002)75. It is imperative that all banks have BCPs
in place to be in readiness to tackle serious business disruptions. As per
Parthasarthi (2005), the responsibility in respect of BCP rests with the Board of
directors and the top management to provide clear policy guidance and direction,
prioritizing critical business functions, allocating sufficient resources, reviewing
test results and ensuring maintenance and periodic updating.
72
Trivedy Ravi, Partner KPMG and Girish. V., BFSI Consultant, Excerpts from meeting held on August 22,
2005 and September 19, 2005 respectively.
73
Hidden threats to enterprise: will your business continuity go according to plan? Report published in Financial
Services Technology June 2003.
74
Romir Bosu, CEO for CompuShare (South Coast Metro, Calif.), a provider of information technology
consulting and solutions for the financial services industry.
75
Maiwald Eric & Seiglein William, Security Planning and Disaster Recovery, McGraw-Hill Professional,
Osborne, USA, Jan 2002, P 235 – 249.
55
b. Planning Process
For financial services organizations, successful contingency plans need to
establish how to provide continued access to business processes while maintaining
security and confidentiality in the event of an incident. It is important to remember
that BCM is concerned with defining a set of business consequences 76
Problems in the primary BCM planning phase tend to center on deficiencies in

project organization, definition or corporate support. A BCM project that isn't
clearly defined at its onset will likely be fraught with problems throughout its life.
Olstick (2004), iterates that the scope and details of the project ought to be
documented, business processed defined, right people identified and schedules are
realistic & clear. There has to be an agreement on the plan from all departments
and parties before marching ahead.
During this phase of a BCM plan, the project team must define business processes
and collect supporting data. Sharp (2003), explains that some BCM planners may
get lost trying to understand complex business processes and trying to put them
into the right context for the plan while others may understand the processes, but
are stymied by poor document management. Many of the snags described here are
due to poor preparation during the project planning process. As per Olstick
(2004), a thorough effort at the beginning of the project will quickly uncover any
areas where data gathering may require some detective work.
c. Definition and Documentation of Processes

All business processes should be documented. Olstick (2004), asserts that the
BCM plan is about the business, not the people on the BCM team. Should the
need arise to train new employees; well-written processes will accelerate that
training. If it should become necessary to outsource an operation while you're
rebuilding your infrastructure, the processes can be used to train outsourced staff
as well (Bleiberg, 2005).
d. Email & Document Management

The management of informal and unstructured data that is the one outside the
purview of formal and structured systems such as Enterprise Resource Planning,
Supply Chain Management, Customer Relationship Management systems etc has
also emerged as major concern. Laura (2002) indicates that after the September 11
76
Hidden threats to enterprise: will your business continuity go according to plan? Report published in Financial
Services Technology June 2003.
56
attack, the FBI discovered that the only copies of some vital paper documents (for
specific investigations) were destroyed with its office in the World Trade Center.
Staff work related documents such as ‘Human Resource’ (HR) records (most of
which remain paper based) are always at point of vulnerability. As per Smith
(2002), organizations must make concerted efforts to move from paper to
electronic documents that are either supported by strong backup and recovery
systems or managed by a service provider.77
Most organizations are increasingly treating e-mail as their document

management system by filing important documents as attachments. E-mail
coupled with paper captures a great deal of important information outside so-
called mission-critical applications.78 Smith (2002) says “E-mail is just the tip of
the iceberg when it comes to extending BCM plans beyond core applications. It
used to be just the applications that touched the customer that were critical, but
now everything is integrated with inventory and fulfillment along the supply
chain."
e. Policies and Procedures

No matter how good the technology protection that one puts in place, the onus is
on the effective development of policies that will allow organizations to react in
minimizing damage. A plan that is not enforced is not worth the paper that it is
written on. As per a report published in Security magazine , post the September
2001 incidence most large companies have put in place new company wide
procedures to improve their ability to deal with disasters of all kind even though
the spending on business continuity hasn't consistently increased 79. O’Neill
(2005), says “Companies that focus too much on technology have to realize that
they are not a computer center; they are running a business. Replication
technologies from storage vendors are improving, but successful business
continuity starts with IT and business units agreeing on how technology drives the
business”.
RBI has issued policy guidelines for all banks to maintain appropriate
organizations & structures to deal with major disruptions arising out of natural
calamities.80 As per Killawala, (2006), banks have a duty to provide customers
77
Smith Laura, The new face of disaster recovery, Published: Mar 2002.
78
Donna Scott of the Gartner Group, Stamford, CT. comments in “Leading Companies Revive Focus on Best
Practices to Bolster Profits in Recessionary Climate”, February 26, 2002.
79
Security magazine, New York : Rethinking Risk, Published: September 16, 2002
80
57
with uninterrupted access to bank accounts and must facilitate the opening of new
accounts by persons affected by natural disasters; especially so that people can
quickly receive relief and aid given by the Indian government and other agencies.
f. Evaluating Plans
Mani (2003) recommends that BCP should take into account the project
management procedures, change management process, data center process,
backup and recovery process based on a sound methodology. The plan needs to be
continuously evaluated and revised whenever the bank forays into new business
tools and areas, either as part of a re-engineering process or for introducing new
products and services. As per Mani (2003), the relevant portion of the BCP
adopted ought to be disseminated to all concerned, including the customers, so
that the awareness would enable them to react positively and in consonance with
the BCP81. The part of the plan kept in the public domain should normally be
confined to information relating to the general readiness of the banks in this
regard.
g. Cost
BCP involves cost implications. While banks may consider cost-effective
strategies of BCP, the strategies considered should provide an adequate level of
comfort and assurance in tackling serious disruptions. Moreover, the mitigating
solution should be commensurate with the nature and complexity of their business
operations. Mani (2003) assets that banks should consider insurance as a risk
mitigation strategy for externalizing risks to a third party so as to reduce financial
exposure in the event of disruptions. However, diligence needs to be exercised in
regard to the nature of insurance and the certainty of payments.
2.7.6 Elements of BCM Plans

The literature survey suggests four elements that make BCM Plans:
Procedures
People
Technology
Facilities
81
Rahul Neel Mani, Indian IT industry shies from investing in BCM initiatives,
http://www.expresscomputeronline.com/20030707/indtrend1.shtml, 7th July 2003
58
2.7.6.1 Procedures
All types of threats and vulnerabilities are identified to reduce risk or Impact of
discontinuity and keep business in operation with minimal disruption and ensure
safety of personnel & equipment, protection of assets and minimize confusion and
uncertainty, quick rebuilding and return to normal processing and re-establishing
market share and customer Confidence. Banks must learn from the incidence and
document actions that can be taken in future82 (Mawson, 2003). Technology and
Procedures under the control of BCM recovery team must be comprehensively
documented giving all details of operating with alternate systems and connecting
application data to recovery servers and systems83 (Brooks, 2003). Banks deploying
comprehensive BCM practice multiple site operations. They mirror their primary sites
to a nearby local site (hot site) in some kind of load balancing configuration. Another
site that is situated much farther away, asynchronous, and possibly maintained by a
managed service provider serves as a cold site. This protection is costly and it usually
means some degree of downtime as BCM teams emulate corporate systems in remote
data centers (Oltsik, 2004). Each site is a source for one other and a target for other,
providing a round-robin sort of high availability, while not wasting any resources on
passive mirroring84 (Ferguson, 2002)
The growing threats and increasing need of secure electronic exchange has
necessitated enforcement of security procedures and encryption to combat cyber
terrorism85 (Boulton, 2005). Banks with higher level of BCM have tightened security
procedures, decentralized computing and storage systems and relocated data centres
ensuring physical separation of technology and business processes to meet RTO
objectives during disruptions86 (Fucito, 2004). Banks are putting together
comprehensive security policy encompassing all organizational assets and IT Systems
with proper assessment of vulnerabilities backed by appropriate technology to protect
them87 (Luft, 2005). They have established relationships with outsourcers that provide
disaster-recovery hot sites given the increasing vulnerability of data centers to
physical damage and ensure continuity by relocating data centers, or moving to a
more distributed data processing or storage architecture (Bleiberg, (2005)
82
Thomas Mawson, Executive Director, DRI international, Virginia, Risk evaluation & Control, Security
Magazine, May 2003
83
Brooks Darryl, Best Practices, Published: Nov 2003,
http://storageMagazine.techtarget.com/magItem/1,291266,sid35_gci935908,00.html
84
Donald Ferguson, an enterprise storage consultant, from EMC, Hopkinton, MA, USA provided his views of
“Configurations in Future” to Smith Laura, in her article “The new face of disaster recovery”, Mar 2002.
85
Boulton Clint, Bank Data Leak Jumpstarts Encryption Talk, March 2, 2005,
http://www.internetnews.com/storage/article.php/3486786
86
Fucito Robert, BNP Paribas, Business Continuity report (2004)
87
Luft David, Proactive plans thwart SMB threats, Published: 15 Jun 2005
59
2.7.6.2 People
Successful BCM Implementation relies on effective use of Key Personnel who
empowered and motivated individuals with good understanding of business processes.
In order to perform during major disasters, banks have accessible detailed
organization chart showing lines of succession with job descriptions for every
position and training levels / certifications for each employee to enable manning of
key positions quickly, should some personnel be unable to perform their tasks after an
event (Bleiberg, 2005). They have well spelt out plan for deploying people to back up
sites in distant remote locations by having alternate transportation arrangement88
(Hunt, 2004). Key people are be assigned to each alternate role to form teams who
will be available and possess wherewithal to perform with speed and efficiency during
a discontinuity89 (Kelly et..al, 2002).
People have been found to perform during disaster situation if they possessed high
stress-tolerance levels and are assured of safety and welfare of their family90 (Barnes,
2005). Communications have played vital role in ensuring business continuity while
operating from remote alternate location, to enable key personnel make contact and
report their locations (O’Neil 2005). Banks must ensure that all appropriate staff is
trained for their respective plan components and be aware of details such as the
locations of emergency power off switches, fire suppressant and alternate power
supply systems, etc to be resilient. (Hunt, 2004)
2.7.6.3 Technology
Technology is a core component for banks for delivery of their services effectively.
Banks that have attained high reliability of systems have deployed dispersed and
distributed IT Infrastructure comprising of n-tier client-server systems, networked
storages and portable data storage platforms of appropriate technology. Their BCM
strategy incorporates applications running on multiple platforms with mirroring and
replication of data with automatic fallback capabilities supported on variety of options
provided by telecom providers to ensure greater reliability and higher continuity.
Data protection technologies recommended by experts and used in banks include

Tapes (Scott, 2002), Electronic Vaulting (Smith, 2002), Remote mirroring, Snapshot
88
Hunt Hal, commented on “Lesson of Hurricane Hugo” on ECT News Network, at 6:00 AM on May 08, 2004
89
and Strategy- “The Internet and the 21st Century Firm” April 12, 2002(WP 2003-02)
90
Barnes Peter, FBCI, Planning for people, March 18, 2005, http://www.continuitycentral.com/feature0186.htm
60
and Replication all provide highest possible levels of RTO & RPO Four principal
hardware delivery platforms deployed to affect BCM infrastructures are: Storage
array, General-purpose server, Purpose-built Storage Appliance and Intelligent
storage-networking switch. The choice of platforms is based on expected levels of
reliability and total cost of ownership. The technologies, products and SLA
requirements and compliance regulations must be reviewed and updated periodically.
The growing threats and increasing need of secure electronic exchange has
necessitated enforcement of security procedures and encryption to combat cyber
terrorism. Banks need to have comprehensive security policy encompassing all
organizational assets and IT Systems with proper assessment of vulnerabilities backed
by appropriate technology to protect them. Many banks have tightened security
procedures, decentralized computing and storage systems and relocated data centres
ensuring physical separation of technology and business processes to meet RTO
Objectives during disruptions.
2.7.6.4 Facilities
Banks must have physical facility protection agreements in place for occupying other
locations from which business can be conducted for an extended period of time
(Bleiberg, 2005). Decision to provide either limited or comprehensive recovery
facilities depends on cost and strength of the service provider in making “redundant”
office space ready to use in case of an incident. BCM site is equally expensive and
complicated, especially when the temporary site has to be maintained to the same
level as the real work environment. This extra cost can be offset somewhat with new
products that exploit Internet based solution provided to staff / partners on their
desktops to possibly allow them to continue working from home locations (Shore,
2002). Availability of electrical power is prime factor in ensuring business continuity
as has been amply established during major disasters experienced by banks in
Mumbai.
2.8 BCM Implementation Framework and Disaster Management

A BCM Implementation Framework has been developed based on the experiences
cited in literature, model of effective BCM enumerated in the Disaster Recovery
Journal (Volume 15, No.3, Summer 2002), Canada and instructions issued by RBI on
the subject to all banks in India during the period 2001 to 2006. The Framework has
been enhanced by the recommendations of senior managements of banks shared with
the researcher during the primary data survey stage and validated by experts from
61
well known consulting firms in India. A brief schematic is depicted in figure 2.2 and
enumerated in detail in Annexure 1.
Banks need to invest in BCM by creating appropriate organization and infrastructure

so as to maintain their market position, preserve confidence of customers,
governments & shareholders and prevent losses to business and liabilities towards
employees, shareholders and customer claims. All types of threats and vulnerabilities
are to be identified to reduce risk or Impact of discontinuity and keep business in
operation with minimal disruption. Successful BCM is the one that ensures
prevention of discontinuities, quick response if they occur, speedy resumption of
critical tasks, early recovery of other non-critical processes and smooth restoration to
normalcy.
62
Preparing to implement a BCM
Formation of BCM Implementation team – Bank
officials and Consultants
Formulation of BCM Budget (One time, Annual
maintenance and Updating costs
Risk Identification (Threats & Vulnerabilities)
Project Initiation
Mission Statement & Objectives
Details of resource requirements
Steering Committee &Reporting Process
Business Impact Analysis (BIA)

Critical Business Processes
Quantifying Organizational risks
Prioritization of risks / vulnerabilities Maintaining & Updating the BCM
Annually or after major
organizational changes
Implementation of new
Designing and developing a BCP
systems
Feasible, realistic and workable BCM plans
Re-training of Staff
Protect critical business processes
Alternate emergency operations and processes
Sequence of resumption / recovery
Steps to operationalize plan
Review and Testing
Types of Tests
Implementation Periodicity of Testing
Establish trained and committed teams Testing Process

Organization for Technical, Operational and
Administrative support
Scheme to move to alternate scheme during
discontinuities
Scheme for recovery to normal scheme
Communication of Allotted Responsibility & Roles
Figure 2.2 BCM Implementation Framework
63
BCM Implementation relies heavily on effective use of Key Personnel who are
It must ensure safety of personnel & equipment, protection of assets and minimize
confusion and uncertainty, quick rebuilding and return to normal processing and re-
establishing market share and customer Confidence. Banks must learn from the
incidence and document actions that can be taken in future.
2.8.1 Embarking on a BCM project

Formation of BCM Implementation team drawn from both the bank and
consultants and having a rich blend of functional and practice experts
Budgeting the BCM Program with provisions to provide adequate funding every
year to account for one time, annual maintenance and updating costs.
Conducting Business Impact Analysis (BIA) and related Insurance needs to
examine the threats, vulnerabilities and possibility of exposure of business to
these.
Traditionally 30% (non-banking) and 60% banking processes (delivery units) of an
organization requires a detailed recovery plan and most areas may not need an
extensive BCM. BCM efforts are to be driven by the respective business units, being
the owners and accordingly the team must do the best to discover the
interrelationships between the core department and other units in bank.
2.8.2 Managing BCM Implementation project

A framework, based on literature survey, is suggested that gives steps to implement
BCM.
a. Project Initiation
Supported by Senior Management objectives must be drawn and project plans
prepared. The plan is to enumerate budget giving details of resource requirements
and reporting process.
b. Business Impact Analysis

Identify and quantify organizational risks and critical business processes and
supporting equipment and systems. The risks / vulnerabilities need to be,
prioritized and then insured by of alternatives and recovery schematic. All
Financial and Operational Impacts must be measured and catered for.
64
c. Designing and Developing a BCP
Business continuity strategy must be in line with organizational strategy and
consistent with agreed business objectives and priorities. The plan must be
feasible, realistic and workable and should be able to effectively counteract
interruptions to business activities and to protect critical business processes from
the effects of major failures or disasters.
A Business continuity planning framework comprising of three sections is
suggested:
BCM Plans must be strengthened by top management supported policy on

incorporating recovery system alternatives with emphasis on the importance of
human factor and alternate emergency operations or technology components and
the processes & drill to rebuild the state of normal operations.
d. Implementation
Banks must establish trained and committed teams to lead, manage and direct the
organization through the crisis and provide necessary technical, operational and
administrative support to move to alternate scheme during discontinuities and
recover to normal scheme once crisis is over. Agreement must be entered into
with appropriate vendors for delivery of replacement service/support within
critical time frames. Allocation of responsibilities, systems and processes must be
worked out and communicated to all concerned.
e. Testing
BCM Plan and operating scheme needs to be tested for efficiency and relevance
from annually or after major organizational changes or an incident. Testing proves
that BCP is feasible and demonstrates the ability of the organization to recover.
f. Maintenance and Updating the Plan

The BCM organization and practice must be updated at least annually or after
major organizational changes, implementation of new systems, networks and
hardware or changes in market conditions / staff levels.
65
2.8.3 Disaster Management
preparedness, response and recovery As per DR Institute, Canada outlines the priority
in which disaster situation needs to be responded is Safety and prevention of injury to
personnel on site first, prevention or limiting damage to facilities and equipment
second and keeping critical business functions operational next. Crisis once triggered
and not responded to appropriately can expand. This is depicted in figure 2.3 below
and enumerated in Annexure 1.
Disaster Management
Disaster Response
Disaster Declaration
Phases of a Crisis
Pre-existing conditions
Crisis Trigger
Crisis Expansion
Crisis Response
Incident Response Team
Response
Prior to an Incident
During an incident
Following an Incident
Crisis Resolution
Impact on People
Managing Media
Figure 2.3 Crises Management
The first objective of DR is to limit the damage and restrict crisis expansion. The team
taking charge during a crisis ought to be sensitized to family issues, stress and health
& safety of the fellow employees. Banks must have an approved incident response
66
plan to prevent pressured decisions that may effect fair and balanced response. A
credible spokesperson must lead the Media and provide Information to avoid
speculations.
2.9 Summary of Findings

The learnings from literature survey highlight the evolution of banking practice and
ingredients of BCM implementation in banks and financial institutions based on the
experiences of those institutions that have confronted disasters and discontinuities as
also the viewpoints o consultants and instructions of regulators.
2.9.1 Banking scenario in India

Banks are drivers of economic growth and are the backbone of financial
infrastructure. Banking system in India functions under the umbrella of RBI, which is
the regulatory, and central bank and operates through three categories Commercial,
Regional and Co-operative. The shape of banking has seen sea changes from
Inception (1870) to pre-nationalization (1949) to nationalization (1966) and rules of
banking have been rewritten.
Development of technology has challenged the traditional banking practices and

service delivery. Banks in India are compelled to align with International best
practices owing to the rise in competition spurred by the entry of foreign and large
private sector banks post liberalization / deregulation. There is a huge scope of
expansion for banks by offering multiple products and services in India owing to
growing population of bankable house holds and increased propensity of urban to take
credit and opportunities for retail financing for housing loans.
Indian banking is in the midst of IT revolution. The increase in volume of banking

transactions and customer expectations has given rise to large-scale computerization
of banking services. As per RBI, eighty percent PSB’s are already computerized and
of which 40 percent have implemented Core Banking Solutions. The private and
foreign banks operate with increasing efficiencies owing to their relying on high
degree of IT deployment which is supported on state of the art IT Infrastructure
thereby bringing about new dimensions in Banking services with products like
“anywhere banking”, “tele-banking”, “internet-banking”, “web-banking”. The public
sector banks however, enjoy advantage of great reach, size and access to low cost
deposits.
67
The advancement in Information and Communication technology has revolutionarized
e banking as it allows bank branches to network at a relatively low and affordable cost
with a high degree of reliability. RBI has created necessary infrastructure and
processes through Institute for Development and Research in Banking Technology to
provide safe and secure integrated payment settlement systems using secure channels
and encryption. The setting up of network and systems such as BANKNET,
INFINET, S.W.I.F.T has facilitated electronic fund transfers, debits and clearances,
reporting and settlement systems. These networks have been the catalyst in
implementation of Real Time Gross Settlement Systems, National Settlement Systems
and Central Funds Management Systems. (Seokumar, 2005)
The measures of deregulation and increased competition has lead to a situation where
the survival of those banks who do not attain higher levels of operations in continuity.
Traditional banking in India is facing unprecedented competition from non-traditional
banking institutions, which offer services electronically. Internet banking is changing
banking relationships by providing exceptional savings, low rate credit cards, ease of
applications and 24-hour access. Banks are increasingly using advance technology to
implement “Customer Centered Applications” and with high-end functionality such as
Risk Management, Credit Monitoring etc. Growing customer awareness, higher
demand for low cost electronic services and convenience and integration of banking
services with e-commerce have resulted in highly competitive internet banking market
and those banks who don’t offer modern banking will become marginalized.
2.9.2 BCM implementation scene in banks in India

Business Continuity planning is a key pre-requisite for minimizing the adverse effects
of one of the important areas of operational risk – business disruption and system
failures. Banks need to put in place a viable BCP including robust information risk
management system and thoroughly test it to verify its full capability against the
changing scenario and assumptions at frequent intervals. Constant technological
change poses a great challenge for human resource development, continuous up
gradation of human resource skills and instilling the necessary attitudes and work
culture.
RBI has issued detailed guidelines to banks to implement BCP to carry out
comprehensive risk assessment and establish infrastructure, organization and
processes to ensure realization of targeted RPOs and RTOs. The plans have to be
supported by getting into agreements with trusted and reliable agencies. The
responsibility in respect of BCP rests with the Board of directors and the top
68
management to provide clear policy guidance and direction. The BCM must be
reviewed and upgraded periodically. Banks must resort to insurance as risk mitigation
strategy for externalizing risks to third party by reducing financial exposure during
disruptions. Reserve Bank has adopted a dual strategy for its Disaster Recovery
System (DRS) / BCP - one for mission critical applications and the other for other
applications. The approach towards Business Continuity is to ensure that in case of
any contingency, operations are resumed within a minimal time gap of two hours in
the case of mission critical applications and within a day in the case of others. RBI
recommends that the IT resources and assets are to be consolidated in the form of
Data Centres both at the Primary Site and at the Recovery and Continuity sites.
2.9.3 BCM Planning and Implementation
The importance of implementing comprehensive BCM by Banks to ensure continuity

of business thereby preventing losses and preserving market position and confidence
of customers has been highlighted in the literature. The BCM plans must articulate
scheme of prevention of discontinuities, response to disasters, resumption of business
and recovery to normalcy. Banks must have comprehensive BCM policies with
support of top management and all functionaries in the bank. These must be
adequately documented and amply communicated to all concerned. The plans must be
reviewed periodically and updated to ensure their relevance at all times.
Sound BCM plans are based on four elements: Procedures – to take actions during
disruptions and resumption to normalcy; People – roles and responsibilities of key
personnel who are aptly trained to meet all contingencies are well defined and
communicated; Technology – the systems must operate using state-of-the-art ICT
infrastructure supported on best international practices; Facilities – Data Centres and
Offices to provide continuous operation of business and systems.
A BCM Implementation Framework based on the literature survey, instructions issued

by RBI, interaction with Experts and model suggested by Disaster Recovery Institute,
Canada has been developed and presented in this chapter. The Implementation
Framework involves: Preparation, Project Initiation, Business Impact Analysis,
Design and Development of BCP, Implementation, Review & Testing and
Maintenance & Upgrades.
69
2.10 Conclusion
The literature survey highlights the experiences of banks, mostly abroad and few in
India, the need for comprehensive BCM plans supported by the entire organization.
The BCM must be operated on reliable and rugged technology infrastructure
supported by well articulated and communicated processes. The importance of people
in successful implementation of BCP has been cited many times. There is evidence of
varying degree of success in achieving continuity through BCM implementation by
various banks.
The salient features of successful BCM implementation have been summarized into
parameters under four clusters of process, people, technology and facilities. These
have to be validated and enhanced by undertaking primary data survey in select
banks. The measures of effectiveness of these parameters in relation to business
continuity need to be worked out.
The literature provides valuable experiences in ensuring continuity in certain aspects

of BCM implementation. There is a need for a comprehensive framework for
planning and implementing BCM and measure its effectiveness. A framework has
been worked out that needs to be evaluated by surveying select banks and critiqued by
Experts. A metrics model to measure effectiveness needs to be developed based on
the learnings from literature and evaluated by primary data survey.
The literature survey supports the following hypothesis:

a. Higher the level of state-of-the-art IT infrastructure more is the reliability of the
BC practice and organizational strength, especially for banks that support
multiple products and services delivered through multiple channels.
b. The success in the implementation of BC practices as envisaged in enhanced
image and reputation of the bank depends on the softer aspects of Operations
such as employee awareness, readiness, empowerment, culture of innovation and
70
CHAPTER 3
RESEARCH METHODOLOGY
3.0 Preamble
There has been phenomenal multiplication of economic growth in last twenty years in
India fueled by the process of globalization and liberalization. This has led to
increased automation and collaboration of economic activities involving businesses
and banks. This phenomenon has ushered in irreversible socio-economic changes in
terms of consumerism and rising customer expectations as regards speed and quality
of service. Banks are the glue between the demand and supply to effect transactions,
mostly electronically and are therefore depended upon heavily by the society. There
are sweeping changes across the world as regards socio-political changes post cold
war era and realignment of political objectives. This has increased imminence of
terrorist attacks that are becoming too frequent posing severe risks to continuity of
businesses, banks in particular. This situation is worsened by increase in frequency of
natural calamities and disasters probably due to global warming and extensive
mechanization. Business continuity therefore is the very fundamental requirement of
any organization that intends to render continued high performance and sustainable.
3.1 Background – BCM Implementation Scenario

The numbers of banks of all categories Public, Private and Foreign, have grown
phenomenally. The percentage presence of private sector banks is higher in urban and
semi urban areas and that public sector banks is higher in rural areas. This gap is
narrowing with increased opportunities in micro financing. There is an increased
focus on retail loans and diversification of credit base. The use of electronic mode of
payment has increased, both in terms of volume and value as a result of
unprecedented success of RTGS. Most banks have implemented Core Banking
Systems and adapted electronic Payment and Settlement and systems
Banks in US & Europe have faced large-scale disasters and hence have augmented
their BCM approach. They have increased redundancy of key resources and switched
to multiple Data Center sites operation by collaborating with third-party partners who
have multi site and multi platform capabilities supported on dependable
communication network. Banks have devised alternate processes that covers all
critical business functions including those of key outsourcers which they have well
documented and communicated. They have disseminated the information on alternate
procedures elaborately to all stakeholders and customers thereby increased their
confidence in banks’ ability to provide normal services during disruptions.
71
Banks are implementing document management and imaging systems using modern
tools to house their loan documents. They have endeavored to ensure high availability
of solutions and productivity of employees while top management is focusing on
improving communication with customers and employees during disruptions to
customer confidence, brand value, market position.
RBI, in recognition of increase in eventualities that might even throw banks out of
business, has issued detailed guidelines directing commercial banks to put in place
business continuity measures with lower cost of BCM programs to retain competitive
advantage total cost of BCM programs low to retain competitive advantage. The have
been asked to accelerate the process of developing world class supporting
infrastructure and adopt alternative approaches to serve the customer by creating a
vibrant banking organization orientated to market dynamics providing relevant
interfaces between market demand and delivery capability. Indian banks have posted
higher ‘Net Profits’ and ‘Return on Assets’ during the last few years and have
improved efficiency of operations significantly. The average cost of operations in
Indian Banking, however, is higher in comparison to International Standards.
BCM effectiveness of banks in India can be achieved through BCM Model that are
deduced from experiences of banks in west but are adapted to Indian conditions and
comprehensive metrics to assess the effectiveness, point at gaps and provide
suggestions for improvements. Both these are absent in literature and highly needed
which is the motivation to conduct the research and present desired deliverables that
will serve the cause of achieving high level of continuity in banks particularly in small
and medium category as they support the financial requirement of bulk of the country.
There is no recognized framework to measure effectiveness of BCM implementation.

JPMorgan Chase, U.S. Bank, Bank of America and fifteen other top-tier banks and
technology companies have teamed with Financial Services Technology Consortium
(FSTC) to undertake Financial Services Resiliency Model Project. This is the first
effort of its kind in creating a framework to benchmark for business continuity in
Banks and Financial Institutions using appropriate metrics.
72
3.2 Non-Existence of Framework for Measurement of BCM effectiveness
There is no recognized framework to measure effectiveness of BCM implementation.
Pioneering effort by Financial Services Technology Consortium (FSTC) in USA is
currently underway to device a metrics.
Wallen (2006) informs about the pioneering effort taken up collaboratively by

JPMorgan Chase, U.S. Bank, Bank of America and fifteen other top-tier banks and
technology companies who have teamed with the Financial Services Technology
Consortium (FSTC) to establish a uniform vocabulary and process improvement
approach. The Resiliency Model Project, which is the first effort of its kind, has taken
on the task of creating benchmarks for business continuity in Banks and Financial
Institutions1. The project says Wallen (2006) endeavours to document goals and
practices of vital operational resiliency processes and develop a draft process
improvement framework, along with requirements for metrics. The framework will be
a listing of capabilities organizations should have to be resilient and will span core
areas such as facilities, technology, data, people and processes. Wallen (2006) further
informs that the project team is taking help of Carnegie Mellon University's Software
Engineering Department in laying out capabilities and establishing goals so as to build
a model to let organizations assess themselves and develop process improvement road
maps for themselves.
Kelly (et..al 2002) believe that crisis recovery is a response to extreme uncertainty
and view it as a form of innovation and suggest that metrics to measure BCM
preparedness are similar to metrics for innovation. Further, the crucial aspect of being
resilient in meeting discontinuities is not the type or currency of technology but the
interface between people and technology and ability of people having high degree of
‘digital culture’ to make the technology work in face of disaster. Das Gupta (2002)
believes that in times to come their customers investors, employees, fiduciaries,
everybody, counter arties, everyone who looks at a bank’s worthiness banks are going
to value them on their preparedness by to meet discontinuities.
1
Charles Wallen, Managing Executive, FSTC's Business Continuity, Standing Committee and Project Director,
Bank systems & Technology, Resilience You Can Measure, Dec 01, 2006.
URL: http://www.banktech.com/showArticle.jhtml?articleID=196513070
73
3.3 Choice of Mumbai as Representative Sample
Mumbai, popularly known as the financial hub of India, has been chosen as a
representative sample as it possesses scale, scope and comprehensiveness of banking
activities. It has the largest concentration of banks, export units, capital markets and
special attention of the government of India. The salient features of Mumbai as a
representative of banking in India are given below.
3.3.1 Largest export / globalization oriented banking activities

The growth of banking over the last few years has been large throughout the locations
in the country. However, as per RBI report 2006 the credit-deposit ratio in six
States/Union Territories, including Andhra Pradesh, Chandigarh, Karnataka,
Maharashtra, Rajasthan and Tamil Nadu was higher than the all-India level. The latest
trend in the banking arena has been setting up of Offshore Banking Units (OBUs) in
Special Economic Zones (SEZs). This symbolizes growth in exports and globalization
of Indian industry. These banks operate like foreign branches of the Indian banks, but
are located in India and provide finance to SEZ units and SEZ developers at
international rates. RBI accorded approvals 10 banks for opening of OBUs. These
include State Bank of India, Bank of Baroda, Union Bank of India, Oriental Bank of
Commerce, Punjab National Bank (PNB) and ICICI Bank. Out of nine OBUs that
were established in Phase I, six were established in SEEPZ, Mumbai .In Phase II of
the five OBUs opened three were in SEEPZ, Mumbai .The government’s decision to
open 64 percent (9/14) OBUs2 clearly indicates that Mumbai accounts for lion share
of commercial activities supported by large numbers and varieties of banks.
3.3.2 Consistent high financial performance

As per the extant policy, RBI inspects Urban Commercial Banks and accords them
grading from I to IV (high to low) depending upon their scheduled status and financial
position. The RBI inspections of last two years have accorded grades I and II
(indicating high performance and financial position) to 340 banks in Mumbai (out of
1147) in 2005 and 301 banks in Mumbai (out of 1176) in 2006. There are only 119
Grade III and IV banks (out of 725) in Mumbai. This indicates healthy status of
commercial activities of Banks in Mumbai as compared to other cities.
2
74
3.3.3 Concentration of control of banking activity in the country
The regulatory bank RBI and the largest PSB headquarters are situated in Mumbai.
The other prominent banks having their headquarters in Mumbai include Union Bank,
Bank of Baroda, UTI Bank, etc from PSBs group, ICICI bank, HDFC Bank, Kotak
Bank, etc from Private Sector Banks and India headquarters of Citibank, HSBC, ABN
Amro, etc from the Foreign banks. There are Regional offices of almost every bank
in India for the Western Region, which accounts for major share of banking in the
country3. The think tank of designing, ensuring execution and constant upgrades of
BCM practices in most banks in India resides at these offices in Mumbai. This
enables a researcher to get a comprehensive view of BCM policies, organizations,
implementation data and lessons from past from the collective organizational
knowledge being present at Mumbai.
3.3.4 Presence of all types of banks

Greater Mumbai has each every type of bank as regards category, size, diversity of
portfolio, customer profile, IT usage and globalization / export potential. “It is only in
the city of Mumbai that one can find banks of all sectors: Private, Public, Foreign &
Cooperative, all banking operations: Savings, Retail, Investment, Corporate &
Development, all sizes large, medium, small and very small (2 officer banks). All
these function under RBI control, which has dedicated divisions to take care of this
unparalleled diversity in Mumbai.”4
3.3.5 Cultural representation of entire country

People from almost all states in the country staff the large varieties of banks in the
city. Mumbai being the true metropolis in the country has settlement of people from
every corner of country5. The cultural diversity present here provides to researcher
insights into behavior of people during normal operations as also crisis. This aspect
was at ample display during unfortunate incidents of “Bomb blast” and “catastrophic
deluges of Aug 2006 and July 2007”. The officials in banks at Mumbai have to
interact with corporate customers and senior managers of other banks in almost entire
country and thus are able to articulate issues and practices as regards BCM planning
and implementation that is valid anywhere in the country.6
3
Comments of Mr Girish V, Principal Consultant, Banking association of India and editor Banking Frontiers,
magazine.
4
Comments of Dr.R.B.Burman, Executive Director, RBI made to the researcher in special meeting organized in
his office on March 20, 2007
5
Comments of Sundaram Kalyan, General Manager (IT) Bank of Baroda, BKC, Mumbai during the meeting on
12 May 2007.
6
Comments of Trivedy Ravi, Partner KPMG, Banking vertical division, during meeting Apr and 16 May 2007.
75
3.3.6 Presence of Central / Regional Data Centers
Central data centers of SBI, ICICI, HDFC, Bank of Baroda, Union Bank, UTI Bank,
Kotak bank are located at Mumbai. These data centers are most advanced units and
have almost every aspect of technology and practice present. The effect of
discontinuity of operations and the impact on banking has been witnessed by these
data centers, their staff and support agencies. They can provide insight into utilization
of technology, the back bone of modern banking, both in normal and alternate modes
of operations as they have the first hand experience not felt by banking outfits
elsewhere in the country.
3.4 Scope of Work

The literature survey highlighted (Chapter 2, paragraph 2.10) the need for the
development of comprehensive framework for implementing BCM. A model to
measure the effectiveness of BCM (metrics) is to be developed by carrying out
primary research in select banks in Mumbai and validating the models by applying it
to sample banks and critique the same with experts. The following is the scope of
work:
3.4.1 Development of an academic model

A framework enumerating components of a successful BCM implementation based on
literature survey and primary research to be developed.
Identification of Parameters Classification of Parameters
Literature Survey Evolution Top Management
Essential Groups Groups
Validation of Parameters Updation Functional Management
Parameters
Clusters
Focus Groups
Validation Parameters
Focus Groups
Model
Figure 3.1 Steps in development of BCM Model
76
3.4.2 Operational and infrastructural issues
Issues related to procedures, policies and infrastructure (IT and facilities) from
operational (organization, processes & people) perspective that are required to ensure
high level of preparedness in Banks to ensure continuity were studied and critical
parameters identified. The study does not look at banking and financial risk and
focuses only on banking operations as regards continuity.
3.4.3 Metrics to measure BCM effectiveness

A framework of metrics to comprehensively measure effectiveness of BCM
implementation with a view to identify gaps and suggest improvements. The metrics
is to identify the BCM effectiveness numerically as regards strengths and
vulnerability on account of critical parameters.
3.4.4 Support to small banks

This study is to help small and medium banks to look at alternate and efficient ways
of planning and implementing BCM solutions to improve continuity. These banks do
not have financial and organizational strength to replicate the models practiced by
large banks.
3.4.5 Focus on softer issues

Most business continuity frameworks define methods to make IT infrastructure and
related facilities and organization dependable and efficient to ensure high state of
business continuity. This does produce results, as almost all processes in banks are IT
enabled. This has also brought about fair amount of standardization amongst banks to
deliver their products and services efficiently using IT. The growing competition as a
result of this and globalization has raised customer expectations above the level of
efficient and timely service. Differentiations therefore (real or perceptions) will come
from managing softer issues of esteem, trust and image.
77
3.5 Research Methodology Framework
The state of BCM implementation in Indian Banks and the gaps therein as compared
to the progressive banks in west and absence of comprehensive BCM implementation
and measurement framework the methodology to undertake research has been worked
out. The scheme is given in figure 3.2 below:
Stage 1
Literature Survey
BCM Implementation Formulation of

Framework (Draft) Hypothesis
Stage 2
Primary Data Survey in selected
Banks in Mumbai
Parameters for
Finalized BCM Hypothesis partly BCM Model &
Framework tested Metrics Identified
Stage 3
Model Development & Testing
Finalized BCM Metrics Hypothesis partly tested
Stage 4
Application of Metrics to select
Banks in Mumbai
Recommendations to
Analysis of Management of Testing of
Findings Banks for High Hypothesis
Business Continuity
Figure 3.2 Research Methodology Framework
78
3.5.1 Survey in select Banks
A survey of select banks in Mumbai was carried out to validate the BCM
implementation framework deduced from literature survey as enumerated in
paragraph 3.2.1 above, test the hypothesis of study and identify parameters that will
form the BCM Model and Metrics of evaluation. The process is enumerated in
succeeding paragraphs.
3.5.1.1 The Methodology Adopted

The methodology adopted for surveying includes:
a. Interviews
Senior officials and supervisor of the target banks were interviewed to gather
macro level information. Preparation for these interviews were made based on the
secondary research carried out and enumerated in Chapter 3 as well as the
guidance received from six consultants who have executed / consulted for variety
of banking projects. The steps followed are enumerated below. These
progressively refined as the researcher gained finer insights after 6 to 8 interviews
were conducted were:
i. The officials to be interviewed were sent objectives of study and broad topics
that are to be discussed along with request for their time at their convenience.
ii. The interview durations ranged from 45 minutes to one and a half hour in their
offices. All respondents were given at least seven days period to go through
the requirements before the interaction.
iii. Most interviews were held late in the evenings or early morning so that the
respondents were at ease and not pressurized by their daily workload
requirements.
iv. For recording interviews “Dictaphone” was used. Paper-pen recording was
resorted to in case of those respondents who had objection to audio recording
of their responses.
v. Information recorded during interviews was collated and sent to the
respondents for validation by emails or hardcopy printouts.
vi. Almost 70 % respondents had sent amendments / alterations which were
incorporated. Others confirmed that recording was as per their views.
79
vii. The responses from officials of the five target banks were then compiled and
sent to selected consultants from leading consulting organizations for their
comments or views. The identity of bank and respondents was kept secret.
Indications to the level (designation) of the official and the type/size
(Private/Public sector & large/medium).
viii. Each response was sent to two different consultants ensuring their views for
different set such as (Public-large, Public medium, Private large, Private-
medium).
ix. Responses / suggestions from consultants were taken into account while
summarizing the findings (given in Chapter 4, paragraph 4.3 ahead)
b. In-depth interactions of functional / mid level executives

This method was adopted to gather details of processes, roles, technology and
facilities deployed at various banks by interacting with functional and mid level
executives. The steps enumerated below were taken owing to the level of
respondents as regards their appreciation of BCM as organizational initiative so
that they could be sure of their responses provided by them.
i. The officials to be interacted were sent objectives of study, technical

terminology based on primary research so as avoid issues related to
‘vocabulary’ and broad topics that are to be discussed along with request for
their time at their convenience.
ii. The interactions with this group of respondents were scheduled in two stages.
In stage one the objectives of survey were explained and their job roles /
responsibility was understood. The question sets were then left with the
respondents to enable them gather information or crystallize their
understanding. The duration of these interactions ranged from 45 minutes to
one and a half hour in their offices.
iii. The second interactions with the respondents were held after seven to ten days
of first interaction. During these interactions responses to questions were
solicited one on one basis. The respondents were requested to provide
organizational / process / architecture diagrams depending on the nature of
information (process/technology) being provided by them. These were
obligated by almost 65 % respondents and are enumerated in the Annexure 2
corresponding to their banks.
80
iv. Most interactions were held late in the evenings or on Saturday afternoons so
that the respondents were at ease and not pressurized by their daily workload
requirements.
v. Most responses were recorded on paper as majority of respondents in this
category had objection / aversion to audio recording of their responses.
vi. Information recorded during these interactions was collated and sent to the
respondents for validation by emails or hardcopy printouts. One copy was also
sent to their supervisors as per the agreed terms and conditions.
vii. Most respondents had confirmed that recording was as per their views. About
50 % sent additional information (data, diagrams ) after going through the
records of their responses.
viii. The responses from officials of the five target banks were then compiled and
sent to the supervisors in the bank concerned for their comments and approval.
Most supervisors gave their consent after going through the final tabulated
responses. However about 15 % asked for a joint meeting with the respondents
to clarify certain perceived anomalies (mostly on processes or specifications of
technology deployed)
ix. The final tabulated responses were then sent to selected consultants from
leading consulting organizations for their comments or views. The identity of
bank and respondents was kept secret. Indications to the level (designation)
and department of the official and the type/size (Private/Public sector &
large/medium) were made.
x. Responses were clustered department wise across banks and sent to two
different consultants ensuring their views for different set such as (Public-
large, Public medium, Private large, Private-medium).
xi. Responses / suggestions from consultants were taken into account while
finalizing the details given in Annexure 2 corresponding to their banks and
summarizing the findings (given in section 4.8 ahead).
c. On Spot Observations
Spot observations were made to gain insights into organization, processes,
business touch points and data centers. The following steps were undertaken:
i. Spots were so chosen as to cover various geographic locations for the target
banks (North Mumbai district, Central Mumbai district, Western Mumbai
district, Eastern Mumbai district & New Mumbai).
81
ii. Offices were chosen so as to cover the range of baking operations (Retail,
Corporate, Investment etc.)
iii. Day timings were so chosen as to cover ‘busy’ or ‘peak’ period and ‘lean’
period while making observations.
iv. Paper based recording was resorted to use of photography was prohibited by
almost all banks.
v. Information recorded during these observations was collated and sent to the
supervisors of the concerned banks for validation by emails or hardcopy
printouts. Almost 55 % of respondents sent their comments that were
incorporated.
vi. The final tabulated responses were then sent to selected consultants from
leading consulting organizations for their comments or views./ The identity of
bank was kept secret. Indications the type/size (Private/Public sector &
large/medium) of the bank were made.
vii. Responses were clustered observation entity wise (Data centers, ATMs,
Branch office, etc.) across banks and sent to two different consultants ensuring
their views for different set such as (Public-large, Public medium, Private
large, Private-medium).
viii. Responses / suggestions from consultants were taken into account while
finalizing the details given in Annexure 3 corresponding to their banks and
summarizing the findings (given in section 4.8 ahead).
3.5.1.2 Basis of Selection of Sample (Respondents)

The following was the basis of selection of sample
a. Banks
The basis of selection of banks was to choose one each from
i. Public Sector – Large (SBI)
ii. Private Sector – Large (ICICI)
iii. Public Sector – Medium (UTI / Axis)
iv. Private Sector – Medium (HDFC)
v. Modern bank – Greater degree of online operations (GTB / OBC)
82
b. Respondents
i. The level (designation) of the official commensurate with category of
information being solicited (strategic, operational, technological).
ii. The period that the respondent has spent in the bank (at least 5 years) and in
the branch (at least 2 years)
iii. Recommendation of the supervisor concerned as regards relevant knowledge
of the respondents in case of functional / mid level executives.
iv. Involvement of the respondent in project work under which such initiatives
were being taken either as a core team member or internal audit team.
v. Willingness of the respondent to participate in the survey. Some respondents
recommended by supervisors did not show interest and hence had to be
replaced.
3.5.2 Model Development

The primary data survey in banks described in paragraph 3.5.1 above validated the
BCM implementation framework as per the details enumerated in Chapter 2,
paragraph 2.8 and Annexure 1. The exercise resulted in identification of fifty three
parameters for measuring BCM effectiveness. These formed inputs to the model
development phase, the methodology for which is described in succeeding
paragraphs. The number of respondents from the select banks is given in Table 3.1
below:
Table 3.1 Respondents for BCM Metrics Model Development
Bank Type Medium &

Large 8 14
Small
Management No. of No. of

Per Group Per Group
Level Respondents Respondents
Top 2 16 1 14
Middle 2 16 2 28
Functional 3 24 2 28
Total Respondents 56 70
Average Respondents 25 40
83
3.5.2.1 Methodology for Development of BCM Model and Metrics
The methodology to develop BCM Model and metrics to assess strength and
vulnerability of BCM intervention in Banks both prior to post implementation is
described in Annexure 3. The Steps taken to develop and test the BCM model
together with metrics to measure effectiveness are enumerated succeeding
paragraphs.
3.5.2.2 Compilation of Factors from literature survey

The factors that drive successful BCM Implementation and operation were compiled
based on:
a. BCM Implementation experiences of major banks in India7 (Shore 2002) as per

the guidelines issued by RBI 8 (Srinivasan 2001).
b. Successful BCM implementations experiences in Finance and banking sector in

North America and Europe
c. BCM status and experience in two large, two medium and one modern bank as
culled out from learnings accrued after an elaborate survey of five target banks in
Mumbai.
d. Experience of managing successful BCM operation in a disaster situation by a

major Public Sector bank in Mumbai .
3.5.2.3 Development of First Level draft

Two senior officials, two supervisory officers and three to four functional mangers of
the target banks were involved in the model development and testing exercise over a
period of five months. The steps followed in development of the model are
enumerated below. The model got progressively refined as the researcher and
respondents gained finer insights after every iteration:
a. The officials to be interacted were sent the set of questionnaire and themes as
mentioned in Annexure 3.
b. An interaction (interview and discussions on measurements of suggested

parameters) was held with the target officials. These interactions ranged from a
durations of forty-five minutes to one and a half hour in their offices / branches..
7
Shore Dave, Web-based solutions can ensure business continuity, Published: 5/20/02,
http://techrepublic.com.com/5100-10878_11-1048802.html?tag=search
8
Srinivasan M. R., Chief General Manager-in-Charge, Internet Banking in India – Guidelines to All Scheduled
Commercial Banks, DBOD.COMP.BC.No.130/ 07.03.23/ 2000-01, June 14, 2001
84
c. Most interviews were held late in the evenings or early morning so that the
respondents were at ease and not pressurized by their daily workload
requirements.
d. Information recorded during these interactions was collated and measures of

parameters progressively defined and amplified. A set of metrics to track
implementation status and monitor the performance of BCM was then created.
e. The model, grouped into five clusters - Organizational pertaining to Soft issues;
Processes; People; Technology; and Hard Organizational issues pertaining to
Facilities 9(Bleiberg 2005) was given shape in terms of elaborations on measures.
f. The draft (first-cut) Model was then sent to a set of four selected consultants from
leading consulting organizations for their comments or views. The identity of
bank and respondents was kept secret. Indications to the level (designation) of the
official and the type/size (Private/Public sector & large/medium) were made.
g. Each response was sent to two different consultants ensuring their views for
different set such as (Public-large, Public medium, Private large, Private-
medium).
h. Responses / suggestions from consultants were taken into account to fine tune the
parameter descriptions. These parameters were grouped in four levels - Planning /
Policy, Tactical, Tools / Methods and Review / Testing for each cluster.
i. The criticality/efficacy for above parameters were recommended to be evaluated

on four measures to ascertain BCM strength and vulnerability – Strength, Threats
Vulnerability and frequency of up gradation of interventions.
3.5.3 Refinement of Model
a. The model was administered to one senior official, one supervisory and two
functional managers to test the efficacy, correctness and completeness. The
sample selection was based on the experience gained by the researcher about the
understanding of the respondent and recommendations made by peers.
b. The researcher weighed the responses by carrying out spot observations by

visiting Offices, Data centers, DR sites and Business touch points for correctness
and completeness.
9
2005, http://www.fileon.com/press/articles/disaster-neednt-wipe-out-business.html
85
c. The observations made were discussed with experts (consultants) to fine-tune the
parameter descriptions and elaborate objectives and measures of strength and
vulnerability of BCM implementation.
d. The model and metrics were evaluated by Focus Group discussions employing the
Delphi technique, with senior bank managers from the selected banks and
consultants from the top consulting companies in India.
3.5.4 The basis of selection of sample (respondents) for Model Refinement
3.5.4.1 Banks
The basis of selection of banks was to choose a balanced combination from
a. Public Sector – Large
b. Private Sector - Large
c. Public Sector / Co-operative – Medium / Small
d. Private Sector – Medium / Small
e. Modern bank – Greater degree of online operations
Table 3.2 Respondents for BCM Metrics Model Validation
Bank Type Large 5 Medium 6 Small 8
Management No. of No. of No. of

Per Per Per
Level Respon Respon Respon
Group Group Group
dents dents dents
Top 2 10 2 12 2 16
Middle 2 10 3 18 3 24
Functional 3 15 2 12 2 16
Total Respondents 35 42 56
Average Respondents 25 30 45
86
3.5.4.2 Respondents
a. The level (designation) of the official commensurate with category of information

being solicited (strategic, operational, technological).
b. The period that the respondent has spent in the bank (at least 5 years) and in the
branch (at least 2 years)
c. Recommendation of the supervisor concerned as regards relevant knowledge of

the respondents in case of functional / mid level executives.
d. Involvement of the respondent in project work under which such initiatives were
being taken either as a core team member or internal audit team.
e. Willingness of the respondent to participate in the survey. Some respondents

recommended by supervisors did not show interest and hence had to be replaced.
3.5.4.3 Experts (Consultants)
a. Relevance of experience of the consultant as regards implementation of BCM

projects particularly in Finance and Banking sector.
b. Experience of consultant in analyzing organizations to bring about change

management and re-structuring.
c. Knowledge of consultants in developing models for deployment of IT on large

scale using variety of platforms and solutions.
d. Knowledge in analyzing and revamping IT infrastructure and facilities for large

scale IT enabled business.
e. Academic and scholarly interests of consultants in creating knowledge work by

writing papers & articles and participation in Seminars & Conferences.
3.5.5 List of Banks That Participated in Model Development and Validation

The Banks have been grouped into categories of Large, Medium and Small depending
on their asset size as reported in 2004. The convention followed by Indian Banking
Association for such categorization is by asset size: Large - more than 10 Billion
USD; Medium – 1 to 10 Billion USD; Small – Less than 1 Billion USD.
87
a. Large Banks
i. State Bank of India

ii. ICICI Bank
iii. Bank of Baroda
iv. HDFC Bank
v. Syndicate Bank
vi. Union Bank
vii. Axis Bank
viii. Bank of India
b. Medium Banks
i. State Bank of Bikaner and Jaipur

ii. State Bank of Mysore
iii. ING Vyasa Bank Ltd
iv. Bank of Maharashtra
v. Dena Bank
vi. Karnataka Bank
vii. Indian Bank
viii. IDBI
ix. Kotak Mahindra
x. Abhudaya bank
c. Small Banks
i. Yes Bank
ii. Dhanlakshmi Bank
iii. IndBank
iv. Saraswat Bank
88
3.6 The Research Objectives
The literature survey brought out limitations of wealth of knowledge as regards
applicability to Indian banks and measurement criteria for effectiveness of BCM
implementations. The objectives to undertake research are enumerated in succeeding
paragraphs.
3.6.1 Applicability of BCM experiences that are western-evolved to India

The BCM experiences both of success and failure are pertaining to banks and
financial institutions in North America and Europe. Most of the published literature
elaborates BCM implementations in US. The financial institutions have been
challenged by either manmade or natural disasters to a noticeable degree only in US
and UK. In India the only few experiences of large scale disasters are in last few years
only and the incidences are very few- Tsunami, Mumbai Rains, Gujarat Earthquake.
Of these the disruptions during Mumbai rains was the only large-scale impacting
incident as far as banking is concerned. This is primarily due to the fact that most
central data centers, Head offices and regional offices are concentrated in Mumbai.
3.6.2 Non-standardization of BCM implementation frameworks

Consultants and banks in UK and US have created the BCM implementation
frameworks. These consulting companies have evolved their own frameworks, which
are progressive and complete but only in certain aspects. Whilst most of them are
complete and comprehensive from technology perspective, they are in varying degree
of success as far as aspects of organization, processes, people and governance are
concerned. The philosophy of most of these frameworks are governed by Basel-II
norms internationally and Central Bank Regulations at national levels. In India RBI
has championed the cause of implementation of BCM through path breaking
initiatives under the aegis of IDBRT with a fair amount of success. The disparity in
availability of infrastructure (telecom and power) however, impedes wide scale
implementation of BCM.
3.6.3 Measurement of BCM effectiveness

The banking sector worldwide has seen phenomenal growth in the last two decades.
Large scale globalization and establishment of free trade between East and West
brought out about phenomenal rise in banking volumes. The industry therefore coping
up meeting requirements of large scale inter bank transactions across the globe by
adopting newer banking practices and using better ICT infrastructure. These have
attained a very high level in the US and UK and improving in Asia. The speed and
volume of growth kept the providers of service and technology as also the consultant
89
in upgrading infrastructure and delivery models for banking. There is no framework
to measure effectiveness of BCM implementation unlike what one finds in the
discipline of engineering and medicine
3.7 Conclusion
The BCM implementation experiences presented in the literature are rich but focus on
North America and Europe. These experiences are mostly highlighting specific
aspects of BCM and DRS and do not provide holistic approach to develop and
implement BCM in Banks. The research methodology suggested in this chapter
transcends following path:
Consolidation of learnings from literature survey into draft framework

Validation of the framework with select banks who have successfully
implemented in India to evolve comprehensive framework and identify
parameters to measure effectiveness
Development of metrics to measure effectiveness of implementation
Application of metrics to select banks for validation
Recommendations to banks (particularly, small and medium) to deploy effective
BCM solutions for sustained continuity.
The research work aims to present a comprehensive BCM Metrics Reality Check
Model that has not been developed as yet. One such model is under development
under the aegis of Financial Services Technology Consortium, USA. Mumbai has
been chosen as representative sample for banks in India as it has largest concentration
of Banking activity in the country where all types and levels of banks take part.
90
CHAPTER 4
BCM SURVEY IN INDIAN BANKS
4.0 Introduction
The rise in economic activity in Asia, particularly India and China, during the last
decade has spurred a surge in banking activities. Technology-driven developments in
the financial markets combined with a shrinking universe and the change in outlook
of society from that of “saving for the future” to “consume to make a better present
leading to brighter prospects” have put pressure on the banking industry to provide
continuous and reliable service. The Reserve Bank of India regulations and guidelines
on implementation of technology require banks to create reliable IT infrastructure and
support procedures to ensure high quality service at all times. “The benefits to be
derived from the use and adoption of technology cannot be exaggerated. Central
Banks the world over have been providing their unstinted support to development of
technological infrastructure and to IT innovations in the banking sector. There is no
doubt in my mind that technology usage is a core component of all future efforts of
central banks to improve their deliverables and to play their defined role more
effectively. No system or institution can hope to benchmark itself against international
standards without making optimal use of technology”, remarked Shri Vepa Kamesam,
Deputy Governor, Reserve Bank of India in his address to the Central Bank of Sri
Lanka, Colombo, on August 20, 2003.
4.1 Objectives of Survey of Banks

The published literature on Business Continuity Management (BCM) deals with
experiences in the banking sector in the U.S. and Europe, and has lesser direct
relevance to banks in India because of differences in culture and infrastructure. A
survey was, therefore, undertaken in selected banks in Mumbai during January 2004 -
April 2006 to study the organizational, procedural, technological and cultural aspects
of current BCM practices. The BCM experiences of the surveyed banks were collated
to provide insights on the “essential ingredients of successful BCM implementation in
banks”.
91
The purpose of the study was to collect data and other information on the following
aspects:
a. The mission and objectives of the bank in the changed environment of increased
competition and rise in customer demands.
b. Does a wider range of products and services that are offered to customers help in
the realization of BCM objectives?
c. Technology infrastructure, both implemented and planned, to meet consumer
demand and improve efficiency and effectiveness.
d. Business continuity organization, infrastructure and processes, - what has been
implemented?
e. Specific learnings to ascertain the factors that affect the operationalizing of BCM.
4.2 The Research Methodology

The details of the survey procedure adopted are enumerated in Chapter 3 paragraph
3.5.1. The basis of selection of sample banks and respondents are also enumerated in
Chapter 3 paragraph 3.5.1. The methodology adopted for surveying includes:
4.2.1.1 Interviews
Senior officials and supervisor of the target banks were interviewed to gather macro
level information. Preparation for these interviews were made based on the secondary
research carried out and enumerated in Chapter 2 as well as the guidance received
from six consultants who have executed / consulted for variety of banking projects.
The steps followed are enumerated in Chapter 3 paragraph 3.5.1. These steps were
progressively refined as the researcher gained finer insights after 6 to 8 interviews
were conducted.
4.2.1.2 In-depth interactions of functional / mid level executives

This method was adopted to gather details of processes, roles, technology and
facilities deployed at various banks by interacting with functional and mid level
executives. The steps enumerated in Chapter 3 paragraph 3.5.1.1 were taken to match
the level of respondents as regards their appreciation of BCM as organizational
initiative so that they could be sure of their responses provided by them.
4.2.1.3 On Spot Observations

Spot observations were made to gain insights into organization, processes, business
touch points and data centers.
92
4.2.2 The Study Plan
The study was planned and conducted in four stages over a period of ten months from
February 2004 to December 2004:
4.2.2.1 Corporate Perspective

Two senior officials in each selected bank of the rank of Vice President and above
were interviewed on several occasions to understand and record the bank’s mission
and vision and its linkage to BCM. Announcements on the bank’s website and other
published communications were also studied.
4.2.2.2 Banking Operations and Products

The range of products and services offered and the related operations practiced in the
banks were studied to understand the various aspects of BCM Implementation. The
methodology followed for this purpose is given below:
a. Interview one senior banking official of the rank of Vice President at the regional /
corporate office.
b. In-depth interaction with two functional managers in two or three branches at
various locations in Mumbai.
c. Spot observations were also made at the following business touch points:
i. Bank branches for process (personal banking, loans, corporate banking, etc.),
speed and effectiveness of banking transactions
ii. ATM outlets to get customer’s perspective about ease of transactions
iii. Back offices to understand the integration of processes and information
support at operating and strategic levels
iv. Online banking websites for internet banking transactions to ascertain ease of
operations, range of products and customer support
4.2.2.3 IT infrastructure
The infrastructure deployed was studied at the following locations by carrying out
visits, on spot observations and interactions with functional mangers, senior mangers
and Data center personnel:
a. Bank branches
b. Corporate / Regional Offices
c. Data Centers (both main and alternate)
93
4.2.2.4 BCM organization and procedures
To understand the policy and operational issues related to BCM organization in the
bank at both corporate offices and branches, the methodology was as follows:
a. Senior officials of the rank of Vice President and above were interviewed.
b. Communications in the form of relevant booklets on regulations and intranet /
banking software solutions were studied in the selected banks.
c. Survey questionnaires were administered at various levels in the selected banks to
evaluate:
i. Critical processes, possible discontinuities and related impacts on business
along with the level of implementation achieved in the bank to meet possible
disruptions.
ii. Aspects of continuity related to space, processes and technology.
4.2.2.5 Survey questionnaires

The survey questionnaires deployed for the study during interviews at various levels
(Top, Middle and Functional) together with summary of responses as regards
percentage respondents who participated, levels of intervention achieved (wherever
applicable) and brief of amplifications provided are tabulated and placed at Annexure
2.
4.2.2.6 Sample size

The sample size ranged from 25 to 40 respondents on an average, at strategic,
operational and technological levels in each bank.
4.2.3 Bank wise Summary of Study

The information collected and collated from the study of banks carried out as per the
detailed methodology enumerated in paragraph 4.2 above is summarized (bank wise)
in Annexure 4. A study was carried out of a real life experience of a prominent bank
in Mumbai in meeting large scale disaster – deluge of July 2005. The case study is
presented in Annexure 5. The information regarding BCM experiences is clustered as
per the perspective of strategy, operations and technology.
4.3 Essential Ingredients of Successful BCM Implementation in Banks

The research highlighted several salient features of successful BCM Implementation.
It was found that most banks address the issue with the organizational focus on strong
technology and facility infrastructure. Most large banks have near world-class facility
94
and technology infrastructure in place as well as the organizational structure and
processes to ensure continuity in the event of disruptions. Banks are also factoring in
their BCM implementation “softer” issues such as customer satisfaction (e.g.,
convenience, ease, feel-good, etc.), esteem (the image of the bank in the market and in
the eyes of customers), and climate (motivation levels of employees and partners).
The “harder” issues such as IT Infrastructure, facilities, procedures, etc. have already
attained a high degree of maturity in most banks. These are taken as “given”.
Therefore banks are now aspiring to attain a higher BCM maturity level by taking
necessary actions to improve the softer aspects noted earlier.
The essential ingredients of successful BCM Implementation as culled out from the
research findings are grouped in three clusters, - Strategic, Operational and
Technological and discussed in this section
4.3.1 Strategic
The Strategic cluster encompasses the following factors that top management should
consider while setting out policy to institute reliable BCM practices.
4.3.1.1 Multiple Delivery Options

“Banks delivering their products and services through a wide range of delivery
channels: Branch Outlets, ATMs, Phone and Internet Banking, Kiosks and Mobile
Devices provide the freedom of choice to customers to transact using the channel they
are comfortable with or which is available to them at ease”1. Such banks are generally
found to be at a higher level of continuity from the customers’ perspective.
4.3.1.2 Customer Focus

“The implementation of core banking and other IT solutions have made the huge
workforce of SBI available to undertake more value-added tasks such as supporting
and helping customers” remarked the Assistant GM, State Bank of India (SBI), the
largest public sector bank in India2 (Phanse 2005). With the IT-enabled self-service
transaction handling systems becoming common place in the banking industry,
differentiation in products and services can only be achieved through a personalized
customer-centric approach. The goodwill of customers results in their showing a
greater degree of tolerance and support when the bank goes through troubled times.
1
http://www.icicibank.com
2
Excerpts from the interviews with Ms. Nayana Phanse, AGM, SBI, Regional Office, BKC Mumbai on 23rd
December 2005 and 18th January 2006.
95
“The business does not stop (apparently) from the customer’s perspective even if
there is a discontinuity that is short-lived. In other words, the tolerance limit of
customers to accept disruptions is more if they are satisfied with the bank’s delivery
systems”3.
4.3.1.3 Concept of “Bank Customer”, Not “Branch Customer”

“HDFC pioneered the concept of customers belonging to the bank and not a branch,
as was the case prevalent then. A customer can transact in any branch of HDFC
anywhere in India (now also abroad)”4. Customers are viewed as “Bank Customers”
and not “Branch Customers” from a BCM perspective.
4.3.1.4 Trust of Society at Large

Banks that serve various levels of society in urban and rural areas as well as in the
personal and business segments enjoy a higher level of trust of society. “SBI is
present, that too very significantly, in personal banking, industrial banking, corporate
banking, rural banking, international banking etc. Almost the entire nation and that
too all levels know the bank by way of personal experiences” remarked a senior
official from SBI5 (Purohit 2006). The participants of economic activity in society,
wherein there is interaction between small, medium and large businesses as also
between the moneyed and not-so-moneyed people, channel their banking relationships
with certain large banks. Such banks enjoy greater trust and faith about their strength
in terms of continuity, particularly, from the financial perspective. The customer does
not feel insecure in investing in banks with larger net worth. Such banks hence enjoy
very high level of continuity in the perception of society at large.
4.3.1.5 Rich Collaboration

Certain banks, for example, HDFC, have successfully entered into profit-sharing
arrangements with a wide range of businesses to implement e-transactions in online
shopping malls, railways, online trading and online auction sites6. These arrangements
provide more outlets to effect transactions. The probability of disruptions is reduced
through increase in the number of banking “touchpoints”.
3
http://www.hdfcbank.com/aboutus/general/Business_Focus.htm
4
http://www.hdfcbank.com/wholesale/default.htm
5
Excerpts from the interviews with Mr. S. S. Purohit, DGM, SBI Zonal Office (West), Mumbai on 28th
December 2005, 24th January 2006 and 16th March 2006.
6
96
4.3.1.6 Trusted Partnership
“A large public sector bank has teamed up with Tata Consultancy Services (TCS), the
total IT solutions company for software project implementation, maintenance and
system administration. The hardware is supplied, supported and maintained by HP.
The network services are maintained and managed by Data Craft. The partnership
with these companies is a comprehensive one and is built on mutual faith and trust” 7.
The partnering organizations such as TCS and HP see synergistic arrangements for
mutual growth and are hence “locked-in” with the bank. Such arrangements are
comprehensive, rugged, robust and scalable, thus ensuring a high degree of
continuity.
4.3.1.7 Centralized Processing

Most large banks resort to central processing of a large number of transactions. “The
infrastructure at the central hubs has adequate alternate and failsafe systems to ensure
high availability and continuity”, remarked the AGM, SBI8 (Phanse 2005). This
allows their employees to devote more time to customer service, as they are relieved
of the back office processing work, which is pushed to central hubs.
4.3.1.8 Range of Customer Segments

Larger banks service a vast range of customer segments. “Differentiated and higher
levels of service are rendered to certain specialty groups (high-value, retired, etc),
thereby ensuring customer lock-in”. This bondage with satisfied customers leads to
greater tolerance on their part, which will support the recovery phase of the bank
when it has a major disruption.
4.3.1.9 Leverage Internal Strengths

Navale (2002) believes that banks that synchronize their operations with the internal
organization culture exhibit a greater resilience for combating eventualities. For
example, if employees are comfortable with Lotus Notes, it would be advisable to use
that tool for the unstructured workflow processes which are not covered by the core
banking solution9 (Navale 2002).
7
“TCS-FNS emerges as most widely deployed core-banking solution in the country”,
http://www.tcs.com/0_media_room/releases/200603mar/TCS_FNS.htm
8
Excerpts from the interviews with Ms. Nayana Phanse, AGM, SBI, Regional Office, BKC Mumbai on 23rd
December 2005 and 18th January 2006.
9
Samrat Navale, e-Finance for Development - An Indian Perspective, Monterrey, Mexico, March 19, 2002
http://r0.unctad.org/ecommerce/event_docs/monterey/mor-icici-india-EFfD.ppt
97
4.3.1.10 A Hybrid Approach of “Old Economy” Manual and IT-Based Systems
“SBI, whilst embracing technology for automation, has retained its culture of the old-
economy days of running business in branches. There are multiple delivery channels
to transact business. However, experience has shown that when disaster hits, you need
people to manage the crisis, particularly as regards emotions that are most important
to defuse the situation. No technology can substitute this”10 (Purohit 2006). Banks in
India ought to have a judicious mix of “manual” and “IT-enabled” processes as there
are limitations of infrastructure, capital for investment and slow-changing mindsets.
4.3.2 Operational
The factors that go into development of operational processes and structure to ensure
higher levels of Business Continuity in banks are discussed below:
4.3.2.1 Automation
“It reduces reliance on human knowledge of processes thereby reducing dependence
on specifically trained personnel and giving greater flexibility to the bank in
utilization of its human capital and also allowing the work force to address more
value-added activities” remarked Munish Mittal, Assistant Vice President of
Information Technology, HDFC Bank 11.
4.3.2.2 Technology for Competitiveness

Banks that endeavor to remain a leader in adopting the latest technology to enhance
efficiency in delivering services such as B-to-B EDI systems show greater resilience.
12
(Ray 2005)
4.3.2.3 Product Innovations

The wider the range of product options, the higher is the probability of continued
business. “HDFC innovated in bringing differentiated products like Private Banking
and Smart Cards. Private banking provides specialized banking, financial and
investment services to high net worth individuals and institutions. Smart Cards have
10
11
http://www.hdfcbank.com/wholesale/prd_glance.htm
12
Ray, Atmadip, (2005), “Banks Gear Up To Set Up Disaster Recovery Centres”,
http://economictimes.indiatimes.com/articleshow/1186027.cms
98
multi-application capability (insurance, e-purse, toll payments, etc.) and can run on
multiple technology platforms” 13.
4.3.2.4 Integration of Diverse Products

Integration of diverse products using enterprise applications improves employee
productivity and increased customer satisfaction by providing a single view across
applications14 .
4.3.2.5 Innovations in Delivery Channels

The bank that innovates in coming up with a wider range of services and products
delivered reliably through multiple channels provides greater accessibility and
availability to their customers. “Internet based self service solutions earn confidence
of customers and improves chances of enhanced cross-selling”15 (Navale 2002).
4.3.2.6 Multi-Channel Integration

A high degree of integration of all channels of delivery improves efficiency and
ensures greater promise as regards continuity owing to regular availability of a
medium for transactions through multiplicity of touchpoints.
4.3.2.7 Finger on the Pulse of Technology

Banks, who embrace technology for automated service delivery, benefit from higher
degree of operating efficiency and continuity. “SBI has teamed up with Reliance
Infocomm to install CDMA based wireless ATMs at remote locations. The bank has
excellent electronic fund transfer solutions using STEPS and SEFT. The bank has
advanced MICR processing equipment. It has Internet-based facility for handling
trade finance transactions for corporate and commercial network branches”, remarked
a senior official of the bank 16 (Prabhakar 2006).
4.3.2.8 Optimal Utilization of Disaster Recovery (DR) Site

“HDFC’s DR site at Chennai is designed to ensure near zero data loss and is manned
24X7. The DR site is online and data from the banking system is replicated every 15
13
14
http://www.icicibank.com/
15
Navale, Samrat, (2002), “e-Finance for Development - An Indian Perspective, Monterrey, Mexico,
16
Excerpts from the interviews with Mr. T. Prabhakar, Dy. General Manager (IT - Technical), SBI Corporate
Centre, Navi Mumbai on 12th January 2006, 10th March 2006 and 7th April 2006.
99
minutes and is designed for a quick changeover”17 (Sirsalewala 2003). The load is
optimally balanced between the main site and the DR site, which takes the operating
load at pre-designated instances. Large numbers of ATMs connect to the DR site for
normal operations with a facility to changeover to the central site when required. This
also keeps the staff as also the systems at the DR site fully functional and attentive.
“There have been instances in installations of other banks wherein the changeover to
DR sites during failure has been delayed making the arrangement questionable”
(Sirsalewala 2003).
4.3.2.9 Physical Security

The access permissions and rights must be defined at various levels - administrators,
operators and trainees - and should be closely regulated for use as well as change of
roles. “The entry to the data center and sensitive areas is highly regulated through use
of ID cards, security strings and biometrics. Movement of personnel and assets is
regulated and logs are kept for monitoring and analysis. All without exceptions are
required to declare contents and purpose of media being carried while moving from
anywhere to anywhere within the organization”, as noted by an official of UTI Bank18
(Kaul 2003).
4.3.2.10 Customer Sensitivity Monitoring

Progressive banks proactively test their employees for customer sensitivity on a
regular basis. “UTI engaged in an initiative called Mystery Customer Shopping,
wherein the project team members simulate an exercise by visiting bank branches as
pseudo customers to observe and measure their behavior. They also visit other banks
and benchmark the observations with their own bank and suggest improvements /
modifications”.
4.3.2.11 Optimizing the IT Workforce

The IT departments of banks, who have experienced success in their BCM
implementation, comprise a rich blend of functional and technical specialists to ensure
smooth flow of operations related to transactions and customer service. The HDFC
experience is a case in point: “The areas of technology operations related to
application support and facilities management are outsourced. The distribution of
17
Sirsalewala, Minu, (2003), “Technology converges at HDFC Bank”,
http://www.networkmagazineindia.com/200305/tech3.shtml
18
Kaul, Hemant, 2003, “Customer Focus Banking. The UTI Bank Experience”,
http://www.som.iitb.ac.in/ppts/hemant.ppt
100
work to the right groups, both internal and outsourced, provides better resilience to
meet any eventuality”19 (Sirsalewala 2003).
4.3.2.12 Location of Assets

“A large bank has taken special care to locate sensitive assets such as server rooms,
communication equipment, data centers and work places in a manner that they are not
affected by small and large accidents such as fire, flooding, etc”20. This aspect is often
neglected and most important assets are generally housed in basements or in places
which could be easily spared, whereas these have to be carefully located to withstand
any unforeseen eventuality. “It is commonplace to find captive power plants, UPSs
and air-conditioning equipments in the basements, which are affected the most in the
unlikely event of flood and earthquakes”21. The major disruptions caused by the
Mumbai deluge of July 26, 2005 are a testimonial to this danger.
4.3.2.13 Incidence Reporting and Monitoring

The practice of timely reporting and monitoring “exceptions” instill the right culture
and resilience in the organization to ensure prevention of incidences, rather than
looking for cures. The UTI practice states: “Our bank, where Vigilance is the
watchword, ensures that all personnel log security incidences regularly. These are
picked up, acted upon and subsequently analyzed by the helpdesk staff. The security
coordinator and a high level committee periodically analyze these reports, identify
loopholes, work out methods to counter them and promulgate them organization-
wide”. 22
4.3.2.14 Internet Discipline

Progressive banks enforce strict guidelines for operators who connect to the Internet
for operations or monitoring to ensure that good practices are followed to prevent
security breaches23 (Ramanathan 2006).
19
20
“TCS-FNS emerges as most widely deployed core-banking solution in the country”,
21
TCS-FNS emerges as most widely deployed core-banking solution in the country”,
22
23
Ramanathan, R.N., (2006), “Transforming a Giant: SBI ensures a smooth transition”, http://www.financial-
insights.com/FI/events/FTA06/downloads/presentations/rn_ramanathan.pdf
101
4.3.2.15 Business Continuity Planning (BCP)
BCP in banks aims at ensuring minimum downturn of business and speedy recovery
of work area and data center sites. It has well-documented and communicated actions
to be taken during a crisis. “The BCP at UTI, developed with the help of TCS and
IBM, is complete and comprehensive, and caters for a large number of discontinuities:
technological, man-made and natural disasters. The plan is reviewed periodically for
corrections and upgrades”.
4.3.2.16 Proprietary versus Open Systems

“UTI’s IT infrastructure is supported on server and storage solutions (IBM pSeries
Power4 plus and SAN) at their central data center in Mumbai. The bank has made
efforts to also create facilities on open systems hardware and software. This is
primarily to leverage the excellent skills in UNIX and Linux present amongst the IT
staff”.24 (Shrikanth 2005) Open systems provide an alternative to proprietary systems,
which makes the organization “highly vendor-dependent”. It also presents options of
running parallel systems at a lower cost but almost as efficient, thus enhancing
resilience for continuity.
4.3.2.17 Relationship with Government Machinery

“SBI manages banking requirements of governments at Centre, State and large cities
(municipal councils). The bank has relationships with most large and medium-sized
corporates” remarked the Deputy GM, SBI25 (Purohit 2006). These relationships
provide good support in the event of disasters as was seen in the recovery of the bank
from major disruptions caused by forces of nature and man-made reasons in the recent
past.
4.3.3 Technological
The following practices are crucial when setting up and operating technological
structures to ensure a high level of continuity in banks.
4.3.3.1 Efficient Data Sharing

Banks should share data across products: banking, loans, investments, etc. This results
in better information systems for bank operations. In addition, customers can obtain
24
G., Shrikanth, (2005), “SERVERS AND WORKSTATIONS: Going FullSteam”,
http://www.dqindia.com/content/DQTop20_05/serversandworkstations/2005/105071808.asp
25
102
an integrated view of their business with the bank, creating both “real” and “virtual”
continuity26.
4.3.3.2 Reliable Data Protection

IT-enabled operations of gigantic volumes, such as those experienced at the data
center of a bank, can only be sustained by providing appropriate protection. The
enterprise servers coupled with appropriate positioning of security infrastructure
should provide data protection at various levels while transactions are in process27.
4.3.3.3 Balanced Portfolio of Applications

“The bank using the right combination of standard core banking solution from quality
software providers and in-house developed tools, which provide higher efficiency and
are more comfortable for the workforce, is less dependent on a particular vendor. This
ensures higher degree of Business Continuity”, remarked a senior official of ICICI
Bank 28 (Adepu 2006).
4.3.3.4 Best-In-Class IT Infrastructure

The IT infrastructure ought to be scalable and should deploy the latest technology.
“The use of latest technology ensures faster response, higher security, better
accessibility, higher productivity and uninterrupted business. The infrastructure ought
to be built using best-in-class servers, highest-level available security scheme and a
rugged and reliable mesh network to support high-speed and secure data
transmissions”, as noted by the ICICI bank official (Adepu 2006).
4.3.3.5 Data Center Availability and Disaster Recovery

The dynamic requirements of progressive banks necessitate the establishment of
quality and world class data center(s) together with a Disaster Recovery site to
provide a highly reliable and efficient IT setup that ensures availability and data
protection. “The hardware, software and data communication setup needs to be
26
“Boosting Datacenter Availability for Largest Private Bank in India with the Help of Symantec”,
http://eval.veritas.com/downloads/sus/ICICI_Bank.pdf
27
28
Excerpts from the interviews with Mr. Bondaiah Adepu, Manager – IT, Global Trust Bank 22nd February
2006 and 27th April 2006.
103
maintained by partners who have the ability to solve a whole class of problems and
not just the elements provided and supported by them” 29 (Ray 2005).
4.3.3.6 Disaster Recovery Setup

“SBI’s main data center is at Belapur, which houses the central database in a
hierarchical client server setup. The bank’s disaster recovery setup is at Chennai. The
DR setup at Chennai is designed for a Recovery Time Objective (RTO) of five hours.
The DR site is manned 24X7 and has adequate changeover facilities”30 (Ramanathan
2006). The data center was hit briefly during the Mumbai floods, which affected
banking operations throughout the bank since most banking solutions are now
Internet-based. “The problem was with the location of power supply units in the
basement which got flooded and hampered process of recovery” according to the
DGM, SBI31 (Prabhakar 2006).
4.3.3.7 Shared Storage Options

Banks have to handle humongous growth of data, particularly, when using a common
database across products and services and multiple delivery channels. This
necessitates deployment of fast but reliable data storage both for online operations and
backups. The bank storage, therefore, has to be a perfect blend of disk and tape-based
online storage-cum-backup arrangements using heterogeneous platforms which are
monitored by advanced tools.
4.3.3.8 Systems Administration

Banks ought to invest regularly in training the technical staff on key aspects of
network and systems administration to ensure smoothness of operations32.
4.3.3.9 Backup
Storage on Network Attached Storage (NAS) enhances recovery capabilities as the
storage device can be located anywhere on a Local Area Network (LAN) and these
devices have all the functionalities of a server. “A large bank that currently deploys
29
30
Ramanathan, R.N., (2006), “Transforming a Giant: SBI ensures a smooth transition”, http://www.financial-
insights.com/FI/events/FTA06/downloads/presentations/rn_ramanathan.pdf
31
Excerpts from the interviews with Mr. T. Prabhakar, Dy. General Manager (IT - Technical), SBI Corporate
Centre, Navi Mumbai on 12th January 2006, 10th March 2006 and 7th April 2006.
32
104
SAN is also contemplating installation of NAS. The bank enforces strict policy of
regular backups”33 (Sirsalewala 2003).
4.3.3.10 Database Security

This is implemented by configuring and executing integrity checks at multiple levels:
user level, application level and data administration level34.
4.3.3.11 IT Security
IT security should be implemented at both the systems and user levels. The system
level security is implemented at the network level by installing catalyst switches and
Intrusion Detection System (IDS). Intra- and inter-application level security is
implemented through access control using authentication at application ports and
firewalls. This creates VLANs for applications running on various delivery channels.
“UTI enforces access control using the model of PKI deploying “certifying authority
servers” for administering “session keys” and “registration authority servers” for
generating digital signatures” 35 (Shrikanth 2005).
4.3.3.12 Speedy Server Rebuilding

The multiplicity of operations across diverse platforms makes server rebuilding an
essential requirement. “The Net Backup Bare Metal Restore Option has enabled ICICI
to reduce server rebuilding time by almost 50 percent”.36 (Ray 2005)
4.3.3.13 Redundancy of Hardware and Network

Building appropriate redundancy improves continuity levels. “HDFC’s infrastructure
has redundant hardware and systems to ensure a higher degree of continuity. Each
branch connects to a regional hub as well as to a central data center with a quick
changeover option. There are multiple data links, both leased and private, to facilitate
data transfer”37 (Sirsalewala 2003).
33
34
35
G., Shrikanth, (2005), “SERVERS AND WORKSTATIONS: Going FullSteam”,
36
37
105
4.3.3.14 Network Management
Managing networks using remote control systems enables IT staff to install, manage,
de-install and upgrade software from a central location thereby improving efficiency
of Network Management and enhancing continuity. “HDFC deploys Unicenter remote
control solution to manage its network which has resulted in high efficiency in
managing the infrastructure and savings. The solution being network-based and with
alternate pathways in it comes handy while recovering systems from failure
remotely”,(Sirsalewala 2003).
4.3.3.15 Internet Banking Software

Web-based banking solutions provide multi-exchange, multi-segment, multi-currency,
single-window and intelligent decision support system for proactive client
management. “The customizable and user-friendly environment provided by Internet-
based banking solutions prevents blockages of transactions due to lack of information
and thus enhances continuity” 38 (Pandey 2006).
4.3.3.16 Server and Storage Consolidation

Currently most large banks are bringing in state-of-the-art infrastructure practices
such as server virtualization and consolidation to reduce the clutter of servers. This is
effected by better utilization of servers located anywhere in the setup, not just the
central data center, which are made to work as central servers (virtually). “This
provides greater degree of resilience, as all eggs are not in one basket, i.e., all servers
in the central data center”, (Sirsalewala 2003).
4.4 Learnings from Case Study

The success of SBI in meeting the catastrophic floods that submerged the city of
Mumbai on July 26, 2006, wherein the bank recovered back to life within 36 hours
whilst others remain crippled for almost 5 day, can be attributed the following
strengths:
4.4.1 People and Procedures

The employees displayed high sense of belonging and shouldered responsibility
during the disaster and provided continuity. This is attributed to the rich culture of
empowerment and enablement, clear definition and communication of policy and
38
Excerpts from the interviews with Mr. Dinesh Pandey, AGM, SBI on 4th April 2006 and 26th June 2006.
106
procedures and regular job rotation, training and interaction of employees with senior
management. This ensured that employees are aware of functioning of other
departments enabling them to take up roles of those who are absent and ensure
continuity. The implementation of Core banking solution removed load of back office
processing allowing staff to focus on delivery and support thereby enhancing service
levels and more personal contact with customers.
4.4.2 IT infrastructure
SBI has world class IT infrastructure at Central Data Center at Belapur as also in the
other Regional Data Centers. These are well equipped with safety and environment
control management systems supported by third party agencies. The systems are
based on advanced practices and professionally managed. These centers have remote
management capabilities and are organized in a manner that they replicate each
other’s data and systems, in real time and asynchronous modes, as near and far sites
and can substitute each other if one is not functioning.
4.4.3 DR organization
The DR organization is suited to ensure faster recovery during disruptions. This is
achieved by ensuring that alternate sites are loaded with real transactions regularly to
keep them DR ready. In case of disasters the emergency organization (Controller and
support staff) comes into force to run the data centre from alternate locations as per
specified and well-rehearsed procedure. Emergency procedures and details of layout
of all emergency equipment and continuous breakdown drills, access controls to
various locations, cash lockers, availability of duplicate/alternate keys and emergency
power supply etc are communicated to all concerned.
4.5 Status of BCM Essentials in Banks – A Snapshot

The essential ingredients described in Section 4.8 under “Strategic”, “Operational”,
and “Technological” clusters, were re-visited by obtaining focused responses from the
26 senior officials of the selected banks to objectively ascertain the status of these
ingredients “as they exist” and “as they should be”. The findings are summarized
below for each of the three clusters and inferences drawn indicated.
107
4.5.1 Strategic
Table 4.1 Importance / Criticality Status – Strategic Ingredients
Importance/ Status in
Srl. Essential Ingredient Criticality Bank
(% Respondents)
1. Multiple Delivery options 90 65
2. Customer Focus 85 80
3. Concept of “Bank Customers” 80 65
4. Trust of Society at Large 80 50
5. Rich Collaboration 75 55
6. Trusted Partnership 75 55
7. Centralized Processing 75 65
8. Range of Customer Segments 65 50
9. Leverage Internal Strengths 55 40
10. Hybrid Approach of “Old Economy” 50 40
Manual and IT-Based Systems
“Customer Focus” is the only essential ingredient where the current Status has
matched the perceived Importance / Criticality. This is true to a slightly lesser extent
with regard to “Centralized Processing”. Stark differences are seen for five other
ingredients, #s 1, 3, 4, 5 and 6, where the Status is at a much lower level than the
highly-rated Importance / Criticality of that ingredient. Three of the ingredients, #s 8,
9 and 10, were rated lower than the others in terms of Importance / Criticality; and,
the current Status of these ingredients is also low.
108
4.5.2 Operational
Table 4.2 Importance / Criticality Status – Operational Ingredients
Essential Ingredient Criticality Bank
(% Respondents)
1. Automation 90 80
2. Technology for Competitiveness 90 75
3. Product Innovations 80 70
4. Integration of Diverse Products 85 65
5. Innovations in Delivery Channels 85 65
6. Multi-Channel Integration 90 70
7. Finger on the Pulse of Technology 80 65
8. Optimal Utilization of DR Site 70 70
9. Physical Security 70 80
10. Customer Sensitivity Monitoring 70 55
11. Optimizing the IT Workforce 65 55
12. Location of Assets 65 65
13. Incidence Reporting and Monitoring 60 60
14. Internet Discipline 55 50
15. Business Continuity Planning 55 50
16. Proprietary versus Open Systems 50 50
17. Relationship with Government 50 40
Machinery
Ingredients 1, 2, 3, 4, 5, 6 & 7 are all rated highly with regard to Importance /

Criticality, whereas Status reasonably matches this requirement only for
“Automation”. For the other 6 ingredients rated highly, the Status is only at a
moderate level.
Interestingly, “Physical Security” is the only ingredient where the Status is rated
higher than Importance / Criticality.
Four of the ingredients, #s 14, 15, 16 & 17, received a low Importance / Critical rating
that is matched by the current Status in the bank.
109
4.5.3 Technological
Table 4.3 Importance / Criticality Status – Technological Ingredients
Essential Ingredient Criticality Bank
(% Respondents)
1. Efficient Data Sharing 90 80
2. Reliable Data Protection 90 85
3. Balanced Portfolio of Applications 85 70
4. Best-In-Class IT Infrastructure 80 65
5. Data Center Availability and DR 80 70
6. Disaster Recovery Setup 80 70
7. Shared Storage Options 75 65
8. Systems Administration 75 75
9. Backup 75 80
10. Database Security 75 75
11. IT Security 70 70
12. Speedy Server Rebuilding 65 60
13. Redundancy of Hardware and Network 65 55
14. Network Management 65 55
15. Internet Banking Software 55 50
16. Server and Storage Consolidation 55 50
“Efficient Data Sharing” and “Reliable Data Protection” are two highly rated
ingredients with regard to Importance / Criticality, which are also matched reasonably
by the current Status in the selected banks. Four ingredients, “System
Administration”, “Backup”, “Database Security” and “IT Security”, on the other
hand, stood out since the Status is rated on par or even a little higher than Importance
/ Criticality for these ingredients.
Several essential Technology ingredients, item #s 3, 4, 5, 6 and 7, received a high

rating with regard to Importance / Criticality but the “Status” was rated lower. Five
other ingredients, #s 12, 13, 14, 15 and 16, received a moderate to low Importance /
Criticality rating; and, the Status for these ingredients show a reasonable match.
110
The BCM practice prevalent in large and medium banks surveyed for the purpose of
this study can be summarized in three categories (Strategic, Operational and
Technology) as below:
4.6.1 Strategic
a. The mission and vision are well defined and communicated in private sector
banks. These, though well-defined, are not adequately communicated or
comprehended by all levels (particularly functional level) in case of PSU banks.
b. Most large and medium banks provide extensive portfolio of products and
services involving Multiple Delivery options. The level of multi-channel
integration is higher in case of private and modern banks though the other banks
are now attributing importance to this aspect and are catching up. Large banks
service wider range of customer segments as compared to medium banks. All
banks have realized the importance of multi-portfolio, multiple delivery and
multi-customer products and service to be driver of higher level of continuity.
c. There is high degree of automation in all medium and large banks as far as core-
banking system is concerned. The integration of diverse products is achieved to a
higher degree in private and modern banks. Other banks are now making efforts in
this direction. Integration and automation of systems is considered crucial to
business continuity by most banks.
d. Technology is regarded as backbone of higher efficiency, effectiveness and

competitiveness in most banks. Efforts are being made to keep the technology
current and relevant. This is true for core banking solutions in all large and
medium banks. There is higher dependence on technology in case of private sector
banks. Public sector banks pursue a hybrid approach where in there is still faith in
“Old Economy” manual systems working symbiotically with modern IT-Based
Systems.
e. There is high degree of innovation in providing better and efficient service by

most banks. This is achieved by providing value added and multiple services to
the customers.
f. There is a drive towards implementation of quality standards (Basel II norms)

along with mandatory RBI instructions. The levels are varying from high to
moderate in private and public sector banks respectively.
g. BCP is practiced in most banks with varying degree of sincerity and effectiveness.
Criticality of processes as regards continuity is appreciated but not clearly
111
articulated. BCM is not found to be clearly integrated with normal operating
procedures when it comes to actual operations.
h. Banks do not have appropriate measures of effect of disruptions on their

customers and the degree of their “tolerance limit” (the point at which customers
get unduly worried after a disruption takes place as regards service or security of
their investments. Modern banks that follow the approach of “Bank Customers”
and not “Branch Customers” (i.e. transactions can be honored by any branch of
the bank) are better off in this regard. There is an increased attention towards
“customers’ satisfaction”.
i. The sensitivity to issues of brand management & image are found to be lower in
public sector banks. Issues related to maintaining good public relations and
ensuring implementation of succession planning in the event of discontinuities is
not formalized or adequately communicated in most banks. This is considered to
be an important factor in achieving greater level of “Trust of Society at Large”.
j. Knowledge Management practice is only ‘good to have item on banks’ agenda.

No specific efforts are made by banks to gather benchmarking data of
contemporary banks to monitor their own performance.
k. Most banks carry out reviews of their BCM practice annually and communicate
upgrades / modifications through intranet and internal publications.
4.6.2 Operational
a. Most banks have fairly good assessment of effect of non-availability of key

personnel on maintaining higher levels of continuity. In most cases quantification
of impacts (operational, financial and image) are not adequately comprehended.
b. Most banks have, as a part of BCP, enunciated procedure to effect “manual

workaround” as an alternate to technology driven processes. These however, are
not communicated and rehearsed. Large PSU banks have written down
instructions, which are issued in the form of a booklet to functional managers.
c. Sensitivity to good customer service is appreciated by most banks but not to the
extent of desired levels. The efforts to assess and improve performance as regards
efficiency and customer service was found only in few cases where banks made
formal and planned efforts to carry out “Customer Sensitivity Monitoring”
deploying specific tools and methodology.
d. The safety procedures to be adopted in the face of eventualities have been worked
out. There is however a need for better elaboration, communication and training to
ensure compliance. The implementation of safety instructions has not been
112
challenged in India to a significant level, thereby, leaving skepticism about
vibrancy of Disaster Recovery Setups.
e. Most banks resort to outsourcing of non-core functions. Modern banks have,

however, instituted an efficient and specific contracting scheme to manage
outsourcing using software. Banks are putting together collaborations in the area
of owning & managing assets and IT infrastructure with trusted partners.
f. Most banks are sensitive to changes in market or regulatory conditions. The public
sector banks have an advantage of better relationship with government and civic
machinery, which comes handy in recovering from disruptions.
g. Incidence reporting and logging instructions exist in most banks. These are
however, not adequately communicated and comprehended.
h. There is increased awareness in banks in providing regular training to their

employees on emergency procedures. There ought to be a reward (as also
punishment) system to ensure high degree of performance in this regard.
i. The knowledge workforce (particularly IT staff) needs to be deployed optimally.

The discipline in using IT assets for operations and communications, though
satisfactory, can be improved.
j. All banking operations documents are automated in most banks. The level of
automation of internal management systems (assets, HR…) is low in public sector
banks.
4.6.3 Technological
a. Most banks have implemented Core Banking Solution (Finacle, Spectranet, FNS),
Internet Banking and CRM solutions thereby implemented a balanced portfolio of
applications across products and delivery channels. There is a greater reliance on
proprietary solutions for banking applications except in few cases where banks
have gone in for a combination of proprietary and open systems.
b. Most banks have near state-of-the-art IT infrastructure housed in modern Data

Centres and advanced Hardware, Storage and Backup systems. There is high
degree of reliability ensured by efficient data sharing systems, server and storage
consolidation, data protection and redundancy of hardware and network.
c. There is a higher degree of continuity for banking operations in the case of large
and medium banks owing to the RBI sponsored NIFNET, which ensures sufficient
redundancies to sustain inter-banking operations (RTGS, EFT, SFMS, etc).
113
d. The disaster recovery setup is fairly advanced (particularly in case of private
sector banks) by implementation of “near & far” and “hot & cold” sites that work
in conjunction with the main Data Centres. Banks have optimized utilization of
their Data Centres by relocating assets and more frequent use of DR sites for
selected operations.
e. All banks have well-managed (mostly outsourced) bandwidth with alternate/

redundant modes of telecommunications (private, public and combination). Most
banks have advanced bandwidth management and security systems provided by
the best in class agencies.
f. Security policy in banks is reasonably documented and implemented. Most banks

have comprehensive applications to take care of security of applications and
databases.
g. The Physical Security of Data Centres, ATMs and other business touch points is
found to be implemented using computerized and modern access control and
security systems (fire and damage control). There is extensive use of automation
tools for facilities management. There however, need to be reviewed more
frequently.
h. Banks have put together efficient teams (in-house or outsourced) to carry out tasks
related to Systems Administration, Backing up, Network Management, IT
Security and also current practices of optimization such as Speedy Server
Rebuilding. The skill levels achieved are of a high level.
i. The aspect of insuring assets, both IT and non-IT was found to be lacking or
minimal.
4.7 Conclusion
The level of understanding of factors that are regarded crucial to successful BCM
implementation by large and medium banks and the current degree of achieving them
so as to achieve higher levels of continuity, are summarized below:
4.7.1 Considered highly crucial and implemented to higher degree of effectiveness
Banks endeavor to achieve high level of customer satisfaction by providing multiple

innovative products and services delivered through multiple delivery channels. They
have to deploy current and dependable technology to achieve higher efficiency,
effectiveness and competitiveness. This is ensured by high degree of automation in
114
core banking processes and building efficient value added services that are IT enabled
on these processes.
4.7.2 Considered highly crucial but implemented to moderate degree of effectiveness
IT infrastructure involving Data Centres, Servers, Storage and Backup systems must
be of high quality and reliability and kept current by deploying modern practice of
efficient data sharing, server & storage consolidation, data protection and redundancy
of hardware and network. Physical Security of sensitive assets must be ensured using
computerized and modern access control and security systems. The services offered
by banks must be integrated using Internet and advanced CRM solutions. These
features are present to a high degree in Private and foreign banks and now receiving
the attention of banks’ management and being improved in Public sector banks.
4.7.3 Considered moderate and implemented to moderate degree of effectiveness
Allocation of roles & responsibilities to key personnel in running alternate processes

is crucial to maintain higher levels of continuity during disruptions. The performance
levels of the workforce must be kept high in normal times to ensure they handle
emergency situations efficiently during disruptions. Procedure to affect “manual
workaround”, adopt “correct safety procedures” and “Incidence reporting and
logging” in the face of eventualities must be defined elaborately and communicated to
all concerned. These are found to be at staggering levels in most banks.
Comprehensive BCM organization must be put in place by identification of

vulnerability of critical processes with quantification of their impact and alternate
method of ensuring their continuity. These must be well documented and
communicated to all concerned. BCM must be reviewed regularly to assess and
improve of efficiency, customer service, security policy and practice. Banks to have
BCM plans and organization but operationalizing them in face of eventualities needs
to be desired.
4.7.4 Considered moderate and implemented to average degree of effectiveness
The level of adherence to international quality standards (Basel II) and insurance of
IT and non-IT assets in most banks is found to be below what is practiced by banks in
advanced countries. The practice of forging collaborative relationships with trusted
partners and civic machinery in owning and managing IT infrastructure assets for
sustained and continuous high performance is almost absent. There is very little
115
sensitivity to issues of brand management & image that give rise to increased faith in
bank’s ability to recover during disasters.
4.7.5 Validation of BCM implementation Model
The framework to implement BCM (from planning to execution) including recovery

to normalcy after encountering an eventuality formulated from the learnings of
literature review was validated and enhanced during the interactions with bank
officials during the above described survey. The comprehensive BCM Model based
on literature survey, particularly, the experiences of Business Continuity & Disaster
Recovery Institutes, Canada and the implementation experiences of Banking,
Financial Systems & Insurance (BFSI) Consultants and Chief Information Officers
(CIOs) of banks who have been engaged in spear heading BCM projects, has been
enumerated in Annexure 1.
4.7.6 Parameters for BCM Model Development
The survey of banks of enabled identification of fifty three parameters – ten at

strategic level, sixteen at operational level and seventeen at technological level. These
parameters were articulated based on the actual experiences of five major banks at
Mumbai who have implemented BCM (though to varying degrees of levels of
execution). All of them conformed to the suggestions mentioned in literature to a
large extent with variations in mode of operations that is due to differences in
infrastructure and banking habits prevalent in India. These parameters and other
observations made by respondents together with learnings from literature form the
basis of Model development described in Chapter 5.
4.7.7 Agreement with hypothesis
The findings of the survey summarized in paragraphs 4.7.1 to 4.7.4 above are in
agreement with the first two hypothesis of study as below:
Attaining customer satisfaction by providing multiple innovative products and

services delivered through multiple delivery channels. This requires IT
infrastructure (Data Centres, Servers, Storage and Backup systems etc) of high
quality and reliability and deploying modern practice of efficient ICT
management.
116
The findings point at clear definition and communication of Procedure to affect
“manual workaround”, adopt “correct safety procedures” and “Incidence
reporting and logging” in the face of eventualities, to be pre-requisites of
successful BCM.
The issues related to collaborative relationships with trusted partners and civic
machinery and sensitivity to issues of brand management & image that give rise
to increased faith in bank’s ability to recover during disasters are finding
attention of senior management though the degree of attainment is low.
117
CHAPTER 5
BCM MODEL FOR BANKS IN INDIA
5.0 Preamble
This chapter addresses the issues pertaining to development and implementation of
Business Continuity Management (BCM) solutions for banks in India. The BCM
model to carry out a ‘Reality Check’ in banks before implementing BCM, to decide
on the right strategy and to assess the ‘post-implementation’ effectiveness, is
described in this chapter.
5.1 The Need for Business Continuity Management

Banks have formally been in existence for over 200 years. In the post-
industrialization era, they have become the hub of economic activity. This was
witnessed widely in the commercial sector or what may be termed as B2B (Business-
to-Business). Banks also had a significant growth in the development of society at
large by way of bringing about changes in attitude of customers by providing efficient
personal banking solutions that motivated them to appreciate virtue of owning assets
as individuals to the one in public domain. Advancements in technology, particularly
computerization and data communication, brought in an unprecedented dynamism to
the banking business. There have been changes in the outlook of society from that of
protectionism (saving assets for a rainy day) to that of entrepreneurial consumerism.
Investments, which were treated as expenditures earlier, are now viewed as the means
to maximize wealth and attain higher levels of advancement. The trend has evolved in
terms of generating funds from loans for housing and healthcare to education and,
today, even for entertainment and leisure!
The banking industry is challenged to address the varied needs and expectations of
diverse segments of society (such as youth, working people and retired personnel)
and business. Businesses may range from small to medium to large, from process to
discrete industry, from rural to urban, from national to global and so on. Each
segment has unique demands for a customized range of products and services,
combined with convenience, at low cost, “any time, anywhere”.
This paper proposes a model to design, implement, assess, and upgrade a business
continuity plan for banks. The key factors for a successful BCM implementation
have been identified based on an analysis of experiences by major banks in India. In
this context, the issue of BCM has been addressed in part by two other models: BCP -
Business Continuity Planning, and DR - Disaster Recovery. However, it is submitted
118
that the two put together do not provide the solution for BCM. They have helped a
great deal in streamlining organizational processes and infrastructure to ensure
continuity and were, perhaps, complete in a non-globalized, less competitive world.
But, today, there are newer challenges in the form of higher degree of expectations in
service levels, which transcend transactions and encompass issues dealing with
emotive faith and trust.
5.2 Methodology for Development of BCM Model and Metrics

The methodology to develop BCM Model and metrics to assess strength and
vulnerability of BCM intervention in Banks both prior to post implementation is
described in Chapter 3 paragraph 3.5.2 and Annexure 3. The basis for selection of
samples – banks, respondents in banks and experts who participated in the exercise is
enumerated in Chapter 3 paragraph 3.5.4.
The Steps taken to develop and test the BCM model together with metrics to measure
effectiveness are enumerated in Chapter 3 paragraphs 3.5.2 and 3.5.3 respectively.
These include:
a. Compilation of parameters from literature survey and primary data survey

described in Chapters 2 and 3 respectively.
b. The model development exercise was undertaken over a period of five months
with involvement of two senior officials, two supervisory officers and three to
four functional mangers of the target banks were involved in the model
development and testing exercise The steps followed in development of the
model are enumerated in Chapter 3 paragraph 3.5.3. The model got
progressively refined as the researcher and respondents gained finer insights
after every iteration.
c. The model was refined by administering it to bank officials at various levels
and critiqued by experts and consultants iteratively as per steps enumerated in
Chapter 3 paragraph 3.5.3
5.3 The BCM Model

The five components of the BCM model are briefly described in the subsequent
paragraphs:
119
5.3.1 Organizational
The bank must be clear in its vision and direction. The findings of the survey
highlight the importance of clear articulation of the strategic objectives with respect
to:
a. The markets and geographies to be served.
b. The scale, i.e. volumes, to be achieved each year.
c. The diversity of portfolio of products and services to be offered in line with the
demands of the segments being served.
d. The multiplicity of channels to be deployed for delivering products and services.
e. Innovative methods of differentiating products and services with a view to
enhance value to customers in a cost-effective manner.
f. The organization required to meet the above objectives.
g. The infrastructure building blocks required to meet the objectives in terms of
Information Technology, Communications, Security and Convenience.
5.3.2 Processes
This relates to processes for ensuring continuity of banking transactions, and not the
rules and regulations (banking or legal) governing those operations. The following
procedures need to be designed, communicated, practiced and reviewed periodically
to ensure continuity.
a. Alternate processes – Most banking processes are IT-enabled or automated. This

necessitates a clear cut scheme of alternate processes that can be resorted to in the
event of a technical disruption1 (Trivedy, 2006). Certain banks have a well
documented “Plan B”.
b. Responsibilities: Procedures to outline in clear terms who is to take
responsibility of a particular role which may be at a higher level than, or different
from, than his/her normal role in the event of the right person not being available
for whatever reason.
c. Options to Customers and the sequence in which they can resort to alternate
processes, channels, outlets etc. ought to be communicated, and a sensitivity
check made from time to time.
d. Alternate Channels of Delivery: All stakeholders, internal and external, should be
aware and comfortable to switch to alternate channels of delivery, for example,
from Branch to ATM to Internet.
1
Trivedy Ravi, Partner, KPMG and Girish V., Banking, Financial Services & Insurance, Consultant, Excerpts
from interviews, April 15, 2006
120
e. Alternate methods of communication to transact business or obtain information:
Paper-based, Internet-based, Voice-based or through third party such as call
centers and media agencies (television, newspapers, etc.) for informing clients
about alternative processes that have been put in place.
f. Support to Customers through multiple methods of providing support to
customers by way of self-service systems like AVR (Advanced Voice
Recognition), Websites, assisted call center help, customer relationship executives
and associate partners.
5.3.3 People
This is the most important and critical resource to ensure continuity of businesses on
both the demand and supply side. We identify four categories of people who should
be involved and be responsible to ensure business continuity. The “Soft
Requirements” for these stakeholders to engage in a collaborative manner to ensure
continuity are also outlined.
a. Employees: The knowledge, commitment and motivation of employees at all
levels in the bank are paramount to ensure business continuity2 (Bleiberg 2005). It
is essential that all employees perform their designated functions correctly,
efficiently and effectively. Banks have an excellent record in operationalizing the
concept of “job rotation” better than any other kind of business that the authors
have been involved with. This ensures that employees possess an acceptable level
of knowledge of related functions along with their primary function, where they
are expected to be experts3 (Trivedy, 2006). Our survey, however, highlighted
variances in realization of some softer aspects, particularly at the operating level.
These are:
i. Empowerment: To take decisions not only pertaining to authorization and
limits, but also in dealing with situations supposedly outside the realm of
authority to meet the contingency4 (Oltsik 2004). This can however be
authorized ex-post facto.
ii. Commitment: To fulfill customer’s requirements and not just completion
of a task
iii. Motivation: This is an important factor wherein each employee perceives
himself/herself to be the owner of the business, and runs it as if he/she has
a personal stake in its successes.
2
2005, http://www.fileon.com/press/articles/disaster-neednt-wipe-out-business.html
3
Trivedy Ravi, Partner, KPMG and Girish V., Banking, Financial Services & Insurance, Consultant, Excerpts
from interviews, April 15, 2006
4
Oltsik Jon, Hot spots: So much can go wrong with disaster recovery. What can you do to ensure all goes well?,
Published: Jun 2004, http://storagemagazine.techtarget.com/magItem/1,291266,sid35_gci969972,00.html
121
b. Customers: They are the very reasons for which the business exists and, hence,
are the most important link for business continuity. The following aspects are
essential for effective engagement of customers while transacting business.
i. Awareness: The bank must make the customers aware about the products
and services in terms of offerings, limitations, regulations etc. This is the
task of every employee who interacts with the customer for whatever
duration and for whatever purpose5 (Hunt 2004).
ii. Esteem: Customers should be made to feel important and worthy,
irrespective of the value or importance of the transaction. Operational
responsiveness is only one part of the story. It has to be complemented
with visibly evident disposition of the employees in terms of courtesy and
care.
iii. Trust: Sustained performance, cordial treatment and ethical and upright
disposition ensure high level of trust which translates into tolerance on
part of the customers in the event of business discontinuity6 (Purohit
2006).
c. Business Partners: The terms “Vendors”, “Suppliers” and “Contractors” are passé
in present times. The correct term for representing all those who contribute
towards the success of your business is “business partners”. They may be
involved in facilities management, supplying provisions and consumables,
maintaining IT Infrastructure or bandwidth. Irrespective, they are all more than
equal partners in the business. Their performance and commitment, including a
high degree of ownership, are the mainstays of supporting the business during
unforeseen disruptions7 (Shore 2002). The following elements have to be
considered in this regard:
i. Service Level Agreements (SLAs): Well-defined and justified terms and

conditions that form the SLAs are the backbone of a fruitful relationship
with business partners.
ii. Empathy: Banks need to be alive to the concerns, both operational and
commercial, of their business partners to harness above-par performance
and extra efforts needed during unexpected contingencies.
5
Hunt Hal, Lesson of Hurricane Hugo: Plan Recovery, 08/05/04 6:00 AM PT, Part of the ECT News Network,
http://www.crmbuyer.com/story/35561.html
6
Purohit S. S., DGM, SBI Zonal Office (West), Mumbai on Excerpts from the interviews, 28th December 2005,
24th January 2006 and 16th March 2006.
7
Shore Dave, Sept. 11 teaches real lessons in disaster recovery and business continuity planning, Published:
5/17/02, http://techrepublic.com.com/5100-10878_11-1048799.html?tag=search#
122
iii. Sense of Belonging: Business partners must feel a sense of belonging to
the banks, which can be created by non-discriminatory treatment to them
on the same lines as the bank’s own employee in terms of working space,
usage of common facilities, and other related factors.
d. External Stakeholders: These comprise the government (central, state and

municipal), regulatory bodies, professional associations, and media. An excellent
working relationship in an atmosphere of trust with these stakeholders may also
be crucial to find the requisite support for continuing your business as regards
operational logistics and image. The following are essential to maintain
relationships with these stakeholders:
i. Continued good performance
ii. Transparency and honesty of purpose
iii. Regular interaction with them on professional and social forums
iv. Regular engagement in symbiotic relationship, such as specialized service
in terms of dedicated outlets etc.
5.3.4 Technology
There have been significant advances in the usage of technology in the banking sector
in general. Our survey does indicate that there are higher levels of maturity and
excellence achieved in the selected banks, who have invested heavily in installing
near world class IT infrastructure8 (Staimer 2005). Broadly the technology usage in
banks can be grouped as follows:
a. Banking Applications at Service Points: Core Banking System, Internet Banking,
Phone Banking, and Mobile Banking
b. Electronic Banking: ATM’s, Smart Cards, Credit Cards, Debit Cards, and Prepaid
Cards
c. Back Office Processing and Administration: Intra Branch end of the day (EOD)
transactions, Intranet, Mail Messaging Systems, Online Help, and Magnetic Ink
Character Recognition (MICR) Processing
d. Inter Branch Transaction handling: Real-Time Gross Settlement (RTGS), and
Electronic Funds Transfer (EFT)
e. Data Communications: Intra Branch Network and Inter Bank Network
f. Data Center Management: Main Data Center and Disaster Recovery Site (Servers,
Storage, Backup Systems, Switches, Systems Software, Application Software)
8
Staimer Marc, Data determines the right disaster recovery, Issue: Jan 2005,
123
g. Security: User Level Security - Access Permissions, Authorizations, Application
Security - Transactional & Inter Application Security, Systems Security – System
– Administration Level & Perimeter Security, and Physical Security - Access
Control, System Logs, Fire and Damage Control
h. Technical Support: Help Desk, Documentation, Performance Monitoring, and
Upgrades
5.3.5 Facilities Management

The facilities include physical space, amenities, communication and transportation. It
was observed during the survey that, on more than 80% occasions, the discontinuities
were on account of non-technical disruptions such as absence of key personnel,
sudden increase of loading and other infrastructure-related disruptions, for example,
power failure, public network links outage, traffic congestion etc9 (Hunt 2004). This
is true even in medium to large banks whose IT Infrastructure and automation
standards are near world class. Still they face problems due to scale and scope of their
products and services offerings. Better Facility Management is therefore, a key issue
to be dealt with by banks. Six components have been identified under this head:
a. Physical Space: Front Offices, Office Spaces, Data Centers, Secured Spaces
(Vaults), Engineering Maintenance Spaces, etc (Hunt 2004).
b. Office Equipment
c. Amenities: Catering Services, Aesthetics & Comfort, and Entertainment &
Information10
d. Power Supply: Captive Power Generators and Uninterrupted Power Supply (Hunt
2004)
e. Communication: Telephone, Wireless Links, Media, and Calling trees11
f. Transportation: To commute personnel and equipment to alternate sites in the
event of disaster
5.4 The Business Continuity Reality Check

A metrics to measure the business continuity parameters for each of the five
components of the BCM Model outlined in Section 3: Soft Organizational Issues,
Processes, People, Technology and Facilities has been developed. For each
component, specific measures were defined to capture the relevant issues at four
9
Hunt Hal, Lesson of Hurricane Hugo: Plan Recovery, 08/05/04 6:00 AM PT, Part of the ECT News Network,
10
Security 2002: Rethinking Risk, Published: September 16, 2002,
http://www.cioinsight.com/article2/0,1540,537635,00.asp
11
Security 2002: Rethinking Risk, Published: September 16, 2002,
124
different levels (clusters A-D) as given in the table 5.1 below. These are the row
headings in the BCM Metrics Model described in Exhibit 5.1 (Table 5.6)
Table 5.1 The BCM Reality Check Metrics – Clusters (Rows in the Model)
Cluster Description of the parameter group

Number
A (n) Corporate Planning / Policy Level – This is to ascertain the policy

decisions taken by Bank’s top management as regards degree of
preparedness from continuity perspective. The top management sets the
performance expectations in terms of quality of service to be rendered
enumerating response time parameters for various transactions (Personal
Banking, Loans, etc.) On technology front, these get translated into
Recovery Time Objective (RTO), Recovery Point Objective (RPO), etc.
B (n) Tactical / Organizational level – The organization structure and processes

implemented in the bank in accordance with the policy guidelines. This
also includes the alternate organization, processes and infrastructure
together with outsourced arrangements to cater for emergency situations
causing interruptions to business.
C (n) Tools / Methods – The IT Infrastructure and operating instructions that are
pressed into action once discontinuity is declared. This also includes
instructions to switch over to “contingent mode” in terms of alternate
facilities, movement of people and modus operandi to transact business
and reverting back to normal operations once the contingency is over.
D (n) Up gradation / Review / Testing Mechanism – The culture prevalent and

processes adopted by the bank to review / test the BCM organization and
effectiveness and upgrade the same on regular basis or as and when
deemed necessary.
n is the serial number of the parameter in the group
Each of the parameter is evaluated on four criteria of effectiveness to assess the

reality status given in table 5.2 below. These are the column headings, for large and
medium banks, BCM Metrics Model described in Exhibit 5.1 (Table 5.6)
125
Table 5.2 Evaluation Criteria Measures (Columns in the Model)
Evaluation Evaluation Criteria description
Criteria
index (to assess the level of parameter being measured)
P Strength / Preparedness of the bank in addressing the requirement of

the parameter on a scale of 0 to 5 (0 Very Low, 1 Low, 2 Moderate,
3, Satisfactory, 4 High, 5 Very High)
R Threats / Challenges (internal & external) faced by the bank in
meeting the requirements of the parameter (0 negligible, 1 Very
Low, 2 Low, 3, Moderate, 4 High, 5 Very High)
V Vulnerability – Probability of the occurrence of the threat / challenge
as experienced by the bank on a scale of 0 to 1 (Low probability to
High probability)
T Up gradation Factor – Does the bank upgrade/test/review the state
of preparedness of the factor on a regular and systematic basis on a
scale of 0 to 1 (Somewhat & Occasional to Highly organized and
Regular)
A total of 107 parameters for the four clusters in Table 5.1 were measured by
surveying 35-46 respondents in the target large and medium banks. Table 5.3 below
shows the number of metrics for each Component and Level (Clusters). Details of
each metric together with summary of values are available in Exhibit 5.1 (Table 5.6).
Table 5.3: Number of Cluster Wise Parameters at 4 levels in BCM Metrics

Organ- Total
Tech- Facil-
Component Level izational Process People Para-
nology ities
(Soft) meters
1. Corporate
Planning / Policy 9 14 2 10 3 38
Level
2. Tactical /
Organizational 7 6 8 12 4 37
Level
3. Tools / Methods 3 1 5 3 3 15
4. Up-gradation /
Review / Testing 2 4 3 3 5 17
Mechanism
Total Parameters 21 25 18 28 15 107
Each of these metrics was assessed by respondents (35 to 46) in the selected banks
according to four criteria to measure Effectiveness:
126
a. Strength / Preparedness, (shortened as P), of the bank in addressing the issue
specified in the metric on a scale of 0 to 5
0 - Very Low; 1 – Low; 2 – Moderate; 3 – Satisfactory; 4 – High;
5 - Very High
b. Threats / Challenges, (shortened as R), both internal and external, faced by the
bank in meeting the requirements of the metric
0 – Negligible; 1 - Very Low; 2 – Low; 3 – Moderate; 4 – High;
5 - Very High
c. Vulnerability, (shortened as V), of the bank in terms of the Probability of
Occurrence of the threat or challenge in the bank on a scale of 0 to 1: 0 –
Negligible and 1 – Near Certain
d. Up-gradation Factor, (shortened as T), does the bank upgrade/test/review the

state of preparedness on a regular and systematic basis on a scale of 0 to 1:
Somewhat & Occasional to Highly Organized and Regular
5.4.1 Application of the Metrics

The metrics were administered to 8 large and 14 small and medium banks in Mumbai
at three management levels: Top Management, Middle Management and Functional
Management. The data was normalized to smoothen stray responses due to
incomplete knowledge or not understanding the genesis of the parameter in question.
The summary data tabulated at the end of phase I of survey is placed at Exhibit 5.1
(Table 5.6). The responses were analyzed to understand the prevailing status in each
bank with emphasis on seriousness and completeness of the BCM implementation as
well as its effectiveness. The gap areas were then identified along with the degree to
which they need to be addressed by bank management in order to keep their BCM
current and effective.
The following steps outline the analysis of the data obtained in the surveys to
compare Strengths / Preparedness against Vulnerability:
Step 1: Calculate “Resilience Indicator” (RI) as shown below:

RI(F) = P(F) * T(F)
where,
RI is the Resilience Indicator
F is the Parameter or Metric in question
P is the Preparedness
T is the Up-gradation Factor
127
Step 2: Calculate “Vulnerability Indicator” (VI) as shown below:
VI(F) = R(F) * V(F)
where,
VI is the Vulnerability Indicator
F is the Parameter or Metric in question
R is the Threat / Challenge
V is the Vulnerability
These Indicators were then compared for Large and Small banks to evaluate their
relative positioning on each parameter.
5.4.2 Data Analysis and Findings

The scores for P, R, V and T (defined above) were calculated for the metrics relating
to each of the five components for Large banks as compared to Small banks. The
Resiliency and Vulnerability Indicators were then determined, again for each of the
five components for Large banks vs. Small banks. The key findings are summarized
in this section.
a. Small banks are more Vulnerable than Large Banks on all the factors except
“Organization” as can be seen in table 5.4 below:
Table 5.4: Composite Resilience and Vulnerability Indicators
Average of Resilience Average of Vulnerability

Component (RI) (VI)
Large Small Large Small
Organization 3.23 2.47 1.34 1.46
Procedure 3.36 2.67 0.65 2.61
People 3.54 2.51 0.64 2.85
Technology 3.40 3.92 0.55 3.31
Facilities 2.43 4.06 0.26 3.37
Overall 3.24 3.12 0.71 2.71
Interestingly, the Resilience of Small banks is higher than Large banks with
regard to “Facilities” and, to a lesser extent, “Technology”.
128
On the whole, Large banks are less vulnerable (0.71 score) than Small banks
(2.71 score), which is logical given that Large banks have the funds to invest in
organization, infrastructure and technology to establish reliable and rugged
processes to counter any eventuality.
b. The Average Vulnerability Indicator (VI) for each of the three components -
Organizational, Facilities and Technology – is shown below for Large and Small
banks:
Table 5.5: Overall Vulnerability Indicators
Bank Average of Vulnerability (VI)
Organization Facilities Technology
Large 1.34 0.26 0.55
Small 1.46 3.37 3.31
Large banks are more vulnerable to discontinuity on account of Organizational

issues as compared to Facilities and Technology. Small banks are more
vulnerable with respect to Facilities and Technology. “The Organizational issues
are far more complex in Large banks owing to size, hierarchy, expanse and
diversity making them more vulnerable. It is often said that it is difficult to make
‘elephants dance’. The Small banks, on the other hand, are unable to put in place
world-class facilities and technology as it involves sizable investment that cannot
be met within their operating budgets”12 (Narain & Girish 2006).
c. The Average Resilience (RI) for Facilities Management issues for Large and
Small banks were calculated to be 2.43 and 4.06 respectively. Large organizations
are, hence, less resilient with regard to Facilities management as compared to
Organization and Technology. The lesser resilience of Large banks in managing
facilities is largely due to their size and expanse (all over the country). Small
banks, on the other hand, have mostly state-level operations, and have facilities
which are fairly compact, and can, hence, be managed easily. Large banks have
strong organizational structures, adequately manned departments as well as well-
documented and well-communicated procedures as compared to their smaller
counterparts.
12
Shri Narain and Girish V., Banking Consultants, Excerpts from Meeting in June 2006.
129
5.5 Conclusion
This chapter presented a framework for carrying out reality check using metrics. The
BCM reality check metrics measures and evaluates parameters in five clusters
(Organization, Procedure, People, Technology and Facilities) at four levels
(Corporate, Technical, Methods/Tools and Review/Testing). These parameters are
measured for strength/preparedness (P) and Threats/Challenges(R) on a scale of 0-5
(low-high). These are further qualified by measuring vulnerability of threats (V) and
upgradation of preparedness (T) on a scale of 0-1 indicating low-high probability and
frequency respectively.
The inferences from application of the metrics are drawn by calculating two factors:
Resilience indicator (RI)= P*T and Vulnerability Index (VI) = R*V. These two
factors indicate the levels of strength and vulnerability of the bank from BCM
perspective from each of the parameter in the clusters. The summations of these two
indicators for clusters indicate the status at the cluster level.
The application of the model to banks in India has given insights into the gaps that
exist in otherwise seemingly comprehensive BCM implementations. The BCM
organization and practice needs to be monitored regularly to ensure its relevance
under contemporary conditions. The model serves as a “barometer” to do a reality
checks and apply corrections where necessary. The test results of the metrics indicate
that large banks are more resilient and less vulnerable. Small banks are highly
vulnerable on account of technology and facilities. Both categories of banks are
equally vulnerable from the perspective of organizational readiness and thus merit
more management definition on softer issues of customer service and image.
Large banks are more vulnerable to discontinuity on account of Organizational issues

as compared to Facilities and Technology. Small banks are more vulnerable with
respect to Facilities and Technology. Large organizations are, hence, less resilient
with regard to Facilities management largely due to their size and expanse (all over
the country). Small banks operate mostly at state-level operations and have facilities
that are fairly compact which can be managed easily. The Resilience of Small banks
is higher than Large banks with regard to “Facilities” and, to a lesser extent,
“Technology”.
The trends in banks in India suggest the following conclusions that relate closely to
the research hypothesis:
130
a. Banks with reliable and the state of the art Facilities and Technologies are better
poised to handle business disruptions.
b. More management attention will have to be focused on softer issues of service
delivery such as trust of customers, image in the industry, and participation of all
stakeholders as owners.
131
Exhibit 5.1 (Table 5.6) - The BCM Reality Check Metrics
LARGE SMALL
Strength/Prep
Strength/Prep
Vulnerability
Vulnerability
Challenges
Challenges
Threats /
Threats /
aredness
aredness
Sr.No BCM Parameters
Testing
Testing
P R V T P R V T
ORGANIZATIONAL
Clear Definition and Communication of Vision and

A1 4.50 1.67 0.10 0.50 4.00 3.33 0.50 0.50
Mission
Performance Objectives (e.g. Growth in volumes
A2 and diversity ) enunciated and communicated to 4.50 1.67 0.50 0.80 4.00 3.33 0.50 0.50
all concerned.
A3 Portfolio of Products and Services 4.50 0.83 0.10 0.85 3.00 1.67 0.50 0.90
Multiple Delivery Channel Alternatives deployed or

A4 4.50 0.83 0.10 0.80 3.00 1.67 0.10 0.25
planned to deploy. E.g.
A5 Participative Governance 4.50 4.17 0.65 0.85 5.00 0.33 0.20 0.30
A6 Social Sensitivity 4.80 4.17 0.80 0.85 3.00 4.17 0.20 0.90
Socializing, Planning and Learning from Review of

Results and Performance (Bank and Individuals)
A7 3.50 1.67 0.50 0.60 3.00 1.67 0.20 0.90
and Communicating Results to foster esteem and
motivation amongst employees.
A8 Cultural Change- Agility of bank to adopt changes 4.25 3.33 0.80 0.85 4.00 5.00 0.30 0.80
A9 Promotional Model and Brand Management 3.50 0.67 0.45 0.55 2.00 0.17 0.20 0.30
Business Impact Analysis and Risk Evaluation for

B1 4.00 3.33 0.60 0.80 4.00 3.33 0.80 0.70
Critical Process to identify impact on business
Rationalizing Organization – Roles and

B2 4.00 3.33 0.30 0.60 5.00 3.33 0.50 0.50
Responsibilities
B3 Allocation of Budget for BCM 4.50 3.67 0.20 0.80 4.00 0.33 0.20 0.95
Process Reviews – Top driven exercise with

B4 4.25 1.67 0.10 0.80 3.00 1.67 0.20 0.50
involvement of concerned stake holders.
B5 Relationship with Business Partners 4.80 3.67 0.70 0.80 4.00 4.17 0.50 0.90
B6 Review of Outsourced Activities and Relationships 4.50 3.33 0.70 0.85 3.00 4.17 1.00 0.80
Knowledge Management to assess environment for

B7 competitive positioning and organizational climate 3.00 0.83 0.10 0.40 3.50 0.83 0.10 0.50
for improvement
C1 Alternate Processes – Organization and Cost 4.00 3.33 0.20 0.90 3.00 1.67 0.50 0.50
Communication of Alternate Processes in the

C2 4.50 1.67 0.10 0.90 4.00 3.33 0.50 0.50
organization
C3 Insurance of Equipment and Personnel 5.00 3.75 0.80 0.90 5.00 5.00 1.00 1.00
Implementation of BCM in the organization of
D1 3.00 3.33 0.50 0.50 3.50 2.50 1.00 0.70
partners
D2 Insurance of Outsourced Partner Assets 4.00 3.33 0.80 0.95 5.00 5.00 0.50 0.90
132
LARGE SMALL
Strength/Prep
Strength/Prep
Vulnerability
Vulnerability
Challenges
Challenges
Threats /
Threats /
aredness
aredness
Testing
Testing
P R V T P R V T
PROCEDURAL
A1 Contingency Plans 4.50 4.17 0.20 0.80 5.00 4.17 0.80 1.00
A2 Emergency Action Plan 4.50 3.33 0.20 0.80 4.00 3.33 0.80 0.80
A3 Service Level Agreements 4.75 3.33 0.10 0.90 3.00 4.17 0.70 0.50
A4 Documentations 4.75 3.33 0.10 0.90 3.00 4.17 0.80 0.80
A5 Security Rules 4.50 2.50 0.95 0.80 5.00 5.00 1.00 1.00
A6 Safety Rules 4.25 1.67 0.95 0.60 4.00 3.33 0.50 0.80
A8 Health Rules 3.00 1.67 0.20 0.80 3.00 4.17 0.50 0.50
Application of Security Policy across the
A9 4.50 2.00 0.40 0.85 3.00 4.17 0.50 0.50
organization
Review of Vulnerability of Critical Processes and

A10 4.50 1.67 0.40 0.85 4.50 4.67 0.75 0.80
Analysis of Recovery.
Integration of Business Continuity Procedures with
A11 4.00 1.67 0.40 0.85 4.00 3.75 0.60 0.60
normal business processes
A12 Compliance of RBI Regulations 4.80 2.50 0.10 0.65 4.00 4.67 0.50 0.50
Compliance of Security and Safety Procedures in

A13 3.50 2.50 0.20 0.60 4.00 4.17 0.50 0.90
accordance with ISO 27001
A14 Standardization of Processes 4.75 2.50 0.20 0.80 3.50 4.67 0.50 0.80
B1 Incident Reporting 4.60 2.50 0.20 0.65 4.00 4.17 0.80 0.70
B2 Incident Logging 4.00 0.83 0.10 0.80 4.00 1.67 0.10 0.10
B3 Handling Media in the event of an accident. 4.00 3.33 0.10 0.80 4.00 4.17 0.80 0.80
Risk Awareness Reality Check Up in the
B4 4.00 3.33 0.20 0.90 4.00 4.17 0.80 0.90
Organization
B5 Security for Outsourced Partners 4.50 3.33 0.20 0.95 3.50 4.67 0.50 0.90
Market/Environment Information Gathering for
B6 4.00 1.67 0.50 0.80 3.50 1.67 0.30 0.30
incorporation in BCP
C1 Data Replication 5.00 1.67 0.50 0.85 4.00 4.67 1.00 1.00
D1 Testing Schedules for Processes 4.50 1.67 0.50 0.95 4.00 4.67 0.50 0.70
D2 Process Updates (Changes) 4.50 1.67 0.50 0.95 3.00 3.33 0.30 0.50
Knowledge Management to track customer

D3 3.00 0.83 0.10 0.50 3.00 5.00 0.80 0.60
behavior, to take proactive actions during disasters
Knowledge Management to assess efficacy of

D4 alternate processes in operation and suggest 3.00 0.83 0.10 0.50 3.50 3.33 0.60 0.60
improvements
133
LARGE SMALL
Strength/Prep
Strength/Prep
Vulnerability
Vulnerability
Challenges
Challenges
Threats /
Threats /
aredness
aredness
Testing
Testing
P R V T P R V T
PEOPLE
A1 Crisis Management Team (Multi Functional Team). 4.50 1.67 0.40 0.95 5.00 4.67 0.90 1.00
A2 Deployment Management Team 4.50 1.67 0.40 0.95 4.50 4.17 0.50 0.70
B1 Key Personnel 4.50 2.50 0.35 0.85 5.00 4.67 0.50 0.50
B2 Security Roles and Responsibilities 4.75 1.33 0.80 0.95 4.00 4.17 0.70 0.80
B3 Safety Roles and Responsibilities 4.75 1.33 0.80 0.95 4.00 5.00 0.80 0.50
B4 Risk Awareness and Preparedness tests 4.50 0.83 0.10 0.80 4.00 5.00 0.80 0.50
Tolerance Limit – Assessment and Enablement
B5 4.50 0.83 0.10 0.80 4.00 5.00 0.80 0.50
(Employees)
B6 4.50 0.83 0.10 0.80 2.50 4.67 0.50 0.50
(Partners)
B7 3.50 1.67 0.40 0.95 3.50 4.67 0.80 0.50
(Customers)
Training and Education of Stake Holders in running
B8 4.00 0.83 0.20 0.85 3.50 0.83 0.80 0.80
alternate procedures
C1 HR Process Reviews 4.00 0.83 0.20 0.85 2.25 3.33 0.10 0.10
C2 Actions against Defaulters 3.50 0.50 0.20 0.90 3.25 4.67 0.90 0.90
C3 Social Sensitivity 4.50 0.33 0.30 0.90 4.50 4.17 0.80 0.70
Adaptation of Technology and Culture of Self Help
C4 4.00 1.50 0.40 0.95 4.50 4.17 0.80 1.00
– Employees, Customers, Partners
Knowledge Management to track performance of
C5 individuals in situations other than routine 3.00 3.33 0.65 0.95 3.50 4.67 0.60 0.60
operations
D1 Succession Planning 3.50 3.33 0.60 0.90 3.00 5.00 0.50 0.60
Reward System for Outstanding Contributions
D2 2.00 0.33 0.10 0.80 3.50 4.67 0.80 0.80
(Merit Based Promotions and Incentives)
D3 Culture of Shared Values 3.00 1.67 0.60 0.95 4.00 1.67 0.50 0.50
134
LARGE SMALL
Strength/Prep
Strength/Prep
Vulnerability
Vulnerability
Challenges
Challenges
Threats /
Threats /
aredness
aredness
Testing
Testing
P R V T P R V T
TECHNOLOGY
Architecture of IT Solutions blending proprietary &

A1 open source systems and web based & centralized 4.50 1.67 0.70 0.90 4.00 4.17 0.80 0.90
applications
A2 Enterprise Application Integration 4.50 1.67 0.70 0.90 5.00 4.17 0.60 0.75
A3 Data Integrity 4.50 1.67 0.70 0.90 5.00 4.67 0.90 0.90
A4 Data Architecture Review 2.00 3.33 0.70 0.80 3.50 4.17 0.50 0.80
A5 Replication 4.80 0.83 0.30 0.80 5.00 4.67 0.95 1.00
A6 Delivery Channel Integration 4.50 0.83 0.20 0.80 4.00 5.00 0.90 1.00
A7 Standardization of Equipments and Applications 4.50 3.33 0.75 0.80 5.00 3.33 0.90 1.00
System Administration - Monitoring, Tuning and
A8 4.00 2.50 0.50 0.80 5.00 3.33 1.00 1.00
Maintaining using automated tools
Applications Monitoring, Tuning and Diagnostics
A9 4.00 2.83 0.20 0.60 5.00 3.33 0.90 0.80
using automated tools
Alternatives for Displaying information in Public
A10 domain – website and media channels (TV and 4.50 0.17 0.20 0.70 3.50 1.67 0.50 0.50
Print).
B1 Server Consolidation 4.90 0.33 0.10 0.90 4.00 4.17 0.80 1.00
B2 Storage Consolidation 4.50 0.33 0.10 0.90 4.00 4.67 0.85 0.95
B3 Back Up Systems 5.00 0.33 0.10 0.90 4.00 4.17 0.90 1.00
B5 ATM Operations and Security 4.50 0.33 0.10 0.90 4.00 4.17 0.90 1.00
Alternate arrangements for specialized /
B6 automated delivery mechanisms- ATM’s, POS 4.00 0.33 0.10 0.90 3.50 5.00 0.90 1.00
terminals, Kiosks.
B7 Phone Banking Operations and Security - 0.33 0.10 0.60 4.00 4.67 0.90 1.00
B8 Internet Banking Operations and Security 4.50 0.33 0.10 0.80 4.00 4.67 0.90 1.00
Specialized inter banking operations- fail safe
B9 4.50 0.33 0.10 0.80 2.50 4.67 0.90 1.00
mechanisms and alternatives
Review of Vulnerability Analysis of Critical
B10 4.50 0.33 0.10 0.80 4.00 4.67 0.50 0.85
Hardware, Applications, Data Communications
Knowledge Management to track utilization and
B11 4.50 0.33 0.10 0.80 5.00 3.33 0.50 1.00
performance of hardware and applications
B12 Infrastructural Renewal 4.50 0.33 0.10 0.80 5.00 4.17 0.90 1.00
C1 Network Bandwidth Provisioning and Utilization 4.50 4.17 0.35 0.90 4.00 4.67 0.75 0.75
Network Monitoring and Maintenance using
C2 4.75 2.50 0.35 0.90 4.00 2.50 0.70 1.00
automated tools
Intra Bank Communication System Portfolio –
C3 4.75 0.33 0.50 0.60 3.00 2.50 0.50 0.40
Intranet, voice based, messaging system.
D1 User Access Control 4.50 2.50 0.20 0.60 5.00 4.67 0.80 1.00
D2 Database Security 4.90 2.50 0.20 0.60 5.00 4.67 0.90 1.00
D3 Application Security 4.90 2.50 0.20 0.60 5.00 4.67 0.90 1.00
135
LARGE SMALL
Strength/Prep
Strength/Prep
Vulnerability
Vulnerability
Challenges
Challenges
Threats /
Threats /
aredness
aredness
Testing
Testing
P R V T P R V T
FACILITIES
A1 Workplace 4.65 0.17 0.60 0.20 4.00 3.33 0.90 0.80

A2 Central Data Centre 4.50 0.33 0.90 0.90 5.00 4.67 0.95 1.00
A3 Recovery Center Locations 4.50 0.83 0.40 0.90 5.00 4.67 0.60 1.00
B1 Communication 4.50 0.17 0.10 0.90 4.00 3.33 0.40 0.70
B2 Resource Location in Disaster 3.50 1.67 0.50 0.80 4.00 4.67 0.80 1.00
B3 Safety Equipment and Maintenance 4.60 1.33 0.40 0.80 4.00 4.67 0.80 0.80
Facility (Power, Fire and flooding, Access Control)
B4 Management - Monitoring, Tuning and Maintaining 4.00 2.50 0.20 0.70 5.00 4.67 0.95 1.00
C1 Transportation 4.75 0.33 0.50 0.60 3.50 3.33 0.90 0.50

C2 Data Center Security 4.75 0.33 0.10 0.20 5.00 4.67 0.90 1.00
C3 Data Center Safety 4.75 0.33 0.10 0.20 5.00 4.67 0.90 1.00
D1 Security Planning in Disaster 4.80 0.67 0.30 0.30 4.00 4.67 0.80 1.00
D2 Infrastructural Renewal 4.80 0.83 0.20 0.30 5.00 4.67 0.80 1.00
D3 Review of Vulnerability Analysis of Critical Assets 3.00 0.83 0.10 0.80 5.00 4.67 0.80 1.00
Training and Education of Stake Holders in
D4 4.25 0.83 0.20 0.60 4.00 3.33 0.60 0.75
handling emergency/safety equipment in crisis.
D5 performance of assets in Normal and other than 3.00 0.83 0.50 0.50 4.00 3.33 0.75 1.00
normal situations
136
CHAPTER 6
APPLICATION OF BCM MODEL AND METRICS
6.0 Preamble
The generic BCM Model developed and tested for sample banks has been enumerated
in Chapter 6. The model comprises of five clusters of parameters (Organization,
Procedures, People, Technology and Facility) as per the details given in article 6.4.
The model was applied to five large, six medium and eight small banks in Mumbai at
the three levels of management: top, middle and functional. The details of the
parameters cluster wise are enumerated in Exhibit 6.1 (Table 6.9). The total number
of respondents for all the banks and levels of management was close to 100. The data
collected from various banks was collated and analyzed for preliminary findings.
These were then discussed in two or three iterations with banks and respondents for
standardization. The conclusions derived from comparison of large banks and MSRBs
formed the basis of recommendations for the later. The methodology adopted,
analysis of data and conclusions are enumerated in the succeeding paragraphs.
6.1 Methodology
The following steps were adopted for collecting & analyzing data and working out
inferences:
6.1.1 Identification of Samples

6.1.1.1 Banks
The basis of selection of banks was to choose based on:
a. Asset Size (in billion US Dollars)

Large – 10 or more
Medium – More than 1 & less than 10
Small – 1 or less
b. Sector- a mix of Public, Private & Co-operative
c. Geographic spread – Northern, Central, Southern, Eastern, Western and Navi
Mumbai regions
137
d. Age – Old & New (instituted in last ten years or later)
6.1.1.2 Respondents
The respondents were selected from the target banks as per the steps given below:
a. A presentation was made to the senior officials in corporate / regional offices of

the target banks. The purpose of the study, the details of the model and research
methodology was explained.
b. Formal approvals were taken, where necessary, to conduct the study and request
for identification of officials at top, middle and functional levels from the target
banks. The banks were requested to nominate representatives based on the under
mentioned criteria:
The level (designation) of the official commensurate with category of
information being solicited (strategic, operational, technological).
The period that the respondent has spent in the bank (at least 5 years) and in
the branch (at least 2 years)
Recommendation of the supervisor concerned as regards relevant knowledge
of the respondents in case of functional / mid level executives.
Involvement of the respondent in project work under which such initiatives
were being taken either as a core team member or internal audit team.
Willingness of the respondent to participate in the survey.
c. The list of officials (most banks have not permitted to disclose identities of those
involved) was received from banks together with contact details.
d. The recommended executives were contacted in groups (bank-wise & office-wise)
for explanation of the model. These interactions ranged from a durations of forty-
five minutes to one and a half hour in their offices / branches and involved an
effort of almost four months, during the period February to September 2005,
before final set of respondents could be mustered.
138
6.1.1.3 Experts (Consultants)
a. Relevance of experience of the consultant as regards implementation of BCM
projects particularly in Finance and banking sector.
b. Experience of consultant in analyzing organizations to bring about change
management and re-structuring.
c. Knowledge of consultants is developing models for deployment of IT on large
scale using variety of platforms and solutions.
d. Knowledge in analyzing and revamping IT infrastructure and facilities for large
scale IT enabled business.
e. Academic and scholarly interests of consultants in creating knowledge work by
writing papers & articles and participation in Seminars & Conferences.
6.1.2 Data Collection

The data collection and standarization exercise took an effort of about six months
during the period September 2005 to May 2006. The summary of data aggregated
bank wise (large and SMBs) for the three levels of management is placed at Exhibit
6.2 (Table 6.10). The steps for collecting and collating the data are given below:
a. The nominated officials were given the questionnaire (the model) to collect the
responses on various parameters of the five clusters. They were asked to give the
responses by filling in the questionnaires in offline mode.
b. Visits were made to the banks to clarify doubts of the respondents twice a week
covering three banks and about 9 respondents. These interactions were generally
held late in the evenings or early morning so that the respondents were at ease and
not pressurized by their daily workload requirements.
c. The data collected from questionnaires was updated in the computer database on a
progressive basis. Information recorded during the interactions to amplify / clarify
responses was used to update / modify the measures of parameters progressively.
d. The recorded (and corrected) responses, on print outs, were sent to the
respondents and their supervisors for confirmation as regards measures /
amplifications as also for completing information.
e. The responses were then collated on receiving the feedback from respondents.
Summary of the measures were made in excel sheets. These were grouped level of
respondent and statistical parameters (min, max, mean, range, standard deviation)
inscribed for the group of observations.
139
6.1.3 Standardization
The collated data was standardized using the following steps and procedure:
a. The collated and summarized responses were discussed with a set of officials
drawn from the three levels of management in meetings conducted bank wise. The
office / branch were so chosen as convenient to the group and permitted by the
senior management. In certain cases these meetings had to be repeated.
b. The responses were then updated as per the discussion during the group meetings
and statistical summary prepared. These were sent to an expert group formed of
senior officials (1 or 2) of the bank and consultants (2 or 3) to comment on the
variances and extreme observations in particular.
c. These comments were then discussed with the respondents to understand their
reasons for the level of measures indicated. Some of them re-visited the responses
and suggested amendments. These were then incorporated and set of observations
collated and summarized group-wise (top, middle and functional) for each target
bank.
d. The bank-wise responses grouped and summarized in one excel sheet for all banks
and sent to an expert group comprising of senior officials from RBI and
consultants from leading consulting companies employing the Delphi technique.
e. Responses / suggestions from consultants were taken into account to normalize
the values by taking weighted means of measures (Strength, Threats Vulnerability
and frequency of up gradation of interventions) correcting them for large
variances where recommended by experts.
f. The researcher further evaluated the responses (measures by carrying out spot
observations by visiting Offices, Data centers, DR sites and Business touch points
for correctness and completeness. These were discussed with experts to further
fine-tune the parameter measures and elaborate on reasons of the respondents
while assessing the measures.
6.1.4 Computation of BCM Indicators

The data aggregated was used to compute the Resilience Indicators and Vulnerability
Indices for the two segments of banks and the three levels of management. Using the
computation mentioned below arrives at the indicators:
140
Resilience Indicator (RI) = P * T
Where,
P is the Strength of Preparedness of the bank for the parameter in question on
a scale of 0 to 5 (low to extremely high)
T is the Upgradation / Review factor indicating the efforts made by the bank
to review the preparedness and upgrade periodically on a scale of 0 to 1.
Vulnerability Index (VI) = R * V

Where,
R is the impact on business by the threat posed by the factor from continuity
perspective on a scale of 0 to 5 (low to high)
V is the probability of occurrence of the threat posed by the factor on a scale
of 0 to 1.
The resilience indicators and vulnerability indices for the three levels of management
of the two target bank segments together with average, maximum, minimum, variance
and standard deviation of the parameters and clusters is given at Exhibit 6.3 (Table
6.11).
6.1.5 Macro Analysis

The BCM performance indicators computed in Exhibit 6.3 (Table 6.11) were grouped
for the three levels of management cluster wise and overall reliability indicators and
vulnerability indices were computed. Correlation was worked out between the
indicators computed as per the responses of the three levels of management. The
details are provided in Exhibit 6.4 (Table 6.12).
6.1.6 Factor Assessment

The factors that go into design, implementation and maintenance of rugged and
reliable BCM solutions grouped in the five clusters were then analyzed to assess
criticality. This was done first for the three levels of management (top, middle and
functional) and then aggregated to classify the factors as per their relative strengths of
criticality for effectiveness of BCM solutions. The following are the categories:
141
Table 6.1 Strength of criticality
Srl. Category Type Resilience Indicator Vulnerability Index
1 Critical Low High

2 Important High High
3 Essential High Low
4 Desirable Low Low
The classification of parameters based on the degree of criticality (cluster wise) for
the three levels of management of target banks is given in Exhibit 6.5 (Table 6.13).
6.2 Application of the Model – Cluster Analysis

The deductions arrived at in Exhibit 6.4 (Table 6.12) can be summarized for the
following trends observed in the target banks:
Large banks have higher degree (15%) of average resilience (3.30) as compared to
smaller banks (2.50). The smaller banks however experience a wider range of
resilience (4.89 to 0.52) as compared to larger banks (4.49 to 1.5). This is evident
from the fact that larger banks have more formal organization with a longer history
and have therefore standardized the strategic policy implementation across branches
and units. The smaller ones are in the process of settling down. This is further
corroborated by large variance on most resilience parameters (1.3 on average) for
small banks as compared to large ones (0.6). The larger banks are slightly lesser
vulnerable on account of this factor (1.39 for large vs. 1.49 for small). Interestingly,
the vulnerability is perceived higher by the middle and functional management of
both segments of banks whereas preparedness is considered higher by the top
management.
6.2.2 Procedure
Large banks were found to be more resilient from this perspective (3.43 vs. 2.60). The
smaller banks showed much higher vulnerability compared to the smaller banks (2.49
142
vs. 0.90). The perceptions of the top management compared to the other levels
favored better resilience and lesser vulnerability as found for the cluster –
organization. The better preparedness of larger banks stems from their experience and
organizational strength in implementing processes supported by focused
organizational structure. The smaller banks are trying to catch up as they need to
constantly add to the portfolio of products and services with lesser organizational
strength to match their larger counterparts. Most small banks have still large number
of processes that are not automated, which is not the case with large banks.
6.2.3 People
The trends observed are similar to those explained above for the cluster – procedure
and for identical reasons. Large banks are more resilient (3.54 vs. 2. 45) and less
vulnerable (0.86 vs. 2.81) compared to their smaller counterparts. Small banks seem
to have more problems with staffing as compared to large banks and hence the
vulnerability on people issues. In this case too, the middle and functional
managements register higher concerns than the top.
6.2.4 Technology
Smaller banks perceive to be a shade more resilient than large banks (3.80 vs. 3.55) as
regards resilience of technology infrastructure is concerned. The dependence of large
banks is higher on technology given the greater degree of automation and hence the
lower resilience. Smaller banks are however, highly vulnerable on this parameter
(3.35 vs. 0.72). This is logical given the fact that large banks have near world-class
and state-of-the-art technology infrastructure. They also have better central and
remote control facilities for performance monitoring and tuning. Most small banks
have stand-alone systems that are networked with low cost technology solutions. This
together with inadequacy of trained technical staff makes them highly vulnerable. The
perceptions of middle and functional managers indicate better preparedness and lesser
vulnerability on account of technology as compared to the top managers – opposite to
what is experienced in case of organization, procedure and people.
143
6.2.5 Facilities
The smaller banks have reported better resilience as regards facility management
compared to large banks (4.02 vs. 2.59) but are more vulnerable (3.26 vs. 0.41). The
large banks have wide spread facility infrastructure in terms of offices, business
outlets, data centers and DR sites (near and far). Smaller banks do not have such wide
spread facilities and are mostly located in residential societies and thus are more
resilient. They are however more vulnerable as they do not have efficient facility
management infrastructure and organization that large banks can afford given their
volumes and scale of operations.
6.3 Observation and Inferences

The correlation of the Resilience Indicators (RIs) and Vulnerability Indices (VIs)
together with the statistics of values in terms of Average, Variance, Standard
Deviation, Maximum and Minimum Values given in the Exhibit 6.4 (Table 6.12).
These can be used to draw inferences about sensitivity of data (responses) and its
reliability / vulnerability in the context of BCM applications. The succeeding
paragraphs highlight the observations / inferences.
6.3.1 Organization
The managements of large and small banks seem to confirm significantly with one
another as regards Preparedness (RI) (correlation 0.8) and also agree that its value is
high (3.3 on an average). There is lesser agreement on the issue of Vulnerability in
both segments of banks (0.35 average). There is significant difference about the
perception of vulnerability between the three levels of management wherein the
middle and functional management rate vulnerability higher than the top
management. There is wide range of variation between the perception of vulnerability
ranging from 0 to 4.96, whereas the average values of vulnerability are not very high
(1.4 on an average). This indicates that on issues related to organizational strategy and
policy formulation all agree that the preparedness in this regards is of importance for
effective BCM, however, most do not (except for some functional managers in small
banks) consider it to be challenging and probable.
144
6.3.2 Procedure
There is significant uniformity amongst the top, middle and functional managements
of both segments of banks regarding high degree of preparedness amongst them.
There is however significant variation in the values of RI i.e. the extent of
preparedness between the three levels in that the top level perceives better
preparedness compared to the other two (3.13 to 2.42). There is also large variation in
the minimum and maximum values of preparedness from 0.30 to 4.98. All levels of
management in large banks rate the vulnerability (VI) far lower than their
counterparts in smaller banks (0.9 in large vs. 2.49 in small banks). There is a diverse
opinion about vulnerability in both segments of banks amongst the functional
management typified by the negative correlation of RI and VI for this group. The
smaller banks rate their preparedness as lower than larger banks by almost 25% and
feel that their vulnerability is almost 2.5 times that of large banks. The smaller banks
therefore, need to focus in organizing their procedures particularly as regards to
alternate system operations and communications in the event of disaster /
discontinuity. The larger banks seem to be geared up to take on the eventualities on
this score.
6.3.3 People
There seems to be greater agreement (co-relation 0.9) between the respective
management levels of both segments of banks as far as resilience on this issue is
concerned. However, there is a far less agreement across the different levels of
management (co-relation 0.3) in both segments. Interestingly, the levels of
management when responded individually rated preparedness as moderate (RI 2.5
average) whereas collectively they have rated this factor as high (RI 3.5). The large
banks perceived themselves as less vulnerable (VI 0.86) compared to their
counterparts (VI 2.81). On account of this factor, the middle management of both
segments of banks come out strongly in expressing concerns about vulnerability in
their respective segments. However, there is a lesser agreement (Co-relation: - 0.3)
between the preparedness of large banks and vulnerability of small banks as perceived
by the middle level management. There is a slight disagreement (Co-relation: - 0.08)
between the middle managements of both segments of banks as regards vulnerability
of their respective segments. In the overall picture, the larger banks are almost 20%
145
more resilient (RI 3.5 v/s 2.5) and 40% less vulnerable (VI 0.8 v/s 2.8) as compared to
their counterparts. The top and middle management of small banks perceived both
preparedness and vulnerability to be moderate (RI 2.38 v/s VI 2.85) whereas the
functional management perceives vulnerability to be lesser than preparedness (RI 2.78
v/s VI 2.46). This seems to be logical that given the size of small banks, people are
deployed on variety of tasks and thus get better equipped to handle most functions
that comes handy in meeting up eventualities. The large banks have specialists to
handle tasks and thus are not exposed to a greater degree of variety of tasks. The
smaller banks are more vulnerable for the same reason that non-availability of a lesser
percentage of workforces can affect a variety of functions whereas in large banks the
shear numbers provide resilience even with high percentage of non-availability of
workforce.
6.3.4 Technology
There is very high agreement amongst the top management (Co-relation 0.9), high
agreement (Co-relation 0.75) amongst the middle management and comparatively
moderate agreement (Co-relation 0.4) amongst the functional management across the
two segments. However, there is low agreement on the issue of technological
preparedness (Co-relation 0.11) between the two bank segments. The functional
management of large banks seems to differ significantly (Co-relation: - 0.35) on the
issue of preparedness (RI 3.89) against vulnerability (VI 0.71). There seems to be
moderate disagreement between the middle and functional management on the issue
of vulnerability between the two bank segments (Co-relation: - 0.1). In the overall
picture, the agreement varies from low to moderate across all levels of management of
both segments on account of preparedness and vulnerability on people issues.
Interestingly, smaller banks perceive themselves to be slightly more resilient (RI 3.8
v/s 3.5) but approximately 50% more vulnerable (VI 3.35 v/s 0.72) as compared to
large banks. The smaller banks perceive themselves as slightly better prepared (RI
4.97 v/s 4.64 max) but far more vulnerable (VI 4.56 v/s 2.25 max) as compared to
large banks. The dependence of smaller banks on technology is far less as compared
to large banks due to lesser degree of automation in various functions as most small
banks do not have fully integrated front end and back office operations. The larger
banks however have state of the art technology solutions that address their scale and
146
scope of operations. They also have rugged and reliable systems in terms of data
storage, transfer and security supported on professionally managed data centers and
DR sites with alternate bandwidth arrangements. This makes then highly resilient and
less vulnerable. The higher degree of vulnerability of small banks is due to their
inability to invest in state of the art data centers and data transfer arrangements. In the
event of major discontinuities, most offices get disconnected from each other making
them highly vulnerable from continuity perspective.
6.3.5 Facility
There is very high agreement amongst the top management (Co-relation 0.86), high
agreement (Co-relation 0.74) amongst the middle management and moderately high
agreement (Co-relation 0.6) amongst the functional management across the two
segments. However, there is very low agreement on the issue of facility vulnerability
(Co-relation 0.009) between the two bank segments as far as middle level
management is concerned. The functional management of small banks seems to differ
significantly (Co-relation: - 0.24) on the issue of preparedness (RI 1.48) against
vulnerability (VI 0.50). In the overall picture, there is greater level of disagreement
from low to moderate across all levels of management of both segments on account of
preparedness for facility issues. There is a large disagreement displayed not only in
terms of preparedness (Co-relation: -0.120) of smaller banks as compared to larger
banks but also in vulnerability (Co-relation: -0.205) in the same segment. As far as
large banks are concerned, the vulnerability of the banks as regards to their
preparedness is critical (Co-relation: -0.020) and this issue needs to be addressed with
utmost concern. Interestingly, the resilience of both the bank segments in terms of
preparedness is approximately similar (RI 4.93 v/s 4.91) but smaller banks are
extremely vulnerable as compared to larger banks (VI 4.23 v/s 1.47). The smaller
banks seem to be more resilient as compared to larger ones as the demand on facilities
is not as complex and high as large banks going to scale and scope of operations.
However, the absence of exhaustive facility maintenance, arrangements are making
smaller banks highly vulnerable. Given the large capital expenditure requirement to
create and maintain the facilities, the option that smaller banks have is to form
consortiums to address the issue.
147
6.4 Statistical Analysis of Findings
The statistical analysis of data on ‘Resilience’ and ‘Vulnerability’ (Exhibit 6.3, Table
6.11) revealed that the skew in distribution of responses for various levels of
management was found to be close to zero, as in a normal distribution. The test results
are placed at Annexure 8. Further, the correlation coefficients for the two sets of
results, viz standardized scores and percentiles, yielded very high correlation. The
credence to use of ‘Percentiles’ instead of ‘Standardized’ results was thus established.
The test also indicated that an 80 percentile score is at around one standard deviation
or above the mean, which captures nearly 16% of the responses in the ‘high’ values.
Hence an 80 percentile is being considered as a 'high' and a 20 percentile signifies a
'low' category.
The responses from the various levels of the management of the two segments were
therefore given percentiles scores using ‘Statpro’ package to rank them within the
clusters. This was done so as to ascertain relative importance the banks attribute to the
factors in the given clusters (Organization, Procedure, People, Technology and
Facility). The factors (RI and VI) were then marked as high importance (Percentiles
scores more than 0.80) and low importance (Percentiles scores less than 0.20) cluster
vise. Based on these markings, the parameters were categorized into four types from
the standpoint of criticality to implement BCM – Management level wise for both
bank segments.
Table 6.2 Criticality of factors
Parameter Type Vulnerability Indicator VI
Criticality Level High Low

Resilience
High Important Essential
Indicator
Low Critical Desirable
Divergent Views Divergent
The parameters were then marked as critical, essential, important and desirable for all
the management levels of the two segments of banks. The details are at appendix 5.
148
The Criticality of factors for the two segments of the banks were then ascertain based
on the markings of the factors by various management levels. A brief analysis of the
criticality of the factors for small banks was carried out and contrasted against the
larger banks. This and remarks on divergent views on the issues of criticality as
perceived by the two bank segments is given in the succeeding paragraphs.
6.4.1 Organization
The performance objectives in terms of growth in volumes and diversities (A2) of
small banks is very critical as they are less prepared and highly vulnerable as
compared to the larger banks which have essential criticality level with high
preparedness and low vulnerability. When we analyze the factor of review of
outsourced activities and relationships (B6), we infer that smaller banks are in very
critical condition as they are highly vulnerable and very less prepared as compared to
larger banks. There is a greater disagreement in terms of communication of alternate
processes (C2) in the organization in both segments of banks. The smaller banks are
less prepared and more vulnerable whereas the larger banks are considering it to be
essential and hence are less vulnerable and highly prepared. There is a level of
agreement on the factor of implementation of BCM in partner organization (D1) in
both the bank segments as this is highly critical and both segments are less prepared
and highly vulnerable. Thus, if we analyze the overall critical factor, we find that both
bank segments are having the divergent views on the factors of Clear definition and
communication of Vision and Mission (A1) and their Performance Objectives (A2).
Similarly, there is a greater level of disagreement on the issues of Participative
Governance (A5), Cultural Change (A8), Business Impact Analysis and Risk
Evaluation (B1), Rationalizing Organization (B2), Review of Outsourced activities
and Relationships (B6), Alternate Processes (C1) and Communication of Alternate
processes in the organization (C2) as the banks are having divergent views on this
matter. Closer analysis of the data reveals that whenever larger banks are more
prepared, they are less vulnerable for various issues except for the fact that in terms of
Social Sensitivity (A6), the larger banks are much more prepared (RI 4.16) and at the
same time they are also highly vulnerable (VI 3.22). When smaller banks are analyzed
it is very obvious that they are very less prepared (RI 2.30) for Review of outsourced
activities and relationships (B6) and highly vulnerable for this particular factor (VI
149
4.15) and our suggestion for this particular to the banks is that they should be better
prepared for this particular matter.
6.4.2 Procedures
There seems to be a disagreement on the issue of Service Level Agreements (A3)
between small banks and large banks wherein the small banks are less prepared and
highly vulnerable and are falling in critical zone for this matter whereas larger banks
are finding this factor as essential and hence they are highly prepared and less
vulnerable. The observation in terms of Documentations (A) of the procedures is very
differing for small banks and large banks. The small banks are less prepared and
highly vulnerable for mishandling of the documentation issues whereas the larger
banks are considering the criticality level of this issue as important wherein even
though they are highly prepared, they are again highly vulnerable for this matter. On
the issue of Knowledge management to track customer behavior, to take proactive
actions during disasters (D3), the smaller banks are again less prepared and highly
vulnerable whereas the larger banks are finding it to be the most desirable in terms of
criticality level. Also on the issue of safety rules (A5), the disagreement is there in
both the bank segments where smaller banks are considering the criticality level as
important as they are highly prepared and highly vulnerable for this factor and the
larger banks are displaying the situation as critical because they are less prepared for
security breaching and highly vulnerable on this factor. The overall picture of the
critical factors for both bank segments show that on the factors of Application of
Security Policy across the organization (A7), Compliance of RBI Regulations (A10),
Incident Logging (B2), Market/Environment Information Gathering for incorporation
in BCP (B6), Testing Schedules for Processes (D1) and Knowledge Management to
track customer behavior, to take proactive actions during disasters (D3), the situation
is highly critical and both the segments are less prepared and highly vulnerable for
miss happenings. For the factors of Contingency Plans (A1), Emergency Action Plans
(A2), Data replication, both bank segments are considering the criticality level to be
important because not only they are highly prepared but vulnerabilities are also very
high.
150
6.4.3 People
The people factor is an important factor while studying Business Continuity
Management in both segments of the banks. The factors of Risk Awareness and
Preparedness Tests (B4) and Tolerance Limit of Employees (B5) are very critical for
small banks as they are less prepared and highly vulnerable but in case of large banks,
the criticality level is essential as this segment is less vulnerable due to high
preparedness. Again on the issues of Tolerance limit of Customers (B7) and Actions
against Defaulters (C2), small banks are displaying high criticality as they are less
prepared and highly vulnerable against these attacks. There is a greater level of
agreement in both the segments of the banks for the deployment of management
teams as both consider it to be an essential factor with high preparedness and low
vulnerability. Again the factor Crisis Management Team (A1) is important for both
the banks with high preparedness and high vulnerability. The smaller banks are not
only better prepared but also very much vulnerable on the issue of Reward System for
Outstanding Contributions (D2) whereas this issue is desirable for larger banks as
they are less prepared and less vulnerable. In the overall picture, the issues of Key
Personnel (B1), Tolerance limit of Employees (B5), Tolerance limit of Customers
(B7), Actions against defaulters (C2) and Succession Planning (D1), both the bank
segments are displaying the conditions to be very critical as their resilience indicator
is low and at the same time their Vulnerability indicator is high and hence a lot of
attention is needed for improvement in this area. For Security Roles and
Responsibilities (B2), Safety Roles and Responsibilities (B3), Risk Awareness and
Preparedness Tests (B4), Social Sensitivity (C3) and Knowledge Management (C5)
both segments are having divergent views on people issues for these factors. Crisis
Management Team (A1) and Deployment Management Team (A2) factors are
important with high preparedness and high vulnerability in both segments of the
banks.
6.4.4 Technology
The criticality level of small banks on the issues of Alternate arrangements for
specialized/automated delivery mechanism (B6), Phone Banking operations and
Security (B7) and Specialized inter banking operations (B9) is highly critical as they
are not having the latest technology and are not prepared and at the same time highly
151
vulnerable for any kind of misshapenness. For all these factors, larger banks have
latest technologies and hence they are less prepared and less vulnerable and thus level
of criticality is desirable for this particular segment. For factors like Data Integrity
(A3), Replication (A5), Internet Banking operation and Security (B8), Infrastructural
renewal (B12), User Access Control (D1) and Data Security (D2), the small banks are
considering the criticality level as important and the resilience indicator for these
factors is high but at the same time they are highly vulnerable with high vulnerability
Indicator. The factors Standardization of Equipments and Applications (A7), System
Administration (A8), Application Monitoring, Tuning and Diagnostics (A9),
Knowledge Management to track Utilization and performance of hardware and
applications (B11) and Application Security (D3) are factors that are considered as
having Essential Criticality level for which the banks are highly prepared but are at
the same time less vulnerable. For the same factors, the large banks are having critical
conditions for which they are less prepared and highly vulnerable. If Overall picture
of Technology issue is analyzed then we can come to a conclusion that Architecture of
IT Solutions (A1), Data Architecture Review (A4), Application Monitoring, Tuning
and Diagnostics (A9), Alternate arrangements for specialized/automated delivery
mechanism (B6), Phone Banking Operations and Security (B7), Specialized Internet
Banking Operations (B9) and Intra Bank Communication System Portfolio (C3) are
some of the factors for which the condition is highly critical and both the segments of
the banks are less prepared and highly vulnerable for Technology vulnerabilities. For
Server consolidation (B1), Backup Systems (B3) and Knowledge Management (B11)
factors, both the segments of the banks are considering the criticality level as essential
wherein they are highly prepared and less vulnerable. For all the other factors, both
the segments of the banks is having divergent views and has greater level of
disagreements in the implementation of technological issues.
6.4.5 Facilities
The smaller banks seem to be in critical condition for factor Safety Equipment and
Maintenance (B3) wherein they are not prepared and are susceptible for higher
vulnerabilities as compared to large banks. Similarly for factors Central Data Center
(A2), Facility Management (B4), Data Center Security (C2), Data Center Safety (C3),
Infrastructural Renewal (D2) and Review of Vulnerability Analysis of Critical Assets
152
(D3) the smaller Banks’ criticality level is important because even though they are
highly prepared, the level of vulnerability is also comparatively high. For factors
Recovery Center Locations (A3), Communication (B1) and Knowledge Management
(D5) the small banks are high prepared with low vulnerabilities. In the overall picture,
both the segments of the banks are in critical condition for the factors Workplace
(A1), Resource Location in Disaster (B2), Transportation (C1), Training and
Education of Stake holders in handling emergency/safety equipments in crisis (D4)
and knowledge management to track utilization and performance of assets (D5)
where these segments are less prepared and highly vulnerable for the miss handling of
the facility issues. For factors Central Data Center (A2), Facility Management (B4),
Infrastructural Renewal (D2) and Review of Vulnerability Analysis of Critical Assets
(D3) both the bank segments are having important criticality level as on these factors,
the banks are highly prepared and at the same time highly vulnerable. There is a
greater level of disagreement on the issues of Recovery Center Locations (A3),
Communication (B1), Safety Equipment and Maintenance (B3), Data Center Security
(C2), Data Center Safety (C3), and Security Planning in Disaster (D1) as the banks
are having divergent views on these factors and both segments feel that their way of
implementation of facilities is proper and up to the mark and thus, these issues need to
be concerned.
6.5 Critical Factors for BCM Implementation in MSRB

The summary of critical factors for the three categories (Critical – Low
Resilience, High Vulnerability; Important – High Resilience, High Vulnerability;
Essential – High Resilience, Low Vulnerability) for the five clusters in respect of
MSRBs is given in the table below. This has been worked out based on the analysis
in articles 6.3 and 6.4 above. The resilience and vulnerability levels found in MSRBs
compared to large banks is also indicated. These factors ought to occupy management
attention while designing and implementing BCM Solutions.
153
6.5.1 Organization
Table 6.3 CSFs - Organization

Resilience
Vulnerability
Para- Compared
Description Compared to
meter to Large
Large Banks
Banks
Performance Objectives (e.g. Growth in volumes
A2 and diversity ) enunciated and communicated to Good Moderate
all concerned.
C2 Good High
organization
Implementation of BCM in the organization of
D1 Excellent Moderate
partners
Review of Outsourced Activities and
B6 Good Very High
Relationships
Clear Definition and Communication of Vision
A1 Very Good High
and Mission
Business Impact Analysis and Risk Evaluation for
B1 Critical Process to identify impact on business in Good Moderate
terms of
D2 Insurance of Outsourced Partner Assets Excellent High
Extremely
C3 Insurance of Equipment and Personnel Excellent
High
B5 Relationship with Business Partners Good Moderate
B3 Allocation of Budget for BCM Very Good Low
Multiple Delivery Channel Alternatives deployed
A4 Good Low
or planned to deploy. E.g.
A6 Social Sensitivity Better Moderate
A3 Portfolio of Products and Services Good High
A8 Cultural Change- Agility of bank to adopt changes Better Low
154
6.5.2 Procedure:
Table 6.4 CSFs - Procedure

Resilience
Vulnerability
Para- Compared
meter to Large
Large Banks
Banks
A3 Portfolio of Products and Services Good High
Multiple Delivery Channel Alternatives
A
deployed or planned to deploy. E.g. Good High
Knowledge Management to track customer
D3 behavior, to take proactive actions during Extremely
disasters Poor High
Clear Definition and Communication of Vision
A1
and Mission Very Good Very High
Performance Objectives (e.g. Growth in
A2 volumes and diversity) enunciated and
communicated to all concerned. Good High
Extremely
A4 Participative Governance
Very Good High
A8 Promotional Model and Brand Management Good Very High
Extremely
B1 Relationship with Business Partners
Good High
Knowledge Management to assess environment
B3 for competitive positioning and organizational
climate for improvement Good Very High
B4 Alternate Processes – Organization and Cost Good High
B5
organization Very Good High
Implementation of BCM in the organization of Extremely
C1
partners Good High
A5 Social Sensitivity Good Moderate
A11 Allocation of Budget for BCM Good High
155
6.5.3 People
Table 6.5 CSFs - People

Resilience
Vulnerability
Para- Compared
meter to Large
Large Banks
Banks
B4 Risk Awareness and Preparedness tests Low High
Tolerance Limit – Assessment and Extremely
B5 Very Low
Enablement (Employees) High
Tolerance Limit – Assessment and
B7 Low Very High
Enablement (Customers)
Extremely
C2 Actions against Defaulters Moderate
High
Crisis Management Team (Multi Functional Very Extremely
A1
Team). Good High
Reward System for Outstanding
Very
D2 Contributions (Merit Based Promotions and Very High
Good
Incentives)
A2 Deployment Management Team Moderate High
B2 Security Roles and Responsibilities Good High
Training and Education of Stake Holders in
B8 Good High
running alternate procedures
Adaptation of Technology and Culture of Self Very
C4 Very High
Help – Employees, Customers, Partners Good
156
6.5.4 Technology
Table 6.6 CSFs - Technology

Resilience
Vulnerability
Para- Compared
meter to Large
Large Banks
Banks
Alternate arrangements for specialized /
B6 automated delivery mechanisms- ATM’s, POS Low Extremely
High
terminals, Kiosks.
B7 Phone Banking Operations and Security Good Very High
Specialized inter banking operations- fail safe
B9 Low Extremely
mechanisms and alternatives High
A3 Data Integrity Excellent Extremely

High
A5 Replication Excellent Extremely
High
B8 Internet Banking Operations and Security Excellent Extremely
High
B12 Infrastructural Renewal Excellent Extremely
High
D1 User Access Control Excellent Extremely
High
D2 Database Security Excellent Extremely
High
Standardization of Equipments and
A7 Excellent Low
Applications
System Administration - Monitoring, Tuning
A8 Excellent Moderate
and Maintaining using automated tools
Applications Monitoring, Tuning and
A9 Excellent High
Diagnostics using automated tools
B11 Excellent High
performance of hardware and applications
D3 Application Security Excellent High
157
6.5.5 Facilities
Table 6.7 CSFs Facilities

Resilience
Vulnerability
Para- Compared
meter to Large
Large Banks
Banks
B3 Safety Equipment and Maintenance Low High
Extremely
A2 Central Data Centre Excellent
High
Facility (Power, Fire and flooding, Access
Extremely
B4 Control) Management - Monitoring, Tuning Excellent
High
and Maintaining using automated tools
D2 Infrastructural Renewal Excellent High
Review of Vulnerability Analysis of Critical
D3 Excellent High
Assets
A3 Recovery Center Locations Excellent High
B1 Communication Good Moderate
Knowledge Management to track utilization
Moderately
D5 and performance of assets in Normal and other Excellent
High
than normal situations
6.5.6 Recommendations to MSRB’s to address vulnerabilities

The data-analysis given in paragraph 6.4 and 6.5 above is used to work out
recommendations to MSRB’s for countering vulnerabilities and improving their
resilience. These recommendations are grouped as per the five clusters to specifically
highlight “highly vulnerable” and “moderately vulnerable” BCM parameters in
respect of MSRBs. The recommendations are generic in nature which will have to be
defined specifically for the bank to which the model is being applied after considering
all minute details.
158
Table 6.8 Cluster wise recommendations to MSRBs
Recommendations to management to effect
Parameter of vulnerability
interventions to make MSRBs resilient and
Sr.No to be addressed to improve
come up to levels of large banks in this
resilience for continuity
regard
1. Organization
Highly vulnerable
a. Adaptation of Automation The banks need to create adequate
Technology and imbibing infrastructure for automation in a
Culture of “ Do it yourself” collaborative (outsourced) arrangement with
using Technology for “ providers” who will take care of
Employees investments and risks both for installation
Customers and operations whilst the bank pays for the
Partners – IT, Facilities, time /volume utilized (on demand).
Services, Insurance, The staff needs to be appropriately trained
Safety Roles and and retrained and kept motivated.
Responsibilities Clear directions about roles and
responsibilities during disaster situations
that need to be communicated on intranet as
well as “rule books.”
b. Improved Awareness Better training and motivation by providing
and Enablement of challenges and rewarding performance.
employees ensuring Sensitivity checks carried out randomly in
better preparedness of various outlets by a central team to record
employees . levels of performance and suggest
Greater “Tolerance improvements where necessary.
Limit” of customers to Regular communication by way of bulletins
withstand disruptions and socializing events to appraise customers
without getting ruffled . of new initiatives taken to upgrade service
Regular assessment of levels to them.
sensitivity of both
employees and
customers for the above
two.
c. Regular Tracking of Setting up an up gradation of benchmark
performance of all that are objectively measurable in terms of
individuals at various response times, volume handled, service
levels, roles and rendered etc.
locations in normal Appropriate corrective actions in respect of
operating conditions those not found to perform at par during
Recording performance normal operations.
displayed during De-briefing after disruptions (Knowledge
situations of disruptions Management) and recording performance
for responses in terms of during that situations.
speed and correctness. Outstanding contributions be appropriately
rewarded and below par performances to be
discussed with concerned individuals and
corrected.
159
d. Crisis Management Team Organization that will become operative during
(Multi Functional Team emergency situations defining clear roles and
responsibilities with allocation of alternative
tasks to be clearly defined. This needs to be
adequately communicated by way of intranet,
secure website and rule books placed in
accessible locations.
Moderately vulnerable
e. Enunciation and These banks need to formalize processes to
Communication of communicate growth targets and report
Performance Objectives performance regularly and effectively to all
(e.g. Growth in volumes stakeholders i.e employees, customers and
and diversity) to all partners.
concerned. This will enhance confidence and esteem
Relationship with among them that will be the driver of
Business Partners to adapting newer systems as also participative
foster ability to adopt relationships in growing and furthering
changes. business.
Rationalizing The roles and responsibilities of all
Organization – Roles functionaries internal and external need to
and Responsibilities be rationalized to provide more resilience to
embrace change and growth. These need to
be communicated by way of intranet,
internet and rulebooks.
f. Business Impact Analysis Systems and processes need to be put in place
and Risk Evaluation for to carry out business impact analysis on a
Critical Process to identify regular basis preferably by a team comprising
impact on business. of internal and external consultants. The risk
profile keeps changing in the present day
banking environment owing to changes in
technology, regulations, delivery alternatives,
customer preferences and competition.
2. Procedure
Highly vulnerable
a) Documentations This aspect does not receive adequate attention
Contingency Plans as organization is loaded with operational tasks.
Emergency Action Plan These are extremely important to manage
Security Rules operations during disruptions and recovering
Safety Rules back to normalcy after eventuality is over.
Service Level These documentation need to be adequately
Agreements communicated using all methods (electronic
and paper-based).
b) Knowledge Management There is a tendency of not recording
to track customer parameters of responses, efficiency and
behavior and effectiveness of actions taken in meeting
Employee responses disruptions and effecting recovery. These
during disasters. are due to lack of attitude and also to an
Review of Vulnerability extent owing to organizational issues. A
160
of Critical Processes and dedicated team is to be nominated (using
Analysis of Recovery internal and external consultants) and tasked
from perspective of with this responsibility.
response time and Formats for data gathering need to be
efficiency. created and communicated. These are to be
used post-recovery and during regular
reviews. It is recommended that reviews be
conducted by yearly. The task of analysis
must be entrusted to external consultants.
The findings must be discussed in annual
meetings and instructions issued thereafter.
c) Incident Reporting There has to be a formal structure and
Handling Media in the process to report incidents to appropriate
event of an accident. levels (escalations) and outsourced /
Risk Awareness Reality collaboration partners (a necessity in their
Check Up in the case as most support may be from outside
Organization. the organization). The methodology should
be conducive to data-entry and analysis.
The media-handling function can also be
done by an agency with appropriate SLA in
operation.
There should be an annual reality check
using a metrics, drawn on the lines of one
suggested in this study, modified as per the
“environment”.
d) Compliance of Security and They should go in for this certification
Safety Procedures in religiously to attain requisite standards on
accordance with ISO 27001. account of security and safety. They should
be reviewed yearly for up gradations.
It is generally expensive to sustain these
initiatives. It is therefore recommended that
these banks should form a consortium that
engages the audit agencies on behalf of the
member banks to reduce financial liability.
e) Integration of Business The operating documents and rule books
Continuity Procedures ought to have sections on alternate
with normal business processes and organization that are to be
processes. operative in the event of disruptions.
Testing Schedules to There should be a schedule to test all the
assess efficacy of alternate processes by conducting
alternate processes in simulation exercises that will keep the
operations. employees in a state of readiness to meet
disruptions.
For both above the “consortium approach”
is recommended.
3. People
Highly vulnerable
161
a) Maintaining High levels These can be achieved by :
of “ Risk Awareness”, Clarity on Roles and Responsibilities that
and “Preparedness” for are well defined and adequately
employees communicated.
Achieving greater Just and proper performance review
“Tolerance Limit” for mechanisms and reward systems.
customers and business Regular training and retraining.
partners. Providing exposure to “best &
contemporary” practices in banking globally
by way of formal and informal interactions
with other banks.
Appropriate correction mechanisms for
those not performing at par.
Regular informative and social interactions
with customers and business partners.
b) Performance of Crisis Reward System for Outstanding
Management Team (Multi Contributions (Merit Based Promotions and
Functional Team). Incentives),
The performance of Crisis Management
Team is to be recorded and analyzed after
every disruption situation. Objective
measures must be applied to gauge
performance levels, effectiveness and
efficiency. Their must be a formal
debriefing session sponsored by the top
management , to accrue learnings and
improve organization and processes.
Outstanding performers must be suitably
rewarded.
c) Fostering culture of “self The organizational initiatives that should be
dependency” and undertaken are enumerated in Section 1 and
adaptability to change. 2 above.
The esteem and self-belief arising out of
high performance and respectable public
image are catalysts in fostering sustaining a
culture of self-dependency and adaptability
in addition to organizational methods.
d) Deployment Management The key personnel who would own the
Team- Roles and process of countering emergency situations
Responsibilities of Key with alternate processes and participate in
Personnel the recovery to normalcy ought to be clear
about roles, responsibilities and deployment
during emergency.
They need to be “accepted” by their peers as
“leaders” in the situation. This can be
brought about by dissemination of
appropriate information about them
162
organizationally as well as by their own
conduct of exemplary performance during
normal conditions.
e) Enablement of all This is required to facilitate assumption of
stakeholders (Customers, responsibility by all stakeholders in working
Employees and Business the alternate organization and processes
Partners). during disruptions.
True Enablement is realized by ability to
communicate and trust by all involved in
addition to awareness of rules and
procedures.
4. Technology
Highly vulnerable
a) Arrangements for It is recommended that these banks form a
specialized / automated consortium that provides these delivery
delivery mechanisms- systems on usage cum retainer basis.
ATM’s, POS terminals, This would provide greater efficiency as
Kiosks, Phone Banking regards response time and reliability is
Operations and Security concerned. The provider will have the
advantage of economy of scale and would
therefore be able to create and maintain
state of the art infrastructure and also take
away risk and requirement of capital from
bank’s perspective.
Given the ruggedness of modern day data
security and transmission systems, secrecy
of data and can be reliably effected together
with appropriate SLAs.
b) Technology Infrastructure It is recommended that these banks form a
Solution Architecture consortium that provides these delivery
Hardware (Central and systems on usage cum retainer basis.
units) This would ensure that infrastructure will
Applications ( Core & always remain contemporary and reduced
support) cost of operations, maintenance and
Utilization and upgrades.
performance Reduce requirement of capital expenditure,
Database & Application risk. Skilled Technology manpower ( not a
Security core competence of banks ).
Backups (Central and Secrecy of data and operations can be
units) reliably effected by use advanced
Alternate systems monitoring and control system ( all with
Review of Vulnerability. remote operations capabilities) together
Knowledge Management with appropriate SLAs.
to track performance and Review of performance and requisite
effect upgrades upgrades to be carried out by a team of
consortium (internal) and external
(professional) consultants.
c) Data Communications & It will be highly profitable for these banks
163
Security form a consortium and tie up with leading
Network Bandwidth Data communication providers ( both
Provisioning ( LAN – private & public sector ) that provides these
units & WAN inter services on usage cum retainer basis.
units) This would ensure availability of latest in
Access Control & class Data communication infrastructure,
Security reduced requirement of capital and cost of
Performance tuning & operations, maintenance & upgrades and
Administration reduced requirement. Skilled technical
Review of Vulnerability. manpower
Knowledge Management to Secrecy of data and operations can be
track performance and effect reliably effected by use advanced
upgrades monitoring and control system ( all with
remote operations capabilities) together
with appropriate SLAs.
Review of performance and requisite
upgrades to be carried out by a team of
consortium (internal) and external
(professional) consultants.
d) Specialized inter banking Consortium exist for inter banking
operations- Delivery operations using IBRD (Hyderabad) ‘s
Channel Integration and NIFNET. This service is utilized for most
Security, fail safe inter banking operations and reconciliation.
mechanisms and alternatives The cost at the moment are high from
international standards.
The consortium approach will provide better
negotiating power to MSRBs to subscribe to
this as the scale will justify costs that will
get distributed across members.
It will also provide private players to get
interested in providing these services as
“value added component to their service
delivery models.
e) Standardization of Consortium based approach can provide
Equipments and opportunity to standardize equipment across the
Applications, System member banks that will provide both efficiency
Administration - and reduction in total cost of ownership.
Monitoring, Tuning and
Maintaining using
automated tools
f) Applications Monitoring, Consortium approach described above is
Tuning and Diagnostics recommended to address this requirement.
Network Monitoring and
Maintenance using
automated tools
g) Enterprise Application Consortium approach described above is
Integration recommended to address this requirement.
164
5. Facilities
Highly vulnerable
a) Central Data Center, Creating and maintaining world class Data
Security, and Safety Center is almost prohibiting proposition for
Safety Equipment and MSRBs.
Maintenance, Facility Consortium approach together with all its
(Power, Fire and advantages of efficiency, effectiveness and
flooding, Access cost, already described above is
Control) Management - recommended.
Monitoring, Tuning and The consortium should have a set of Data
Maintaining using centers that will serve a group of member
automated tools, banks ( number of members in a group
based on collective load ) in a geography.
These will have different status of operation
for the groups. A data center will serve as
“Near Site” for say Group 1, Main Site for
Group 2 and DR Site for Group 3 at the
same time to justify the investment and
thereby reducing total cost of ownership.
Security and safety of these centers can be
made world class by installing latest
technology paid up by the groups.
Typically a group in each category (Near,
Far& DR sites) could be from 10-15
MSRBs.
b) Transportation of Personnel Arrangements to be made, again in
and Equipment to Disaster consortium approach to identify few
Site Location. locations in safe areas that can be used as
Recovery back to Workplace emergency locations when the need arises.
location. These locations can be used for training the
staff by the consortium during normal
situations with capability of getting
converted to alternate locations during
emergency.
The transportation of personnel and
necessary equipment to alternate location
can be outsourced to a logistics agency,
which can be paid on retainer ship cum
usage payment model.
c) Infrastructural Renewal, Review of critical assets that constitute facilities
Review of Vulnerability of including security and safety to be carried out
Critical Assets/Security and by a team of consortium (internal), outsourced
renewal / up gradations of agencies & partners and external (professional)
facilities. consultants to recommend and implement
upgradations when and where necessary.
165
d) Knowledge Management to This is to be done at consortium level for all
track utilization and member banks. A professional agency can be
performance of assets in employed to effect this. It will serve dual
Normal and other than purpose of third party professional audit (by
normal situations agencies that are approved by government) and
analysis of warehoused data to indicate trends
and improvements.
e) Training and Education of This is to be done at consortium level for all
Stake Holders in handling member banks. A professional training agency
emergency/safety equipment can be employed to effect this.
in crisis.
6.6 Summary of Critical Factors
6.6.1 Overall Comparative Status

Large banks are more resilient (RI – Large (L) 3.3 v/s Small (S) 2.5) on account of
parameters related to Organization, Procedure and People owing to well-established
and managed systems. Small banks show a comparable resilience (L 3.55. S 3.80) on
account of technology as their infrastructure is more than adequate for the scale and
scope f their operations. Large banks are less resilient on Facilities (L 2.59, S 4.02)
owing to their size and scale and hence greater demand on facilities. Small banks are
highly vulnerable on account of Procedures (L 0.9, S 2.49), Technology (L 0.72, S
3.35) and Facilities (L 0.41, S 3.26). These aspects need to be focused keenly while
they design their BCM implementations. Large banks are more vulnerable on account
of People (L 2.81, S 0.86) due to volumes and expanse of operations needing more
people, not the case with Small banks that cater to localized customers.
6.6.2 Management comprehension of BCM

The managements of both categories of banks agree significantly (Correlation 0.8) on
the state of ‘preparedness’ on account of organizational (strategy and policy) in their
banks. However there is lesser agreement (correlation 0.3) on the issue of
‘vulnerability’ as the reported levels range from 0 to 4.96 on a scale of 5.0. This
indicates unclear perceptions of ‘vulnerability’ in both categories of banks, as banks
in India have not been challenged significantly in this regard.
There is a higher clarity on the state of ‘preparedness’ and ‘vulnerability’ on issues

related to Procedures in both categories. The management in small banks perceives
greater vulnerability on account of Procedures to meet discontinuities. This is the area
of concern and focus for small banks.
166
There is a lesser agreement across the different levels of management (top, middle
and functional) regarding ‘preparedness’ on account of People issues in both
categories of banks.
The top management seems to perceive healthy state on this accord whereas the
middle management in both categories hold greater concerns regarding higher
‘vulnerability’ on account this issue (Training, Motivation, Deployment etc). The
functional management perceives ‘preparedness’ to be better and less vulnerable since
the problem conceived by them is local and hence smaller in scale and scope.
The top and middle management of both the categories of bank agree significantly on
issues related to Technology as far as ‘preparedness’ is concerned but differ
significantly on state of ‘vulnerability’. The functional management of larger bank
perceives lower vulnerability than their counter parts of smaller banks but it is other
way round when it comes to the state of ‘preparedness’. This is predominantly due to
greater dependence of larger banks on technology. Therefore, despite their better
infrastructure, they perceive themselves more vulnerable. The smaller banks are less
resilient on this account due huge ‘Total cost of ownership’ in creating and operating
quality IT Infrastructure.
There is a greater level of disagreement across all levels of management of both

segments of bank as regards ‘preparedness’ of issues related to Facilities is concerned.
The smaller banks are more resilient owing to lesser demand (hence pressure) of
volumes and diversity of products/services offered by them. The absence of adequate
infrastructure makes the smaller banks far more vulnerable that are unable to create
appropriate facilities due to lack of financial strength.
6.6.3 Critical Success Factors for BCM in Small banks

The following are considered as critical success factors by small banks in achieving
reliable BCM Organization & Infrastructure and its operation & maintenance.
a. Clear definition and communication of mission and vision.

b. Brand Management and maintaining relationship with all support organizations
(Regulatory and civic bodies).
c. Growth in volumes in diversity of products enlarging portfolio using multiple
delivery options (Internet, Phone banking, ATMs).
167
d. Elaborate business impact analysis of critical processes.
e. Enunciation and communication of alternate processes (to critical processes).
f. Better documentation of alternate procedures and instructions on safety.
g. Comprehensive Service Level Agreements with reliable outsourced agencies to
provide support as regards Technology, Infrastructure and Facilities.
h. Elaboration of operating BCM as regards incidence logging and taking proactive
actions during disasters and communicating the same to all concerned.
i. Training of Employees to improve “Risk Awareness and Preparedness”.
j. Clear organization of “Crisis Management Team (Multi Functional)” and
communication to all concerned.
k. Testing of BCM efficacy by regular drills.
l. Clear instructions and communication scheme to muster key personnel during
disasters and effect succession planning
m. Measurement of performance and reward systems.
n. Enhancement of IT Infrastructure for better data and applications management
ensured by reliable system with redundancy.
o. Alternate arrangements for IT Enabled transactions across product and service
offerings.
p. Efficient IT based tools and systems for managing operations and security of
networks, applications and databases.
q. Efficient backup hardware, systems and procedures.
r. Knowledge Management and regular audit of IT Infrastructure & Operations for
improvements.
s. Better data center infrastructure with modern access control and support systems.
t. Provision of alternate sites to migrate operations in event of disasters.
u. Deployment of modern safety equipments (automated and IT enabled).
v. Arrangements for alternate spaces and transportation of key personnel.
w. Insurance of assets (People, IT and Equipments).
168
6.6.4 Recommendations for successful BCM in Small banks
The MSRBs are performing effectively in their target segments, which cater mostly to
local population. They have limited portfolio of products and services as compared to
large banks. There is growing expectation of customers in terms of response time and
variety of service delivery options for which large banks are adequately prepared. The
MSRBs are less resilient and more vulnerable on issues of organization policies,
procedures and people issues. They also have humble infrastructure related to IT and
Facilities that is making them fall short on customer expectations as well as makes
them more vulnerable in disruptive situations. The following therefore are brief
recommendations to MSRBs to improve their resilience from continuity perspective.
a. Enhance products and service delivery options by resorting to high degree of
automation both for delivery as well as back office operations.
b. Clear definition of roles and responsibilities that are well documented and
communicated using electronic and paper media to facilitate operationalize
alternate process supported by emergency organizations in event of disaster.
c. Enhance awareness, preparedness and tolerance limits of employees and partners
by way of appropriate training interventions and motivation brought about by
suitable reward system.
d. Augment technology infrastructure both IT and Facilities by forming consortiums
that will collectively outsource asset provisioning, operations and maintenance to
support automated operations.
e. Consortiums can provide these to member banks on retainer cum usage basis
costing model that will reduce total cost of ownership and would improve
efficiency and effectiveness of operations owing to installation of best in class
hardware and software systems that will become affordable.
f. They need to raise the bar in terms of performance and producing results making
them competitive. They must practice transparency in communications to all
stakeholders to improve their esteem and thus resilience.
g. There is a need to foster a culture of adapting to changes and focusing on
enhancing value to customer by way of wider range of services delivered
efficiently and effectively.
169
6.7 Conclusion
Large banks are more resilient on account of parameters related to Organization,
Procedure and People owing to well-established and managed systems but are less
resilient on Facilities owing to their size and scale. Small banks show a comparable
resilience on account of technology, as their infrastructure is more than adequate for
the scale and scope of their operations but are highly vulnerable on account of
Procedures, Technology and Facilities. Large banks are more vulnerable on account
of People due to volumes and expanse of operations needing more people, not the
case with Small banks that cater to localized customers. The smaller banks are more
resilient on account of Facilities owing to lesser demand (hence pressure) of volumes
and diversity of products/services offered by them. The absence of adequate
The managements in two categories of banks perceive that they are less vulnerable
possibly because banks in India have not been challenged significantly in this regard.
Those in small banks perceive greater vulnerability on account of Procedures to meet
discontinuities and view it with concern. The top management seems to perceive that
their staff is well prepared to meet any contingency but the functional management
see this to be an area of concern. The functional management in larger banks
perceives greater vulnerability on account of technology due to greater dependence of
larger banks on technology despite their better infrastructure. The smaller banks are
less resilient on this account due huge ‘Total cost of ownership’ in creating and
operating quality IT Infrastructure.
There is a greater level of disagreement across all levels of management of both

segments of bank as regards ‘preparedness’ of issues related to Facilities is concerned.
The SMBs are performing cater mostly to local population and have limited portfolio
of products and services as compared to large banks. They are unable to match the
growing expectation of customers in terms of response time and variety of service
delivery options due their humble IT infrastructure, facilities and organizational
strengths. The SMBs therefore are recommended to improve their resilience from
continuity perspective by resorting to following:
170
Enhance products and service delivery options by resorting to high degree of
automation both for delivery as well as back office operations.
Well defined, documented and communicated roles and responsibilities that are
well documented and communicated using electronic and paper media to facilitate
operationalize alternate process supported by emergency organizations in event of
disaster.
Enhance awareness, preparedness and tolerance limits of employees and partners
by way of appropriate training interventions and motivation brought about by
suitable reward system.
Augment technology infrastructure both IT and Facilities by forming consortiums
Consortiums can provide these to member banks on retainer cum usage basis
costing model that will reduce total cost of ownership and would improve
efficiency and effectiveness of operations owing to installation of best in class
hardware and software systems that will become affordable.
They need to raise the bar in terms of performance and producing results making
them competitive. They must practice transparency in communications to all
stakeholders to improve their esteem and thus resilience.
There is a need to foster a culture of adapting to changes and focusing on
enhancing value to customer by way of wider range of services delivered
efficiently and effectively.
The above conclusion reinforces the following hypotheses (as concluded in Chapters
2, 4 and 5):
a. Higher the level of state-of-the-art IT infrastructure more is the reliability of the
BC practice and organizational strength, especially for banks that support
multiple products and services delivered through multiple channels.
b. The success in the implementation of BC practices as envisaged in enhanced
image and reputation of the bank depends on the softer aspects of Operations
such as employee awareness, readiness, empowerment, culture of innovation and
The results of application of BCM reality check model to select banks in Mumbai
enforce the hypothesis:
Small banks are less resilient to meet major disruptions as compared to large
banks on account of technology and facilities due to their inability to invest in
state-of-the-art IT infrastructure and establish reliable and communicated
procedures for alternate operations.
171
Exhibit 6.1 (Table 6.9) - Cluster-Wise Details of BCM Parameters
Srl. BCM Parameter
ORGANIZATIONAL
A1 Clear Definition and Communication of Vision and Mission

Performance Objectives (e.g. Growth in volumes and diversity ) enunciated and communicated
A2
to all concerned.
A3 Portfolio of Products and Services
A4 Multiple Delivery Channel Alternatives deployed or planned to deploy. E.g.
A5 Participative Governance
A6 Social Sensitivity
Socializing, Planning and Learning from Review of Results and Performance (Bank and
A7
Individuals) and Communicating Results to foster esteem and motivation amongst employees.
A8 Cultural Change- Agility of bank to adopt changes
A9 Promotional Model and Brand Management

Business Impact Analysis and Risk Evaluation for Critical Process to identify impact on
B1
business .
B2 Rationalizing Organization – Roles and Responsibilities
B3 Allocation of Budget for BCM
B4 Process Reviews – Top driven exercise with involvement of concerned stake holders.
B5 Relationship with Business Partners
B6 Review of Outsourced Activities and Relationships

Knowledge Management to assess environment for competitive positioning and organizational
B7
climate for improvement
C1 Alternate Processes – Organization and Cost
C2 Communication of Alternate Processes in the organization
C3 Insurance of Equipment and Personnel
D1 Implementation of BCM in the organization of partners
D2 Insurance of Outsourced Partner Assets
172
Srl. BCM Parameter
PROCEDURES
A1 Contingency Plans
A2 Emergency Action Plan
A3 Service Level Agreements
A Documentations
A4 Security Rules
A5 Safety Rules
A6 Health Rules
A7 Application of Security Policy across the organization
A8 Review of Vulnerability of Critical Processes and Analysis of Recovery.
A9 Integration of Business Continuity Procedures with normal business processes
A10 Compliance of RBI Regulations
A11 Compliance of Security and Safety Procedures in accordance with ISO 27001
A12 Standardization of Processes
B1 Incident Reporting
B2 Incident Logging
B3 Handling Media in the event of an accident.
B4 Risk Awareness Reality Check Up in the Organization
B5 Security for Outsourced Partners
B6 Market/Environment Information Gathering for incorporation in BCP
C1 Data Replication
D1 Testing Schedules for Processes
D2 Process Updates (Changes)
D3 Knowledge Management to track customer behavior, to take proactive actions during disasters
Knowledge Management to assess efficacy of alternate processes in operation and suggest
D4
improvements
173
Srl. BCM Parameter
PEOPLE
A1 Crisis Management Team (Multi Functional Team).
A2 Deployment Management Team
B1 Key Personnel
B2 Security Roles and Responsibilities
B3 Safety Roles and Responsibilities
B4 Risk Awareness and Preparedness tests
B5 Tolerance Limit – Assessment and Enablement (Employees)
B6 Tolerance Limit – Assessment and Enablement (Partners)
B7 Tolerance Limit – Assessment and Enablement (Customers)
B8 Training and Education of Stake Holders in running alternate procedures
C1 HR Process Reviews
C2 Actions against Defaulters
C3 Social Sensitivity
C4 Adaptation of Technology and Culture of Self Help – Employees, Customers, Partners

Knowledge Management to track performance of individuals in situations other than routine
C5
operations
D1 Succession Planning
D2 Reward System for Outstanding Contributions (Merit Based Promotions and Incentives)
D3 Culture of Shared Values
174
Srl. BCM Parameter
TECHNOLOGY
Architecture of IT Solutions blending proprietary & open source systems and web based &
A1
centralized applications
A2 Enterprise Application Integration
A3 Data Integrity
A4 Data Architecture Review
A5 Replication
A6 Delivery Channel Integration
A7 Standardization of Equipments and Applications
A8 System Administration - Monitoring, Tuning and Maintaining using automated tools
A9 Applications Monitoring, Tuning and Diagnostics using automated tools

Alternatives for Displaying information in Public domain – website and media channels (TV
A10
and Print).
B1 Server Consolidation
B2 Storage Consolidation
B3 Back Up Systems
B5 ATM Operations and Security

Alternate arrangements for specialized / automated delivery mechanisms- ATM’s, POS
B6
terminals, Kiosks.
B7 Phone Banking Operations and Security
B8 Internet Banking Operations and Security
B9 Specialized inter banking operations- fail safe mechanisms and alternatives
B10 Review of Vulnerability Analysis of Critical Hardware, Applications, Data Communications
B11 Knowledge Management to track utilization and performance of hardware and applications
B12 Infrastructural Renewal
C1 Network Bandwidth Provisioning and Utilization
C2 Network Monitoring and Maintenance using automated tools
C3 Intra Bank Communication System Portfolio – Intranet, voice based, messaging system.
D1 User Access Control
D2 Database Security
D3 Application Security
175
Srl. BCM Parameter
FACILITIES
A1 Workplace
A2 Central Data Centre
A3 Recovery Center Locations
B1 Communication
B2 Resource Location in Disaster
B3 Safety Equipment and Maintenance

Facility (Power, Fire and flooding, Access Control) Management - Monitoring, Tuning and
B4
Maintaining using automated tools
C1 Transportation
C2 Data Center Security
C3 Data Center Safety
D1 Security Planning in Disaster
D2 Infrastructural Renewal
D3 Review of Vulnerability Analysis of Critical Assets
D4 Training and Education of Stake Holders in handling emergency/safety equipment in crisis.

Knowledge Management to track utilization and performance of assets in Normal and other than
D5
normal situations
176
Exhibit 6.2 (Table 6.10) - Resilience Indicator and Vulnerability Index (Cluster-wise)
Strength/Prepardness - P (L-Large Bank) Threats/Risks - R (L- Large) Vulnerability Quotient - V (L-Large) Upgrades /Improvements - T (L-Large)
Top Middle Functional Overall Top Middle Functional Overall Top Middle Functional Overall Top Middle Functional Overall
Srl.
PLT RLT PLM RLM PLF RLF PL RLT RLT RLM RLM RLF RLF RL VLT RLT VLM RLM VLF RLF VL TLT RLT TLM RLM TLF RLF TL
ORGANIZATION
A1 4.6 8.0 4.5 13.0 4.3 4.0 4.5 1.0 11.0 3.0 4.0 2.0 6.0 1.7 0.1 8.0 0.5 13.0 0.1 4.0 0.3 0.4 11.0 0.5 4.0 0.5 6.0 0.4
A2 4.6 18.0 4.0 3.0 4.3 2.0 4.5 3.3 8.0 1.0 7.0 0.5 6.0 1.7 0.2 18.0 1.0 3.0 0.5 2.0 0.3 1.0 8.0 0.7 7.0 0.8 6.0 0.8
A3 4.9 6.0 4.5 11.0 4.0 5.0 4.5 2.6 10.0 1.3 4.0 1.0 6.0 1.9 0.3 6.0 0.1 11.0 0.1 5.0 0.2 0.9 10.0 0.8 4.0 0.9 6.0 0.9
A4 4.7 6.0 4.3 5.0 4.5 12.0 4.5 2.6 10.0 1.0 4.0 0.5 6.0 1.7 0.1 6.0 0.4 5.0 0.1 12.0 0.2 0.7 10.0 0.9 4.0 0.8 6.0 0.8
A5 4.9 6.0 4.5 13.0 4.0 5.0 4.5 4.2 10.0 4.0 4.0 4.5 4.0 4.2 0.4 6.0 1.0 13.0 1.0 5.0 0.8 0.8 10.0 0.9 4.0 0.9 4.0 0.8
A6 4.9 10.0 4.3 2.0 4.8 12.0 4.8 3.9 13.0 4.5 7.0 3.5 2.0 4.1 0.9 10.0 0.8 2.0 0.7 12.0 0.8 0.9 13.0 0.8 7.0 0.9 2.0 0.9
A7 4.2 5.0 3.0 7.0 3.5 11.0 3.5 1.5 13.0 1.5 3.0 2.0 8.0 1.6 0.5 5.0 0.5 7.0 0.5 11.0 0.5 0.9 13.0 0.5 3.0 0.6 8.0 0.8
A8 4.8 8.0 4.3 12.0 3.5 4.0 4.3 3.4 13.0 3.3 4.0 3.5 1.0 3.4 0.4 8.0 0.7 12.0 1.0 4.0 0.7 0.8 13.0 0.6 4.0 0.9 1.0 0.8
A9 4.2 5.0 3.5 12.0 3.0 7.0 3.5 1.2 11.0 1.5 6.0 1.0 6.0 1.2 0.3 5.0 0.6 12.0 0.5 7.0 0.5 0.9 11.0 0.3 6.0 0.6 6.0 0.6
B1 4.2 19.0 3.5 2.0 3.0 2.0 4.0 3.7 9.0 3.5 3.0 3.0 9.0 3.4 0.6 19.0 0.6 2.0 0.7 2.0 0.6 1.0 9.0 0.7 3.0 0.8 9.0 0.9
B2 4.7 8.0 4.0 11.0 3.0 5.0 4.0 5.0 6.0 2.5 9.0 3.0 6.0 3.4 0.3 8.0 0.3 11.0 0.3 5.0 0.3 0.9 6.0 0.5 9.0 0.6 6.0 0.6
B3 4.8 4.0 4.5 15.0 4.3 4.0 4.5 3.8 10.0 3.0 2.0 3.7 8.0 3.7 0.2 4.0 0.1 15.0 0.3 4.0 0.2 0.9 10.0 0.6 2.0 0.8 8.0 0.8
B4 4.4 9.0 3.5 1.0 4.3 13.0 4.3 1.3 11.0 2.5 6.0 1.7 7.0 1.7 0.0 9.0 0.2 1.0 0.1 13.0 0.1 0.8 11.0 0.6 6.0 0.8 7.0 0.7
B5 4.9 10.0 4.8 12.0 4.3 2.0 4.8 3.3 10.0 3.7 8.0 4.5 5.0 3.7 0.7 10.0 0.8 12.0 0.5 2.0 0.7 0.8 10.0 0.9 8.0 0.8 5.0 0.8
B6 4.2 5.0 4.5 14.0 4.8 4.0 4.5 3.7 8.0 3.5 3.0 3.0 8.0 3.4 0.6 5.0 0.8 14.0 0.8 4.0 0.7 0.9 8.0 0.8 3.0 0.8 8.0 0.8
B7 3.7 6.0 3.0 11.0 2.5 6.0 3.0 0.8 12.0 1.5 6.0 1.0 4.0 1.0 0.1 6.0 0.1 11.0 0.1 6.0 0.1 0.6 12.0 0.3 6.0 0.4 4.0 0.5
C1 3.9 14.0 4.3 4.0 4.5 2.0 4.0 3.5 12.0 2.5 5.0 3.5 5.0 3.3 0.2 14.0 0.3 4.0 0.5 2.0 0.2 1.0 12.0 1.0 5.0 0.9 5.0 0.9
C2 4.3 6.0 4.5 14.0 4.8 3.0 4.5 1.3 10.0 3.0 4.0 2.0 6.0 1.8 0.3 6.0 0.1 14.0 0.1 3.0 0.2 1.0 10.0 0.8 4.0 0.9 6.0 0.9
C3 5.0 22.0 4.7 2.0 4.3 1.0 4.9 3.3 8.0 4.0 6.0 4.5 4.0 3.8 0.7 22.0 1.0 2.0 0.9 1.0 0.7 0.9 8.0 1.0 6.0 0.9 4.0 0.9
D1 3.0 6.0 3.0 14.0 3.3 3.0 3.0 3.2 10.0 3.3 6.0 4.0 2.0 3.3 0.6 6.0 0.7 14.0 0.3 3.0 0.6 0.7 10.0 0.3 6.0 0.5 2.0 0.5
D2 3.9 7.0 4.0 10.0 4.5 3.0 4.1 4.3 8.0 3.0 6.0 2.5 6.0 3.4 0.5 7.0 0.8 10.0 1.0 3.0 0.7 1.0 8.0 1.0 6.0 0.9 6.0 1.0
177
Srl.
OPROCEDURE
G O
A1 4.9 9.0 4.5 8.0 4.0 7.0 4.5 3.3 8.0 5.0 6.0 4.5 7.0 4.2 0.5 9.0 0.1 8.0 0.1 7.0 0.3 0.9 8.0 0.8 6.0 0.8 7.0 0.9
A2 4.5 11.0 4.3 6.0 4.8 6.0 4.5 3.3 8.0 3.0 6.0 3.5 7.0 3.3 0.1 11.0 0.2 6.0 0.5 6.0 0.2 1.0 8.0 0.8 6.0 0.8 7.0 0.9
A3 4.9 10.0 4.8 12.0 4.0 1.0 4.8 2.9 10.0 3.7 8.0 3.3 6.0 3.3 0.2 10.0 0.1 12.0 0.1 1.0 0.1 0.8 10.0 0.8 8.0 0.9 6.0 0.8
A 4.9 18.0 4.5 3.0 4.3 2.0 4.8 3.5 12.0 4.0 4.0 3.5 4.0 3.6 0.4 18.0 0.1 3.0 0.1 2.0 0.3 0.9 12.0 0.7 4.0 0.9 4.0 0.9
A4 4.9 7.0 4.5 11.0 4.0 5.0 4.5 2.8 11.0 2.5 5.0 2.0 6.0 2.5 1.0 7.0 0.9 11.0 0.9 5.0 0.9 1.0 11.0 0.9 5.0 0.8 6.0 0.9
A5 4.4 5.0 4.3 16.0 3.8 2.0 4.3 2.8 8.0 1.5 6.0 1.0 7.0 1.8 1.0 5.0 0.8 16.0 1.0 2.0 0.9 0.9 8.0 0.4 6.0 0.6 7.0 0.6
A6 3.1 19.0 2.7 3.0 2.5 2.0 3.0 2.3 10.0 1.8 6.0 1.5 7.0 1.9 0.3 19.0 0.1 3.0 0.2 2.0 0.3 0.6 10.0 0.9 6.0 0.8 7.0 0.7
A7 4.6 15.0 4.3 5.0 4.0 2.0 4.5 3.5 8.0 1.0 6.0 1.5 6.0 2.2 0.4 15.0 0.3 5.0 0.5 2.0 0.4 0.9 8.0 0.7 6.0 0.8 6.0 0.8
A8 4.4 15.0 4.3 4.0 4.8 5.0 4.5 3.8 12.0 2.0 5.0 1.0 7.0 2.6 0.4 15.0 0.4 4.0 0.1 5.0 0.4 0.9 12.0 0.7 5.0 0.8 7.0 0.8
A9 4.1 13.0 4.3 2.0 3.7 3.0 4.0 3.3 12.0 2.0 5.0 1.5 7.0 2.5 0.5 13.0 0.9 2.0 0.4 3.0 0.5 0.9 12.0 0.8 5.0 0.8 7.0 0.9
A10 4.8 9.0 4.8 14.0 4.3 1.0 4.8 4.5 12.0 3.0 5.0 2.5 7.0 3.6 0.1 9.0 0.1 14.0 0.1 1.0 0.1 1.0 12.0 0.4 5.0 0.6 7.0 0.8
A11 3.3 10.0 4.0 4.0 3.5 9.0 3.5 2.5 12.0 3.0 6.0 1.5 6.0 2.4 0.1 10.0 0.1 4.0 0.5 9.0 0.3 0.8 12.0 0.7 6.0 0.6 6.0 0.7
A12 4.9 10.0 4.8 11.0 4.3 2.0 4.8 2.9 10.0 2.5 6.0 2.0 6.0 2.5 0.6 10.0 0.1 11.0 0.1 2.0 0.3 0.9 10.0 0.6 6.0 0.8 6.0 0.8
B1 4.3 12.0 4.8 9.0 5.0 4.0 4.6 2.9 10.0 2.0 6.0 2.5 6.0 2.5 0.2 12.0 0.2 9.0 0.2 4.0 0.2 0.9 10.0 0.5 6.0 0.7 6.0 0.7
B2 4.1 17.0 3.5 4.0 4.5 2.0 4.0 1.4 12.0 2.0 4.0 2.3 4.0 1.7 0.1 17.0 0.2 4.0 0.3 2.0 0.1 0.9 12.0 0.8 4.0 0.8 4.0 0.8
B3 4.8 5.0 4.0 15.0 3.0 4.0 4.0 3.8 10.0 3.5 6.0 3.0 7.0 3.5 0.2 5.0 0.1 15.0 0.1 4.0 0.1 1.0 10.0 0.9 6.0 0.9 7.0 0.9
B4 4.6 7.0 4.0 11.0 3.0 4.0 4.0 3.9 13.0 2.5 4.0 2.5 4.0 3.4 0.1 7.0 0.5 11.0 0.2 4.0 0.3 0.9 13.0 1.0 4.0 0.9 4.0 0.9
B5 4.7 6.0 4.5 13.0 4.0 3.0 4.5 3.0 9.0 3.0 6.0 3.5 8.0 3.2 0.1 6.0 0.4 13.0 0.5 3.0 0.3 0.3 9.0 0.9 6.0 0.9 8.0 0.7
B6 3.3 5.0 3.8 4.0 4.3 14.0 4.0 1.3 11.0 2.5 6.0 2.0 6.0 1.8 0.3 5.0 0.5 4.0 0.8 14.0 0.6 0.9 11.0 1.0 6.0 0.8 6.0 0.9
C1 5.0 21.0 4.5 1.0 4.3 1.0 4.9 2.2 9.0 2.0 4.0 1.7 6.0 2.0 1.0 21.0 0.4 1.0 0.1 1.0 0.9 0.9 9.0 0.8 4.0 0.8 6.0 0.8
D1 4.2 6.0 5.0 4.0 4.5 13.0 4.5 2.2 8.0 1.8 7.0 2.0 7.0 2.0 0.6 6.0 0.7 4.0 0.4 13.0 0.5 0.8 8.0 1.0 7.0 0.9 7.0 0.9
D2 4.6 8.0 3.7 2.0 4.5 14.0 4.5 1.2 13.0 2.5 4.0 3.0 3.0 1.8 0.4 8.0 0.3 2.0 0.9 14.0 0.7 0.9 13.0 0.8 4.0 0.9 3.0 0.9
D3 3.1 15.0 3.3 4.0 2.5 5.0 3.0 1.3 12.0 1.3 5.0 1.8 5.0 1.4 0.2 15.0 0.1 4.0 0.1 5.0 0.2 0.7 12.0 0.3 5.0 0.5 5.0 0.5
D4 2.8 13.0 2.8 3.0 3.5 7.0 3.0 1.2 12.0 1.3 5.0 1.8 5.0 1.3 0.4 13.0 0.1 3.0 0.1 7.0 0.3 0.9 12.0 0.2 5.0 0.5 5.0 0.6
178
Srl.
O GPEOPLE O
A1 4.5 14.0 4.5 9.0 4.0 1.0 4.5 3.3 8.0 1.5 6.0 1.0 6.0 2.1 1.0 14.0 0.1 9.0 0.1 1.0 0.6 1.0 8.0 1.0 6.0 0.9 6.0 1.0
A2 4.8 11.0 4.4 4.0 3.7 3.0 4.5 2.2 12.0 1.3 6.0 1.5 6.0 1.8 0.1 11.0 0.9 4.0 0.6 3.0 0.4 0.9 12.0 0.9 6.0 0.9 6.0 0.9
B1 4.8 13.0 4.3 5.0 4.1 6.0 4.5 4.0 8.0 2.3 8.0 2.0 6.0 2.8 1.0 13.0 0.1 5.0 0.2 6.0 0.6 0.9 8.0 0.6 8.0 0.8 6.0 0.8
B2 4.9 9.0 4.8 6.0 4.6 7.0 4.8 3.0 8.0 1.5 6.0 2.0 6.0 2.3 0.9 9.0 0.5 6.0 0.8 7.0 0.8 1.0 8.0 1.0 6.0 0.9 6.0 1.0
B3 4.8 12.0 4.9 5.0 4.7 5.0 4.8 3.0 8.0 1.5 6.0 0.5 6.0 1.8 1.0 12.0 0.9 5.0 0.7 5.0 0.9 1.0 8.0 0.9 6.0 0.9 6.0 0.9
B4 4.5 10.0 4.7 8.0 4.4 5.0 4.5 2.0 8.0 1.5 6.0 0.5 6.0 1.4 0.3 10.0 0.1 8.0 0.1 5.0 0.2 0.9 8.0 0.7 6.0 0.8 6.0 0.8
B5 4.9 8.0 4.7 6.0 4.0 9.0 4.5 2.0 8.0 1.5 6.0 0.5 6.0 1.4 0.4 8.0 0.1 6.0 0.1 9.0 0.2 0.9 8.0 0.8 6.0 0.8 6.0 0.8
B6 4.9 10.0 4.4 4.0 4.0 5.0 4.5 2.0 8.0 1.5 6.0 0.5 6.0 1.4 0.4 10.0 0.1 4.0 0.1 5.0 0.2 0.9 8.0 0.9 6.0 0.8 6.0 0.9
B7 3.9 13.0 3.2 4.0 3.0 4.0 3.6 3.0 8.0 1.5 6.0 0.5 6.0 1.8 0.6 13.0 0.2 4.0 0.5 4.0 0.5 1.0 8.0 0.9 6.0 0.9 6.0 0.9
B8 4.3 8.0 3.8 5.0 3.5 4.0 4.0 1.5 8.0 1.5 6.0 0.5 6.0 1.2 0.1 8.0 0.2 5.0 0.1 4.0 0.1 0.9 8.0 0.7 6.0 0.8 6.0 0.8
C1 4.4 10.0 4.0 3.0 3.7 5.0 4.1 1.5 8.0 1.5 6.0 0.5 6.0 1.2 0.2 10.0 0.7 3.0 0.2 5.0 0.3 0.9 8.0 0.7 6.0 0.8 6.0 0.8
C2 3.9 11.0 3.5 6.0 3.2 5.0 3.6 3.3 8.0 2.0 5.0 1.0 5.0 2.3 0.5 11.0 0.1 6.0 0.1 5.0 0.3 0.9 8.0 1.0 5.0 0.9 5.0 0.9
C3 4.9 9.0 4.3 8.0 4.0 4.0 4.5 3.0 8.0 0.5 5.0 1.0 5.0 1.8 0.2 9.0 0.7 8.0 0.4 4.0 0.4 0.8 8.0 1.0 5.0 0.9 5.0 0.9
C4 4.3 10.0 3.8 6.0 3.5 4.0 4.0 1.3 8.0 1.3 5.0 2.0 5.0 1.5 0.3 10.0 0.4 6.0 0.8 4.0 0.4 0.9 8.0 1.0 5.0 0.9 5.0 0.9
C5 3.3 9.0 2.5 4.0 3.0 5.0 3.0 2.1 7.0 3.5 6.0 4.0 6.0 3.2 0.7 9.0 0.6 4.0 0.6 5.0 0.6 0.8 7.0 1.0 6.0 0.9 6.0 0.9
D1 3.3 10.0 3.5 8.0 3.8 4.0 3.5 3.3 8.0 3.0 5.0 3.5 6.0 3.3 0.5 10.0 0.4 8.0 0.7 4.0 0.5 1.0 8.0 1.0 5.0 0.9 6.0 1.0
D2 2.3 8.0 1.5 4.0 2.5 3.0 2.1 1.3 12.0 0.7 5.0 0.5 5.0 1.0 0.3 8.0 0.1 4.0 0.1 3.0 0.2 0.8 12.0 0.8 5.0 0.8 5.0 0.8
D3 3.6 10.0 2.5 6.0 3.0 5.0 3.1 1.2 12.0 0.5 5.0 0.3 5.0 0.8 0.5 10.0 0.4 6.0 0.7 5.0 0.5 1.0 12.0 0.9 5.0 0.9 5.0 0.9
179
Srl.
OTECHNOLOGY
G O
A1 4.6 10.0 4.2 5.0 4.5 3.0 4.5 3.3 8.0 1.7 7.0 1.0 7.0 2.0 1.0 10.0 0.6 5.0 0.6 3.0 0.8 1.0 8.0 0.9 7.0 0.9 7.0 0.9
A2 4.9 8.0 4.5 4.0 4.3 11.0 4.5 2.2 8.0 1.3 6.0 1.5 6.0 1.7 0.6 8.0 0.9 4.0 0.8 11.0 0.8 1.0 8.0 1.0 6.0 0.9 6.0 1.0
A3 4.8 15.0 4.2 3.0 4.0 5.0 4.5 3.0 8.0 1.3 6.0 1.5 6.0 2.0 1.0 15.0 0.5 3.0 0.4 5.0 0.8 0.9 8.0 1.0 6.0 0.9 6.0 0.9
A4 2.3 12.0 1.8 8.0 2.0 4.0 2.1 1.8 8.0 4.0 6.0 4.5 6.0 3.3 0.7 12.0 0.5 8.0 0.9 4.0 0.7 0.8 8.0 0.9 6.0 0.8 6.0 0.8
A5 5.0 12.0 4.8 5.0 4.5 4.0 4.8 1.3 8.0 0.5 6.0 1.0 6.0 1.0 0.7 12.0 0.1 5.0 0.2 4.0 0.4 0.9 8.0 0.7 6.0 0.8 6.0 0.8
A6 4.7 14.0 4.5 5.0 4.0 4.0 4.5 2.0 8.0 0.5 6.0 1.0 6.0 1.3 0.7 14.0 0.1 5.0 0.1 4.0 0.4 0.9 8.0 0.6 6.0 0.8 6.0 0.8
A7 4.8 11.0 4.3 6.0 4.0 5.0 4.5 3.0 8.0 3.0 6.0 3.5 6.0 3.2 0.6 11.0 0.7 6.0 1.0 5.0 0.7 1.0 8.0 0.5 6.0 0.8 6.0 0.8
A8 4.7 11.0 3.5 4.0 3.0 5.0 4.1 3.0 8.0 2.5 6.0 2.0 6.0 2.6 0.8 11.0 0.5 4.0 0.8 5.0 0.7 0.8 8.0 0.7 6.0 0.8 6.0 0.7
A9 4.3 11.0 3.5 7.0 4.0 5.0 4.0 3.0 8.0 3.5 6.0 2.0 6.0 2.9 0.5 11.0 0.1 7.0 0.1 5.0 0.3 0.8 8.0 0.8 6.0 0.6 6.0 0.7
A10 4.6 15.0 4.3 4.0 4.0 4.0 4.5 0.2 8.0 0.7 6.0 0.5 6.0 0.4 0.5 15.0 0.1 4.0 0.1 4.0 0.4 0.7 8.0 0.9 6.0 0.7 6.0 0.8
B1 4.9 10.0 4.5 3.0 5.0 7.0 4.9 0.9 8.0 0.5 6.0 0.3 6.0 0.6 0.3 10.0 0.1 3.0 0.1 7.0 0.2 1.0 8.0 1.0 6.0 0.9 6.0 1.0
B2 4.8 14.0 4.2 7.0 3.8 3.0 4.5 1.1 8.0 0.5 6.0 0.3 6.0 0.7 0.3 14.0 0.1 7.0 0.1 3.0 0.2 1.0 8.0 0.8 6.0 0.9 6.0 0.9
B3 4.9 10.0 4.7 7.0 5.0 7.0 4.9 2.9 8.0 0.5 6.0 0.3 6.0 1.4 0.3 10.0 0.2 7.0 0.1 7.0 0.2 0.9 8.0 0.7 6.0 0.9 6.0 0.8
B5 4.9 8.0 4.2 7.0 4.3 7.0 4.5 0.9 8.0 0.5 6.0 0.3 6.0 0.6 0.4 8.0 0.1 7.0 0.1 7.0 0.2 0.9 8.0 1.0 6.0 0.9 6.0 0.9
B6 4.0 11.0 4.0 3.0 4.0 8.0 4.0 0.9 8.0 0.5 6.0 0.3 6.0 0.6 0.3 11.0 0.1 3.0 0.1 8.0 0.2 0.9 8.0 0.9 6.0 0.9 6.0 0.9
B7 4.2 12.0 3.8 5.0 3.5 3.0 4.0 0.9 8.0 0.5 4.0 0.3 4.0 0.6 0.4 12.0 0.1 5.0 0.1 3.0 0.3 0.9 8.0 0.2 4.0 0.6 4.0 0.7
B8 4.7 14.0 4.2 7.0 4.0 3.0 4.5 0.9 8.0 0.5 4.0 0.3 4.0 0.6 0.4 14.0 0.1 7.0 0.1 3.0 0.2 0.9 8.0 0.8 4.0 0.8 4.0 0.9
B9 4.9 11.0 4.3 4.0 4.0 6.0 4.5 0.9 8.0 0.5 4.0 0.3 4.0 0.6 0.2 11.0 0.1 4.0 0.1 6.0 0.1 0.7 8.0 0.9 4.0 0.8 4.0 0.7
B10 4.8 8.0 4.0 6.0 4.5 7.0 4.5 0.9 8.0 0.5 4.0 0.3 4.0 0.6 0.1 8.0 0.1 6.0 0.2 7.0 0.1 0.8 8.0 1.0 4.0 0.8 4.0 0.8
B11 4.9 10.0 4.2 4.0 4.0 5.0 4.5 0.9 8.0 0.5 4.0 0.3 4.0 0.6 0.1 10.0 0.1 4.0 0.1 5.0 0.1 0.9 8.0 0.6 4.0 0.8 4.0 0.8
B12 4.9 11.0 4.3 5.0 4.0 6.0 4.5 2.5 8.0 1.5 4.0 2.5 4.0 2.3 0.4 11.0 0.1 5.0 0.1 6.0 0.2 1.0 8.0 0.7 4.0 0.8 4.0 0.9
C1 4.9 10.0 4.5 6.0 4.0 5.0 4.5 3.0 8.0 5.0 6.0 5.0 6.0 4.2 0.1 10.0 0.5 6.0 0.4 5.0 0.3 0.9 8.0 1.0 6.0 0.9 6.0 0.9
C2 5.0 14.0 4.6 4.0 4.5 3.0 4.8 2.8 8.0 2.5 6.0 2.5 6.0 2.6 0.6 14.0 0.7 4.0 0.2 3.0 0.6 0.9 8.0 1.0 6.0 0.9 6.0 0.9
C3 4.7 10.0 4.9 8.0 5.0 6.0 4.8 0.6 8.0 1.3 4.0 1.0 4.0 0.9 0.3 10.0 0.5 8.0 0.8 6.0 0.5 0.5 8.0 0.8 4.0 0.6 4.0 0.6
D1 4.8 13.0 4.3 5.0 4.0 4.0 4.5 2.7 8.0 3.0 6.0 2.0 6.0 2.6 0.2 13.0 0.1 5.0 0.2 4.0 0.2 0.8 8.0 0.3 6.0 0.6 6.0 0.6
D2 4.7 2.0 4.9 3.0 5.0 16.0 5.0 0.7 8.0 3.5 6.0 4.0 6.0 2.5 0.1 2.0 0.3 3.0 0.2 16.0 0.2 0.6 8.0 0.5 6.0 0.6 6.0 0.5
D3 4.6 5.0 4.9 8.0 5.0 9.0 4.9 0.7 8.0 3.5 6.0 4.0 6.0 2.5 0.4 5.0 0.1 8.0 0.5 9.0 0.3 0.5 8.0 0.8 6.0 0.6 6.0 0.6
180
Srl.
O G FACILITY O
A1 4.7 10.0 4.7 7.0 4.5 3.0 4.7 0.9 8.0 0.5 4.0 0.3 4.0 0.6 0.5 10.0 0.9 7.0 0.6 3.0 0.6 0.1 8.0 0.4 4.0 0.2 4.0 0.2
A2 4.8 12.0 4.3 7.0 4.0 4.0 4.5 0.7 8.0 0.0 4.0 0.3 4.0 0.4 0.9 12.0 1.0 7.0 1.0 4.0 0.9 0.9 8.0 1.0 4.0 0.9 4.0 0.9
A3 4.8 12.0 4.3 7.0 4.0 4.0 4.5 0.7 8.0 0.8 4.0 1.5 4.0 0.9 0.2 12.0 0.7 7.0 0.3 4.0 0.3 0.8 8.0 1.0 4.0 0.9 4.0 0.9
B1 4.8 12.0 4.3 7.0 4.0 4.0 4.5 0.5 8.0 0.5 4.0 0.5 4.0 0.5 0.1 12.0 0.1 7.0 0.1 4.0 0.1 1.0 8.0 0.8 4.0 0.9 4.0 0.9
B2 4.0 10.0 3.5 6.0 3.0 8.0 3.5 2.7 8.0 1.0 4.0 1.0 4.0 1.8 0.6 10.0 0.9 6.0 0.3 8.0 0.5 0.9 8.0 0.7 4.0 0.8 4.0 0.8
B3 4.8 12.0 4.7 8.0 4.0 4.0 4.6 0.7 8.0 2.0 4.0 2.3 4.0 1.4 0.4 12.0 0.7 8.0 0.3 4.0 0.5 0.7 8.0 0.8 4.0 0.8 4.0 0.7
B4 4.3 12.0 3.5 5.0 3.7 5.0 4.0 3.0 8.0 2.0 4.0 2.3 4.0 2.6 0.4 12.0 0.2 5.0 0.1 5.0 0.3 0.6 8.0 0.9 4.0 0.7 4.0 0.7
C1 4.5 8.0 4.8 6.0 5.0 8.0 4.8 0.7 8.0 0.7 4.0 0.5 4.0 0.6 0.5 8.0 0.6 6.0 0.1 8.0 0.4 0.5 8.0 0.8 4.0 0.6 4.0 0.6
C2 4.8 12.0 4.7 5.0 4.8 7.0 4.8 2.7 8.0 0.7 4.0 0.5 4.0 1.6 0.1 12.0 0.1 5.0 0.5 7.0 0.2 0.5 8.0 0.1 4.0 0.2 4.0 0.3
C3 4.8 12.0 4.7 5.0 4.8 7.0 4.8 0.7 8.0 0.7 4.0 0.5 4.0 0.6 0.1 12.0 0.1 5.0 0.4 7.0 0.2 0.5 8.0 0.2 4.0 0.2 4.0 0.3
D1 4.8 12.0 4.7 5.0 4.8 7.0 4.8 1.7 8.0 0.7 4.0 0.5 4.0 1.1 0.1 12.0 0.7 5.0 0.6 7.0 0.4 0.5 8.0 0.1 4.0 0.3 4.0 0.3
D2 4.9 13.0 4.7 5.0 4.5 4.0 4.8 2.2 8.0 0.7 4.0 0.5 4.0 1.4 0.2 13.0 0.2 5.0 0.2 4.0 0.2 0.5 8.0 0.5 4.0 0.3 4.0 0.5
D3 3.2 11.0 3.3 7.0 2.8 6.0 3.1 2.2 8.0 0.7 4.0 0.5 4.0 1.4 0.1 11.0 0.1 7.0 0.4 6.0 0.2 0.9 8.0 0.6 4.0 0.8 4.0 0.8
D4 4.5 11.0 4.3 6.0 3.5 4.0 4.3 0.9 8.0 1.3 4.0 0.5 4.0 0.9 0.1 11.0 0.3 6.0 0.5 4.0 0.3 0.5 8.0 0.8 4.0 0.6 4.0 0.6
D5 3.3 10.0 3.3 6.0 2.8 6.0 3.1 2.2 8.0 0.7 4.0 0.5 4.0 1.4 0.6 10.0 0.6 6.0 0.5 6.0 0.6 0.9 8.0 0.3 4.0 0.5 4.0 0.7
181
Strength/Prepardness - P (S-Small Bank) Threats/Risks - R (S- Small) Vulnerability Quotient - V (S-Small) Upgrades /Improvements - T (S-Small)
Overa Overa Overal
Top Middle Functional Overall Top Middle Functional Top Middle Functional Top Middle Functional
Srl. ll ll l
PST RST PSM RSM PSF RSF PS RST RST RSM RSM RSF RSF RS VST RST VSM RSM VSF RSF VS TST RST TSM RSM TSF RSF TS
ORGANIZATION
A1 4.1 25.0 3.8 7.0 4.2 12.0 4.1 3.1 21.0 3.2 13.0 4.0 6.0 3.3 0.4 25.0 0.4 7.0 0.8 12.0 0.5 0.9 21.0 0.4 13.0 0.5 6.0 0.6
A2 3.8 18.0 4.8 4.0 4.2 16.0 4.0 3.4 18.0 3.3 11.0 3.0 5.0 3.3 0.3 18.0 0.5 4.0 0.9 16.0 0.6 0.5 18.0 0.6 11.0 0.4 5.0 0.5
A3 2.6 24.0 3.7 10.0 3.3 8.0 3.0 1.5 28.0 1.6 7.0 2.5 6.0 1.7 0.8 24.0 0.3 10.0 0.8 8.0 0.7 0.9 28.0 0.9 7.0 1.0 6.0 0.9
A4 3.0 15.0 2.7 15.0 3.5 10.0 3.0 1.6 21.0 1.6 13.0 2.2 4.0 1.7 0.0 15.0 0.1 15.0 0.0 10.0 0.1 0.9 21.0 0.8 13.0 0.8 4.0 0.8
A5 4.8 8.0 5.0 36.0 4.5 1.0 4.9 0.3 22.0 0.1 18.0 1.0 2.0 0.3 0.2 8.0 0.1 36.0 0.0 1.0 0.1 0.2 22.0 0.2 18.0 1.0 2.0 0.2
A6 3.1 30.0 2.9 9.0 2.8 4.0 3.0 4.3 6.0 4.3 24.0 3.5 8.0 4.2 0.0 30.0 0.1 9.0 0.6 4.0 0.1 0.9 6.0 0.9 24.0 0.9 8.0 0.9
A7 2.8 32.0 3.3 6.0 4.0 4.0 3.0 1.3 21.0 1.7 12.0 2.5 12.0 1.7 0.2 32.0 0.2 6.0 0.3 4.0 0.2 1.0 21.0 0.8 12.0 0.5 12.0 0.8
A8 3.9 13.0 4.0 22.0 4.2 3.0 4.0 4.8 7.0 5.0 33.0 4.6 3.0 4.9 0.2 13.0 0.3 22.0 0.6 3.0 0.3 1.0 7.0 0.7 33.0 0.8 3.0 0.8
A9 2.0 22.0 1.8 15.0 2.5 4.0 2.0 0.2 26.0 0.4 7.0 0.1 10.0 0.2 0.2 22.0 0.2 15.0 0.4 4.0 0.2 0.3 26.0 0.4 7.0 0.1 10.0 0.3
B1 4.2 24.0 4.0 6.0 3.5 8.0 4.0 3.6 20.0 3.0 22.0 3.0 3.0 3.3 0.7 24.0 0.9 6.0 0.6 8.0 0.7 0.3 20.0 0.9 22.0 0.6 3.0 0.6
B2 4.9 9.0 5.0 33.0 4.7 1.0 5.0 3.3 23.0 3.6 9.0 3.2 12.0 3.3 0.2 9.0 0.5 33.0 0.6 1.0 0.4 0.4 23.0 0.6 9.0 0.5 12.0 0.5
B3 4.1 29.0 4.6 6.0 3.5 10.0 4.0 0.1 17.0 0.5 17.0 0.5 6.0 0.3 0.3 29.0 0.2 6.0 0.1 10.0 0.2 1.0 17.0 0.9 17.0 1.0 6.0 0.9
B4 3.5 5.0 2.7 7.0 3.0 30.0 3.0 1.6 17.0 1.1 7.0 1.5 18.0 1.5 0.4 5.0 0.1 7.0 0.2 30.0 0.2 0.4 17.0 0.5 7.0 0.4 18.0 0.4
B5 4.3 7.0 3.8 10.0 4.0 23.0 4.0 4.6 12.0 3.9 14.0 4.0 15.0 4.2 0.1 7.0 0.6 10.0 0.5 23.0 0.5 1.0 12.0 1.0 14.0 0.7 15.0 0.9
B6 3.2 7.0 2.9 13.0 3.0 25.0 3.0 4.8 10.0 3.7 15.0 4.2 12.0 4.2 1.0 7.0 1.0 13.0 1.0 25.0 1.0 0.8 10.0 0.7 15.0 0.9 12.0 0.8
B7 3.5 23.0 3.6 19.0 3.0 3.0 3.5 1.1 18.0 0.3 17.0 1.2 7.0 0.8 0.3 23.0 0.1 19.0 0.0 3.0 0.2 0.4 18.0 0.5 17.0 0.5 7.0 0.5
C1 3.0 25.0 2.8 13.0 3.5 3.0 3.0 1.7 24.0 2.6 9.0 1.2 11.0 1.7 0.6 25.0 0.5 13.0 0.4 3.0 0.5 0.3 24.0 0.5 9.0 0.8 11.0 0.5
C2 4.4 14.0 3.7 16.0 4.0 12.0 4.0 3.6 13.0 3.2 18.0 3.2 8.0 3.3 0.3 14.0 0.5 16.0 1.0 12.0 0.6 0.5 13.0 0.7 18.0 0.6 8.0 0.6
C3 4.9 17.0 5.0 28.0 4.7 1.0 4.9 4.9 6.0 5.0 32.0 4.7 2.0 5.0 1.0 17.0 1.0 28.0 1.0 1.0 1.0 1.0 6.0 1.0 32.0 0.8 2.0 1.0
D1 3.3 10.0 3.6 29.0 3.0 2.0 3.5 2.7 20.0 3.1 7.0 2.0 12.0 2.5 1.0 10.0 1.0 29.0 1.0 2.0 1.0 0.8 20.0 1.0 7.0 0.2 12.0 0.6
D2 4.9 14.0 5.0 30.0 4.7 1.0 4.9 4.9 6.0 5.0 32.0 4.7 2.0 5.0 0.6 14.0 0.8 30.0 0.2 1.0 0.7 1.0 6.0 0.9 32.0 0.9 2.0 0.9
182
Overa Overa Overal
Srl. ll ll l
OPROCEDURE
G O
A1 4.9 14.0 5.0 29.0 4.6 2.0 4.9 4.1 19.0 4.5 12.0 3.5 5.0 4.2 0.8 14.0 1.0 29.0 0.7 2.0 0.9 1.0 19.0 1.0 12.0 1.0 5.0 1.0
A2 4.4 9.0 3.8 16.0 4.0 18.0 4.0 3.6 16.0 3.2 17.0 3.2 12.0 3.3 0.9 9.0 0.7 16.0 0.8 18.0 0.8 1.0 16.0 0.9 17.0 0.6 12.0 0.8
A3 2.7 14.0 3.1 24.0 3.5 5.0 3.0 4.6 20.0 3.8 8.0 4.0 15.0 4.2 0.9 14.0 0.7 24.0 0.6 5.0 0.7 0.4 20.0 0.7 8.0 0.7 15.0 0.5
A 3.1 27.0 2.8 9.0 2.7 4.0 3.0 4.3 34.0 4.0 4.0 3.5 4.0 4.2 0.6 27.0 0.8 9.0 0.7 4.0 0.7 0.8 34.0 0.9 4.0 0.5 4.0 0.8
A4 4.9 7.0 5.0 37.0 4.6 1.0 5.0 4.8 7.0 5.0 32.0 4.6 2.0 4.9 1.0 7.0 1.0 37.0 1.0 1.0 1.0 1.0 7.0 1.0 32.0 1.0 2.0 1.0
A5 4.1 27.0 4.1 7.0 3.5 8.0 4.0 3.6 14.0 3.2 13.0 3.2 12.0 3.3 0.5 27.0 0.8 7.0 0.0 8.0 0.4 0.5 14.0 1.0 13.0 0.5 12.0 0.7
A6 3.2 25.0 3.0 10.0 2.5 9.0 3.0 4.8 8.0 4.0 18.0 4.3 17.0 4.2 0.6 25.0 0.3 10.0 0.6 9.0 0.5 0.2 8.0 0.6 18.0 1.0 17.0 0.7
A7 3.1 23.0 3.7 5.0 2.7 16.0 3.0 4.2 25.0 4.3 14.0 3.5 5.0 4.2 0.2 23.0 0.8 5.0 0.2 16.0 0.2 0.3 25.0 0.6 14.0 0.5 5.0 0.4
A8 4.5 31.0 4.6 7.0 4.2 6.0 4.5 4.6 28.0 4.9 14.0 4.2 3.0 4.7 0.7 31.0 0.8 7.0 0.6 6.0 0.7 0.7 28.0 0.6 14.0 0.9 3.0 0.7
A9 4.1 27.0 4.1 7.0 3.5 7.0 4.0 3.8 19.0 3.9 8.0 3.5 12.0 3.8 0.3 27.0 0.8 7.0 0.7 7.0 0.4 0.5 19.0 0.7 8.0 0.8 12.0 0.6
A10 4.0 31.0 4.0 10.0 3.5 2.0 4.0 4.8 26.0 4.7 13.0 4.6 5.0 4.7 0.1 31.0 0.8 10.0 0.6 2.0 0.3 0.7 26.0 0.4 13.0 0.2 5.0 0.6
A11 4.0 32.0 4.0 11.0 3.5 2.0 4.0 4.0 20.0 3.6 10.0 3.5 9.0 3.8 0.5 32.0 0.8 11.0 0.7 2.0 0.6 0.9 20.0 1.0 10.0 0.5 9.0 0.8
A12 3.6 26.0 3.8 4.0 3.3 12.0 3.5 4.7 22.0 4.7 11.0 4.2 2.0 4.7 0.1 26.0 0.5 4.0 0.5 12.0 0.2 0.8 22.0 0.6 11.0 0.7 2.0 0.8
B1 4.1 30.0 4.0 8.0 3.5 6.0 4.0 4.0 12.0 4.5 10.0 4.2 18.0 4.2 1.0 30.0 0.7 8.0 0.9 6.0 0.9 0.9 12.0 0.6 10.0 0.5 18.0 0.6
B2 4.2 26.0 3.7 6.0 3.5 6.0 4.0 1.8 22.0 1.9 13.0 1.2 9.0 1.7 0.1 26.0 0.1 6.0 0.1 6.0 0.1 0.2 22.0 0.1 13.0 0.2 9.0 0.2
B3 4.1 26.0 4.1 8.0 3.7 8.0 4.0 4.4 17.0 4.3 19.0 3.5 5.0 4.2 0.8 26.0 0.9 8.0 0.9 8.0 0.8 0.9 17.0 1.0 19.0 0.1 5.0 0.9
B4 4.1 18.0 4.0 13.0 3.9 9.0 4.0 4.4 16.0 4.1 21.0 3.8 4.0 4.2 0.8 18.0 0.8 13.0 0.9 9.0 0.8 1.0 16.0 1.0 21.0 0.5 4.0 0.9
B5 3.6 21.0 3.6 8.0 3.3 14.0 3.5 4.6 19.0 4.9 22.0 3.7 4.0 4.7 0.4 21.0 0.5 8.0 0.8 14.0 0.5 0.9 19.0 1.0 22.0 0.8 4.0 0.9
B6 3.6 26.0 3.4 13.0 3.3 5.0 3.5 1.9 23.0 1.5 14.0 1.5 5.0 1.7 0.2 26.0 0.3 13.0 0.3 5.0 0.3 0.2 23.0 0.2 14.0 0.6 5.0 0.3
C1 4.1 26.0 4.1 9.0 3.5 5.0 4.0 4.8 10.0 4.8 4.0 4.7 22.0 4.7 1.0 26.0 1.0 9.0 1.0 5.0 1.0 1.0 10.0 1.0 4.0 1.0 22.0 1.0
D1 4.1 19.0 4.0 12.0 3.8 7.0 4.0 4.6 26.0 4.9 13.0 4.2 2.0 4.7 0.5 19.0 0.5 12.0 0.5 7.0 0.5 0.7 26.0 0.5 13.0 0.3 2.0 0.6
D2 3.0 23.0 3.1 10.0 2.8 10.0 3.0 3.7 14.0 3.4 14.0 3.0 15.0 3.3 0.3 23.0 0.3 10.0 0.5 10.0 0.3 1.0 14.0 0.2 14.0 0.2 15.0 0.5
D3 3.2 7.0 2.9 14.0 3.0 17.0 3.0 4.9 6.0 5.0 33.0 4.7 2.0 4.9 0.8 7.0 0.8 14.0 1.0 17.0 0.9 0.5 6.0 0.2 33.0 0.8 2.0 0.2
D4 3.4 26.0 3.7 14.0 3.2 3.0 3.5 3.2 14.0 3.4 22.0 2.8 3.0 3.3 0.7 26.0 0.4 14.0 0.8 3.0 0.6 0.9 14.0 0.2 22.0 1.0 3.0 0.5
183
Overa Overa Overal
Srl. ll ll l
O GPEOPLE O
A1 4.9 9.0 5.0 25.0 4.8 3.0 4.9 4.8 9.0 4.8 28.0 4.2 4.0 4.7 0.8 9.0 1.0 25.0 0.9 3.0 0.9 1.0 9.0 1.0 28.0 1.0 4.0 1.0
A2 4.9 14.0 4.1 15.0 4.5 12.0 4.5 4.1 17.0 4.3 24.0 3.8 3.0 4.2 0.5 14.0 0.5 15.0 0.5 12.0 0.5 0.8 17.0 0.3 24.0 0.7 3.0 0.5
B1 4.9 5.0 5.0 32.0 4.9 2.0 5.0 4.6 17.0 4.8 15.0 4.3 4.0 4.7 0.6 5.0 0.5 32.0 0.2 2.0 0.5 0.4 17.0 0.3 15.0 0.4 4.0 0.4
B2 4.3 14.0 3.9 14.0 3.8 12.0 4.0 4.1 20.0 4.5 12.0 3.8 6.0 4.2 0.7 14.0 0.8 14.0 0.3 12.0 0.6 0.8 20.0 0.9 12.0 0.7 6.0 0.8
B3 4.1 14.0 4.0 13.0 4.1 9.0 4.1 4.7 4.0 5.0 33.0 4.8 1.0 5.0 0.8 14.0 0.9 13.0 0.3 9.0 0.7 0.5 4.0 1.0 33.0 0.5 1.0 0.9
B4 4.1 14.0 4.0 11.0 3.8 8.0 4.0 4.8 7.0 5.0 30.0 4.9 3.0 4.9 0.7 14.0 0.9 11.0 0.7 8.0 0.7 0.5 7.0 0.5 30.0 0.6 3.0 0.5
B5 4.3 18.0 3.3 10.0 4.3 9.0 4.0 4.7 4.0 5.0 31.0 4.8 1.0 5.0 0.9 18.0 0.6 10.0 1.0 9.0 0.8 0.5 4.0 0.3 31.0 0.5 1.0 0.3
B6 2.3 20.0 2.7 16.0 2.8 6.0 2.5 4.7 15.0 4.9 21.0 4.2 8.0 4.7 0.5 20.0 0.4 16.0 0.6 6.0 0.5 0.5 15.0 0.3 21.0 0.8 8.0 0.4
B7 3.5 20.0 3.6 14.0 3.5 9.0 3.5 4.7 21.0 4.8 14.0 4.5 3.0 4.7 0.8 20.0 0.9 14.0 0.5 9.0 0.8 0.1 21.0 0.8 14.0 0.7 3.0 0.4
B8 4.2 12.0 3.2 18.0 3.3 11.0 3.5 1.1 20.0 0.7 14.0 0.4 9.0 0.8 0.9 12.0 0.9 18.0 0.5 11.0 0.8 0.5 20.0 0.9 14.0 1.0 9.0 0.8
C1 2.4 13.0 2.1 19.0 2.8 5.0 2.3 3.6 28.0 2.7 12.0 3.5 3.0 3.3 0.2 13.0 0.1 19.0 0.0 5.0 0.1 0.2 28.0 0.1 12.0 0.1 3.0 0.2
C2 3.6 25.0 2.8 13.0 2.8 6.0 3.3 4.6 30.0 4.9 7.0 4.3 2.0 4.7 0.9 25.0 1.0 13.0 0.8 6.0 0.9 0.7 30.0 1.0 7.0 1.0 2.0 0.8
C3 4.2 17.0 4.8 13.0 4.7 11.0 4.5 4.5 24.0 3.8 10.0 3.9 6.0 4.2 0.9 17.0 0.6 13.0 0.7 11.0 0.8 0.6 24.0 0.6 10.0 0.9 6.0 0.6
C4 4.2 14.0 4.8 15.0 4.3 4.0 4.5 4.1 23.0 4.3 9.0 3.9 4.0 4.2 0.7 14.0 0.9 15.0 0.6 4.0 0.8 1.0 23.0 1.0 9.0 1.0 4.0 1.0
C5 3.8 20.0 2.9 10.0 3.5 12.0 3.5 4.6 21.0 4.8 10.0 4.5 7.0 4.7 0.5 20.0 0.7 10.0 1.0 12.0 0.7 0.8 21.0 0.5 10.0 1.0 7.0 0.7
D1 3.1 18.0 2.9 16.0 3.5 4.0 3.0 4.8 7.0 5.0 30.0 4.9 3.0 4.9 0.3 18.0 0.5 16.0 0.9 4.0 0.5 0.4 7.0 0.5 30.0 0.9 3.0 0.5
D2 3.5 19.0 3.6 13.0 3.3 7.0 3.5 4.6 17.0 4.8 15.0 4.3 4.0 4.7 0.8 19.0 0.9 13.0 0.8 7.0 0.8 0.8 17.0 0.9 15.0 0.9 4.0 0.8
D3 3.4 12.0 4.3 20.0 4.2 9.0 4.0 1.9 23.0 1.5 14.0 1.5 5.0 1.7 0.6 12.0 0.3 20.0 0.9 9.0 0.5 0.5 23.0 0.6 14.0 0.5 5.0 0.5
184
Overa Overa Overal
Srl. ll ll l
OTECHNOLOGY
G O
A1 4.3 16.0 3.7 15.0 4.2 7.0 4.0 4.5 24.0 3.8 10.0 3.9 6.0 4.2 0.9 16.0 0.8 15.0 0.6 7.0 0.8 0.9 24.0 1.0 10.0 0.8 6.0 0.9
A2 4.9 6.0 5.0 31.0 4.9 3.0 5.0 4.1 23.0 4.3 9.0 3.9 4.0 4.2 0.7 6.0 0.5 31.0 0.6 3.0 0.5 0.3 23.0 0.6 9.0 1.0 4.0 0.4
A3 4.9 6.0 5.0 31.0 4.9 3.0 5.0 4.7 22.0 4.7 11.0 4.2 2.0 4.7 0.9 6.0 1.0 31.0 0.7 3.0 1.0 1.0 22.0 1.0 11.0 0.8 2.0 1.0
A4 3.7 13.0 3.4 17.0 3.5 9.0 3.5 4.2 18.0 4.4 16.0 3.0 3.0 4.2 0.8 13.0 0.5 17.0 0.7 9.0 0.7 0.8 18.0 0.6 16.0 1.0 3.0 0.7
A5 4.9 6.0 5.0 31.0 4.9 3.0 5.0 4.6 28.0 4.9 14.0 4.2 3.0 4.7 1.0 6.0 1.0 31.0 0.9 3.0 1.0 1.0 28.0 1.0 14.0 1.0 3.0 1.0
A6 4.4 17.0 3.9 16.0 3.5 9.0 4.0 4.7 4.0 5.0 31.0 4.8 1.0 5.0 1.0 17.0 0.9 16.0 0.6 9.0 0.9 1.0 4.0 1.0 31.0 1.0 1.0 1.0
A7 4.9 6.0 5.0 31.0 4.9 3.0 5.0 3.6 16.0 3.2 17.0 3.2 12.0 3.3 1.0 6.0 0.9 31.0 0.8 3.0 0.9 1.0 16.0 1.0 17.0 1.0 12.0 1.0
A8 4.9 6.0 5.0 31.0 4.9 3.0 5.0 3.6 13.0 3.2 18.0 3.2 8.0 3.3 1.0 6.0 1.0 31.0 1.0 3.0 1.0 1.0 13.0 1.0 18.0 1.0 8.0 1.0
A9 4.9 6.0 5.0 31.0 4.9 3.0 5.0 3.4 18.0 3.3 12.0 3.0 5.0 3.3 1.0 6.0 0.5 31.0 0.8 3.0 0.6 0.9 18.0 0.7 12.0 0.8 5.0 0.8
A10 3.3 18.0 3.4 15.0 4.2 7.0 3.5 1.8 19.0 1.8 14.0 1.0 6.0 1.7 0.6 18.0 0.5 15.0 0.2 7.0 0.5 0.2 19.0 0.7 14.0 0.6 6.0 0.4
B1 4.8 10.0 3.5 18.0 4.2 8.0 4.0 4.2 18.0 4.4 16.0 3.0 3.0 4.2 0.9 10.0 0.9 18.0 0.3 8.0 0.8 1.0 18.0 1.0 16.0 1.0 3.0 1.0
B2 4.8 17.0 3.5 18.0 3.5 8.0 4.0 4.6 28.0 4.9 10.0 4.0 2.0 4.7 0.9 17.0 0.7 18.0 0.8 8.0 0.8 1.0 28.0 1.0 10.0 1.0 2.0 1.0
B3 4.8 17.0 3.5 18.0 3.5 8.0 4.0 4.5 24.0 3.8 10.0 3.9 6.0 4.2 0.9 17.0 1.0 18.0 0.7 8.0 0.9 1.0 24.0 1.0 10.0 1.0 6.0 1.0
B5 4.8 17.0 3.5 18.0 3.5 8.0 4.0 4.6 16.0 3.8 16.0 4.0 12.0 4.2 0.9 17.0 1.0 18.0 1.0 8.0 0.9 1.0 16.0 1.0 16.0 1.0 12.0 1.0
B6 3.7 17.0 3.7 13.0 3.0 12.0 3.5 4.9 13.0 5.0 31.0 4.6 3.0 4.9 1.0 17.0 0.7 13.0 1.0 12.0 0.9 1.0 13.0 0.5 31.0 1.0 3.0 0.7
B7 4.7 11.0 3.9 16.0 3.5 11.0 4.0 4.6 28.0 4.9 14.0 4.2 3.0 4.7 0.9 11.0 0.8 16.0 1.0 11.0 0.9 1.0 28.0 0.6 14.0 1.0 3.0 0.9
B8 4.3 14.0 4.0 14.0 3.5 9.0 4.0 4.7 23.0 4.5 11.0 4.5 3.0 4.7 0.9 14.0 0.9 14.0 0.9 9.0 0.9 1.0 23.0 1.0 11.0 1.0 3.0 1.0
B9 2.7 14.0 2.7 14.0 2.0 9.0 2.5 4.9 18.0 4.9 9.0 4.4 3.0 4.8 0.9 14.0 0.9 14.0 0.9 9.0 0.9 1.0 18.0 1.0 9.0 1.0 3.0 1.0
B10 4.8 17.0 3.5 18.0 3.5 8.0 4.0 4.7 21.0 4.7 13.0 4.3 4.0 4.7 0.7 17.0 0.5 18.0 0.4 8.0 0.6 0.9 21.0 0.6 13.0 1.0 4.0 0.8
B11 4.9 6.0 5.0 31.0 4.9 3.0 5.0 3.6 16.0 3.2 17.0 3.2 12.0 3.3 0.1 6.0 1.0 31.0 0.6 3.0 0.8 1.0 16.0 1.0 17.0 1.0 12.0 1.0
B12 4.9 6.0 5.0 31.0 4.9 3.0 5.0 4.4 26.0 4.0 11.0 4.0 3.0 4.2 0.9 6.0 1.0 31.0 0.8 3.0 1.0 0.9 26.0 1.0 11.0 1.0 3.0 1.0
C1 4.8 17.0 3.5 18.0 3.5 8.0 4.0 4.8 9.0 4.8 28.0 4.2 4.0 4.7 0.7 17.0 0.9 18.0 0.4 8.0 0.7 0.5 9.0 1.0 28.0 0.8 4.0 0.9
C2 4.8 17.0 3.5 18.0 3.5 8.0 4.0 2.7 18.0 3.2 5.0 2.5 4.0 2.8 0.8 17.0 0.6 18.0 0.7 8.0 0.7 1.0 18.0 1.0 5.0 1.0 4.0 1.0
C3 3.0 17.0 2.9 14.0 3.3 8.0 3.0 2.5 12.0 2.5 2.0 2.0 4.0 2.4 0.9 17.0 0.4 14.0 0.3 8.0 0.6 0.4 18.0 0.3 5.0 0.6 4.0 0.4
D1 4.9 6.0 5.0 31.0 4.9 3.0 5.0 4.6 28.0 4.9 10.0 4.0 2.0 4.7 0.8 6.0 1.0 31.0 0.5 3.0 0.9 1.0 28.0 1.0 10.0 1.0 2.0 1.0
D2 4.9 6.0 5.0 31.0 4.9 3.0 5.0 4.6 28.0 4.9 14.0 4.2 3.0 4.7 1.0 6.0 1.0 31.0 0.6 3.0 1.0 1.0 28.0 1.0 14.0 1.0 3.0 1.0
D3 4.9 6.0 5.0 31.0 4.9 3.0 5.0 4.7 23.0 4.5 11.0 4.5 3.0 4.7 1.0 6.0 0.5 31.0 1.0 3.0 0.6 1.0 23.0 0.7 11.0 1.0 3.0 0.9
185
Overa Overa Overal
Srl. ll ll l
O GFACILITY O
A1 4.2 18.0 3.9 15.0 3.8 8.0 4.0 3.7 17.0 3.3 14.0 2.5 10.0 3.3 1.0 18.0 0.9 15.0 0.2 8.0 0.8 0.9 17.0 0.8 14.0 0.7 10.0 0.8
A2 4.9 6.0 5.0 31.0 4.9 3.0 5.0 4.3 8.0 4.8 18.0 4.7 18.0 4.7 0.9 6.0 1.0 31.0 0.9 3.0 1.0 1.0 8.0 1.0 18.0 1.0 18.0 1.0
A3 4.9 6.0 5.0 31.0 4.9 3.0 5.0 4.5 10.0 4.7 13.0 4.8 14.0 4.7 0.7 6.0 0.5 31.0 0.5 3.0 0.5 1.0 10.0 1.0 13.0 1.0 14.0 1.0
B1 4.4 16.0 3.8 12.0 3.8 11.0 4.0 3.2 20.0 3.1 15.0 4.0 8.0 3.3 0.2 16.0 0.2 12.0 1.0 11.0 0.4 0.9 20.0 0.4 15.0 0.6 8.0 0.7
B2 4.9 12.0 3.6 13.0 3.5 10.0 4.0 4.5 17.0 4.8 15.0 4.7 12.0 4.7 0.8 12.0 0.8 13.0 0.5 10.0 0.7 1.0 17.0 1.0 15.0 1.0 12.0 1.0
B3 4.2 18.0 4.3 16.0 3.0 7.0 4.0 4.7 26.0 4.6 11.0 4.6 6.0 4.7 0.9 18.0 0.9 16.0 0.5 7.0 0.8 0.5 26.0 1.0 11.0 0.9 6.0 0.7
B4 4.9 6.0 5.0 31.0 4.9 3.0 5.0 4.6 13.0 4.8 14.0 4.7 12.0 4.7 0.9 6.0 0.9 31.0 1.0 3.0 0.9 1.0 13.0 1.0 14.0 1.0 12.0 1.0
C1 3.4 17.0 3.6 15.0 3.7 8.0 3.5 3.3 15.0 3.3 12.0 3.2 8.0 3.3 1.0 17.0 0.7 15.0 1.0 8.0 0.9 0.5 15.0 0.5 12.0 0.4 8.0 0.5
C2 4.9 6.0 5.0 31.0 4.9 3.0 5.0 4.5 17.0 4.9 14.0 4.7 12.0 4.7 0.8 6.0 1.0 31.0 1.0 3.0 1.0 1.0 17.0 1.0 14.0 1.0 12.0 1.0
C3 4.9 6.0 5.0 31.0 4.9 3.0 5.0 4.5 17.0 4.9 14.0 4.7 12.0 4.7 0.9 6.0 1.0 31.0 0.8 3.0 1.0 1.0 17.0 1.0 14.0 1.0 12.0 1.0
D1 4.8 15.0 3.7 15.0 3.5 12.0 4.0 4.5 17.0 4.9 14.0 4.7 12.0 4.7 0.9 15.0 0.9 15.0 0.5 12.0 0.8 1.0 17.0 1.0 14.0 1.0 12.0 1.0
D2 4.9 6.0 5.0 31.0 4.9 3.0 5.0 4.5 17.0 4.9 14.0 4.7 12.0 4.7 1.0 6.0 0.8 31.0 0.8 3.0 0.8 1.0 17.0 1.0 14.0 1.0 12.0 1.0
D3 4.9 6.0 5.0 31.0 4.9 3.0 5.0 4.5 17.0 4.9 14.0 4.7 12.0 4.7 0.7 6.0 0.7 31.0 0.7 3.0 0.7 1.0 17.0 1.0 14.0 1.0 12.0 1.0
D4 4.0 21.0 4.0 13.0 4.5 8.0 4.1 3.3 18.0 3.1 10.0 4.0 6.0 3.3 0.7 21.0 0.7 13.0 0.2 8.0 0.6 0.6 18.0 1.0 10.0 0.8 6.0 0.7
D5 4.0 21.0 4.0 13.0 4.5 8.0 4.1 3.3 18.0 3.4 12.0 3.0 5.0 3.3 0.8 21.0 0.5 13.0 0.9 8.0 0.7 1.0 18.0 1.0 12.0 1.0 5.0 1.0
186
Exhibit 6.3 (Table 6.11) - Strength/Preparedness & Vulnerability Factor Summary
Strength/Prepardness (large) Strength/Prepardness (Small) Vulnerability (Large) Vulnerability (Small)
Srl. RILT RILM RILF RIL Avg Vari SD Max Min RIST RISM RISF RIS Avg Vari SD Max Min VILT VILM VILF VIL Avg Vari SD Max Min VIST VISM VISF VIS Avg Vari SD Max Min
ORGANIZATIONAL ORGANIZATIONAL
A1 3.96 1.70 2.13 1.95 2.43 1.07 1.04 3.96 1.70 3.53 1.43 2.10 1.95 2.25 0.81 0.90 3.53 1.43 0.10 1.50 0.20 0.52 0.58 0.41 0.64 1.50 0.10 1.36 1.23 3.20 1.73 1.88 0.82 0.90 3.20 1.23
A2 2.15 2.55 1.72 3.71 2.53 0.73 0.86 3.71 1.72 1.75 3.02 1.68 3.71 2.54 0.99 0.99 3.71 1.68 0.61 1.00 0.25 0.55 0.60 0.09 0.31 1.00 0.25 0.84 1.66 2.70 1.81 1.75 0.58 0.76 2.70 0.84
A3 4.41 3.86 3.80 3.89 3.99 0.08 0.28 4.41 3.80 2.36 3.19 3.14 3.89 3.14 0.39 0.62 3.89 2.36 0.78 0.13 0.10 0.29 0.32 0.10 0.31 0.78 0.10 1.30 0.41 2.00 1.17 1.22 0.43 0.65 2.00 0.41
A4 4.20 3.31 3.60 3.48 3.65 0.15 0.39 4.20 3.31 2.73 2.05 2.80 3.48 2.76 0.34 0.58 3.48 2.05 0.26 0.40 0.05 0.27 0.25 0.02 0.14 0.40 0.05 0.05 0.16 0.00 0.08 0.07 0.00 0.07 0.16 0.00
A5 0.76 1.05 3.80 3.68 2.32 2.70 1.64 3.80 0.76 0.74 1.16 4.28 3.68 2.46 3.15 1.77 4.28 0.74 1.56 4.00 4.50 3.55 3.40 1.66 1.29 4.50 1.56 0.06 0.01 0.00 0.03 0.02 0.00 0.02 0.06 0.00
A6 4.41 3.73 4.32 4.16 4.15 0.09 0.30 4.41 3.73 2.78 2.47 2.48 4.16 2.97 0.65 0.80 4.16 2.47 3.53 3.60 2.45 3.22 3.20 0.28 0.53 3.60 2.45 0.00 0.48 2.10 0.33 0.73 0.88 0.94 2.10 0.00
A7 4.20 2.50 1.75 2.70 2.79 1.05 1.03 4.20 1.75 2.81 2.75 2.00 2.70 2.57 0.14 0.38 2.81 2.00 0.73 0.75 1.00 0.82 0.83 0.02 0.12 1.00 0.73 0.27 0.36 0.63 0.37 0.41 0.02 0.15 0.63 0.27
A8 4.78 2.95 2.80 3.34 3.47 0.81 0.90 4.78 2.80 3.88 2.81 3.36 3.34 3.35 0.19 0.44 3.88 2.81 1.47 2.31 3.50 2.22 2.38 0.70 0.84 3.50 1.47 1.19 1.42 2.76 1.46 1.71 0.50 0.71 2.76 1.19
A9 1.20 1.35 0.30 2.22 1.27 0.62 0.79 2.22 0.30 0.58 0.69 0.25 2.22 0.94 0.77 0.88 2.22 0.25 0.40 0.90 0.50 0.63 0.61 0.05 0.22 0.90 0.40 0.06 0.07 0.04 0.06 0.06 0.00 0.01 0.07 0.04
B1 1.35 3.25 1.80 3.46 2.46 1.09 1.04 3.46 1.35 1.35 3.71 2.10 3.46 2.66 1.25 1.12 3.71 1.35 2.22 2.10 2.10 2.05 2.12 0.01 0.07 2.22 2.05 2.54 2.73 1.80 2.34 2.35 0.16 0.40 2.73 1.80
B2 1.83 2.53 1.50 2.57 2.11 0.28 0.53 2.57 1.50 1.91 3.16 2.35 2.57 2.50 0.27 0.52 3.16 1.91 1.34 0.63 0.75 0.86 0.89 0.10 0.31 1.34 0.63 0.74 1.78 1.92 1.49 1.48 0.28 0.52 1.92 0.74
B3 4.75 3.86 4.30 3.67 4.15 0.23 0.48 4.75 3.67 4.06 3.95 3.50 3.67 3.79 0.07 0.26 4.06 3.50 0.89 0.30 0.93 0.55 0.67 0.09 0.30 0.93 0.30 0.04 0.08 0.05 0.08 0.06 0.00 0.02 0.08 0.04
B4 1.93 1.75 1.70 3.12 2.13 0.45 0.67 3.12 1.70 1.51 1.35 1.20 3.12 1.79 0.79 0.89 3.12 1.20 0.06 0.50 0.17 0.14 0.22 0.04 0.19 0.50 0.06 0.69 0.16 0.30 0.32 0.37 0.05 0.22 0.69 0.16
B5 4.90 4.80 3.01 4.07 4.19 0.76 0.87 4.90 3.01 4.29 3.80 2.80 4.07 3.74 0.43 0.66 4.29 2.80 2.41 2.96 2.25 2.76 2.59 0.10 0.32 2.96 2.25 0.66 2.36 2.00 1.92 1.73 0.55 0.74 2.36 0.66
B6 3.22 2.97 4.32 3.68 3.55 0.35 0.59 4.32 2.97 2.46 1.90 2.70 3.68 2.69 0.55 0.74 3.68 1.90 2.13 2.63 2.40 2.42 2.39 0.04 0.20 2.63 2.13 4.80 3.69 4.20 4.15 4.21 0.21 0.46 4.80 3.69
B7 1.59 1.46 1.25 1.50 1.45 0.02 0.14 1.59 1.25 1.51 1.76 1.50 1.50 1.57 0.02 0.13 1.76 1.50 0.08 0.15 0.10 0.10 0.11 0.00 0.03 0.15 0.08 0.32 0.03 0.00 0.15 0.13 0.02 0.15 0.32 0.00
C1 1.16 2.34 3.60 3.79 2.72 1.50 1.23 3.79 1.16 0.91 1.55 2.80 3.79 2.26 1.66 1.29 3.79 0.91 0.65 0.75 1.75 0.79 0.98 0.26 0.51 1.75 0.65 0.99 1.28 0.48 0.95 0.93 0.11 0.33 1.28 0.48
C2 2.07 3.05 2.88 4.17 3.04 0.75 0.86 4.17 2.07 2.07 2.50 2.40 4.17 2.79 0.88 0.94 4.17 2.07 0.38 0.30 0.20 0.28 0.29 0.01 0.07 0.38 0.20 1.08 1.54 3.20 1.90 1.93 0.83 0.91 3.20 1.08
C3 4.97 4.70 3.44 4.49 4.40 0.45 0.67 4.97 3.44 4.89 4.98 3.76 4.49 4.53 0.31 0.56 4.98 3.76 2.29 4.00 4.05 2.75 3.27 0.79 0.89 4.05 2.29 4.87 4.99 4.70 4.96 4.88 0.02 0.13 4.99 4.70
D1 2.25 3.00 0.66 1.66 1.89 0.98 0.99 3.00 0.66 2.45 3.62 0.60 1.66 2.08 1.62 1.27 3.62 0.60 1.81 2.31 1.20 2.04 1.84 0.22 0.47 2.31 1.20 2.65 3.14 2.00 2.54 2.58 0.22 0.47 3.14 2.00
D2 3.80 3.56 4.05 3.92 3.83 0.04 0.21 4.05 3.56 4.72 4.42 4.23 3.92 4.32 0.11 0.34 4.72 3.92 2.31 2.40 2.50 2.48 2.42 0.01 0.09 2.50 2.31 2.78 3.89 0.94 3.48 2.77 1.70 1.30 3.89 0.94
Avg 3.04 2.87 2.70 3.30 2.54 2.68 2.48 2.50 1.24 1.60 1.47 1.39 1.30 1.50 1.67 1.49
Vari 2.16 1.08 1.59 0.75 1.66 1.33 1.14 1.11 0.94 1.69 1.91 1.31 2.10 2.17 2.08 1.99
SD 1.47 1.04 1.26 0.86 1.29 1.15 1.07 1.05 0.97 1.30 1.38 1.14 1.45 1.47 1.44 1.41
Max 4.97 4.80 4.32 4.49 4.89 4.98 4.28 4.89 3.53 4.00 4.50 3.55 4.87 4.99 4.70 4.96
Min 0.76 1.05 0.30 1.50 0.58 0.69 0.25 0.52 0.06 0.13 0.05 0.10 0.00 0.01 0.00 0.03
187
PROCEDURES PROCEDURES
A1 4.89 4.50 4.00 3.83 4.31 0.23 0.48 4.89 3.83 4.87 4.97 4.60 4.92 4.84 0.03 0.16 4.97 4.60 1.63 0.50 0.45 1.04 0.90 0.30 0.55 1.63 0.45 3.28 4.44 2.45 3.80 3.49 0.71 0.84 4.44 2.45
A2 4.29 3.67 2.88 3.98 3.70 0.37 0.60 4.29 2.88 4.24 3.23 2.40 3.30 3.29 0.56 0.75 4.24 2.40 0.33 0.60 1.75 0.75 0.86 0.39 0.62 1.75 0.33 3.35 2.36 2.56 2.69 2.74 0.18 0.43 3.35 2.36
A3 1.84 3.30 2.80 4.02 2.99 0.83 0.91 4.02 1.84 1.03 2.11 2.45 1.65 1.81 0.38 0.61 2.45 1.03 0.52 0.37 0.33 0.44 0.42 0.01 0.08 0.52 0.33 4.01 2.57 2.40 3.11 3.02 0.52 0.72 4.01 2.40
A 3.78 4.05 2.15 4.09 3.52 0.85 0.92 4.09 2.15 2.38 2.55 1.35 2.27 2.14 0.29 0.54 2.55 1.35 1.23 0.40 0.35 1.06 0.76 0.20 0.45 1.23 0.35 2.67 3.38 2.45 2.86 2.84 0.16 0.40 3.38 2.45
A4 4.89 4.50 4.00 4.21 4.40 0.15 0.38 4.89 4.00 4.86 4.99 4.60 4.96 4.85 0.03 0.18 4.99 4.60 2.82 2.25 1.70 2.32 2.27 0.21 0.46 2.82 1.70 4.84 4.98 4.60 4.94 4.84 0.03 0.17 4.98 4.60
A5 2.39 4.30 1.90 2.70 2.82 1.08 1.04 4.30 1.90 2.23 4.14 1.75 2.73 2.71 1.07 1.03 4.14 1.75 2.67 1.20 1.00 1.55 1.60 0.55 0.74 2.67 1.00 1.71 2.54 0.00 1.46 1.43 1.12 1.06 2.54 0.00
A6 0.62 1.74 2.50 2.20 1.76 0.68 0.82 2.50 0.62 0.64 1.93 2.50 2.11 1.79 0.65 0.81 2.50 0.64 0.72 0.18 0.30 0.54 0.44 0.06 0.24 0.72 0.18 2.95 1.19 2.37 2.26 2.19 0.54 0.73 2.95 1.19
A7 1.54 2.46 2.00 3.69 2.42 0.85 0.92 3.69 1.54 1.02 2.11 1.35 1.28 1.44 0.22 0.47 2.11 1.02 1.45 0.30 0.75 0.85 0.84 0.22 0.47 1.45 0.30 0.64 3.43 0.70 1.01 1.45 1.77 1.33 3.43 0.64
A8 3.11 2.46 4.32 3.73 3.40 0.64 0.80 4.32 2.46 3.21 2.61 3.78 3.05 3.16 0.23 0.48 3.78 2.61 1.65 0.80 0.10 0.94 0.87 0.40 0.64 1.65 0.10 3.23 3.64 2.52 3.23 3.16 0.22 0.47 3.64 2.52
A9 2.12 3.01 2.78 3.47 2.84 0.31 0.56 3.47 2.12 2.13 2.90 2.63 2.51 2.54 0.10 0.32 2.90 2.13 1.53 1.80 0.60 1.25 1.29 0.26 0.51 1.80 0.60 0.98 3.26 2.45 1.61 2.08 0.99 0.99 3.26 0.98
A10 3.53 2.14 0.86 3.69 2.56 1.76 1.33 3.69 0.86 2.94 1.79 0.70 2.34 1.94 0.91 0.95 2.94 0.70 0.60 0.30 0.25 0.41 0.39 0.02 0.15 0.60 0.25 0.28 3.75 2.76 1.21 2.00 2.41 1.55 3.75 0.28
A11 3.04 4.00 1.75 2.57 2.84 0.88 0.94 4.00 1.75 3.72 3.95 1.75 3.37 3.20 0.99 1.00 3.95 1.75 0.25 0.30 0.75 0.61 0.48 0.06 0.24 0.75 0.25 2.11 2.78 2.45 2.25 2.40 0.08 0.29 2.78 2.11
A12 4.06 3.05 3.01 3.74 3.46 0.27 0.52 4.06 3.01 2.99 2.39 2.28 2.68 2.58 0.10 0.32 2.99 2.28 1.80 0.25 0.20 0.83 0.77 0.55 0.74 1.80 0.20 0.36 2.36 2.10 1.11 1.48 0.85 0.92 2.36 0.36
B1 3.86 2.88 2.50 3.38 3.16 0.35 0.59 3.86 2.50 3.69 2.40 1.75 2.58 2.61 0.65 0.81 3.69 1.75 0.70 0.40 0.50 0.56 0.54 0.02 0.13 0.70 0.40 3.84 2.93 3.78 3.77 3.58 0.19 0.44 3.84 2.93
B2 0.85 0.35 0.90 3.33 1.36 1.79 1.34 3.33 0.35 0.88 0.37 0.70 0.70 0.66 0.05 0.21 0.88 0.37 0.16 0.40 0.69 0.25 0.38 0.05 0.23 0.69 0.16 0.18 0.19 0.12 0.17 0.17 0.00 0.03 0.19 0.12
B3 4.56 4.00 0.30 3.78 3.16 3.74 1.93 4.56 0.30 3.84 4.06 0.37 3.47 2.93 2.98 1.73 4.06 0.37 0.68 0.35 0.30 0.40 0.43 0.03 0.17 0.68 0.30 3.28 3.73 3.15 3.39 3.39 0.06 0.25 3.73 3.15
B4 4.53 4.00 1.50 3.80 3.46 1.80 1.34 4.53 1.50 3.95 4.00 1.95 3.77 3.42 0.97 0.98 4.00 1.95 0.39 1.25 0.50 1.08 0.80 0.18 0.42 1.25 0.39 3.53 3.51 3.42 3.53 3.50 0.00 0.05 3.53 3.42
B5 4.27 4.50 3.20 2.96 3.73 0.59 0.77 4.50 2.96 3.31 3.56 2.64 3.32 3.21 0.16 0.40 3.56 2.64 0.30 1.20 1.75 1.05 1.08 0.36 0.60 1.75 0.30 1.74 2.25 2.96 2.47 2.35 0.26 0.51 2.96 1.74
B6 0.75 0.79 2.58 3.53 1.91 1.89 1.38 3.53 0.75 0.82 0.70 1.95 0.93 1.10 0.33 0.58 1.95 0.70 0.34 1.25 1.60 1.13 1.08 0.28 0.53 1.60 0.34 0.43 0.43 0.45 0.44 0.44 0.00 0.01 0.45 0.43
C1 4.98 4.50 4.30 4.10 4.47 0.14 0.38 4.98 4.10 4.08 4.11 3.50 4.01 3.93 0.08 0.29 4.11 3.50 2.06 0.80 0.17 1.77 1.20 0.76 0.87 2.06 0.17 4.84 4.75 4.70 4.74 4.76 0.00 0.06 4.84 4.70
D1 2.79 2.69 1.35 4.05 2.72 1.22 1.11 4.05 1.35 2.75 2.15 1.14 2.45 2.12 0.49 0.70 2.75 1.14 1.30 1.26 0.80 1.01 1.09 0.05 0.23 1.30 0.80 2.30 2.46 2.10 2.34 2.30 0.02 0.15 2.46 2.10
D2 4.63 0.82 0.90 3.88 2.56 3.93 1.98 4.63 0.82 3.04 0.69 0.56 1.40 1.42 1.30 1.14 3.04 0.56 0.48 0.75 2.70 1.19 1.28 0.98 0.99 2.70 0.48 1.03 0.92 1.50 1.10 1.14 0.06 0.25 1.50 0.92
D3 1.41 0.51 2.00 1.62 1.38 0.40 0.63 2.00 0.51 1.46 0.45 2.40 0.69 1.25 0.78 0.88 2.40 0.45 0.29 0.13 0.18 0.25 0.21 0.01 0.07 0.29 0.13 3.67 3.77 4.70 4.28 4.10 0.23 0.48 4.70 3.67
D4 2.49 0.69 3.50 1.91 2.15 1.38 1.17 3.50 0.69 3.03 0.91 3.20 1.87 2.25 1.15 1.07 3.20 0.91 0.47 0.13 0.18 0.36 0.29 0.03 0.16 0.47 0.13 2.29 1.19 2.10 1.98 1.89 0.23 0.48 2.29 1.19
Avg 3.13 2.87 2.42 3.43 2.80 2.63 2.18 2.60 1.01 0.72 0.75 0.90 2.40 2.78 2.45 2.49
Vari 2.04 2.01 1.28 0.53 1.66 1.95 1.35 1.39 0.61 0.31 0.45 0.25 2.11 1.66 1.66 1.74
SD 1.43 1.42 1.13 0.73 1.29 1.40 1.16 1.18 0.78 0.56 0.67 0.50 1.45 1.29 1.29 1.32
Max 4.98 4.50 4.32 4.21 4.87 4.99 4.60 4.96 2.82 2.25 2.70 2.32 4.84 4.98 4.70 4.94
Min 0.62 0.35 0.30 1.62 0.64 0.37 0.37 0.69 0.16 0.13 0.10 0.25 0.18 0.19 0.00 0.17
188
PEOPLE PEOPLE
A1 4.33 4.50 4.00 4.32 4.29 0.04 0.21 4.50 4.00 4.66 4.98 4.80 4.89 4.83 0.02 0.14 4.98 4.66 3.11 0.15 0.10 1.23 1.15 1.98 1.41 3.11 0.10 3.88 4.75 3.78 4.45 4.21 0.21 0.46 4.75 3.78
A2 3.66 1.50 2.59 4.10 2.96 1.35 1.16 4.10 1.50 3.78 1.41 3.15 2.40 2.68 1.03 1.02 3.78 1.41 0.22 1.17 0.90 0.64 0.73 0.16 0.41 1.17 0.22 2.07 2.17 1.90 2.11 2.06 0.01 0.12 2.17 1.90
B1 1.99 1.38 1.64 3.49 2.12 0.89 0.94 3.49 1.38 2.06 1.60 1.94 1.87 1.87 0.04 0.20 2.06 1.60 3.82 0.23 0.30 1.63 1.49 2.81 1.68 3.82 0.23 2.69 2.41 0.86 2.31 2.07 0.68 0.82 2.69 0.86
B2 3.91 4.48 3.22 4.65 4.06 0.42 0.65 4.65 3.22 3.43 3.60 2.66 3.29 3.25 0.17 0.41 3.60 2.66 2.83 0.75 1.60 1.75 1.73 0.73 0.86 2.83 0.75 2.96 3.73 1.14 2.65 2.62 1.18 1.09 3.73 1.14
B3 2.40 4.78 2.35 4.44 3.49 1.69 1.30 4.78 2.35 2.05 3.87 2.05 3.70 2.92 1.00 1.00 3.87 2.05 2.88 1.35 0.35 1.60 1.54 1.08 1.04 2.88 0.35 3.79 4.30 1.44 3.47 3.25 1.57 1.25 4.30 1.44
B4 2.24 2.35 2.64 3.64 2.72 0.41 0.64 3.64 2.24 2.04 2.02 2.28 2.03 2.09 0.02 0.13 2.28 2.02 0.60 0.15 0.05 0.26 0.27 0.06 0.24 0.60 0.05 3.16 4.35 3.43 3.67 3.65 0.26 0.51 4.35 3.16
B5 2.22 1.24 2.00 3.69 2.29 1.05 1.03 3.69 1.24 1.91 0.87 2.15 1.17 1.53 0.36 0.60 2.15 0.87 0.70 0.15 0.05 0.26 0.29 0.08 0.29 0.70 0.05 4.11 2.89 4.80 4.09 3.97 0.63 0.79 4.80 2.89
B6 2.33 1.25 3.20 3.91 2.67 1.32 1.15 3.91 1.25 1.10 0.75 2.24 1.11 1.30 0.42 0.65 2.24 0.75 0.70 0.15 0.05 0.32 0.31 0.08 0.29 0.70 0.05 2.37 2.10 2.52 2.30 2.32 0.03 0.17 2.52 2.10
B7 0.45 2.65 2.10 3.31 2.13 1.50 1.23 3.31 0.45 0.39 2.97 2.45 1.48 1.83 1.29 1.14 2.97 0.39 1.89 0.30 0.25 0.94 0.85 0.59 0.77 1.89 0.25 3.75 4.18 2.25 3.58 3.44 0.69 0.83 4.18 2.25
B8 2.33 3.56 3.50 3.26 3.16 0.32 0.57 3.56 2.33 2.24 2.99 3.30 2.68 2.80 0.20 0.45 3.30 2.24 0.21 0.30 0.05 0.18 0.18 0.01 0.10 0.30 0.05 0.95 0.67 0.20 0.66 0.62 0.10 0.31 0.95 0.20
C1 0.88 0.40 0.37 3.39 1.26 2.08 1.44 3.39 0.37 0.49 0.21 0.28 0.39 0.34 0.01 0.12 0.49 0.21 0.27 1.05 0.10 0.33 0.44 0.18 0.42 1.05 0.10 0.62 0.27 0.00 0.37 0.31 0.07 0.26 0.62 0.00
C2 2.72 3.40 3.04 3.41 3.14 0.11 0.33 3.41 2.72 2.55 2.76 2.66 2.51 2.62 0.01 0.11 2.76 2.51 1.77 0.20 0.10 0.74 0.70 0.59 0.77 1.77 0.10 4.16 4.74 3.44 4.22 4.14 0.28 0.53 4.74 3.44
C3 2.74 2.58 3.60 3.93 3.21 0.43 0.65 3.93 2.58 2.34 2.87 4.23 2.80 3.06 0.66 0.81 4.23 2.34 0.70 0.35 0.40 0.78 0.56 0.05 0.21 0.78 0.35 4.18 2.25 2.73 3.22 3.10 0.68 0.83 4.18 2.25
C4 4.30 3.80 3.50 3.65 3.81 0.12 0.35 4.30 3.50 4.19 4.84 4.30 4.50 4.46 0.08 0.28 4.84 4.19 0.33 0.52 1.60 0.60 0.76 0.33 0.57 1.60 0.33 3.02 3.81 2.34 3.27 3.11 0.37 0.61 3.81 2.34
C5 2.47 1.20 2.85 2.69 2.30 0.56 0.75 2.85 1.20 2.87 1.40 3.33 2.52 2.53 0.67 0.82 3.33 1.40 1.43 2.10 2.20 1.96 1.92 0.12 0.34 2.20 1.43 2.45 3.31 4.28 3.20 3.31 0.56 0.75 4.28 2.45
D1 1.41 1.76 3.42 3.33 2.48 1.08 1.04 3.42 1.41 1.31 1.45 3.15 1.58 1.87 0.74 0.86 3.15 1.31 1.66 1.20 2.45 1.65 1.74 0.27 0.52 2.45 1.20 1.64 2.49 4.41 2.31 2.71 1.41 1.19 4.41 1.64
D2 1.79 1.38 2.25 1.66 1.77 0.13 0.36 2.25 1.38 2.67 3.34 2.97 2.96 2.98 0.08 0.28 3.34 2.67 0.31 0.07 0.05 0.17 0.15 0.01 0.12 0.31 0.05 3.52 4.52 3.44 3.86 3.84 0.24 0.49 4.52 3.44
D3 1.78 1.59 1.50 2.91 1.94 0.43 0.65 2.91 1.50 1.69 2.72 2.10 2.17 2.17 0.18 0.42 2.72 1.69 0.59 0.20 0.21 0.42 0.36 0.03 0.19 0.59 0.20 1.17 0.40 1.35 0.88 0.95 0.17 0.41 1.35 0.40
Avg 2.44 2.43 2.65 3.54 2.32 2.48 2.78 2.45 1.33 0.58 0.60 0.86 2.81 2.96 2.46 2.81
Vari 1.15 1.81 0.83 0.48 1.36 1.86 1.08 1.35 1.33 0.32 0.64 0.38 1.31 2.17 2.08 1.49
SD 1.07 1.35 0.91 0.69 1.17 1.36 1.04 1.16 1.15 0.57 0.80 0.62 1.14 1.47 1.44 1.22
Max 4.33 4.78 4.00 4.65 4.66 4.98 4.80 4.89 3.82 2.10 2.45 1.96 4.18 4.75 4.80 4.45
Min 0.45 0.40 0.37 1.66 0.39 0.21 0.28 0.39 0.21 0.07 0.05 0.17 0.62 0.27 0.00 0.37
189
TECHNOLOGY TECHNOLOGY
A1 4.26 4.20 3.60 4.11 4.04 0.09 0.30 4.26 3.60 3.93 3.67 3.36 3.71 3.67 0.06 0.24 3.93 3.36 3.12 1.02 0.60 1.63 1.59 1.22 1.10 3.12 0.60 4.22 2.98 2.34 3.45 3.25 0.63 0.79 4.22 2.34
A2 1.28 2.70 4.30 4.37 3.16 2.17 1.47 4.37 1.28 1.28 2.99 4.85 2.12 2.81 2.33 1.53 4.85 1.28 1.33 1.17 1.20 1.28 1.25 0.01 0.07 1.33 1.17 2.90 2.16 2.34 2.25 2.41 0.11 0.33 2.90 2.16
A3 4.59 4.20 3.20 4.24 4.06 0.36 0.60 4.59 3.20 4.75 4.99 3.88 4.80 4.60 0.24 0.49 4.99 3.88 2.86 0.65 0.60 1.58 1.42 1.12 1.06 2.86 0.60 4.22 4.70 2.94 4.48 4.08 0.62 0.79 4.70 2.94
A4 1.92 1.04 1.90 1.72 1.64 0.17 0.41 1.92 1.04 3.08 1.93 3.33 2.56 2.72 0.38 0.62 3.33 1.93 1.34 2.00 4.05 2.24 2.41 1.34 1.16 4.05 1.34 3.27 2.36 2.10 2.74 2.62 0.26 0.51 3.27 2.10
A5 4.95 4.80 4.50 3.87 4.53 0.23 0.48 4.95 3.87 4.93 4.99 4.85 4.97 4.93 0.00 0.06 4.99 4.85 0.87 0.05 0.20 0.43 0.39 0.13 0.36 0.87 0.05 4.38 4.84 3.57 4.56 4.34 0.30 0.55 4.84 3.57
A6 4.66 4.50 4.00 3.49 4.16 0.28 0.53 4.66 3.49 4.38 3.88 3.50 4.00 3.94 0.13 0.36 4.38 3.50 1.31 0.05 0.10 0.55 0.50 0.34 0.59 1.31 0.05 4.48 4.71 2.88 4.33 4.10 0.69 0.83 4.71 2.88
A7 4.77 4.30 4.00 3.39 4.11 0.34 0.58 4.77 3.39 4.93 4.99 4.85 4.97 4.93 0.00 0.06 4.99 4.85 1.77 2.10 3.50 2.25 2.41 0.57 0.76 3.50 1.77 3.41 2.86 2.40 2.99 2.92 0.17 0.42 3.41 2.40
A8 4.73 3.50 3.00 2.99 3.55 0.67 0.82 4.73 2.99 4.93 4.99 4.85 4.97 4.93 0.00 0.06 4.99 4.85 2.35 1.25 1.60 1.86 1.76 0.21 0.46 2.35 1.25 3.62 3.17 3.20 3.32 3.33 0.04 0.20 3.62 3.17
A9 4.05 2.45 3.20 2.98 3.17 0.44 0.66 4.05 2.45 4.60 3.49 3.88 4.14 4.03 0.22 0.46 4.60 3.49 1.53 0.35 0.20 0.84 0.73 0.36 0.60 1.53 0.20 3.20 1.71 2.40 2.00 2.33 0.42 0.65 3.20 1.71
A10 1.10 2.89 2.40 3.40 2.45 0.97 0.99 3.40 1.10 0.78 2.28 2.52 1.57 1.79 0.61 0.78 2.52 0.78 0.10 0.07 0.05 0.16 0.10 0.00 0.05 0.16 0.05 1.01 0.88 0.20 0.79 0.72 0.13 0.36 1.01 0.20
B1 4.85 4.50 5.00 4.64 4.75 0.05 0.22 5.00 4.50 4.75 3.50 4.20 4.00 4.11 0.27 0.52 4.75 3.50 0.26 0.05 0.03 0.12 0.11 0.01 0.10 0.26 0.03 3.75 3.94 0.90 3.19 2.94 1.96 1.40 3.94 0.90
B2 4.75 4.20 3.80 3.93 4.17 0.18 0.42 4.75 3.80 4.75 3.50 3.50 4.00 3.94 0.35 0.59 4.75 3.50 0.33 0.05 0.03 0.15 0.14 0.02 0.14 0.33 0.03 4.40 3.25 3.20 3.75 3.65 0.31 0.56 4.40 3.20
B3 4.85 4.70 5.00 4.04 4.65 0.18 0.42 5.00 4.04 4.75 3.50 3.50 4.00 3.94 0.35 0.59 4.75 3.50 0.86 0.10 0.03 0.29 0.32 0.14 0.37 0.86 0.03 4.05 3.61 2.73 3.74 3.53 0.32 0.57 4.05 2.73
B5 4.90 4.20 4.30 4.15 4.39 0.12 0.35 4.90 4.15 4.75 3.50 3.50 4.00 3.94 0.35 0.59 4.75 3.50 0.30 0.05 0.03 0.11 0.12 0.01 0.12 0.30 0.03 3.94 3.63 4.00 3.83 3.85 0.03 0.16 4.00 3.63
B6 4.00 2.06 4.00 3.50 3.39 0.84 0.92 4.00 2.06 3.74 1.91 3.00 2.39 2.76 0.63 0.79 3.74 1.91 0.27 0.05 0.03 0.12 0.12 0.01 0.11 0.27 0.03 4.88 3.71 4.60 4.54 4.43 0.25 0.50 4.88 3.71
B7 4.20 2.17 3.50 2.64 3.13 0.81 0.90 4.20 2.17 4.73 2.22 3.50 3.48 3.48 1.05 1.02 4.73 2.22 0.31 0.05 0.03 0.16 0.14 0.02 0.13 0.31 0.03 4.36 3.73 4.20 4.13 4.11 0.07 0.26 4.36 3.73
B8 4.70 4.20 4.00 3.82 4.18 0.14 0.38 4.70 3.82 4.30 4.03 3.50 4.00 3.96 0.11 0.33 4.30 3.50 0.30 0.05 0.03 0.15 0.13 0.01 0.12 0.30 0.03 4.02 4.29 4.05 4.18 4.13 0.01 0.12 4.29 4.02
B9 4.87 4.30 4.00 3.28 4.11 0.44 0.66 4.87 3.28 2.68 2.66 2.00 2.51 2.46 0.10 0.32 2.68 2.00 0.15 0.05 0.03 0.09 0.08 0.00 0.05 0.15 0.03 4.40 4.55 3.96 4.41 4.33 0.07 0.26 4.55 3.96
B10 4.54 2.49 4.50 3.72 3.81 0.92 0.96 4.54 2.49 4.48 2.18 3.50 3.35 3.38 0.89 0.94 4.48 2.18 0.09 0.05 0.06 0.08 0.07 0.00 0.02 0.09 0.05 3.34 2.35 1.70 2.63 2.50 0.46 0.68 3.34 1.70
B11 4.79 4.20 4.00 3.65 4.16 0.23 0.48 4.79 3.65 4.83 4.99 4.85 4.93 4.90 0.01 0.07 4.99 4.83 0.09 0.05 0.03 0.06 0.06 0.00 0.02 0.09 0.03 0.18 3.07 1.92 2.67 1.96 1.64 1.28 3.07 0.18
B12 4.66 4.30 4.00 4.01 4.24 0.10 0.31 4.66 4.00 4.66 4.99 4.85 4.79 4.82 0.02 0.14 4.99 4.66 0.89 0.15 0.25 0.51 0.45 0.11 0.33 0.89 0.15 3.71 3.99 3.20 4.06 3.74 0.15 0.39 4.06 3.20
C1 2.64 4.40 3.20 4.28 3.63 0.73 0.85 4.40 2.64 2.59 3.43 2.80 3.46 3.07 0.19 0.44 3.46 2.59 0.30 2.50 2.00 1.20 1.50 0.93 0.96 2.50 0.30 3.56 4.19 1.47 3.42 3.16 1.38 1.18 4.19 1.47
C2 4.96 4.60 4.50 4.54 4.65 0.04 0.21 4.96 4.50 4.75 3.50 3.50 4.00 3.94 0.35 0.59 4.75 3.50 1.69 1.75 0.50 1.49 1.36 0.34 0.58 1.75 0.50 2.07 1.92 1.75 1.90 1.91 0.02 0.13 2.07 1.75
C3 2.03 1.52 3.00 2.80 2.34 0.47 0.69 3.00 1.52 1.29 0.89 1.98 1.31 1.37 0.20 0.45 1.98 0.89 0.19 0.65 0.80 0.44 0.52 0.07 0.26 0.80 0.19 2.13 0.89 0.60 1.34 1.24 0.45 0.67 2.13 0.60
D1 4.77 4.30 4.00 2.55 3.91 0.92 0.96 4.77 2.55 4.93 4.99 4.85 4.97 4.93 0.00 0.06 4.99 4.85 0.48 0.30 0.30 0.40 0.37 0.01 0.09 0.48 0.30 3.48 4.79 2.00 4.27 3.63 1.47 1.21 4.79 2.00
D2 4.70 4.90 5.00 2.67 4.32 1.23 1.11 5.00 2.67 4.93 4.99 4.85 4.97 4.93 0.00 0.06 4.99 4.85 0.07 1.05 0.80 0.52 0.61 0.18 0.42 1.05 0.07 4.38 4.83 2.52 4.46 4.05 1.07 1.04 4.83 2.52
D3 4.62 3.56 5.00 3.08 4.07 0.80 0.89 5.00 3.08 4.93 3.63 4.85 4.56 4.49 0.36 0.60 4.93 3.63 0.27 0.35 2.00 0.84 0.86 0.64 0.80 2.00 0.27 4.73 2.38 4.50 2.94 3.64 1.33 1.15 4.73 2.38
Avg 4.12 3.67 3.89 3.55 4.05 3.58 3.80 3.80 0.87 0.59 0.71 0.72 3.56 3.31 2.65 3.35
Vari 1.40 1.18 0.61 0.49 1.56 1.37 0.81 1.18 0.77 0.56 1.14 0.49 1.22 1.39 1.35 1.08
SD 1.18 1.09 0.78 0.70 1.25 1.17 0.90 1.09 0.88 0.75 1.07 0.70 1.11 1.18 1.16 1.04
Max 4.96 4.90 5.00 4.64 4.93 4.99 4.85 4.97 3.12 2.50 4.05 2.25 4.88 4.84 4.60 4.56
Min 1.10 1.04 1.90 1.72 0.78 0.89 1.98 1.31 0.07 0.05 0.03 0.06 0.18 0.88 0.20 0.79
190
FACILITIES FACILITIES
A1 4.15 3.83 3.15 0.82 2.99 2.26 1.50 4.15 0.82 3.66 3.20 2.66 3.26 3.19 0.17 0.41 3.66 2.66 0.38 0.45 0.18 0.39 0.35 0.01 0.12 0.45 0.18 3.49 2.95 0.50 2.55 2.37 1.71 1.31 3.49 0.50
A2 4.75 4.30 4.00 4.03 4.27 0.12 0.35 4.75 4.00 4.93 4.99 4.85 4.97 4.93 0.00 0.06 4.99 4.85 0.57 0.00 0.30 0.38 0.31 0.06 0.24 0.57 0.00 3.93 4.79 4.23 4.56 4.38 0.14 0.38 4.79 3.93
A3 4.75 4.30 4.00 3.93 4.25 0.14 0.37 4.75 3.93 4.93 4.99 4.85 4.97 4.93 0.00 0.06 4.99 4.85 0.10 0.56 0.45 0.31 0.36 0.04 0.20 0.56 0.10 2.96 2.38 2.38 2.47 2.54 0.08 0.28 2.96 2.38
B1 4.37 1.85 2.40 4.08 3.17 1.53 1.24 4.37 1.85 4.00 1.61 2.28 2.77 2.66 1.02 1.01 4.00 1.61 0.05 0.05 0.05 0.05 0.05 0.00 0.00 0.05 0.05 0.57 0.55 4.00 1.36 1.62 2.66 1.63 4.00 0.55
B2 4.00 3.50 3.00 2.95 3.36 0.24 0.49 4.00 2.95 4.85 3.62 3.50 4.01 3.99 0.37 0.61 4.85 3.50 1.47 0.90 0.25 0.99 0.90 0.25 0.50 1.47 0.25 3.34 3.90 2.35 3.25 3.21 0.41 0.64 3.90 2.35
B3 2.52 4.70 3.60 3.43 3.56 0.80 0.89 4.70 2.52 2.22 4.25 2.70 2.82 3.00 0.76 0.87 4.25 2.22 0.23 1.40 0.69 0.65 0.74 0.23 0.48 1.40 0.23 4.10 4.02 2.30 3.78 3.55 0.71 0.84 4.10 2.30
B4 4.25 3.50 3.70 2.73 3.54 0.40 0.63 4.25 2.73 4.93 4.99 4.85 4.97 4.93 0.00 0.06 4.99 4.85 1.05 0.40 0.23 0.67 0.59 0.13 0.36 1.05 0.23 3.87 4.31 4.47 4.20 4.21 0.06 0.25 4.47 3.87
C1 2.04 2.40 2.00 2.83 2.32 0.15 0.39 2.83 2.00 1.53 1.79 1.48 1.61 1.60 0.02 0.14 1.79 1.48 0.33 0.42 0.05 0.24 0.26 0.02 0.16 0.42 0.05 3.16 2.40 3.20 2.88 2.91 0.13 0.37 3.20 2.40
C2 4.79 4.70 4.80 1.46 3.94 2.74 1.65 4.80 1.46 4.93 4.99 4.85 4.97 4.93 0.00 0.06 4.99 4.85 0.27 0.07 0.25 0.35 0.23 0.01 0.12 0.35 0.07 3.34 4.83 4.70 4.46 4.33 0.46 0.68 4.83 3.34
C3 4.79 4.70 4.80 1.60 3.97 2.51 1.58 4.80 1.60 4.93 4.99 4.85 4.97 4.93 0.00 0.06 4.99 4.85 0.07 0.07 0.20 0.12 0.11 0.00 0.06 0.20 0.07 3.79 4.83 3.76 4.46 4.21 0.27 0.52 4.83 3.76
D1 4.79 4.70 4.80 1.60 3.97 2.51 1.58 4.80 1.60 4.84 3.67 3.50 4.04 4.01 0.36 0.60 4.84 3.50 0.17 0.49 0.30 0.42 0.34 0.02 0.14 0.49 0.17 3.83 4.21 2.35 3.54 3.48 0.65 0.80 4.21 2.35
D2 4.91 4.70 4.50 2.20 4.08 1.59 1.26 4.91 2.20 4.93 4.99 4.85 4.97 4.93 0.00 0.06 4.99 4.85 0.43 0.14 0.10 0.28 0.24 0.02 0.15 0.43 0.10 4.23 3.66 3.76 3.66 3.83 0.07 0.27 4.23 3.66
D3 3.23 3.30 2.80 2.50 2.96 0.14 0.38 3.30 2.50 4.93 4.99 4.85 4.97 4.93 0.00 0.06 4.99 4.85 0.31 0.07 0.20 0.27 0.21 0.01 0.11 0.31 0.07 2.90 3.63 3.29 3.39 3.30 0.09 0.31 3.63 2.90
D4 2.58 4.13 2.80 2.57 3.02 0.56 0.75 4.13 2.57 2.25 3.80 3.60 2.94 3.15 0.49 0.70 3.80 2.25 0.12 0.39 0.25 0.23 0.25 0.01 0.11 0.39 0.12 2.37 2.01 0.80 2.02 1.80 0.47 0.69 2.37 0.80
D5 3.25 3.30 2.80 2.06 2.85 0.33 0.58 3.30 2.06 3.97 3.96 4.50 4.07 4.13 0.06 0.25 4.50 3.96 1.29 0.42 0.25 0.79 0.69 0.21 0.46 1.29 0.25 2.56 1.75 2.70 2.37 2.34 0.17 0.42 2.70 1.75
Avg 3.94 3.86 3.54 2.59 4.12 4.05 3.88 4.02 0.46 0.39 0.25 0.41 3.23 3.35 2.99 3.26
Vari 0.94 0.79 0.85 0.99 1.40 1.31 1.32 1.20 0.20 0.14 0.03 0.07 0.85 1.66 1.55 0.94
SD 0.97 0.89 0.92 0.99 1.18 1.15 1.15 1.10 0.45 0.37 0.16 0.26 0.92 1.29 1.25 0.97
Max 4.91 4.70 4.80 4.08 4.93 4.99 4.85 4.97 1.47 1.40 0.69 0.99 4.23 4.83 4.70 4.56
Min 2.04 1.85 2.00 0.82 1.53 1.61 1.48 1.61 0.05 0.00 0.05 0.05 0.57 0.55 0.50 1.36
191
Exhibit 6.4 (Table 6.12) - Survey of Large and Medium & Small Retail Banks (MSRBs)
Clusters Overall Top Middle Functional
Average RLRIL RSRIS VLVIL VSVIS RLRIt RSRIt VLVIt VSVIt RLRIm RSRIm VLVIm VSVIm RLRIf RSRIf VLVIf VSVIf
Organization 3.30 2.50 1.39 1.49 3.04 2.54 1.24 1.30 2.87 2.68 1.60 1.50 2.70 2.48 1.47 1.67
Procedure 3.43 2.60 0.90 2.49 3.13 2.80 1.01 2.40 2.87 2.63 0.72 2.78 2.42 2.18 0.75 2.45
People 3.54 2.45 0.86 2.81 2.44 2.32 1.33 2.81 2.43 2.48 0.58 2.96 2.65 2.78 0.60 2.46
Technology 3.55 3.80 0.72 3.35 4.12 4.05 0.87 3.56 3.67 3.58 0.59 3.31 3.89 3.80 0.71 2.65
Facility 2.59 4.02 0.41 3.26 3.94 4.12 0.46 3.23 3.86 4.05 0.39 3.35 3.54 3.88 0.25 2.99
Max RLRIL RSRIS VLVIL VSVIS RLRIt RSRIt VLVIt VSVIt RLRIm RSRIm VLVIm VSVIm RLRIf RSRIf VLVIf VSVIf
Organization 4.49 4.89 3.55 4.96 4.97 4.89 3.53 4.87 4.80 4.98 4.00 4.99 4.32 4.28 4.50 4.70
Procedure 4.21 4.96 2.32 4.94 4.98 4.87 2.82 4.84 4.50 4.99 2.25 4.98 4.32 4.60 2.70 4.70
People 4.65 4.89 1.96 4.45 4.33 4.66 3.82 4.18 4.78 4.98 2.10 4.75 4.00 4.80 2.45 4.80
Technology 4.64 4.97 2.25 4.56 4.96 4.93 3.12 4.88 4.90 4.99 2.50 4.84 5.00 4.85 4.05 4.60
Facility 4.08 4.97 0.99 4.56 4.91 4.93 1.47 4.23 4.70 4.99 1.40 4.83 4.80 4.85 0.69 4.70
Min RLRIL RSRIS VLVIL VSVIS RLRIt RSRIt VLVIt VSVIt RLRIm RSRIm VLVIm VSVIm RLRIf RSRIf VLVIf VSVIf
Organization 1.50 0.52 0.10 0.03 0.76 0.58 0.06 0.00 1.05 0.69 0.13 0.01 0.30 0.25 0.05 0.00
Procedure 1.62 0.69 0.25 0.17 0.62 0.64 0.16 0.18 0.35 0.37 0.13 0.19 0.30 0.37 0.10 0.00
People 1.66 0.39 0.17 0.37 0.45 0.39 0.21 0.62 0.40 0.21 0.07 0.27 0.37 0.28 0.05 0.00
Technology 1.72 1.31 0.06 0.79 1.10 0.78 0.07 0.18 1.04 0.89 0.05 0.88 1.90 1.98 0.03 0.20
Facility 0.82 1.61 0.05 1.36 2.04 1.53 0.05 0.57 1.85 1.61 0.00 0.55 2.00 1.48 0.05 0.50
Variance RLRIL RSRIS VLVIL VSVIS RLRIt RSRIt VLVIt VSVIt RLRIm RSRIm VLVIm VSVIm RLRIf RSRIf VLVIf VSVIf
Organization 0.75 1.11 1.31 1.99 2.16 1.66 0.94 2.10 1.08 1.33 1.69 2.17 1.59 1.14 1.91 2.08
Procedure 0.53 1.39 0.25 1.74 2.04 1.66 0.61 2.11 2.01 1.95 0.31 1.66 1.28 1.35 0.45 1.66
People 0.48 1.35 0.38 1.49 1.15 1.36 1.33 1.31 1.81 1.86 0.32 2.17 0.83 1.08 0.64 2.08
Technology 0.49 1.18 0.49 1.08 1.40 1.56 0.77 1.22 1.18 1.37 0.56 1.39 0.61 0.81 1.14 1.35
Facility 0.99 1.20 0.07 0.94 0.94 1.40 0.20 0.85 0.79 1.31 0.14 1.66 0.85 1.32 0.03 1.55
SD RLRIL RSRIS VLVIL VSVIS RLRIt RSRIt VLVIt VSVIt RLRIm RSRIm VLVIm VSVIm RLRIf RSRIf VLVIf VSVIf
Organization 0.86 1.05 1.14 1.41 1.47 1.29 0.97 1.45 1.04 1.15 1.30 1.47 1.26 1.07 1.38 1.44
Procedure 0.73 1.18 0.50 1.32 1.43 1.29 0.78 1.45 1.42 1.40 0.56 1.29 1.13 1.16 0.67 1.29
People 0.69 1.16 0.62 1.22 1.07 1.17 1.15 1.14 1.35 1.36 0.57 1.47 0.91 1.04 0.80 1.35
Technology 0.70 1.09 0.70 1.04 1.18 1.25 0.88 1.11 1.09 1.17 0.75 1.18 0.78 0.90 1.07 1.16
Facility 0.99 1.10 0.26 0.97 0.97 1.18 0.45 0.92 0.89 1.15 0.37 1.29 0.92 1.15 0.16 1.25
192
Resilience Indicator and Vulnerability Index Correlations
ORGANIZATION
Table of Correlations Gross Data
3.04 2.54 1.24 1.30 Top RLRIt RSRIt VLVIt VSVIt

Top RLRIt RSRIt VLVIt VSVIt Avg 3.04 2.54 1.24 1.30
RLRIt 1.000 Vari 2.16 1.66 0.94 2.10
RSRIt 0.880 1.000 SD 1.47 1.29 0.97 1.45
VLVIt 0.307 0.391 1.000 Max 4.97 4.89 3.53 4.87
VSVIt 0.157 0.361 0.422 1.000 Min 0.76 0.58 0.06 0.00
2.87 2.68 1.60 1.50 Middle RLRIm RSRIm VLVIm VSVIm

Middle RLRIm RSRIm VLVIm VSVIm Avg 2.87 2.68 1.60 1.50
RLRIm 1.000 Vari 1.08 1.33 1.69 2.17
RSRIm 0.822 1.000 SD 1.04 1.15 1.30 1.47
VLVIm 0.281 0.267 1.000 Max 4.80 4.98 4.00 4.99
VSVIm 0.517 0.644 0.528 1.000 Min 1.05 0.69 0.13 0.01
2.7 2.48 1.47 1.67 Functional RLRIf RSRIf VLVIf VSVIf

Functional RLRIf RSRIf VLVIf VSVIf Avg 2.70 2.48 1.47 1.67
RLRIf 1.000 Vari 1.59 1.14 1.91 2.08
RSRIf 0.838 1.000 SD 1.26 1.07 1.38 1.44
VLVIf 0.441 0.620 1.000 Max 4.32 4.28 4.50 4.70
VSVIf 0.154 0.135 0.264 1.000 Min 0.30 0.25 0.05 0.00
3.30 2.50 1.39 1.49 Overall RLRIL RSRIS VLVIL VSVIS

Overall RLRIL RSRIS VLVIL VSVIS Avg 3.30 2.50 1.39 1.49
RLRIL 1.000 Vari 0.75 1.11 1.31 1.99
RSRIS 0.470 1.000 SD 0.86 1.05 1.14 1.41
VLVIL 0.390 0.334 1.000 Max 4.49 4.89 3.55 4.96
VSVIS 0.301 0.594 0.421 1.000 Min 1.50 0.52 0.10 0.03
193
PROCEDURE

RLRIt 1.000 Vari 2.04 1.66 0.61 2.11
RSRIt 0.916 1.000 SD 1.43 1.29 0.78 1.45
VLVIt 0.270 0.272 1.000 Max 4.98 4.87 2.82 4.84
VSVIt 0.398 0.473 0.209 1.000 Min 0.62 0.64 0.16 0.18

RLRIm 1.000 Vari 2.01 1.95 0.31 1.66
RSRIm 0.942 1.000 SD 1.42 1.40 0.56 1.29
VLVIm 0.338 0.404 1.000 Max 4.50 4.99 2.25 4.98
VSVIm 0.651 0.680 0.204 1.000 Min 0.35 0.37 0.13 0.19

RLRIf 1.000 Vari 1.28 1.35 0.45 1.66
RSRIf 0.930 1.000 SD 1.13 1.16 0.67 1.29
VLVIf -0.107 -0.111 1.000 Max 4.32 4.60 2.70 4.70
VSVIf 0.327 0.418 -0.231 1.000 Min 0.30 0.37 0.10 0.00

RLRIL 1.000 Vari 0.53 1.39 0.25 1.74
RSRIS 0.371 1.000 SD 0.73 1.18 0.50 1.32
VLVIL 0.443 0.545 1.000 Max 4.21 4.96 2.32 4.94
VSVIS 0.112 0.621 0.290 1.000 Min 1.62 0.69 0.25 0.17
194
PEOPLE

RLRIt 1.000 Vari 1.15 1.36 1.33 1.31
RSRIt 0.930 1.000 SD 1.07 1.17 1.15 1.14
VLVIt 0.140 0.148 1.000 Max 4.33 4.66 3.82 4.18
VSVIt 0.278 0.291 0.353 1.000 Min 0.45 0.39 0.21 0.62

RLRIm 1.000 Vari 1.81 1.86 0.32 2.17
RSRIm 0.846 1.000 SD 1.35 1.36 0.57 1.47
VLVIm -0.084 -0.228 1.000 Max 4.78 4.98 2.10 4.75
VSVIm 0.506 0.530 -0.084 1.000 Min 0.40 0.21 0.07 0.27

RLRIf 1.000 Vari 0.83 1.08 0.64 2.08
RSRIf 0.861 1.000 SD 0.91 1.04 0.80 1.44
VLVIf 0.329 0.314 1.000 Max 4.00 4.80 2.45 4.80
VSVIf 0.384 0.412 0.257 1.000 Min 0.37 0.28 0.05 0.00

RLRIL 1.000 Vari 0.48 1.35 0.38 1.49
RSRIS 0.249 1.000 SD 0.69 1.16 0.62 1.22
VLVIL 0.289 0.274 1.000 Max 4.65 4.89 1.96 4.45
VSVIS 0.086 0.424 0.186 1.000 Min 1.66 0.39 0.17 0.37
195
TECHNOLOGY

RLRIt 1.000 Vari 1.40 1.56 0.77 1.22
RSRIt 0.897 1.000 SD 1.18 1.25 0.88 1.11
VLVIt 0.070 0.164 1.000 Max 4.96 4.93 3.12 4.88
VSVIt 0.423 0.387 0.110 1.000 Min 1.10 0.78 0.07 0.18

RLRIm 1.000 Vari 1.18 1.37 0.56 1.39
RSRIm 0.754 1.000 SD 1.09 1.17 0.75 1.18
VLVIm -0.056 0.061 1.000 Max 4.90 4.99 2.50 4.84
VSVIm 0.617 0.552 -0.187 1.000 Min 1.04 0.89 0.05 0.88

RLRIf 1.000 Vari 0.61 0.81 1.14 1.35
RSRIf 0.411 1.000 SD 0.78 0.90 1.07 1.16
VLVIf -0.354 0.177 1.000 Max 5.00 4.85 4.05 4.60
VSVIf 0.281 0.174 -0.107 1.000 Min 1.90 1.98 0.03 0.20

RLRIL 1.000 Vari 0.49 1.18 0.49 1.08
RSRIS 0.112 1.000 SD 0.70 1.09 0.70 1.04
VLVIL -0.123 0.138 1.000 Max 4.64 4.97 2.25 4.56
VSVIS 0.042 0.484 -0.187 1.000 Min 1.72 1.31 0.06 0.79
196
FACILITY

RLRIt 1.000 Vari 0.94 1.40 0.20 0.85
RSRIt 0.863 1.000 SD 0.97 1.18 0.45 0.92
VLVIt -0.060 0.206 1.000 Max 4.91 4.93 1.47 4.23
VSVIt 0.182 0.189 0.151 1.000 Min 2.04 1.53 0.05 0.57

RLRIm 1.000 Vari 0.79 1.31 0.14 1.66
RSRIm 0.740 1.000 SD 0.89 1.15 0.37 1.29
VLVIm 0.151 -0.114 1.000 Max 4.70 4.99 1.40 4.83
VSVIm 0.693 0.679 0.009 1.000 Min 1.85 1.61 0.00 0.55

RLRIf 1.000 Vari 0.85 1.32 0.03 1.55
RSRIf 0.613 1.000 SD 0.92 1.15 0.16 1.25
VLVIf 0.291 0.128 1.000 Max 4.80 4.85 0.69 4.70
VSVIf 0.311 0.405 -0.241 1.000 Min 2.00 1.48 0.05 0.50

RLRIL 1.000 Vari 0.99 1.20 0.07 0.94
RSRIS -0.120 1.000 SD 0.99 1.10 0.26 0.97
VLVIL -0.020 0.083 1.000 Max 4.08 4.97 0.99 4.56
VSVIS -0.205 0.580 0.159 1.000 Min 0.82 1.61 0.05 1.36
197
Exhibit 6.5 (Table 6.13) - Classification of Factors for BCM Implementation
Organization
Srl. CFLT CFST CFLM CFSM CFLF CFSF CFL CFS CF RLRIL RSRIS VLVIL VSVIS
A1 A1 A1 A1 A1 A1 A1 A1 A1 A1 1.95 2.65 0.52 1.73
A2 A2 A2 A2 A2 A2 A2 A2 A2 A2 3.71 2.07 0.55 1.81
A3 A3 A3 A3 A3 A3 A3 A3 A3 A3 3.89 2.71 0.29 1.17
A4 A4 A4 A4 A4 A4 A4 A4 A4 A4 3.48 2.54 0.27 0.08
A5 A5 A5 A5 A5 A5 A5 A5 A5 A5 3.68 1.12 3.55 0.03
A6 A6 A6 A6 A6 A6 A6 A6 A6 A6 4.16 2.64 3.22 0.33
A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 2.70 2.46 0.82 0.37
A8 A8 A8 A8 A8 A8 A8 A8 A8 A8 3.34 3.01 2.22 1.46
A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 2.22 0.52 0.63 0.06
B1 B1 B1 B1 B1 B1 B1 B1 B1 B1 3.46 2.55 2.05 2.34
B2 B2 B2 B2 B2 B2 B2 B2 B2 B2 2.57 2.33 0.86 1.49
B3 B3 B3 B3 B3 B3 B3 B3 B3 B3 3.67 3.76 0.55 0.08 Legend
B4 B4 B4 B4 B4 B4 B4 B4 B4 B4 3.12 1.29 0.14 0.32 Parameter Type PT
B5 B5 B5 B5 B5 B5 B5 B5 B5 B5 4.07 3.56 2.76 1.92 Criticality level CL
B6 B6 B6 B6 B6 B6 B6 B6 B6 B6 3.68 2.30 2.42 4.15 Resilence Indicator RI
B7 B7 B7 B7 B7 B7 B7 B7 B7 B7 1.50 1.64 0.10 0.15 Vulnerability Indicator VI
C1 C1 C1 C1 C1 C1 C1 C1 C1 C1 3.79 1.43 0.79 0.95 PT VI
C2 C2 C2 C2 C2 C2 C2 C2 C2 C2 4.17 2.38 0.28 1.90 RI CL High Low
C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 4.49 4.89 2.75 4.96 High Important Essential
D1 D1 D1 D1 D1 D1 D1 D1 D1 D1 1.66 2.19 2.04 2.54 Low Critical Desirable
D2 D2 D2 D2 D2 D2 D2 D2 D2 D2 3.92 4.45 2.48 3.48 Divergent Views
198
Procedures
A1 A1 A1 A1 A1 A1 A1 A1 A1 A1 3.83 4.92 1.04 3.80
A2 A2 A2 A2 A2 A2 A2 A2 A2 A2 3.98 3.30 0.75 2.69
A3 A3 A3 A3 A3 A3 A3 A3 A3 A3 4.02 1.65 0.44 3.11
A A A A A A A A A A 4.09 2.27 1.06 2.86
A4 A4 A4 A4 A4 A4 A4 A4 A4 A4 4.21 4.96 2.32 4.94
A5 A5 A5 A5 A5 A5 A5 A5 A5 A5 2.70 2.73 1.55 1.46
A6 A6 A6 A6 A6 A6 A6 A6 A6 A6 2.20 2.11 0.54 2.26
A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 3.69 1.28 0.85 1.01
A8 A8 A8 A8 A8 A8 A8 A8 A8 A8 3.73 3.05 0.94 3.23
A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 3.47 2.51 1.25 1.61
A10 A10 A10 A10 A10 A10 A10 A10 A10 A10 3.69 2.34 0.41 1.21
A11 A11 A11 A11 A11 A11 A11 A11 A11 A11 2.57 3.37 0.61 2.25
A12 A12 A12 A12 A12 A12 A12 A12 A12 A12 3.74 2.68 0.83 1.11
B1 B1 B1 B1 B1 B1 B1 B1 B1 B1 3.38 2.58 0.56 3.77
B6 B6 B6 B6 B6 B6 B6 B6 B6 B6 3.53 0.93 1.13 0.44 Vulnerability Indicator VI
C1 C1 C1 C1 C1 C1 C1 C1 C1 C1 4.10 4.01 1.77 4.74 PT VI
D1 D1 D1 D1 D1 D1 D1 D1 D1 D1 4.05 2.45 1.01 2.34 RI CL High Low
D2 D2 D2 D2 D2 D2 D2 D2 D2 D2 3.88 1.40 1.19 1.10 High Important Essential
199
People
A1 A1 A1 A1 A1 A1 A1 A1 A1 A1 4.32 4.89 1.23 4.45
A2 A2 A2 A2 A2 A2 A2 A2 A2 A2 4.10 2.40 0.64 2.11
B1 B1 B1 B1 B1 B1 B1 B1 B1 B1 3.49 1.87 1.63 2.31
B2 B2 B2 B2 B2 B2 B2 B2 B2 B2 4.65 3.29 1.75 2.65
B3 B3 B3 B3 B3 B3 B3 B3 B3 B3 4.44 3.70 1.60 3.47
B4 B4 B4 B4 B4 B4 B4 B4 B4 B4 3.64 2.03 0.26 3.67
B5 B5 B5 B5 B5 B5 B5 B5 B5 B5 3.69 1.17 0.26 4.09
B6 B6 B6 B6 B6 B6 B6 B6 B6 B6 3.91 1.11 0.32 2.30
C1 C1 C1 C1 C1 C1 C1 C1 C1 C1 3.39 0.39 0.33 0.37 Criticality level CL
C2 C2 C2 C2 C2 C2 C2 C2 C2 C2 3.41 2.51 0.74 4.22 Resilence Indicator RI
C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 3.93 2.80 0.78 3.22 Vulnerability Indicator VI
C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 3.65 4.50 0.60 3.27 PT VI
200
Technology
A1 A1 A1 A1 A1 A1 A1 A1 A1 A1 4.11 3.71 1.63 3.45
A2 A2 A2 A2 A2 A2 A2 A2 A2 A2 4.37 2.12 1.28 2.25
A3 A3 A3 A3 A3 A3 A3 A3 A3 A3 4.24 4.80 1.58 4.48
A4 A4 A4 A4 A4 A4 A4 A4 A4 A4 1.72 2.56 2.24 2.74
A5 A5 A5 A5 A5 A5 A5 A5 A5 A5 3.87 4.97 0.43 4.56
A6 A6 A6 A6 A6 A6 A6 A6 A6 A6 3.49 4.00 0.55 4.33
A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 3.39 4.97 2.25 2.99
A8 A8 A8 A8 A8 A8 A8 A8 A8 A8 2.99 4.97 1.86 3.32
A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 2.98 4.14 0.84 2.00
A10 A10 A10 A10 A10 A10 A10 A10 A10 A10 3.40 1.57 0.16 0.79
B1 B1 B1 B1 B1 B1 B1 B1 B1 B1 4.64 4.00 0.12 3.19
B2 B2 B2 B2 B2 B2 B2 B2 B2 B2 3.93 4.00 0.15 3.75
B3 B3 B3 B3 B3 B3 B3 B3 B3 B3 4.04 4.00 0.29 3.74
B5 B5 B5 B5 B5 B5 B5 B5 B5 B5 4.15 4.00 0.11 3.83
B6 B6 B6 B6 B6 B6 B6 B6 B6 B6 3.50 2.39 0.12 4.54
B7 B7 B7 B7 B7 B7 B7 B7 B7 B7 2.64 3.48 0.16 4.13
B8 B8 B8 B8 B8 B8 B8 B8 B8 B8 3.82 4.00 0.15 4.18
C2 C2 C2 C2 C2 C2 C2 C2 C2 C2 4.54 4.00 1.49 1.90 PT VI
201
Facilities
A1 A1 A1 A1 A1 A1 A1 A1 A1 A1 0.82 3.26 0.39 2.55
A2 A2 A2 A2 A2 A2 A2 A2 A2 A2 4.03 4.97 0.38 4.56
A3 A3 A3 A3 A3 A3 A3 A3 A3 A3 3.93 4.97 0.31 2.47
B1 B1 B1 B1 B1 B1 B1 B1 B1 B1 4.08 2.77 0.05 1.36
B2 B2 B2 B2 B2 B2 B2 B2 B2 B2 2.95 4.01 0.99 3.25
C1 C1 C1 C1 C1 C1 C1 C1 C1 C1 2.83 1.61 0.24 2.88 Criticality level CL
C2 C2 C2 C2 C2 C2 C2 C2 C2 C2 1.46 4.97 0.35 4.46 Resilence Indicator RI
D1 D1 D1 D1 D1 D1 D1 D1 D1 D1 1.60 4.04 0.42 3.54 PT VI
D2 D2 D2 D2 D2 D2 D2 D2 D2 D2 2.20 4.97 0.28 3.66 RI CL High Low
202
CHAPTER 7
RESEARCH FINDINGS AND FUTURE SCOPE OF WORK
7.0 Preamble
This chapter describes the findings of research and their relationship with the
hypothesis of study. It also details the limitations of the study and future scope of
work.
7.1 Research Findings and Hypothesis Evaluation

The findings of research based on the literature survey, primary research in banks of
all categories in Mumbai and application of BCM reality check metrics (developed as
a part of this study) to small and medium banks and their relation to the hypothesis of
the study are enumerated below:
7.1.1 Deployment of technology by banks to attain continuity

It has been found that banks in India have made efforts in achieving higher level of
customer satisfaction by providing multiple innovative products and services
delivered through multiple delivery channels. Large banks in all categories public,
private and foreign have deployed current and dependable technology to achieve
higher efficiency, effectiveness and competitiveness. They have attained high degree
of automation in core banking processes and building efficient value added services
that are IT enabled on these processes. Small banks have limited portfolio as well as
delivery options making them less resilient and more vulnerable.
The IT infrastructure involving Data Centres, Servers, Storage and Backup systems
possessed by all private and foreign banks and most large public sector banks is of
high quality and reliability and kept current by deploying modern practice of efficient
data sharing, server & storage consolidation, data protection and redundancy of
hardware and network. They have secured their sensitive assets using computerized
and modern access control and security systems. Large percentages of services
offered by these banks are integrated using Internet and advanced CRM solutions. The
small and medium banks do not possess high quality and reliable IT infrastructure
that is run on modern system optimizing practices.
Foreign, private and large public sector banks have attained higher degree of
sustained business continuity. SBI displayed very high degree of continuity when
203
challenged by the catastrophic floods that submerged the city of Mumbai on July 26,
2006. The recovery efforts of the bank to bring it back to life within thirty six hours
whilst others remain crippled for almost five days, was made possible by their world
class IT infrastructure housed at Central Data Center at Belapur that is well equipped
with safety and environment control management systems supported by third party
agencies. SBI’s data centers have remote management capabilities and are organized
in a manner that they replicate each other’s data and systems, in real time and
asynchronous modes, as near and far sites and can substitute each other if one is not
functioning.
The above findings support the hypothesis - Higher the level of state-of-the-art IT
infrastructure more is the reliability of the BC practice and organizational strength,
especially for banks that support multiple products and services delivered through
multiple channels.
7.1.2 Focus on Softer Issues
7.1.2.1 Communicated BCM Policy and Procedures
Most large banks have put in place comprehensive BCM organization and have
identified vulnerability of critical processes with quantified impact. They have well
documented policy and procedures to run the operations in alternate mode that ensure
their high level of continuity. These however have not been communicated to all
stakeholders (customers, partners, support agencies, etc.) elaborately. Banks in India
therefore have experienced severe constraint in switching to alternate modes
whenever challenged.
The management of SBI attributes the success of their recovery after the Mumbai
floods to their efficient DR organization wherein the real transactions are loaded in
alternate sites regularly and the instructions to the emergency organization (Controller
and support staff) are well communicated and procedures well rehearsed. That helps
them bring into effect the alternate organization to run the data centre from alternate
locations as per specified procedure. The fine details of emergency procedures such as
layout of all emergency equipment and continuous breakdown drills, access controls
to various locations, cash lockers, availability of duplicate/alternate keys and
emergency power supply etc are communicated to all concerned. Communication
(to all concerned) and practice (by all involved) of BCM policy (organization and
people) and procedures (alternate operating processes and recovery methods) is
paramount to success of BCM implementation.
7.1.2.2 Adherence to Quality improves readiness and trust
204
The level of adherence to international quality standards (Basel II) and insurance of
IT and non-IT assets in most banks is found to be below what is practiced by banks in
advanced countries. The practice of forging collaborative relationships with trusted
partners and civic machinery in owning and managing IT infrastructure assets for
sustained and continuous high performance is almost absent. There is very little
sensitivity to issues of brand management & image that give rise to increased faith in
bank’s ability to recover during disasters.
Adherence to international quality standards in terms of infrastructure and processes
enhances image and faith of customers in bank more than it improves operational
efficiency and readiness
7.1.2.3 People readiness – A Key to Continuity

The SBI case of 26 Jul 2007 reveals that the employees displayed high sense of
belonging and shouldered responsibility during the disaster and provided continuity.
This is attributed to the rich culture of empowerment and enablement, clear definition
and communication of policy and procedures and regular job rotation, training and
interaction of employees with senior management. This ensured that employees are
aware of functioning of other departments enabling them to take up roles of those who
are absent and ensure continuity. The implementation of Core banking solution
removed load of back office processing allowing staff to focus on delivery and
support thereby enhancing service levels and more personal contact with customers.
Allocation of roles & responsibilities to key personnel in running alternate processes

is crucial to maintain higher levels of continuity during disruptions. The performance
levels of the workforce must be kept high in normal times to ensure they handle
emergency situations efficiently during disruptions. Procedure to affect “manual
workaround”, adopt “correct safety procedures” and “Incidence reporting and
logging” in the face of eventualities must be defined elaborately and communicated to
all concerned. These are found to be at staggering levels in most banks.
The above findings prove the hypothesis: The success in the implementation of BC
practices as envisaged in enhanced image and reputation of the bank depends on the
softer aspects of Operations such as employee awareness, readiness, empowerment,
culture of innovation and adaptability and Adherence to International Quality
Standards.
7.1.3 Resilience and Preparedness of Large and Small Banks
205
The application of the BCM reality check model (developed in this study) to banks in
India has given insights into the gaps that exist in otherwise seemingly comprehensive
BCM implementations. The BCM organization and practice needs to be monitored
regularly to ensure its relevance under contemporary conditions. The model serves as
a “barometer” to do a reality checks and apply corrections where necessary. The test
results of the metrics indicate that large banks are more resilient and less vulnerable.
Small banks are highly vulnerable on account of technology and facilities. Both
categories of banks are equally vulnerable from the perspective of organizational
readiness and thus merit more management definition on softer issues of customer
service and image.
The above observations prove the hypothesis – Success of BCM depends more on
softer aspects of Operations such as employee awareness, readiness, empowerment,
culture of innovation and adaptability in bank that enhances its image and reputation.
7.1.4 Resilience of Small and Medium Banks

Large banks are more vulnerable to discontinuity on account of Organizational issues
as compared to Facilities and Technology. Small banks are more vulnerable with
respect to Facilities and Technology. Large organizations are, hence, less resilient
with regard to Facilities management largely due to their size and expanse (all over
the country). Small banks operate mostly at state-level operations and have facilities
that are fairly compact which can be managed easily. the Resilience of Small banks is
higher than Large banks with regard to “Facilities” and, to a lesser extent,
“Technology”.
Large banks are more resilient on account of parameters related to Organization,

Procedure and People owing to well-established and managed systems but are less
resilient on Facilities owing to their size and scale. Small banks show a comparable
resilience on account of technology, as their infrastructure is more than adequate for
the scale and scope of their operations but are highly vulnerable on account of
Procedures, Technology and Facilities. Large banks are more vulnerable on account of
People due to volumes and expanse of operations needing more people, not the case
with Small banks that cater to localized customers. The smaller banks are more
resilient on account of Facilities owing to lesser demand (hence pressure) of volumes
and diversity of products/services offered by them. The absence of adequate
206
The small banks therefore have to organize themselves in different model to counter
disruptions, which is to get into collaborative arrangements where they do not “own”
but “use” infrastructure, people and process support from third party agencies in a
form of consortium.
This supports the hypothesis - Small banks are less resilient to meet major
disruptions as compared to large banks on account of technology and facilities due
to their inability to invest in state-of-the-art IT infrastructure and establish reliable
and communicated procedures for alternate operations.
7.2 Deliverables of the Study

This study presents two deliverables that will help managements in banks both, big
and small, to evaluate their BCM efforts, identify gaps and use the BCM framework to
augment their continuity efforts. These are briefly given below:
7.2.1 Reality Check Metrics

This framework of metrics to carry out reality check measures and evaluates
parameters in five clusters (Organization, Procedure, People, Technology and
Facilities) at four levels (Corporate, Technical, Methods/Tools and Review/Testing).
These parameters are measured for strength/preparedness (P) and
Threats/Challenges(R) on a scale of 0-5 (low - high). These are further qualified by
measuring vulnerability of threats (V) and upgradation of preparedness (T) on a scale
of 0-1 indicating low-high probability and frequency respectively.
Resilience indicator (RI)= P*T and Vulnerability Index (VI) = R*V. These two factors
indicate the levels of strength and vulnerability of the bank from BCM perspective
from each of the parameter in the clusters. The summations of these two indicators for
clusters indicate the status at the cluster level.
Resilience indicator (RI)= P*T and Vulnerability Index (VI) = R*V. These two factors
indicate the levels of strength and vulnerability of the bank from BCM perspective
207
from each of the parameter in the clusters. The summations of these two indicators for
clusters indicate the status at the cluster level.
The application of above metrics suggests following trends:

a. Issues related to Facilities and Technology is better poised to handle business
disruptions because of advances in Technology and Maturity of banking
practices.
b. More management attention will have to be focused on softer issues of service
delivery such as trust of customers, image in the industry, and participation of
all stakeholders as owners.
7.2.2 BCM Implementation Methodology

The experiences of various financial institutions and banks and the views of experts
and consultants suggest the following four elements that make BCM Plans:
Technology
Procedures
People
Facilities
Banks need to invest in BCM by creating appropriate organization and infrastructure

so as to maintain their market position, preserve confidence of customers,
governments & shareholders and prevent losses to business and liabilities towards
employees, shareholders and customer claims. All types of threats and vulnerabilities
are to be identified to reduce risk or Impact of discontinuity and keep business in
operation with minimal disruption. Successful BCM is the one that ensures
prevention of discontinuities, quick response if they occur, speedy resumption of
critical tasks, early recovery of other non-critical processes and smooth restoration to
normalcy.
BCM Implementation relies heavily on effective use of Key Personnel who are
It must ensure safety of personnel & equipment, protection of assets and minimize
confusion and uncertainty, quick rebuilding and return to normal processing and re-
establishing market share and customer Confidence. Banks must learn from the
incidence and document actions that can be taken in future.
208
Embarking on a BCM project
Formation of BCM Implementation team drawn from both the bank and
consultants and having a rich blend of functional and practice experts
Budgeting the BCM Program with provisions to provide adequate funding every
year to account for one time, annual maintenance and updating costs.
Conducting Business Impact Analysis (BIA) and related Insurance needs to
examine the threats, vulnerabilities and possibility of exposure of business to these.
Managing BCM Implementation project

Following are the steps that are suggested for carrying out BCM implementation:
Project Initiation - Supported by Senior Management drawing objectives,
enumerating budget, details of resource requirements and reporting process
Business Impact Analysis - Identify and quantifying organizational risks (financial
and operational), critical business processes and supporting equipment and systems
with prioritization of risks / vulnerabilities that are to be insured by alternative
processes and recovery schematic
Designing and Developing a BCP - A Business continuity planning framework
comprising of three sections is suggested:
Implementation - Banks must establish trained and committed teams to lead
manage and direct the organization through the crisis and provide necessary
technical, operational and administrative support to move to alternate scheme
during discontinuities and recover to normal scheme once crisis is over
Testing - BCM Plan and operating scheme needs to be tested for efficiency and
relevance from annually or after major organizational changes or an incident.
Maintenance and Updating the Plan - The BCM organization and practice must be
updated at least annually or after major organizational changes, implementation of
new systems, networks and hardware or changes in market conditions / staff levels.
7.3 Recommendations for successful BCM in Small banks

The MSRBs are less resilient and more vulnerable on issues of organization policies,
procedures and people issues. They also have humble infrastructure related to IT and
Facilities that is making them fall short on customer expectations as well as makes
209
them more vulnerable in disruptive situations. The following therefore are brief
recommendations to MSRBs to improve their resilience from continuity perspective.
Enhancing products and service delivery options by resorting to high degree of
automation.
Clear and documented roles and responsibilities to facilitate operationalize
alternate process.
Enhance awareness, preparedness and tolerance limits of employees and partners
by way of appropriate training.
Augment technology infrastructure both IT and Facilities by forming consortiums
Raise the bar in terms of performance and communicate to all stakeholders.
Foster a culture of adapting to changes and focusing on enhancing value to
customer by way of wider range of services delivered efficiently and effectively.
7.4 Limitations of the Model

The model though comprehensive has limitations that are typical of most perception
based models addressing behavioral issues. The correctness, accuracy and relevance
of responses owe a lot to the knowledge, length of service and motivation of the
respondents particularly at middle and functional levels. These limitations were
addressed by resorting to strict methodology while collating data and carrying out
analysis. The steps taken to overcome these limitations:
Increasing awareness and knowledge of respondents by conducting training
sessions and one-on-one meetings and presentations
Re-referencing the responses with the respondents whose values were divergent
from the mean value suggested by majority
Checking the value of measures with superiors in the bank and other banks
Referring summary of measures to a team of “neutral” consultants
The following are considered to be the limiting factors that must be taken into account
to enhance the strength the model before re-application.
a. Certainty about the level of knowledge of the respondents about the parameter
being surveyed needs to be ascertained by cross-referencing. The higher levels
of managements are more aware about policy and strategic aspects whilst
functional levels have better view of operational features and constraints.
210
b. The ability of respondents to provide the measure of preparedness, threats,
vulnerability and effectiveness of upgrades on a numeric scale is limited. They
need to be trained in. converting subjective knowledge to numeric
representation scale.
c. The levels of performance & success and culture prevalent in the banks in
India are diverse. This makes generalizations less accurate unless supported by
a large number of objective measures (for each response) and normalized. The
methodology adopted in this study did address this to an extent by educating
respondents about the parameters on several occasions and normalizing the
responses with the help of experts and consultants by re-referencing and
applying statistical corrections.
d. Respondents have serious reservations in sharing exact operational data with

external consultants. The trend was found to be more pronounced in private
sector banks. This aspect can be worked around by obtaining more reference
data from secondary sources (RBI publications, Gartner & Forester
communications – these are at a cost) and involving internal team that is more
“acceptable”.
e. The technology aspects for the entire infrastructure (IT & facilities) can be
ascertained more objectively by researching into operating and failure logs.
These are not shared even with internal people. Since most operations in banks
(front and back office as well as inter bank) are IT enabled “Data mining” of
operating logs that are system generated can provide valuable and reliable
information about performance and related up gradations.
7.5 Strengthening the Model

The following are suggestions to increase confidence levels of the use of the model
for the banks that are applying it while implementing/upgrading their BCM initiatives.
a. The commitment of senior management in the banks in India is a vital component

for the success of the Business Continuity Planning. This can be expressed as a
function of various parameters such as:
i. Percentage of Annual Expenditure on Business Continuity
211
ii. Number of full-time personnel assigned to BCP process formulation /
improvement
iii. Number of personnel assigned to BC implementation
iv. Number of revisions of the BCP (version no.)
v. Number of incidences of disruptions recorded and the time to recover
b. It is wise to have an emergency response plan and a crisis control plan in place.
The identification of crisis-roles and responsibilities for every center is also
crucial. The preparedness could be assessed using metrics such as:
i. Percentage of centers that an identified crisis-commanders (and maybe,
backups) came to the rescue (recovery)
ii. Frequency of test-deploying the DR plan and verification of results
c. With the exception of certain large private sector banks, which are moving
towards server virtualization, there are no practices in the Indian Banking
industry, which reduces the risk of data loss. In US and Europe, offsite data
centers or electronic vaults are quite popular (such as Iron Mountain, formerly
Arcus Data Security). One therefore needs to explore the Supply side in India as
regards intent and capability of providing comprehensive DR support. This is
happening sporadically as understood in this study.
d. The level of maturity of a BCP is clearly evident in the quantitative nature of the
process. The following attributes would be present in a good BCP. The banks can
be compared and contrasted across these attributes to obtain accurate measures
and thus more reliable solutions.
i. Identification of possible disasters (no: of disasters planned for)
ii. Quantitative assessment of Business Impact for each incident
iii. Time-frames for recovery, and test logs for drills (Testing can be explored
in detail)
iv. Minimum resource requirements for each scenario
v. Clear established guidelines for priority based in criticality and urgency
e. Communication is extremely important and crucial during an incident. Clear

communication recovery procedures and hierarchy of recovery needs to be
detailed (Which one goes up first? LAN or WAN or DC, phone lines, E-mail
212
servers etc). Putting in place “knowledge Management” practice and recording &
reviewing incidences of discontinuity can ascertain this.
f. Training and awareness is necessary for the business to be managed without a

break. This is essential to, Employees, Customers, Partners and State Agencies etc
(typically all stakeholders). Measures of numbers, frequency and type of training
can throw light on preparedness levels.
g. Information Security Management Systems (ISMS) are common in all

organizations across US and Europe and even the IT services sector in India. This
aspect needs to capture by looking into ISMS practices and system prevalent in
banks as well as the incident logs.
h. Certain metrics in the model need to be supported by more data to improve

robustness of the model looking from the Goal-Question-Metrics angle. Some of
these are:
i. Allocation of Budget for BCM
ii. Promotional Model and Brand Management
iii. Socializing, Planning and Learning from Review of Results and
Performance
iv. Rationalizing Organization – Roles and Responsibilities
v. Insurance of Equipment and Personnel
vi. Health Rules, Social Rules etc
7.6 The Future scope of Work

The model can be made more widely reusable and accurate by undertaking focused
research in future in terms of measurements of parameters, methodology of
application of model / metrics and analysis to improve usability.
7.6.1 Measurements of parameters

All parameters that are surveyed are to be supported by figures from the industry
(contemporary banks) and the target bank in terms of:
a. Operating Volumes
b. Number and Variety of products/ options.
c. Operating Budget.
213
d. Investment in technology.
e. Investment in reviews and their frequency.
f. Investment in training.
g. Investment in infrastructure and Facilities.
h. Failures and recoveries statistics.
i. Growth in volumes and variety (scale and scope).
j. Mention in media for performance
k. Number of employees
l. Retention and hiring statistics.
m. New customers added during the period.
n. Customers lost during the period.
o. Number of business partners
p. Retention and retirement of partners
q. Deficiencies in operating SLAs.
r. Incidences of security breaches.
s. Incidences of regulatory defaults.
t. Any other measure that will support the survey perception for definition of
high/low.
7.6.2 Methodology of application of model

The following methodology is suggested to be explored to enhance usability of the
model:
a. Application of model to five best performing banks in the segment
internationally.
b. Application of model to five best performing banks in the segment nationally.
c. Application of model to five moderately performing banks in the segment.
d. Generation of bench marks to ascertain limits of high and low with context.
e. Administering model to the three levels of management in the target bank.
f. Comparisons with bench marks to identify outliers (divergent)
g. On spot observations and meeting with divergent respondents.
h. Re administer model to this group of respondents.
i. Normalization of responses in focused group meeting and consultation with
third party experts.
j. Finalization of survey data to take design/ upgradations of BCM Solutions.
214
7.6.3 Analysis to improve usability
The data collected and finalized must be analyzed by resorting to:
a. Statistical Techniques to ascertain significance and variances
b. Employing Delphi technique to discuss suggested solutions.
c. Pilot testing the recommendations on selected branch/office.
d. Deliberations with three levels of management, first separately and then
collectively to evaluate recommendations.
7.7 Towards sure business continuity in banks

The BCM model and metrics when applied by banks with serious intent, higher level
of involvement of Senior Management and strong desire to become “Customer
centric” and “Globally competitive” promises dependable BCM practice and higher
level of continuity and fuel consistent economic growth.
215
ANNEXURE 1
BCM IMPLEMENTATION FRAMEWORK
1.0 BCM Paradigm
The experiences of various financial institutions and banks and the views of experts
and consultants suggest the following paradigm to plan and implement successful
BCM.
Banks have a duty to provide customers with uninterrupted access to bank accounts
especially so that people can quickly receive relief and aid provided to them by
government and other agencies in event of disaster. They must put in place BCM
plans that are comprehensive to cover all consequences and protect the bank against
any disaster / disruptions, man-made or natural, catastrophic or relatively minor. Most
banks have formal crisis management and response plans that deal with contingencies
like virus attack, natural disasters etc and over look certain trivial discontinuities like
absence of key staff. The recovery plans are of two types: one to effect immediate
recovery to cover the most critical elements of business (involves 20% of the work
force) and other to address long term perspective of recovering the business to
normalcy (involves 80% of the work force
BCM must enable banks to survive as a legal and financial entity by addressing entire
key assets that are necessary to continue operations – process, technology, people and
facilities even the best-laid plans can encounter unexpected challenges. Therefore
plans must be tested with a battery of potential scenarios with total participation of
staff. Experiences of banks in UK that tried to recover from discontinuities reveal that
the key is in execution of a well planned BCM during the face of disaster. Too much
focus on technology protection can be dysfunctional in absence of effective
development and deployment of policies and procedures to react in minimizing
damage and recovery. Senior Management with the right level of experience must
lead the BCM planning with their wholehearted support else it can reduce to a mere
corporate nuisance.
BCM Plan involves planning process that identifies core business processes that need
to be kept running to keep the business continuous together with key personnel and
technology infrastructure involved. The processes must be well defined after
collecting data from all stake holders involved in ensuring continuity and documented
preferably electronically. Banks must carry out detailed risk management assessment
by identifying critical assets and systems that need protection against all potential
threats that can interrupt operations. Once vulnerabilities are identified banks need the
216
right processes and technologies possibly with support of external agencies to ensure
business integrity. BCM Plans must be simple and regularly updated with systematic
reviews proactively to ensure they remain current and effective.
The elements that constitute an effective BCM Plan are given below and enumerated
in paragraphs 2.1 to 2.4.
Procedure
People
Technology
Facilities
1.1 Procedure
The procedures for multiple/ alternate site operations and documentation to ensure
continuity are enumerated below.
1.1.1 Backup Site and Relocation

Most businesses have plans in place to back-up essential data. And most, if not all,
have installed firewalls to prevent unauthorized access to their systems. Bleiberg
(2005) recommends that organizations must establish relationships with outsourcers
that provide disaster-recovery hot sites given the increasing vulnerability of data
centers to physical damage. Many organizations in US and Europe, particularly banks,
have changed their IT practices to ensure continuity by relocating data centers, or
moving to a more distributed data processing or storage architecture1.
Olstik (Nov 2004) in his paper has described the practice followed by Chittenden
Corporation, a bank holding company headquartered in Burlington, Vt., that replicates
data between two IBM AS/400 systems in Burlington and Brattleboro. This allows the
bank, in case of a fire or some other disaster at their Burlington headquarters, to set up
shop in a nearby BCM office in Burlington and begin replicating data from
Brattleboro. Specialized BCM service providers companies provide "hot" and "cold"
site services as an insurance policy against rare natural disasters, such as hurricanes,
floods or earthquakes. This protection is not only costly but it usually means some
degree of downtime as service providers set up and emulate corporate systems in
1
Remarks by many CIOs and CTOs in response to a survey report published in Security 2002: “Rethinking
Risk”, Published: September 16, 2002.
217
remote data centers or in tractor trailers2. Olstik (Nov 2004) says that costs and
inconveniences are the price one pays for a worst-case insurance policy.
Large companies are bringing BCM in-house to overcome the above shortcomings,
Olstik (Nov 2004) describes that,
a. Business collocation. Companies like to own their own facilities near their central
operations to increase choice of options. 3
b. Architectural flexibility. The traditional concept of a redundant BCM site is
rapidly becoming obsolete. Geographic clustering, grid computing and wide-area
Storage Area Networks (SANs) mean companies that own their BCM
infrastructure can use that equipment for everyday business processing while
maintaining protection.
c. Consideration of natural. Often times, the biggest obstacle is Mother Nature
storms, floods, and earthquakes. This restricts choices of alternate sites to locate
BCM sites.4.
1.1.2 Multiple Site Operations

Companies with large scale and wide spread operations architecture their back up and
recovery infrastructure in peer-to-peer and geographic clusters Ferguson (2002),
suggests that many companies will mirror their primary sites to a nearby local site in
some kind of load balancing configuration. A third site will be much farther away,
asynchronous, and possibly maintained by a managed service provider. Each site will
be a source for one other and a target for other, providing a round-robin sort of high
availability, while not wasting any resources on passive mirroring.5 Smith (2002),
describes AT&T’s BCM Configuration as having a backup ring architecture riding
through its offices, which enable it to recover and immediately begin processing
transactions on computers in safe locations. Quintana (2002), says "We have put a
mirroring environment within the technology constraints to architect a BCM
2
Shared infrastructure services (typical "cold" sites) may not offer enough coverage when recovery time
objectives (RTOs) and recovery point objectives (RPOs) mandate minimal downtime. Dedicated equipment
at a BCM service provider's data center (a "hot" site) can overcome that limitation, but may place the
backup systems thousands of miles from IT staff and business operations.
3
New York-based firms don't want their backup data centers in BCM facilities in Arizona or Florida but own
facilities in preferred nearby locations such as New Jersey or Brooklyn.
4
San Francisco-based companies, on the other hand, typically replicate their data to Salt Lake City or Phoenix,
rather than just across the bay to Oakland, because the two California cities sit on some of the same fault
lines that cause the area's occasional earthquakes.
5
Donald Ferguson, an enterprise storage consultant, from EMC, Hopkinton, MA, USA provided his views of
“Configurations in Future” to Smith Laura, in her article “The new face of disaster recovery”, Mar 2002.
218
configuration that ensures the proximity of storage devices so as to minimize the
wait".
Bleiberg (2005), asserts that it is pertinent that backup facilities are on different power
and communications grids than data center. To protect day-to-day operations,
organizations also should have redundant network connections, through different
service providers. Authorized employees should have access through a virtual private
network not only to E-mail, but to business applications.
1.1.3 Documentation of Technology and Procedures

Activities under the control of System Administrators must be comprehensively
documented. Details of how to connect application data to recovery servers, whether
it is in the form of a tape library or disk array, how to perform command line restores
of file systems and databases etc should be included in BCM plan. Brooks (2003)
recommends that organizations while testing BCM plans should employ someone
from, Functional group who is IT literate, yet unfamiliar with organizations storage
practices to execute the plan. This should give the organization an idea of how an
outside consultant would fare in resurrecting their applications. All procedures should
be standardized, documented and well known by the recovery team. Organizations
must ensure that recovery procedures are well known and communicated with public
documentation. Not sharing this information doesn't ensure security. All it does is to
force the operation support staff to call in the middle of the night. Having a recovery
priority list helps shift resources based on a business objective approved by upper
management, which leads to a more successful recovery effort.6
1.2 People
Most organizations while addressing the people issues to address continuity appoint
alternates to each key role. Kelly (et.al 2002) observes that almost all plans contain an
assumption that the key people identified to populate their teams will be both
available and will have the wherewithal to function to their normal capability
following the disaster event.7 When questioned about this, few have really addressed
the issue of the impact of a disaster event on the people upon whom the carefully
planned response is dependent.8 Barnes (2005), has made specific questions that need
to be asked:
6
Brooks Darryl, Best Practices, Published: Nov 2003.
7
and Strategy- “The Internet and the 21st Century Firm” April 12, 2002(WP 2003-02).
8
219
a. Will a designated team really be able to perform with the speed and efficiency
foreseen within the plan when close colleagues have been fatally injured in the
firm’s disaster?
b. What is the effect on individuals, for whom you depend in a disaster, when their
personal space and memories (trinkets, photographs and so on that many maintain
in their work-space) have been wantonly vandalized or destroyed?
c. To what extent have you assessed the risk that your employees / team members
might be affected by the same disaster scenario at home? In many scenarios their
primary concern will be to the immediate safety and welfare of their family.
d. Do crisis-management / emergency response exercises consider the impact of the

event on the stress-tolerance levels of the key decision-makers?
1.2.1 Communications Planning

Communications play vital role even more than technology in ensuring Business
Continuity. As per O’Neil (2005), in case of relocation, it is critical that the
organization have a plan in place to enable key personnel to make contact and report
their locations. In addition, all key positions should be cross-trained to help ensure
that essential skills and knowledge will be available when they are most needed. As
has been demonstrated in more recent disasters, contact "trees" utilizing telephones,
cellular phones and electronic mail will not suffice in a disaster situation when service
will likely be interrupted. Alternate methods of communication and dissemination of
critical information are required, such as two-way battery powered radios for essential
personnel, Hunt (2004).
1.2.2 Transportation
Business Continuity Plans have been generally found to be related to equipment and
software comprehensively but often does not spell out clear schemes to house the staff
during disasters. Lee (2004) feels that telecommuting, something his organization has
hesitated to use so far is considering deploying as a solution to get numbers to work
during emergency9. Ulsch, (2004) found that one backup site isn't enough. The firm
established a back up site in Western suburb of Boston 20 miles away anticipating
that employees could reach it in 30 minutes discovered that in situations of Bomb
threats post September 11, when the organization attempted alternate site operations,
it took the employees six hours to get there, because every other business around them
9
Lee, CIO, Baltimore, Maryland's tax department commented on problems faced in moving 900 employees
across its 24 offices during emergency – Security 2002: Rethinking Risk, Published: September 16, 2002.
220
was evacuating as well10. Hunt (2004) in his remark on ‘People deployment’ by banks
post Hugo Hurricane disaster observes while deploying people to backup sites at
locations such as Atlanta, Philadelphia and Norfolk resulted in sending key personnel
away from main operating location at Charleston just when they were most needed. In
some cases, lack of advance travel plans hampered these efforts. He recalls that
another organization, which experienced facilities damage, operated temporarily from
trailers brought into its parking lot.
1.2.3 Involvement
Olstik (June 2004), says “As for half-hearted support from the corner office, this is a
certain recipe for failure”. CEOs and senior management must champion the plan in a
visible way. Executives must sit in on training and highlight the BCM plan at
corporate meetings in order to maintain the role of BCM cheerleader. It is essential to
communicate the plan's importance and maintain focus. At the executive level, lines
of succession should be included in firm’s corporate charter and board of directors
meeting minutes, so that there's no question about who is empowered to make what
decisions. As per Bleiberg (2005), in the case of major disasters, one should have
access to a detailed organization chart with job descriptions for every position. An
employee file containing training levels and certifications for each employee should
accompany this. Should some personnel be unable to perform their tasks after an
event, this can be used to fill key positions quickly. Businesses can use an in-house or
outsourced call center to notify employees of immediate and ongoing status.
1.2.4 Training
Barnes (2005) insists that BCM plans should include training and drills in the
continuity plan itself. In addition to having disaster plans in place, it is critical to keep
personnel trained to carry them out effectively.11 In addition, if possible, it is
important to give people enough lead time to accomplish all of the planned disaster
preparations (Hunt, 2004). Organizations must ensure that all appropriate staff
receives training for their respective plan components. For example, if users will be
responsible for helping to move computer equipment, they should be trained how to
disconnect the computers to move them to safer locations within the buildings.
Improperly disconnecting equipment can cause damage, which can then unnecessarily
delay return to service on the desktops. Equipment remaining in vulnerable locations
risks water damage. Hunt (2004) iterates that personnel must be aware of details such
10
Ulsch, Financial Services Inc, Boston, comments on need fore more alternate sites to move people, Security
2002: Rethinking Risk, Published: September 16, 2002.
11
221
as the locations of emergency power off switches, and how to properly shut down the
fire alarm, fire suppressant and uninterruptible power supply (UPS) systems.
1.3 Technology
As per Periera (2002), the benefits to be derived from the use and adoption of
technology cannot be exaggerated. Central Banks the world over have been providing
their unstinted support to development of technological infrastructure and to IT
innovations in the banking sector. 12Technology usage, therefore, is a core component
of all future efforts of central banks to improve their deliverables and to play their
defined role more effectively. No system or institution can hope to benchmark itself
against international standards without making optimal use of technology.
1.3.1 Security
The need for enforcing security measures is getting due attention by most companies
since the levels of security breaches ire increasing (Howarth, 2004). As per a survey
ninety percent of companies experienced security breaches of some sort in the 2003
and that this threat was growing at a rate of fifty percent or more every year13.
Companies have responded to this threat by drawing both IT and business executives
into contingency planning and enforcing security procedures. As per Boulton (2005)
encryption of data is a must have practice to ensure “leak-free” storage.
Large number of banks in Europe and USA do posses’ ability to continue critical
business operations in the face of a malicious disaster. Many have tightened security
procedures, decentralized computing and storage architectures, and even relocated
data centers. The physical separation of Technology and Business provides flexibility
necessary to meet the firm's Recovery Time Objectives (RTO) in the event of an
untimely business interruption. Fucito (2004) reports that in his bank Primary
Business locations, Production and Backup Data Centers are strategically located to
protect against wide scale disruptions14. There are no simple answers to ensuring
security. "You don't just buy some software and install it. We're dealing with a
number of issues that are pretty complex—internal and external security, disaster
recovery, business continuity, crisis management, privacy and regulatory issues."15
12
Brian Periera, implementing a Business continuity plan, network magazine, issue of Aug 2002
13
Findings by Robin Bloor, of Bloor Research, USA (2003).
14
Fucito Robert, BNP Paribas, Business Continuity report (2004).
15
MacDonnell Ulsch, managing director of Janus Risk Management Inc. in Marlborough, comments in report
“Security 2002: Rethinking Risk”, Published: September 16, 2002.
222
Business continuity plans to combat cyber terrorism and system breaches need
strengthening as internet-based commerce is on the rise. Gartner study in this regard
reveals alarming trends. Pescatore says, "Our estimate is that the Internet systems of
about 65 percent of Fortune 5,000 companies are vulnerable to an attack that at least
results in a content change. Another 25 to 30 percent are vulnerable to an attack that
could cause a financially significant event that would have to be reported”.16
Battling the insider threat involves watching the behaviors among people inside the
business. Threatening actions include password misuse or theft, social engineering
and unintentional – yet damaging – security breaches by employees.17 Luft (2005)
recommends that organizations should consider a written security policy as a means to
battle the Internet as well as insider threats. A security policy puts in place an ongoing
statement of protection, detection and response. Some of issues the policy should
address are:
a. Appropriate use of the e-mail system.
b. Method to handle sensitive information.
c. Responsive actions when faced with a security incident.
d. Securing all IT systems.
e. Measures for protecting employee, customer or accounting information.
f. Appropriate use of user IDs and passwords.
g. Roles and responsibilities of administrator, users, and providers.
h. Enforcement.
The security policy should encompass all of the organization’s assets and IT systems
ensuring that all the risks against the vulnerabilities are assessed. . This will help
determine how much time and money is to be invested in various areas. The bottom
line is that small and medium-sized businesses face multiple threats to their business
that get more serious and difficult to battle each day. Luft (2005) asserts that by taking
a proactive approach to protecting and securing critical data and leveraging
appropriate technology, IT set ups can minimize the chances of losing data and
increase ability to have the business back up and running in the event of catastrophic
data loss.
16
Pescatore from Gartner , comments in report “ Security 2002: Rethinking Risk”, Published: September 16,
2002.
17
Luft David, Proactive plans thwart SMB threats, Published: 15 Jun 2005.
223
1.3.2 IT Infrastructure
Many firms that have excellent IT infrastructure in place have taken steps to minimize
risks by relocating, dispersing or distributing parts of their IT infrastructure, such as
servers and storage. All furnishings and equipment in a facility are important to
business resumption and should be protected. Hunt (2004) sharing his observation
states that use of custom plastic covers for the mainframe equipment, servers and
peripherals in were a key element in preventing water damage to the equipment, so
the military center at Charleston and enabled quick resumption of operations when
US was struck by Hurricane Hugo on September 21, 1989.
Disaster Recovery Planning (DRP) experts are of the opinion that older methods for
DRP, based on mainframe recovery, have become too cost prohibitive in distributed
systems environments. As per Smith (2002) N-tier client-server systems and
burgeoning networked storage topologies have introduced newer challenges that can
be met only with considerable technical expertise. BCM must be proactive. Toigo
(2004) enumerates, "Planners can't simply wait to be dealt a hand of cards. They need
to get involved in actual systems development and ask questions about the impact of
this or that middleware choice (for example) on the recoverability of the application
in a disaster. Most system developers, when asked why they didn't design
recoverability into their application, say no one asked them to."18
Oltsik (2004) observes certain BCM plans are at too high a level and suffer from a
lack of granularity. These plans define which systems need protection but do not dive
down into the equipment level protection steps. The data storage platforms should be
so selected as to ensure ‘data portability’ i.e. to facilitate restoration of data to
identical equipment at a recovery facility or an alternate storage platform if necessary.
This is significant in terms of recovery plan expense and timeframe. As per Smith
(2002) storage managers, who are a part of the BCM team, are to ascertain which
storage technologies are appropriate for protecting which applications and data. They
are to consider cost difference between mirroring to a remote hot site and sending
tapes off-site is orders of magnitude, balanced against the time-to-restore differential
of minutes to days.
Staimer (2005) feels that the key to cost-effective BCM is first placing a value on the
data and understanding how the data's value changes over time and then matching
18
William Toigo, a BCMP consultant commented on TV program Lesson of Hurricane Hugo on May 8, 2004 at
6:00 AM on ECT News Network.
224
various data protection technologies to that value. A cost-effective BCM strategy
requires a mix of BCM applications running on several platforms. Managing cost and
effectiveness requires matching the value of the data to specific BCM capabilities.
This mix-and-match approach will reduce overall BCM cost while meeting the
organization's needs. 19 This process must be repeated periodically to re-evaluate new
technologies, products, (Service Level Agreement) SLA requirements and compliance
regulations.
It is important to pick right choices presented by the telecommunications (Telco)

infrastructure providers. Olstik (Nov 2004) emphasizes that it is obvious that existing
data centers should be connected, but if there is no fiber infrastructure in place,
network construction costs alone could run into the nine-figure territory. Given this
restriction, it's best to start by examining the existing Telco infrastructure and related
real-estate options. 20 The make-or-buy decision comes down to two essential factors:
(i) How many internal people can an organization afford to dedicate to BCM planning
and implementation? (ii) How much money will really be saved by going outside? As
per Ambrosio (2001), “If yours is a small IT group, it might be worth it to pay an
outside consultancy to come in and set up your BCM plan, policies and procedures
and then train your internal folks to handle things from there”.
1.3.3 Information and Data Backup

BCM plans must ascertain the limit of ‘acceptable data loss’ both from business and
technology perspective. Olstik (Nov 2004) feels that, if a company needs to mirror
transactions with minimal data loss, it must use synchronous replication tools
generally provided by various disk drive manufacturers like IBM. Less-restrictive
data loss requirements widen the field to a potpourri of asynchronous options from
software companies like Veritas. BCM planners, while developing a data protection
schemes need to address issues related to technology options of ‘manual’ or
‘automatic’ backup and restore systems.
Luft (2005) has suggested following steps that are to be taken to determine ‘data
protection scheme’21 :
a. Decide what you need to back up. Ask yourself, "What can we afford to lose?"
19
Staimer Marc, Data determines the right disaster recovery, Issue: Jan 2005.
20
Oltsik Jon, Hot Spots, Issue: Nov 2004.
21
Luft David, suggested a framework in his paper, Proactive plans thwart SMB threats, Published: 15 Jun 2005
225
The key here is to get high-level buy-in from around the corporation, so that the
IT group isn't guessing about what's important Ambrosio (2001).
b. Know your data environment. Then determine where that data is located in your
IT system. How often does it need to be backed up? How often is it retrieved or
restored?
Organizations have to look at their application base and determine the effort and
money to be put in for shoring up most critical resources firs and in such a way
that doesn't disrupt everyday operations, As per Gruener (2001) 22, "Different data
have different performance requirements. One therefore needs to assess what all
this will mean to existing storage devices, networks and applications if you start
mirroring applications or doing hot backups”. Ambrosio (2001) suggest the
technologies that can be choose: Data mirroring (taking a copy of the data as it is
created in real-time, such as with Redundant Array of Inexpensive Disks [RAID]);
Hot backup (copying real-time data and storing it on a server at a different
facility); taking a Snapshot at intervals of every five minutes, every hour, or every
24 hours.
c. Document backup policies and procedures. Validate the integrity of the backups.
Make sure they are complete and that you haven't backed up viruses or other
malware. Also be sure they can be successfully restored.
The issue here can be the time it takes to actually recover the data. Storage-area
networks are wonderful tools for storing information, but they can be less efficient
at actually finding the stored data.
d. Keep backups in a safe place. This is typically done by storing them offsite in a
secure location.
e. Routinely check your backup plan to ensure it is current and has evolved with the
business.
f. At the end of the backup lifecycle, be sure it is destroyed completely so that the
data cannot be retrieved by an unauthorized person.
g. One huge lesson from the WTC disaster is that people also kept critical
information on their desktops - regardless of whether or not the company
mandated that such information should be stored on a network drive. Solutions to
this problem in the past have been a nightmare: lost diskettes and negligent
backups.
22
Jamie Gruener’s, (an analyst at the Yankee Group in Boston) comment in the article ‘Disaster recovery: Know
what you really need’ by Ambrosio Johanna, October 25, 2001.
226
1.3.4 Data Protection Technologies
1.3.4.1 Tape
These have been the most widely used devices for bulk data storage as a primary back
up. Smith (2002) observes that the role of tapes is being reexamined post September
11 incidence. This is mainly due to the problem of transporting and reading tapes
written on older drives while effecting recovery. However as per Scott (2002) the
need for tape won't disappear because of the potential for corruption or sabotage while
organizations’ attempt recovery of their data with mirroring.23
1.3.4.2 Electronic Vaulting

In looking for a faster restore time than off-site tape can provide, electronic vaulting is
another option. Large Financial Institutions in US are able to effect full back up of
large number of servers at reasonable cost. The biggest advantage to electronic
vaulting is that it automates the backup procedure, and that can be a big plus outside
of the data center. Smith (2002), recommends large arrays of inexpensive IDE disks
that businesses can use for primary backup. These are about four to five times costlier
than tape, but cheaper than RAID. Most companies use a mix of tape, disk, electronic
backup, and consulting services. Sun Life Assurance, an insurance and financial
services company in Wellesley Hills, MA, uses a multifaceted backup approach.
According to Mulcahy (2002), Sun Life has contracts with Iron Mountain and
Amerivault, and a hot site at Comdisco in Tewksbury, MA which provide multi-
faceted backups with a very degree liability in conjunction with their main sight in
Wellesley Hills vaulting about three-quarters of a terabyte of data. 24
1.3.4.3 Remote mirroring

Remote mirroring provides data accessibility protection for an application using
physically separate locations. While similar to mirroring within a RAID array, remote
mirroring takes place over Metropolitan Area Network (MAN) or Wide Area
Network (WAN) distances. It's usually between storage arrays or storage appliances,
and can be synchronous or asynchronous. As per Oltsick (Nov.2004), Synchronous
remote mirroring is the highest possible level for BCM RPO (Recovery plan
23
Scott (Gartner) sharing his experience with Smith Laura in her article “The new face of disaster recovery”,
Published: Mar 2002
24
Bill Mulcahy, assistant vice president of Systems, Sun Life Assurance explained the structure of electronic
vaulting deployed by his company to Smith Laura in her article “The new face of disaster recovery”,
Published: Mar 2002
227
objective) and RTO (Recovery Time objective). The RPO is "zero" lost data, and the
RTO is typically seconds to minutes. Asynchronous remote mirroring is a "store-and-
forward" technique that reduces I/Os and wait delays, allowing remote writes to fall
behind the local writes. This means the RPO for lost data can range from seconds to
minutes, and even hours in some cases. Asynchronous remote mirroring is most often
utilized when the remote site is a long distance from the local site.
The primary advantage of both synchronous and asynchronous remote mirroring is

the minimal (asynchronous) to zero (synchronous) risk exposure in losing data during
a disaster. A secondary advantage is the potential for quick data recovery when a
disaster occurs. However, remote mirroring applications are often pricey, the
equipment is usually expensive, and it typically requires at least twice the primary
disk space and sometimes much more. However, when the lowest possible RPO and
RTO are the requirement, remote mirroring is the answer.
Another disadvantage is that remote mirroring doesn't prevent a rolling disaster, data
damage, corruption or accidental deletion. If data is corrupted, damaged or deleted at
the primary site, it will also be at the BCM site. Less-expensive alternatives to remote
mirroring can also provide the lowest possible RPO and RTO. They're generally
Continuous Data Protection (CDP) products and include time-based continuous
snapshots, automated backup, replication of changed data and automated,
generational-change distributed backup. They offer a lower TCO (total cost of
ownership) than remote mirroring, support heterogeneous storage and provide better
rollback capabilities. But they usually require installing and managing agents.
1.3.4.4 Backup software

Backup applications copy primary stored data directly from the application server and
move it over TCP/IP networks to a local backup server or remote BCM backup
server. The server then writes the copied data to disk or tape. RPO is the window
between backups or incremental backups. RTO is minimally hours, but usually days
to weeks. While backup is the primary BCM application deployed in most IT
organizations, it also has the highest failure rate attributed to user error, bandwidth
issues, throughput issues, tape issues and even application server availability
requirements.
228
As per Olstick (Nov. 2004), the two key disadvantages of backup are that its RPO and
RTO are usually quite high, and backup is a local process. Data consistency and
usability--the ability to use the backed up data without modification, reordering or re-
creation--may also be a problem. Backup programs require server-based agents and
backup costs escalate sharply as the environment scales and grows more complex.
However backup products are evolving and improving. Virtual tape, disk-to-disk-to-
tape (D2D2T) and massive array of idle disks (MAID) technologies speed backups
and recovery times. New types of backup software, such as content-addressable
storage (CAS), reduce the amount of data required to back up by sending only
changed data and meta tags about data, there by significantly reducing recovery times
and dramatically increases recovered data usability.
1.3.4.5 Replication
Replication software replicates data from server to server synchronously and
asynchronously. There are incremental and CDP modes. Replicated data travels over
TCP/IP networks to a remote server's disk, and then a backup client is needed to move
the data to a storage device. RPO for replication is similar to the RPO for storage
array remote mirroring, depending on whether it's synchronous or asynchronous. RTO
can be a little faster because the BCM application servers are already collocated with
the BCM storage. According to Olstick (Nov.2004), Replication software is easy to
install & operate and it can run locally & distributed. One important benefit to
replication is data migration. However, Replication software can't prevent damaged
data from being replicated.
1.3.4.6 Snapshot
A snapshot provides a point-in-time reference marker to data stored on a storage
system. Snapshots are a way to speed RTOs. There are two primary types of
snapshots: copy-on-write and split-mirror. As per Olstick (Nov.2004), a copy-on-
write snapshot stores changes and additions to existing data, which ensures rapid
recovery. A split-mirrored snapshot references all the data on a set of mirrored drives
where one is local and the other is local or remote. Each time the snapshot is run, it
snaps the entire volume, not just new or updated data. Snapshot is easy to install and
operate. A copy-on-write snapshot provides a short RTO and a relatively slow RPO
(data must still be recovered before it can be used). Split-mirror snapshots have a
relatively long RPO, but they speed data recovery (RTO), duplication and data
229
archival. One important benefit to split-mirror snapshots is that it's possible to access
data offline for tasks such as data mining and offline production data testing.
1.3.5 BCM Hardware Platforms

Olstik (Nov 2004) and Ambrosio (2001) have identified four principal hardware
delivery platforms deployed to effect BCM infrastructure: Storage array, General-
purpose server, Purpose-built storage appliance and Intelligent storage-networking
switch.
1.3.5.1 Storage Array

This is a purpose-built storage server for block or file-based storage. Many storage
vendors provide optional storage array BCM software, which includes synchronous
and asynchronous remote mirroring and snapshot. These software products are
typically specific to the individual vendor and its storage offerings. Storage array-
based software usually doesn't require application server agents. The arrays are server
operating system-agnostic and the BCM applications run fast. They are also installed
in thousands of locations, and are proven and mature. However, the array BCM
applications don't work with heterogeneous storage. In general, they don't have file-
level or application awareness. In certain applications the throughput has been found
to decline while BCM applications are running (Olstik, Nov 2004). Storage array
BCM applications have some of the highest Total Cost of Ownership (TCO) and, in
some cases, consume more raw storage than non-array based alternatives.
1.3.5.2 General-purpose servers

These have very low acquisition costs and low TCO. Implementing, servicing and
managing them are known quantities. Performance is tunable and BCM application
performance leverages ongoing improvements in server technology. Increasing
performance or scalability may be as simple as buying the next-larger server, and
more memory and processing power. Other advantages include support for
heterogeneous storage, and application and file-system awareness. General-purpose
servers require BCM application agents (Olstik, Nov 2004).
230
1.3.5.3 Purpose-built Storage Appliance
As per Olstik (Nov 2004) this is nothing more than a BCM application optimized
server and can be viewed as a networked storage controller. It leverages technologies
specifically optimized for storage BCM applications. Optimization includes I/O
performance, throughput, scalability and high availability (no single point of failure).
TCO is definitely lower than for the storage array or intelligent server, but these are
mostly proprietary. They may also have higher initial acquisition costs and may not
keep up with server technology advances.
1.3.5.4 Intelligent Storage Networking Switch

This is a relatively new BCM delivery platform. The storage area network (SAN)
switch is the ideal system to provide BCM applications because it sits between
application servers and their target storage, and it also has visibility into all servers
and storage targets. There are two principle types of intelligent storage-network
switches. The first essentially integrates the purpose-built storage appliance as a
server blade into a Fibre Channel SAN switch or director. The second packages it as a
storage software delivery platform that just happens to use switching as part of its
architecture. It leverages a new technology called Split Path Acceleration of
Independent Data Streams (SPAID) that improves performance by separating the
control path (the slow path) from the data path (the fast path). It enables out-of-band
virtualization without requiring server agents and runs most BCM software
applications without any changes. Initial costs and TCO will probably be much higher
than for non-integrated systems. Olstik (Nov 2004) believes that no other platform has
the BCM application performance potential of the SPAID intelligent storage
networking switch. SPAID switches have an inherently higher level of reliability,
availability and serviceability than storage appliances.
1.4 Facilities
Two aspects of facilities namely Space and Power are described in succeeding
paragraphs.
1.4.1 Redundant physical space
The business-continuity plans of many enterprises deal with physical facility
protection as just that protection. Bleiberg (2005) asserts that a state-of-the-art plan,
however, should include having agreements in place for occupying other locations
from which business can be conducted for an extended period of time. The plans must
include agreements with disaster recovery service providers that are contracted to
231
provide emergency desk space. Despite some prearrangement with providers, the
events of Sept. 11 brought about some unique difficulties for all parties. Shore (2002)
explains that although a company may hold an individual contract with a service
provider, the emergency space promised in the agreement is usually shared with other
companies. Disaster recovery service providers base their plans on the probability that
multiple clients will not invoke their agreements at the same time for the same
space—an unforeseen issue in the case of the New York City events. While the client
organization is busy restoring business as usual, the disaster recovery service provider
is left with as many as six other clients who share that same disaster recovery space
and cannot invoke that space if necessary25. This leaves the disaster recovery service
suppliers looking for alternate space as well, possibly competing with their clients to
find suitable housing.
Shore (2002) further observes that usually service providers predict an expected
duration of occupancy following an invocation. The typical expectation is that
recovery from the incident will occur within days, or at worst, within two to three
weeks. This was clearly not enough time for the organizations affected by the events
of September 11. Organizations are contemplating arrangements with disaster
recovery providers for longer term and also proceed with acquisition of alternate
premises (possibly a move to another location within the same organization) to allow
the full complement of staff to resume normal work.
The investment-banking sector has a huge investment in BCM planning for obvious
reasons. Having dealers and traders out of commission for just a few minutes can
mean millions in lost deals or trades. As per Shore (2002) even in this high-stakes
business sector, the development of business continuity plans is still in a state of
infancy. Despite the size of the potential losses, typical disaster recovery plans only
provide sufficient facilities for about 20 percent of the headcount to allow
dealers/traders to close positions as quickly as possible 26. The planning assumption is
that, in most situations, normal service to the primary office environment will be
quickly restored.
A major factor in the decision to provide only limited recovery facilities is the cost of
having “redundant” office space ready to use just in case of an incident. This is
25
Shore Dave, “Sept. 11 teaches real lessons in disaster recovery and business continuity planning”, May 17,
2002.
26
Shore Dave, Web-based solutions can ensure business continuity, 20 May 2002
232
especially true in the investment-banking environment. Here, the technology piped to
the desks of the dealers/traders is always utilizing the latest technology and is
complex to set up. To replicate this in a BCM site is equally expensive and
complicated, especially when the temporary site has to be maintained to the same
level as the real work environment. Providing desk space with a workstation at a
BCM site for a dealer/trader position is typically three times more expensive than an
ordinary office desk utilizing general office systems. Shore (2002) believes that the
extra cost of BCM sites can be offset somewhat with new products that exploit
Internet capabilities. If dealers and traders could access the exact same information
through the Internet as they can at their work location, they could conceivably work
from anywhere, even from home.
Shore (2002) suggests that internet based solution provided to staff / partners on their
desktops would have possibly allowed them to continue working from home locations
in the weeks and months after the disaster of September 11. The disaster recovery site
itself would have needed only to implement a new server and install the firm’s
analytics and models created with the software. For IT staff says Shore (2002), this
would mean that they would have to maintain only the server systems and would not
have to connect all the data feeds to each dealer/trader desktop. For disaster recovery
planners, all that remained would be to keep the backup server up to date and ready
for action. This Web-based approach could be the answer to providing a quicker,
cheaper solution for disaster recovery and business continuity planners.
1.4.2 Commercial Power

The critical importance of availability of electrical power as prime factor in ensuring
business continuity has been amply established going by the experiences of banks in
North America. As per Bruno (2005), one of the most severe problems businesses
faced in post-Katrina/ Isabel like disasters was the lack of commercial power27. Only
a few enterprises had backup generator systems at the time and the building supplies
distributor had to bring in a generator from different city which took almost thirty six
hours to arrive in.Hunt (2004) recalling his experience post Hugo hurricane disater
reinforces the importance of a fallback power-generating capability as part of a
business resumption plan. Consumers interests can be best served when banks provide
them undisrupted service despite large scale contingencies that disrupt power. 28
27
Bruno-Britz Maria, Banking System Defiant in Katrina's Aftermath, September 13, 2005.
28
Hunt Hal, commented on “Lesson of Hurricane Hugo” on ECT News Network, at 6:00 AM on May 08, 2004
233
1.5 BCM Implementation Methodology
Business Continuity Management includes all of the functions needed to develop, test
and maintain a Business Continuity Plan and the skills and techniques employed in a
crisis situation to effectively execute the BCP as a strategic tool in the Recovery
Process (Karakasidis, 1997). A framework, based on literature survey is provided in
the succeeding paragraphs.
1.5.1 BCM Deliverables

Mawson (2003) highlights the essentials for a successful BCM Implementation and
demands effectiveness of certain critical deliverables prior to, during and after an
incident.
a. Prior to an Incident
i. Effective use of Key Personnel – empowered and motivated individuals.
ii. Documentation – to ensure enhanced understanding of business processes and
awareness of interdependencies between Departments and with outside
agencies
iii. Identification of Threats and Vulnerabilities – Types of Incidents and their
possible sources of Incidents.
iv. Reduce Risk or Impact of an Exposure
b. During an Incident
i. Keep business in Operation with minimal disruption
ii. Ensure safety of Personnel and Equipment
iii. Protect Assets
Reputation
Financial
Inventory
Knowledge
iv. Minimize confusion and uncertainty – There must be clear decision-making
authority taking correct leadership posture. The Communications both inter
and intra units must be crisp and unambiguous.
c. Following an Incident
i. Rebuild and return to normal processing
ii. Re-establish Market share and Customer Confidence
iii. Learn from the incidence and document for future.
234
In many instances, the secret behind a successful BCP program is not the quality of
the program itself, it is knowing your needs and providing the leadership and
coordination to make the plan a reality29.
1.5.2 Preparing to implement a BCM

Howarth (2004) finds that most banks in UK are ill prepared to deal with crises
caused by physical or electronic disasters. Many of them had a business continuity
plan in place, only just over one-third of those had suffered an IT disaster over the last
five years. Only 50% of them used the measures that they had put in place in the
business continuity plan to solve the problem.30 The inability to execute well-planned
BCM impacts most organizations that have structured BCM Practice implemented.
a. BCM Implementation Team - Composition and Skills
b. Budgeting the BCM Program
c. Risk Identification
1.5.2.1 BCM Team

Gallagher (2002) recommends that the team undertaking designing and
implementation of BCM have to be drawn from both the bank and consultants and
must have a rich blend of functional and practice experts.
a. BCM Project Leader: The project leader has to be one who can work with
people, Understand, Motivate, and direct them. He should enjoy the confidence of
senior management and have good awareness of Corporate Priorities. He/She
must be at an appropriate level in the Organization having ability to influence
decisions.
b. Team Members: The members ought to know their business especially the area
they work in. It is desirable, however, to get people that also know how the
various departments interact and how the business processes flow within and
externally to the bank (Karakasidis, 1997).
29
Disaster Recovery Journal (Volume 15, No.3, Summer 2002).
30
235
1.5.2.2 Budgeting the BCM Program
Gondek (2002) opines that a BCM program is a dynamic and valuable investment for
an organization31. Provisions have to be made to provide adequate funding every
year to account for one time, annual maintenance and updating costs. The Table A1.1
below gives an indicative list of costs that need to be considered while working out a
business continuity plan32. This needs to be adapted for the existing environment
(organizational and technical) of the target bank. One must watch for low initial cost
but extra ordinary annual costs. Nearly every tool has hidden costs such as
maintenance, storage, backups, technical assistance etc
Table A1.1 Budgeting for a Business Continuity Management Project

Courtesy: Henry Bellwood Consulting, Canada, 2002
Budgeting for a Business Continuity Management Project
One Annual /
Cost
Item Time Periodic
Description
Cost Cost
Workspace for team
Team Member Time
Software Tools and Licensing

Project
Initiation Cost
Hardware
Education and Training (Team)
Consulting Costs
Business Information Gathering (Survey)

Impact
Analysis Meeting with key Personnel
Design and Alternate Response Evaluations
31
Richard Gondek, (Internetworking Practice Lead, Greenwich Technology Partners) Journal of Business
Strategy, Aug 2002.
32 Courtesy: Henry Bellwood Consulting, Canada, 2002
236
Budgeting for a Business Continuity Management Project
One Annual /
Cost
Item Time Periodic
Description
Cost Cost
Development Communication Systems
Training of Business Unit Representatives
Legal Costs
Costs to develop plan
Preparation and Stocking of EOC
Printing Costs
Distribution
Hot Site Costs
Implementation Costs for offsite Backup of data
Costs for offsite Backup of Documentation
Alternative Delivery Channel Costs
Alternate Communication Costs
Movement of Personnel and Cash Costs
Annual Hot Sites Tests
Testing Periodic Tests
Delivery of Data
External Audit Review

Maintenance
Annual Review by Business Unit Reps
and Updating
Annual Compilation of Changes
237
Gallagher (2003) emphasizes that the issue of ownership of implementation of BCM
is paramount. The study of various banks suggests, particularly in present times when
business risk is being carried by the functional units that the ownership must rest with
business units. Accordingly, the funding has to be supplied in appropriate proportions
both from Corporate and departmental budgets
1.5.2.3 Risk Identification

The team must possess (develop/ source) ability to identify risks, which is a critical
source of Business Impact Analysis (BIA) and related Insurance needs. They need to
examine the threats, vulnerabilities and possibility of exposure of business to these. A
model to carry out risk assessment is suggested in Figure A1.1
Figure A1. 1 : Risk Management Model

(Courtesy: Henry Bellwood Consulting, Canada, 2002.)
Mawson (2003) identifies some examples of Risks that are possible sources of
business interruptions include – Water Leakage, Flooding, Storms, Communications
and Utility failures, Natural Events – earthquakes, Fire, Viruses, Employee Error
238
etc33. Some risks are hidden and not as obvious – Corporate Culture, Push for delivery
before quality, Poor morale, Fraudulent activity, Poor controls, Tendency to hide
errors etc.
1.6 Managing BCM Implementation project

The steps to implement BCM suggested, mostly based on the recommendations of
Herbane (et al 1997), Karakasidis (1997) and Kevin34 (2003), are listed below and
enumerated in succeeding paragraphs.
Project Initiation
Business Impact Analysis
Designing and Developing a BCP
Implementation
Testing
Maintenance and Updating the Plan
1.6.1 Project Initiation

A BCM project is an enterprise wide initiative and hence all areas (Banking,
Administrative, Technical) should be considered. Traditionally 30% (non-banking)
and 60% banking processes (delivery units) of an organization requires a detailed
recovery plan and most areas may not need an extensive BCM. BCM efforts are to be
driven by the respective business units, being the owners and accordingly the team
must do the best to discover the interrelationships between the core department and
other units in bank (Herbane et al, 1997). The plan has to include all resources: time,
people, budget, equipment, software etc.
1.6.1.1 Mission Statement

Karakasidis (1997) suggests that the BCM project team ought to prepare a mission
statement that outlines organizational objectives and Management Priorities in
relation to achieving business continuity preparedness35. It also enumerates the
authority vested on the BCP Team to gather information from all functionaries.
33
Thomas Mawson, Executive Director, DRI international, Virginia, Risk evaluation & Control, Security
Magazine, May 2003.
34
Miller Kevin, consultant, Stroh Consulting Services, July 2003.
35 Kon Karakasidis, (KPMG Information Technology Consulting Division, Melbourne, Australia) A project
planning process for business continuity, Information Management & Computer Security, Vol. 5 , No. 2,
Aug 1997.
239
1.6.1.2 Senior Management Support
Rodetis (1999) emphasizes that the success of any organization wide intervention
such as BCM depends largely on the support of Senior Management who must take
visible actions to make it known. This is to be done by appointing a Project Sponsor
who is “Director Level” executive36. Appropriate announcement letter must follow
this to the entire organization, declaring the importance of BCM Project and soliciting
support of all units of the bank to assist BCP team in their endeavor.
1.6.1.3 Planning / Steering Committee

A steering committee must be appointed to oversee the Project Plan and enforce
timelines, deliverables & budget compliance, emphasizes Karakasidis (1997). It must
review assumptions of the project for relevancy and current ness and ensure that
BCM team receives from all departments.
1.6.1.4 Project Planning

The BCM team is to develop a BCM Project Plan and prepare Project Budget
enumerating details of resource requirements. MacSweeny (2003) advises use of
established project management techniques to set clear timelines, control points and
monitoring scheme. The project must cater to having regular reviews of progress and
documentation of all activities, responsibilities and assumptions.
1.6.1.5 Reporting Process for Executive Mgmt

Karakasidis (1997) recommends that there must be regular reporting to Senior
Management to ensure correct and timely completion of project besides obtaining
guidance for course corrections. The Regular reports are to include - Deliverables to
date, Test results, Actual incidents investigated, Lessons learned, Costs incurred and
projected savings, Level of cooperation received, Additional requirements etc.
1.6.2 Risk Management
1.6.2.1 Calculating Risks

The third step in the BCM process is a detailed risk management assessment so that
the financial resources spent in protecting the most critical corporate assets are
adequate and justified.
36
Susan Rodetis, Can your business survive the unexpected, Journal of Accountancy, Feb 1999.
240
In the risk assessment phase organizations must identify critical assets that need
protection and also uncover all of the potential threats that could interrupt operations.
Both of these assignments can become problematic, as it may be difficult determining
which threat is real and which is a stretch. As per Olstick (2004), "Organizations used
to be worried about natural disasters but now they are more concerned about business
interruptions from things like Internet worms, terrorist attacks or cyber terrorism. One
needs to be comprehensive, but this creates a long list of potential problems."
O’Neill (2005) recommends that the board of directors need to have an active role in
the BCM process to determine what needs protection and what doesn't. The BCM
plan should start with some assumptions about which systems will need protection
and any changes or compromises that must be made after this should be viewed as a
business (not an IT) decision.
1.6.2.2 Threat Mitigation

Once vulnerabilities are identified, enterprise needs the right processes and
technologies to ensure business integrity. The likelihood of each threat to each system
must be defined precisely. For example, an Internet-facing e-commerce system is far
more likely to be hacked then a finance system on its own subnet. Olstick (2004)
recommends that assistance from professional services, rather than technology
vendors must be sought in assessing the likelihood of each threat that are unknown.
Mawson (2003) explains that BIA involves identification of risks (vulnerabilities) and
their impact on the organization. Since BIA is a subjective risk assessment the results
are as good as the information gathered and the information is as good as the people
involved. This therefore requires use of multiple instruments of data gathering namely
Surveys, Questionnaires, Workshops and Interviews. Snow (2003) recommends that,
while undertaking survey the questions have to be customized to the level of the
sample and documentation needs to be “intelligent” to draw correct results 37.It is
recommended that automated tools are used as they provide standardization,
completeness and tried and proven methodologies. The disadvantages of using tools
is the costs involved in purchase and training and that they could be cumbersome,
complex or too boilerplate and may only support one recovery alternative.
37
Snow David, Senior Consultant , Stroh Consulting Services, July 2003, http/www. Stroh.systems.com
241
1.6.3 Business Impact Analysis (BIA)
1.6.3.1 BIA Objectives

The objectives of BIA are to identify and quantify organizational risks and critical
business processes. The risks / vulnerabilities need to be, prioritized and then insured
by of alternatives and recovery schematic (Rodetis, 1997). Identifying organizational
risks involves:
a. Understanding of Organizational Structure
b. Singling out points of failure
c. Find out processes that have undue reliance on technology / vendor
d. Understanding of location and utilization of building / infrastructure
e. Feel of the culture prevalent in the organization as regards preparedness for
continuity
f. Find out awareness of employees (Is there a cross training of staff?).
1.6.3.2 Critical Business Processes

Mawson (2003) recommends that identification of Critical Business Processes is to
include obtaining detailed knowledge about:
a. Core business functions
b. Primary supporting systems
c. Equipment (banking and infrastructure)
d. Software (Applications and systems software)
e. Hardware (Servers, Front-ends, automation gadgets linked to computer system)
f. Key personnel (Banking transactions, IS support and facilities management)
g. Maximum Allowable Downtime (MAD) - also called Maximum Tolerable
Downtime (MTD)
1.6.3.3 Impact Analysis

Having identified the critical processes their impact on business are to quantified and
qualified. Mawson (2003) summarizes impacts as follows:
a. Financial impacts
The following are the financial impacts of disruptions.
i. Loss of banking transactions
ii. Loss of income (receipts)
242
iii. Delayed Income (transfers)
iv. Additional Expenditures
Rental of temporary premises/equipment
Moving equipment, cash, people
Media reconstruction
b. Operational Impacts
The following are the operational impacts of disruptions
i. Reputation, Negative public image
ii. Loss of shareholders confidence
iii. Impact on Customers
iv. Impact on other departments
v. Complexity of Systems – is a partial recovery possible?
Can a manual workaround be set up?
How long can the workaround be used?
vi. Voice and Data Communications requirements
Is email more important than telephone?
The gravity of impact can be ascertained by answering the question “When is a

Disaster Over?” (Herbane et al, 1997). The disaster / discontinuity takes time to
disappear and it recedes in steps, reducing the impact each time. Following are
the stages, from recovery time perspective i.e. impacts that take longer to
dissolve, Business recommenced
i. Impact on personnel is over
ii. Financial impact is over
iii. Regained what was lost in terms of research
iv. Regained Market Share
v. Got over legal liabilities
1.6.3.4 Key Steps involved in conducting Business Impact Analysis

Karakasidis (1997) enlists the following steps to conduct business impact analysis in
banks:
a. Define the assumptions and scope of the project ( HO, branch, delivery units,
products, service etc )
b. Develop a survey (all levels) to gather the needed information
c. Identify survey recipients and provide needed education
243
d. Distribute the survey and / or conduct interviews / observations. Note v/ collect
the readings / responses.
e. Conduct follow up survey / interviews where needed
f. Modify survey responses based on interviews / follow ups
g. Analyze survey data
h. Verify results with business / service unit management
i. Prepare a report – present findings to management
1.7 Designing and developing a BCP

The steps recommended undertaking designing and developing activity of a BCM
Plan for a bank are enumerated in the following paragraphs.
1.7.1 Objectives of BCM plan

Gallagher (2003) recommends that the business continuity strategy must be in line
with organizational strategy and consistent with agreed business objectives and
priorities. The plan must be feasible, realistic and workable and should be able to
effectively counteract interruptions to business activities and to protect critical
business processes from the effects of major failures or disasters. People will not
support a plan, especially senior management, if they do not believe in it and
therefore, the plan must have management approval and bank employees “buy in”
(Miller, 2003). The plan’s objective must include:
a. Minimize interruptions to banking operations / services at all delivery channels
b. Resume critical operations within a specified time after the discontinuity /
disaster
c. Minimize financial losses
d. Assure customers / collaborative business partners that their interests are
protected
e. Limit the severity of the disruption
f. Expedite the restoration process
g. Maintain a positive public image of the operation / service
h. Establish awareness so that management and staff understand the implication of
disruptions / disasters
244
1.7.2 Assumptions of BCM plan defined
Gondek (2002) recommends that the following assumptions should be defined prior
to developing the plan:
a. The bank’s business / service goals and objectives in terms of level, speed and
type of operations.
b. The bank’s policy on maintaining service / operations continually
c. Service / operation interruption scenarios that pertain to each functional area /
location
d. Definition of “minor interruption” and “major disaster” in terms of service /
operation impact and anticipated duration of outage.
e. Which service / operation will be reused / recovered and to what capacity levels
over what period of time?
f. Which service / operation will be resumed immediately?
g. Which service / operation will not be resumed immediately and when will they
be available?
h. Which service / operation are expendable?
i. What resumption and recovery strategies are to be employed and what are the
priority sequences associated with each?
j. What resources need to be pre-positioned and what are their interdependencies
(inter and intra channel)
1.7.3 Business continuity planning framework

A single framework of business continuity plans shall be maintained to ensure that all
plans are consistent, and to identify priorities for testing and maintenance
(Karakasidis, 1997). The suggested structure of the plan is enumerated below:
a. Section One - Sequence of resumption / recovery

Mawson (2003) suggests, that the BCM plan must list critical services / operations
to be resumed followed by those to be recovered, in decreasing order of priority
b. Section Two - Steps to operationalize plan

Gallager (2003) iterates undertaking proper steps to operationalize BCM plans to
ensure success and reliability. Each service / operation is to be enumerated clearly
with amplification notes where necessary38:
i. Time scale for resumption
38
Disaster Recovery Journal, http://www.drj.com, May 2003.
245
ii. Well-documented, agreed and understood (by all stake holders involved)
alternate procedures & processes. Possibly a manual workaround to cater for
immediate requirement.
iii. Staffing requirements – key personnel & support staff
iv. Non-information processing resources
v. Identification & agreement of all responsibilities and emergency procedures
vi. Enabling services and resources to achieve the resumption – accessibility of
business unit premise, alternate spaces, power supply, communication etc.
vii. Fallback arrangement for information processing facilities
viii. External business dependencies and relevant Contracts in place
ix. Staff education in procedures, processes & crisis management
x. Conditions for activating the plans
How to assess the situation
Who should be involved
xi. Emergency procedures - Actions to be taken
xii. Public relations management - Effective liaison with public authorities e.g.
police, fire dept., local Govt.
xiii. Fallback Procedures
Moving essential business activities or support services to alternative
temporary locations
Bring business process back into operation in required time scale -
Resumption Procedures
Action for returning to normal business operations
c. Section three - Maintenance Schedule & upgradation

MacSweeny (2003) recommends that the plan must incorporate the following
aspects of maintenance and upgradations:
i. Testing & updating of the plans - schedule
How and when to test the plan
How to maintain the plan
ii. Awareness and Education
iii. Responsibility allotment
iv. Upgrade procedure & facilities based on test results and communicate the
same
246
1.7.4 Strengthening the BCM Plans
39
BCM plans can be made more resilient by addressing the issues given below
(Herbane, Elliott, Swartz et al, 1997):
a. Policy matters
Top management sponsoring BCM projects should display high degree of
involvement in guiding the effort on certain key items enumerated below
Organization structure - Responsibility for coordination of BCM process
(Rodetis, 1999).
i. Recovery System Alternatives40
Banks Own Resources
Outsourced – Certain systems like Payroll, Customer Contact, Mailing,
Shipping, Web Site Maintenance etc can be outsourced.
ii. Reliance on outside firms – especially telecom, government and utility firms.
Arrangements have to be made with these external agencies, by way of
maintaining formal and informal relationships, to obtain their unflinching
support during crisis.
iii. Location and Organization (People, Security, Access etc) of:
Primary Site
Alternative sites
Off site storage
b. Personnel and General Administration

i. Availability of key personnel – The list of key personnel should be worked
out branch/office wise and communicated through all modes of internal
communication.
ii. Establish Calling trees.
iii. Determine access method for senior managers
iv. Logistics – how to move people, equipment and data.
v. Authorization for extraordinary expenses. One way could be by providing
credit facilities for onsite staff.
vi. Prepare for handling media
vii. Prepare to interact with customers, government, shareholders, customers
39
Brahim Herbane, Dominic Elliott and Ethne Swartz ( Leicester Business School, UK), Contingency and
continua, Achieving Excellence through Business continuity planning, Business Horizons, December 1997.
40
Financial Times, June 2005,Business Continuity and Disaster Recovery.
247
c. The Human Factor
Morganti (2001) emphasizes the importance of Human factor41 in ensuring
reliable BCM implementation and execution.
i. People are not equipment – that must not be forgotten.
ii. Disturbed Emotions may affect ability to respond
iii. Family issues may impact availability
iv. Stress related illness and fatigue has to be considered.
v. Sustenance of staff must be taken care of.
d. Technical
Rodetis (1999) emphasizes that the people and systems (desktops, servers and
networks) need to be kept operational. Alternate / emergency operations are
therefore to be planned as also the processes and drill to rebuild the state of
normal operations 42.
i. Immediate Recovery Options -Data Mirroring, Site Mirroring
ii. Near Immediate Recovery Options - Hot Site, Mobile Site, Service Bureau,
Multiple Processing Sites
iii. Medium Term Outage can be met by providing for Warm Site or Data Re-
entry.
iv. Long Term Outage can be met by providing for Rental of alternate space (cold
site) or Data reconstruction.
v. Emergency Operations Centre (EOC) - Issues pertaining to EOC address
questions such as :
How far should it be located
How large in size
How much equipment
What Communications Systems and Access Systems are required
Housekeeping and Security of Emergency Operations Centre.
1.8 Implementation Process

Morganti (2001) emphasized that there must be a managed process in place for
developing and maintaining business continuity throughout the bank and various
Business Units. A responsible person in each business unit is to be appointed who is
to maintain plan and be the point of contact in case of incident. Testing plans must be
41
Michael Morganti, A business continuity plan keeps you in business, Record – The magazine of Property
Conservation, September 2001.
42
American Society for Industrial Security, http://www.asisonline.org and International Association of
Emergency Managers, http://www.nccem.org May 2002.
248
set up. Agreement must be entered into with appropriate vendors for delivery of
replacement service/support within critical time frames. The strength of the vendors
must be ascertained to ensure that they are not over whelmed by requests for support
in the event of a large-scale disaster
1.8.1 BCM storage and Communication

The scheme for ensuring reliable storage and communication has been enlisted
comprehensively by BCP Consulting, Canada43
a. BCM can be stored in documents or electronically on CDs or Intranet.
b. The storage of BCM must be in a manner that its Confidentiality is maintained.
c. It must also be stored at alternate sites in both modes.
d. BCM Version Control has to be exercised by the BCM team.
e. BCM is to be communicated to everyone.
1.8.2 Allocation of Responsibilities

Herbane (et al 1997) and Morganti (2001) suggest allocation of following
responsibilities:
a. To have a trained and committed team in place to lead, manage and direct the
organization through the crisis
b. Able to handle pressure
c. Make key decisions
d. Provide credible suggestions
e. Knowledgeable about new threats
f. Reaction Teams - Assign people to teams:
g. Technical Support
h. Administrative Support
i. Operational Support
j. Recovery of Primary site
k. Relocation to Primary site
l. Cards with important phone numbers
1.8.3 Systems
As per Rodetis (1999) systems and processes must be worked out and communicated
to all concerned regarding the following aspects:
a. Off Site Storage
43
Disaster Recovery Information Exchange, http://www.drie.com and Survive – The Business Continuity
Group, http://www.survive.com July 2002
249
b. Data, Documentation, Procedures
c. Unneeded Data
d. Protection of Data
e. Change Control
f. Frequency of Backups
g. Access Control
h. Physical Security of Site
1.9 Review and Testing

As per Howarth (2004), BCM Implementation problems are compounded as even
those organizations with plans in place fail to review those plans on a regular basis -
meaning that new potential areas of disaster are often not included. Kirkpatrick (2002)
says, “Few organizations think that they are so big and powerful that nothing can
happen to them, have their heads in the sand. The larger these reactive companies are,
the less they are prepared.”44Most companies seriously underestimate risk, conducting
their planning exercises with a purely fiscal and annual focus instead of preparing for
non-financial events such as business discontinuity or sudden market reverses. As per
a survey, only 32% companies use sophisticated business-simulation models such as
driver-based forecasting to evaluate and mitigate such perils45
Even though the BCM plan seems complete, numerous problems may exist. For
example, sometimes the BCM plan is overly complex and only the core BCM team
can truly understand it. There are also instances where upon completion, the BCM
plan remains static and doesn't accommodate changes to technical infrastructure or
business processes. Olstick (2004), maintains that BCM plan is a living document and
changes to the business or technology infrastructure must trigger a parallel change to
the BCM plan.
Organizations of all sizes need to draft a business continuity plan. An effective

Business Continuity Plan must be thorough and tested regularly.46 Business specific
continuity plans to suit organizations’ needs and requirements can be designed and
implemented (Waji, 2006) using ‘Continuous Risk Improvement' (CRI) methodology
in the following project phases:
44
Kirkpatrick, Terry A remarked in report published in CIO Insight in 2002.
45
Leading Companies Revive Focus on Best Practices to Bolster Profits in Recessionary Climate, February 26,
2002.
46 Doede de Waij, Senior Manager, Marsh Risk Consulting, BCM - Protecting enterprise value, July 2006.
250
a. Identify overall strategic objectives for response and recovery.
b. Analyze what are the requirements to meet these objectives (BIA) and conduct
gap analysis.
c. Design strategies to close the gaps; organizational structure to implement the
formulated strategic objectives; and operating model to respond to the incident
/ crisis.
d. Execute / Implement the chosen strategies and document the procedures to be
followed in applying the strategies (plan writing).
e. Measure results through exercising, training, auditing and maintenance.
Olstick (2004) assets “It isn't worth the time, money and effort to put a BCM plan
together unless the company is willing to invest in comprehensive training and
frequent testing. This will maximize preparation while providing a method to uncover
and fix any weaknesses”.
1.9.1 Testing the BCM

The BCM Plan and operating scheme needs to be tested for efficiency and relevance
from time to time, Gondek (2002). The types of test and related issues are briefly
given in the following paragraphs.
1.9.2 The Types of Tests recommended

The Business Continuity Group, Canada recommends the following types of tests47:
a. Basic Tests – The BCM can be tested for overall effectiveness by resorting to
review by senior management by carrying out tabletop exercises. Using
software simulations to carry out Structured Walkthrough and make
appropriate recordings can also test these.
b. Partial Tests – These are resorted to test the capability of system for partial
recovery of selected systems.
c. Complex Testing – This is a full blown test in which banks should simulate
total breakdown of infrastructure and support to test alternate systems
involving both internal stakeholders as well as support partners and regulatory
/ government agencies.
47
Disaster Recovery Information Exchange, http://www.drie.com and Survive – The Business Continuity
Group, http://www.survive.com July 2002
251
1.9.3 Periodicity of Testing BCM
BCM organization and documentation must be tested on following occasions,
deficiencies recorded and improvements / modifications worked out (Gondek, 2002).
a. At least Annually
b. After major organizational changes
c. After an incident
d. Implementation of new systems, networks and hardware
e. Changes in market conditions
f. Changes in staff levels
g. After tests
1.9.4 Why Test BCM?

MacSweeny (2003) recommends testing as a regular organizational practice in banks
(in fact in any organization implementing BCM) as it provides following advantages:
a. Training of all stakeholders (internal and partners)
b. Helps People understand Roles and Responsibilities
c. Practice recovering with loss of key personnel
d. Find Weaknesses and Incorrect Assumptions
e. Find gaps in methods and procedures and documentation
f. Prove that BCP is feasible
g. Demonstrate the ability of the organization to recover
h. Verify that backup facilities and data are compatible
i. Provide mechanism for updating and maintaining the BCP
1.9.5 Testing Process

MacSweeny (2003) recommends the following are the steps to organize and effect
BCM tests48:
a. Assign one person just to record the progress of the test
b. Observe decision-making process
i. Were correct decisions made
ii. Was adequate information obtained
iii. Who showed leadership – who showed intimidation
c. Document all assumptions made
d. Look for efficient process
e. Debriefing after the Tests
i. Always meet to discuss what went well and what could be improved
48
252
ii. Solicit as much feedback as possible
iii. Designate personnel responsible for correcting deficiencies
f. Document all changes to the plan and watch for version control
g. Report results of tests to management for incorporation
1.10 Maintaining and Updating the BCM

MacSweeny (2003) recommends that the BCM organization and practice must be
updated on following occasions:
a. At least Annually
b. After major organizational changes
c. After an incident
d. Implementation of new systems, networks and hardware
e. Changes in market conditions
f. Changes in staff levels
g. After tests
1.11 Disaster Management

preparedness, response and recovery (Yodmani et al 2001)49. This section focuses on
effecting dependable disaster recovery management, which is a part of the business
continuity plan.
1.11.1 Disaster Response

The DR Institute, Canada outlines the following as the priorities in which a disaster
situation needs to be responded to50
a. First Priority: Safety and prevention51 of injury to personnel on site
b. Second Priority: Prevent or limit damage to facilities and equipment
c. Third Priority: Keep critical business functions operational
1.11.2 Disaster Declaration

The situation is to be assessed at right level to ascertain whether “Is it a disaster?” and
that “Is it really going to Impact on business appreciably? Parameters such as
exceeding Maximum Allowable Downtime or Minimum response time etc are to
49
Dr.Suvit Yodmani and Dr.David Hollister, Disasters and Communication Technology: Perspectives from
Asia, Presented at the Second Tampere Conference on Disaster Communications, 28-30 May 2001.
50
Disaster Recovery Institute Canada, http://www.dri.com and http://www.incident response.org;
http://www.drii.org, July 2002.
51
253
chart out so as to aid decision-making, questions Karakasidis (1997). The authority
that can declare disaster must be nominated. A list of all those key personnel both
from within and outside the organization, who are to be alerted, must be prepared and
published. The services (alternate) that need to be mobilized must be listed and made
available.
1.12 Phases of a Crisis

The Disaster Recovery Institute of Canada explains the phases in which crisis is
generally expected to manifest52:
1.12.1 Pre-existing conditions

The BCM team must examine previous failures, incidents & disasters regularly to
remain current. The prevalent corporate culture determines degree of preparedness.
The tendency to focus more on blame and pressure than process improvement may
encourage the staff to hide errors and report incidents with misleading statistics or
bypass safety or security controls. As per Gallagher (2003), the culture that favors
preparedness involves good communications and press or media handling,
Identification of key recovery personnel, fostering good interrelationships between
systems and departments.53
1.12.2 Crisis Trigger

Crises can be triggered by a major event such as: Weather, Accident, Power or other
utility failure, Attack by an outsider or an employee or Technology failure. The
trigger may be a seemingly innocuous or unimportant event.
1.12.3 Crisis Expansion

As per Gallagher (2003), the first objective of DR is to limit the damage and restrict
Crisis expansion. Complications may be from other affected areas. This might
involve some or all stake holders such as: Other departments, Law enforcement
agencies & Government, Social Organizations, Clients or vendors, Media etc.
1.13 Crisis Response

The organization must be able to discreetly infer that there is a crisis. The key
personnel should be able to recognize an incident, decide who should be involved and
52 Disaster Recovery Institute Canada, http://www.dri.com and http://www.incident response.org;

http://www.drii.org, July 2002.
53 Michael Gallagher, What is the worst that could happen, Financial Times, Printece Hall, May 2003.
254
whether there is a need to escalate. There must be a preset drill of reaching the key
people and all should know who is to be in command.
1.13.1 Impact on People

Herbane (et al 1997) observed that the team taking charge during a crisis ought to be
sensitized to Family issues, Stress and Health & Safety of the fellow employees. It is
generally a practice that a group of employees who are neighbors at workplace should
keep track of each other in emergency. Controlling emotions, though difficult, is the
center point of effective crisis resolution.
1.13.2 Managing Media

Gallagher (2003) asserts that managing media post a crisis is pertinent to ensure that
the image of the organization does not get a beating due to crisis. A credible
spokesperson who is to lead the Media and provide Information /Access almost
instantaneously so that the story can be broadcasted early enough.
1.13.3 Crisis Resolution

As per Gallagher (2003), the management must be able to ascertain objectively as to
when the crisis is over. It may involve financial impact that may take from few
months to several years to recoup. The impact on morale of employees, health of the
organization (culture) and credibility in the market place if affected may take long
time to come around.
1.13.4 Incident Response

Eric (et al, 2002) group the crisis resolution under following action points54:
1.13.5 Prior to an Incident

The bank must have an approved incident response plan to prevent pressured
decisions and effect fair and balanced response. For this purpose a thorough and
complete response team needs to be established.
1.13.6 Incident Response Team

The incident response team is to comprise of members from all departments such as:
Information Security, Legal, Human Resources, Public Relations, Communications,
Physical & Network Security, Network & System Administration, Internal Audit etc
(Herbane et al, 1997)
54
Maiwald Eric & Seiglein William, Security Planning and Disaster Recovery, McGraw-Hill Professional,
Osborne, USA, Jan 2002.
255
1.13.7 During an incident
The response team must follow the plan to keep the business operational and prevent
further development/impact of incident. They must gather information to permit
effective response (Herbane et al, 1997). It has been found that the teams responding
in disaster situation thereby making the operation totally ineffective did not adhere to
a well chalked out plan.
1.13.8 Following an Incident

The crisis managing organization must meet to debrief and discuss the actions taken
so as to implement improvements, better controls, training and new tools or
countermeasures for dealing with the situation more effectively in future
(Karakasidis, 1997).
256
ANNEXURE 2
SURVEY METHODOLOGY - BCM SURVEY IN INDIAN BANKS
2.0 Interview Questions Set

The following is the set of questions that were used while interviewing officials from
target banks at three levels:
a. Heads of Zone / Divisions
b. Branch Managers
c. IT Heads at Zone / Branches
All the respondents were given an assurance that the information collected is purely
for the purpose of study for doctoral work and not for any commercial use. The
respondents were also assured of maintaining anonymity about their views expressed.
Table A2.1: Survey of BCM Status (Level wise)
Srl. Survey Question Percentage Levels Details Provided

Responded Achieved
SET 1 - Heads of Zone / Divisions

This set is designed to gather information regarding banks overall business
objectives and strategy in relation to current level of performance and growth. The
exercise intended to understand the philosophy and execution of Business
Continuity Practices in the concerned bank.
i. What are the main operations of 100% High Details of products
your bank in terms of: and services
portfolio provided
a. Products
b. Services
ii. What is the market segment that 80% Medium Most Banks offer
your bank addresses? products and
services in personal
a. Personal Banking and corporate
b. Corporate Banking banking. SBI is
present in
c. International Banking international
d. Niche Banking banking while ICICI
& HDFC in Niche
257
iii. What is the vision and mission of 100% Medium Well defined for
your bank in terms of to high HDFC and ICICI.
Moderate for others.
performance targets, delivery
mechanisms, products & services
and other non-banking service
offerings?
iv. What are the challenges envisaged 100% Medium Well defined for
and how are they met in the to high HDFC and ICICI.
Moderate for others.
present times when there is fierce Details provided.
competition amongst banks due to
entry of private sector and MNC
banks in a big way?
v. What is the degree of automation / 100% High to High degree of
computerization in your bank in Medium automation in all
except SBI where it
terms of front office and back is moderate. Block
office processes? Diagrams provided.
vi. Do you use standard quality 100% Low to Low in GTB,
frameworks for process High moderate in UTI
and SBI and high in
improvements (e.g. BS7799, ICICI.
Basel II, etc) in your bank?
vii. What is the strategic view of 100% High to High incase of all
technology implementation in medium except SBI (IDEAS,
FinnOne,
achieving higher efficiency and Spectranet). Details
effectiveness? provided.
viii. Which innovations in technology 100% Medium High in all banks

has your bank deployed to to High (IDEAS, Direct Pay,
Wireless ATMs).
achieve competitive edge? Details provided.
Moderate in UTI.
258
ix. How critical is it to maintain 80% Low to Low in PSUs. High
continuity for the prosperity of High in Private Sector
banks.
your bank? How is prosperity of
the business defined in your bank
(e.g. business objectives,
strategy)?
x. What in your opinion are the 80% Moderate All banks do it in
major discontinuities that can some measure. Need
to be more
hamper operations of your bank? exhaustive and
How do these impact and to what clarity expressed.
extent? What is the probability of
these threats occurring?
xi. How are the steps to manage the 80% Moderate All banks do it in
disruptions / threats incorporated some measure. Need
to be more
in your organizational policy and exhaustive and
procedures? How is the staff clarity expressed.
trained /educated in this regard?
xii. What is an acceptable/tolerance 80% Medium Clarity not
level of your stakeholders, in experienced.
terms of disruptions and
subsequent revival?
xiii. How well are BCP practices 80% Moderate Clarity not
integrated with normal operating experienced.
procedures?
xiv. Do you have a clear brand or 80% Low to Low in PSUs.
policy for managing global medium Medium in Private
sector banks. No
reputation or image? Is this well clear organizational
preserved in major business processes.
developments to ensure the
company’s image is protected?
259
xv. Have you tested the PR machine 60% Low No clarity on the
in the event of an incident? issue.
xvi. Does succession planning feature 60% Low No clarity on the
as a matter of course in your issue.
organization’s risk management
approach? How appropriate is the
organization’s “key man
insurance” for the business?
xvii. What risk mitigating actions are 80% Medium Reasonably well-
in place? Is the cost of accepting defined.
the risk lower than any mitigation
actions?
xviii. Are the considerations the same if 60% Medium Not articulated
this occurred during a critical exactly.
period of the business, e.g. end of
a financial reporting cycle?
xix. Are business objectives and 80% Medium Not articulated
strategy clearly defined to help exactly.
determine which activities are
critical for the managing the
prosperity and continuity risk
strategy?
xx. What is the strategy or cost 80% Low to Not articulated
evaluation for accepting risks or Medium exactly.
transferring them?
xxi. Does the organization know what 80% Medium Most banks have
is acceptable to/expected by key general idea. But no
specifics.
stakeholders? Have costs of the
plans been rationalized?
260
xxii. How is business continuity 80% Medium Most banks have
integrated with your risk general idea. But no
specifics.
management framework? Does
the concept of business continuity
feature in the risk map/landscape
in every part of the business?
xxiii. What mechanisms / frameworks 60% Low No clarity on the
do you adopt to gather market issue.
intelligence as regards
performance of your products &
services and use of technology as
compared to your
contemporaries?
xxiv. Do you carry out sensitivity test 80% Medium UTI carried out
on your employees regularly to specific initiative
called ‘Mystery
assess their preparedness to Customer’. Other do
confront eventualities? it as ‘good to do’
only.
xxv. Have youimplemented 80% Low to Low in PSUs. High
knowledge management practice High in Private Banks.
Block Diagram and
in your bank to review incidents schematic provided.
and draw out lessons to formulate
continuity guidelines?
SET 2 - Branch Managers

This set aims to collect information from the bank at operating level in terms of
implementation of alternate processes and their efficiency and effectiveness. It also
endeavors to get insights into people related aspects of preparedness to handle
eventualities. The set explores the efficiency and effectiveness of deployment of
alternate processes both from in-bank resources and outsourced resources.
i. Who is responsible to ensure 80% Medium Most banks have
promulgation, implementation general idea. But no
specifics.
and testing of BCM in your bank?
261
ii. Are the alternate processes to key 80% Medium Most banks have
processes of the bank, whose general idea. But no
specifics.
disruption may cause serious
impact and losses, well defined in
terms of steps to be taken,
delegation of authority and assets
to be used?
iii. Do you have a manual 80% Medium Most banks have
workaround for the core general idea. But no
specific instructions
processes? How is the information except in case of
collected during manual working SBI.
updated to the IT system once
normalcy is attained?
iv. Are the safety procedures well 80% Medium Most banks have
communicated in your bank? Do general idea. But no
specifics.
you conduct regular training of
your employees to make them
aware of these?
v. Do you outsource services to 100% Medium Most banks
undertake critical activities to high outsource non-core
functions. ICICI has
towards ensuring business specific contracting
continuity or safeguards to scheme to manage
outsourcing.
minimize disruption? How are
these incorporated in service
contracts?
vi. Do these contracts provide 60% Low No clarity on the
appropriate levels of issue.
compensation in the event of
failure to provide an acceptable
level of service (acknowledging
that compensation may not always
be sufficient to cover cost of
certain high profile failures)?
262
vii. Does the contract provide for 60% Low to No clarity on the
independent checks or testing of medium issue.
the outsourcer’s business
continuity arrangements?
viii. Have the outsourcer’s business
60% Low to No clarity on the
continuity arrangements been medium issue.
tested – in particular where
significant core activities are
involved?
ix. What internal risk assessment of 80% Medium Most banks have
the outsourcer has taken place to general idea. But no
specifics.
manage the potential failure of the
outsourcer to provide an
acceptable level of uninterrupted
service?
x. Does the cost of
insurance 60% Medium Most banks have
outweigh the potential loss or general idea. But no
specifics.
damage to the rest of the
business? Should the organization
merely accept the risk and cost of
rebuilding the lost service or
activity, or opt for total shutdown
of that activity? If the risk
becomes too great, should the
activity (still) be outsourced?
xi. Has the organization carried out a 80% Low Except in case of
risk culture or awareness heath UTI.
check?
xii. What is the likelihood of major 90% High All banks expressed
disruption to the business due to this as a critical
factor.
prolonged unplanned absence of
key individuals?
263
xiii. Have you assessed
the 80% Medium Most banks have
vulnerability of your business general idea. But no
specifics
portfolio to changes in economic /
social conditions?
xiv. Is the organization well positioned
60% Low to High in case of
to influence the direction of Medium ICICI. Details
provided.
regulation and professional
standards?
xv. How is the organization keeping 80% High Senior
its finger on the pulse of managements highly
sensitive to this.
regulatory or market changes?
xvi. Does your business continuity
100% Medium Most banks have
management extend beyond the to High BCM for IT setup.
Block Diagrams
traditional areas of IT and provided. Explicit
physical security? instructions in case
of SBI.
xvii. Are there risks to the business’s
80% Low to Low in PSUs.
ability to stay on track of its goals Medium Moderate in Private
sector banks.
that have yet to be identified,
assessed and managed?
xviii How is the review of existing

80% Medium Mostly carried out
processes conducted? At what to High annually and
communicated
frequency? How are the changes through intranet and
communicated? internal
publications. UTI
has elaborate
process.
xix. What is the incidence reporting
60% Low Instructions exist
procedure followed in your bank? but not well
communicated.
How is the escalation achieved?
264
xx. What are the incidence logging 60% Low No clarity on the
mechanisms? How are these issue.
analyzed and the results
communicated to the employees?
xxi. Is knowledge management 80% Low to Low in PSUs. High
practiced? How is this integrated High in Private Sector
banks. Block
with other computerized systems? Diagrams &
Specifications
provided.
xxii. Are emergency action plans and
80% High Safety instructions
other safety regulations made exist and well
promulgated.
available to the employees in a Implementation not
manner that they are easily really challenged.
accessible during contingency?
xxiii Do you hold post event audits
60% Low No clarity on the
with a view to draw learnings and issue.
suggest improvements?
xxiv Does the reward system in your
60% Low to Low in PSUs.
bank objectively recognize medium Practice of rewards
does exist but not
performance and sensitivity of really linked to
your employees towards business BCM.
continuity?
xxv. Do you conduct regular training
90% High Increased awareness
of all stakeholders in the issues in banks in taking
this seriously was
related to emergency procedures, observed.
alternate equipments etc.?
SET 3 - IT Heads at Zone / Branches

i. This set explores the IT deployment in the bank to achieve automation and a high
degree of efficiency. The aspects related to practices in process management,
database maintenance and performance tuning are discussed.
265
ii. What are the major applications 100% High Most banks have
that are installed in a bank to implemented CBS,
Internet Banking
address structured workflow (e.g. and CRM solutions
core banking processes)? (Finacle, Spectranet,
FNS).
iii. How is the informal workflow 80% High Good Use of IT in
(e.g. mails, interdepartmental using internal
communications
notes…) realized in your bank? found.
iv. What is the level of automation in 60% Low to All banking
your bank as regards electronic high operations
document
documentation and information automated in most
exchange? How paperless have banks. Internal
management (assets,
you become? HR…) low in PSUs.
v. What is the data transfer 90% Medium Most banks have
organization and architecture to High near state-of-the-art
infrastructure for
deployed in your bank? What is banking operations.
the network architecture at branch Block diagrams
provided.
level and interbranch level?
vi. What are the various hardware 100% High Most banks have
platforms and system software near state-of-the-art
hardware at data
deployed to support your IT centre level.
Infrastructure? Specifications
provided.
vii. How robust is your security 90% Medium UTI has excellent
policy? Is this policy applied to high security policy
documentation and
consistently across the group? implementation.
viii. Are there gaps in the
IT 90% Medium Most banks are
infrastructure which may expose sensitized to this.
parts of the database and
applications?
266
ix. As most data is held on servers, 90% Medium Most banks have
are you confident that any to high comprehensive
applications running
unauthorized access with the risk on CBS to take care
of misappropriation and of this.
corruption of financially sensitive
data, will be detected?
x. If using outsourcers, are they 60% Medium UTI has elaborate
appropriately covered by your to high practice in
managing this.
security policy? Block diagram
provided.
xi. Are existing insurance 60% Low No clarity on the
arrangements appropriate – to issue.
cover both data, system & system
time loss?
xii. Is there a coherent
incident 60% Low No clarity on the
reporting system to maximize use issue.
of these insurance arrangements?
xiii. Do you have a central incident log
60% Low Only GTB had well-
or hotline? defined system.
Specifications
provided.
xiv. Do all contractors and staff in
60% Low No clarity on the
privileged positions sign a issue.
confidentiality clause?
xv. What are the various storage 90% Medium Most banks have
devices deployed in your bank? to high near state-of-the-art
hardware at data
How do they compare with the centre level.
contemporary banks? Specifications
provided.
xvi. Is there a detailed backup policy
in your bank? What are the to high reasonably well-
defined backup
various devices used to take policy.
backups? Specifications
provided.
267
xvii. How is the bandwidth of the IT
100% High All banks have well-
setup of your bank managed? managed
(outsourced)
What are alternate modes of data bandwidth
communication? management with
alternate/ redundant
modes of
telecommunications.
Specifications
provided.
xviii What level of integration has been

100% High Good integration
achieved in your bank as regards across delivery
channels. Private
applications, delivery channels sector banks
and storage devices? attempting advanced
storage structures.
Details provided.
xix. What access control technology
and mechanisms are deployed in to High modern access
control systems.
your bank to regulate access to Block Diagram
sensitive places? provided.
xx. Does the architecture of your IT 100% High All banks rely on
solution rely on proprietary proprietary systems
excepts UTI which
systems or open systems or a has gone in for a
combination of both? combination of
proprietary and
open systems. Block
Diagram and
specifications
provided.
xxi. Do you use automation tools to
100% Low to Except GTB all
manage network and other IT High have state-of-the-art
applications and
assets of your bank? Do you security
undertake performance tuning at management
systems (Symantec,
regular intervals? CA…). Details
provided.
268
xxii. Do you have alternate 60% Medium Private sector banks
arrangements for specialized have larger number
of ATMs (per
automated delivery mechanisms customer) that serve
such as ATMs, point of sale as alternate to each
other. PSUs have
terminals, kiosks, etc.? lesser in number.
xxiii How is the intra-bank 80% High to High in private
communication system deployed? medium sector banks.
Medium in PSUs.
What is the portfolio (intranet,
voice based, messaging based)
etc.?
xxiv Are there failsafe mechanisms for
100% High RBI sponsored
specialized inter-banking NIFNET ensures
sufficient
operations, such as RTGS, EFT, redundancies to
SFMS, etc? sustain these inter-
bank operations.
Details provided.
xxv. Do you use automation tools for
60% Low to Low in GTB.
carrying out facilities high Extensive use of
automation tools
management? How frequently do found. Reviews not
you review the performance of that frequent.
Details provided.
non-IT assets?
xxvi Do you carry out knowledge
80% Low to Low in GTB and
management to assess the high PSUs. Advanced BI
Practice in private
performance of IT applications sector banks. Block
and benchmark them with the best diagrams and
specifications
available in the industry? provided.
269
3.0 Introduction 270
3.1 Pre-development activity 270
3.2 Model Development. 270
3.2.1 Questions asked 271
3.3 Themes explored 272
3.3.2 Procedural 273
3.3.3 People 274
3.4 The BCM Model 277
ANNEXURE 3
Development of Metrics for conducting “Reality Check”
3.0 Introduction
The issues explored to articulate parameters that need to be measured to ascertain

preparedness; vulnerability and degree of threat and augmentation of BCM in banks
pre and post implementations are enumerated in this annexure.
3.1 Pre-development activity
These have been worked out based on the knowledge gained on literature survey,
secondary research (exploring literature on BCM successes and failure globally) and
primary research (survey of 5 major, 8 medium and 6 small banks of both private and
public sector in Mumbai). The knowledge components are listed below:
a. Banking Scenario in India as regards BCM implementation and its success or

failure in light of RBI instructions on the subject as enumerated in Chapter 2,
Section 2.5, 2.6 and Paragraph 2.9.1.
b. Business Continuity Paradigm culled out from successful experiences in BCM

implementation in Finance and banking sector in North America and Europe as
enumerated in Chapter 2, Section 2.4.
c. BCM in operation – experience of managing continuity in a disaster situation by a

major Public Sector bank in Mumbai (case study) as enumerated in Chapter 4,
Section 4.4.
d. BCM status and experience in two large, two medium and one modern bank as
culled out from learnings accrued after an elaborate survey of the target banks as
enumerated in Chapter 4, Section 4.5.
3.2 Model Development.
The BCM model was developed by interacting with 26 officials of Banks that were
surveyed to study BCM state in India and 8 BCM consultants from leading
Consulting companies in India.
For this purpose the questions asked and themes explored to articulate BCM
parameter are given in the paragraphs below.
270
3.2.1 Questions asked
Following questions were asked from the respondents in respect of the themes given
in Section 7.3 below
a. Is the measure considered relevant in their bank? If yes to what degree?
b. Is there an organizational policy to the effect? What levels are involved?
c. How is policy formulated and promulgated?
d. Does the bank have enumerated implementation guidelines?
e. Are the guidelines communicated, implemented and measured for effectiveness

and relevance?
f. Is there an organization structure to deal with implementation and upgradation of

BCM?
g. Is there adequate infrastructure (Technology, facilities) and financial support to

address the requirement? Indicate the same and their Utilization levels.
h. Is the parameter in question considered critical (moderate, not critical) from BCM
perspective?
i. Is the non-availability / non-performance of the parameter in question perceived

as a threat to business continuity?
j. If yes what is the impact on business (severe, considerable, moderate, tolerable,

neglible)?
k. What is the probability of occurrence of the event leading to discontinuity of the

parameter?
l. Are there budgets sanctioned to address the issues related to the initiatives to
provide continuity in respect of the parameter?
m. How are these utilized and monitored? Who are involved at functional &
supervisory levels?
n. How is the knowledge of employees enhanced in managing discontinuities

(Operational and Technical)?
o. How are employees motivated to assume responsibility in a disaster situation (as

regards the parameter)?
p. Are their procedures to review the efficacy and currency of managing

discontinuity in respect of the parameter?
271
3.3 Themes explored
The themes (evolved based on the knowledge components enumerated in paragraph

2.0 above) explored are clustered in following 5 groups that are also the groups in the
final model and are listed in sub sections that follow.
Definition of mission and vision of the bank – articulated and communicated.
a. Sensitivity to issues of brand management & image and maintaining good public
relations
b. Responsibility shared by Top management in respect of establishing and

implementation of reliable BCM practice
c. Focus on sustaining high level of Business continuity adopting dual strategy for
Disaster Recovery System - one for mission critical applications and the other for
routine applications.
d. Adoption of challenging strategies to imbibe new concepts in banking: turn tech

savvy, leaner and meaner.
e. Enhanced focus on Customer service. Approach of “Bank Customers” and not

“Branch Customers” to enhance Customer service
f. Focus on diversifying Products - Retail banking (housing finance, credit cards,

auto loans, consumer finance, etc.)
g. Enhancing Services and products like "Anywhere Banking" "Tele-Banking"

"Internet banking" "Web Banking”, e banking, e-commerce, e-business etc.
h. Enlarging services offered such as selling insurance, mutual funds and investment
opportunities.
i. Provide wide range of products and services to meet the specialized needs of
customers by offering extensive portfolio involving Multiple Delivery options.
j. Deployment of Technology to support high volumes of transactions and improve

efficiencies by high degree of automation (Core-banking system, integration of
diverse products etc.).
272
k. Modernization of system of reporting and reconciliation of transactions of
customer accounts and other banking services like remittances etc. at branch level
has been revamped and modernized.
l. Extension of automation to areas like funds transfer, electronic mail, BANKNET,

SWIFT, ATMs etc. and inter connecting computerized branches.
m. Effective use of MIS for control of operations and of maintaining customer and
business/industry databases for strategic planning.
n. Deployment of Advanced Information management techniques such as Data

warehousing, Data mining, Analytics and Restructuring of business processes.
3.3.2 Procedural
a. Elaborate and well-communicated instructions on operating and maintaining the

Technology (IT & communication infrastructure) of bank that supports
transactions and processes.
b. Carrying out appropriate measures of effect of disruptions on customers and the

degree of their “tolerance limit”
c. Knowledge Management - to gather benchmarking data of contemporary banks to

monitor their own performance.
d. Deployment of “Internet Banking” to operate Customer centered technology

applications such as “Anywhere” branch banking, Mobile Banking etc. (low cost
electronic services)
e. Integration of banking services with web based E-commerce to make convenient

international transactions one stop shopping to 'Banking Portfolio’.
f. Implementation of quality initiatives (Basel II framework) to address issues

related to financial and operational risks so as to ensure higher levels of
continuity.
g. Consolidation of IT resources and assets in the form of Data Centers both at the
Primary Site and at the Recovery and Continuity site/s.
h. A hybrid approach where in there is still faith in “Old Economy” manual systems
working symbiotically with modern IT-Based Systems.
i. High degree of innovation in providing better and efficient service - providing

value added and multiple services to the customers.
j. BCM is practiced with greater degree of sincerity and effectiveness and integrated
with normal operating procedures when it comes to actual operations.
273
k. Operationalizing BCM planning process effectively - Data collection &
Documentation, Calculating Risks and Review & Testing.
l. Documentation of BCM Plans - Technology (Structure, Organization) and

Operating Procedures (Instructions) and communication through intranet and
internal publications.
m. Conducting BCM reviews and testing of disaster recovery and business continuity
plans and changing business processes accordingly, updating/modifying and
communicating
n. Formulating Procedure to effect “manual workaround” as an alternate to

technology driven processes – enunciating, communicating (Instruction booklet)
and rehearsing.
o. Sensitivity to good customer service amongst employees is tested periodically

using well-defined framework & process and notification of improvements where
applicable.
p. The safety procedures to be adopted in the face of eventualities to be formulated,

elaborated, communication and training conducted to ensure compliance. (Have
they been challenged?)
q. Outsourcing of non-core functions and use of efficient and specific contracting

scheme to manage outsourcing arrangements.
r. Collaborations in the area of owning & managing assets and IT infrastructure with
trusted partners.
s. Sensitivity to changes in market or regulatory conditions and holding better

relationship with government and civic machinery (comes handy in recovering
from disruptions).
t. Incidence reporting and logging instructions articulated, adequately

communicated and comprehended by all concerned.
u. Documentation of automation of internal management systems (assets, HR…) like

the way it is done for all banking operations.
3.3.3 People
a. Effect of non-availability of key personnel on maintaining higher levels of

continuity quantification of impacts (operational, financial and image) is
comprehended
274
b. Ensuring implementation of succession planning in the event of discontinuities to
achieve greater level of “Trust” in abilities of work-force to tackle disruptions.
c. Providing regular training to employees on emergency procedures. Is there a

reward (as also punishment) system to ensure high degree of performance in this
regard?
d. The knowledge workforce (particularly IT staff) needs to be deployed optimally.

Skill inventory to be maintained and communicated.
e. The discipline in using IT assets for operations and communications in the

organization is maintained trough instructions and motivation.
f. Development of efficient and highly skilled teams (in-house or outsourced) to

carry out Systems Administration, Backing up, Network & Security Management
and also current practices of optimization such as Speedy Server Rebuilding.
g. Establishing elaborate “Communication links” to facilitate the process of

contacting and informing Key-personal (as also others) during eventualities.
h. Elaborate and well-communicated procedure and arrangement (in-house or

outsourced) to facilitate transportation of personal to alternate site when required.
i. Cost-effective strategies for up gradation and fine tuning of skills of human

resource management processes by regularly benchmarking themselves against
international standards.
3.3.4 Technological
a. Implemented Core Banking Solution (Finacle, Spectranet, FNS), Internet Banking

and CRM solutions and efficient IT enabled automation processes (EDI, EFT,
RTGS, MICR Clearing, ECS, ATM network, Shared Payment System,
Centralized Funds Management, Credit Monitoring Systems, Multi-application
Smart Cards etc.).
b. Ensuring higher degree of continuity for banking operations using RBI sponsored
NIFNET, which ensures sufficient redundancies to sustain inter-banking
operations (RTGS, EFT, SFMS, etc).
c. Implementation of a balanced portfolio of applications across products and

delivery channels. Deploying a combination of proprietary and open systems
applications to improve resilience
d. Deployment of state-of-the-art IT infrastructure housed in modern Data Centers

using advanced Hardware(Storage Array, General-Purpose Servers, Purpose-built
275
Storage Appliance and Intelligent Storage Networking Switch), Storage and
Backup systems.
e. Deployment of advanced Data Protection Technologies (Tapes, Electronic

Vaulting, Remote Mirroring, Backup Software, Replication and Snapshot)
f. Ensuring high degree of reliability by deploying efficient data sharing systems,

server and storage consolidation, data protection and redundancy of hardware and
network.
g. Setting up reliable and advanced Disaster recovery – A functional mix of

implementation of “near & far” and “hot & cold” sites that work in conjunction
with the main Data Centers.
h. Ensuring optimal utilization of their Data Centers by relocating assets and more
frequent use of DR sites for selected operations.
i. Well-managed (mostly outsourced) bandwidth with alternate/ redundant modes of

telecommunications (private, public and combination).
j. Deployment of advanced bandwidth management and security systems provided

by the best in class agencies.
k. Elaboration and execution of Security policy, which is well documented and

communicated. Comprehensive and applications to take care of security of
applications, databases, transactions and network.
l. Efficient management of IT Infrastructure (Hardware, Software, Bandwidth and

IT Infrastructure Management) and Cost (Acquisition, Implementation,
Maintenance and Upgrades)
3.3.5 Facilities
a. Physical Security of Data Centres, ATMs and other business touch-points

implemented using computerized and modern access control and security systems
(e.g. Fire and Damage control Systems, Access Control Systems etc.)
b. Use of automation tools and software systems (GPS enabled) for facilities
management along with display terminals and control room.
c. Provision for availability of Redundant Physical Space (in other branches or with
an outsourced agency) to provide workspaces for relocated staff. The facility is to
be complete with essential communication and computing arrangements (PCs,
Network Points etc).
276
d. Provision for allowing staff members to work from home by providing them PCs
with modems connected to telephone lines/cable TV.
e. Availability of Commercial Power in the event of Disasters (installed generators

and captive power plants, mobile gen-sets arrangement with outsourced agencies).
f. Insurance arrangements for critical IT and non-IT assets with appropriate

agencies. This aspect is important for rebuilding after disaster.
3.4 The BCM Model
The BCM model developed and tested comprises of 107 parameters that can be
measured and an objective assessment can be made as regards the health of BCM plan
or implementation. The model along with test data is enumerated in Exhibit 5.1.
277
ANNEXURE 4
BANK WISE SUMMARY OF STUDY
4.0 Primary Data Survey in select Banks in Mumbai

A primary data survey was carried out in select banks in Mumbai as per detailed
methodology enumerated in Chapter 4 paragraph 4.2. The information collected and
collated from the study (bank wise) is summarized in the succeeding paragraphs.
4.1 Oriental Bank of Commerce

The Oriental Bank of Commerce (division that was formerly Global Trust Bank) has
been doing well in terms of customer service at the point of conduct of this study. It
merged with the Oriental Bank of Commerce (OBC) subsequently owing to business
reasons. The bank (OBC) is currently going through massive restructuring process
post merger. The BCM practices and organization followed in OBC are still in the
same form as before merger in the concerned merged units till date. The findings of
study are therefore relevant even to date. The experiences of OBC as studied then are
summarized in the succeeding paragraphs.
OBC aimed "To be a Modern and a Model Bank". They endeavored to realize the
vision by:
a. Building the Business and the Institution
b. Creating Shareholder Value
c. Growing Profitably
d. Developing a Complete Financial Services Organization
e. Fostering a Caring and Sensitive Organization
4.1.1 Business Objectives

The bank envisioned technology is a key differentiator and focused on technology
driven products, technology supported convenience and technology access, as
emphasized by Mr. Sridhar Subasri, the then Executive Director, Global Trust Bank.
Critical areas such as Asset Liability Management, Fixed Asset Reporting and
Management System were few of the IT enabling initiatives that were undertaken by
the bank, both by developing in-house capabilities and partnering with professional IT
services providers. OBC focused on blending technology with high quality of
personalized service. The customers experienced caring human banking enabled by
Service focused staff greeting them with smile – “Warmth combined with IT”.
278
This emphasis on technology has led the Bank's concerted forays into Internet
banking in addition to Automated Teller Machines and Phone Banking. With
ibank@gtb, the Internet banking capability, customers could bank from home just by
clicking away while the ATMs bring in the convenience of round the clock banking.
The Banks telecommunication network was one of the best deployed at that time in
the country. A customer could access Global Trust Bank from anywhere in the world,
anytime.
4.1.2 Banking Application Projects

OBC deployed FINALCE (formerly Banncs2000), core Banking solution. It is a
powerful electronic commerce platform that enables OBC to provide integrated
financial services to both the retail and corporate customers- the one-click access to
all their bank accounts, trade finance, cash management, bill payment, investments,
on-line shopping, etc.
The bank undertook two major projects, in keeping with its objective of becoming the
modern bank. One with the support of Infosys entitled “BankAway” and the other
with in-house efforts, entitled “IDEAS”. The brief description of these projects in
enumerated below:
4.1.2.1 The BankAway Project

This facility provided a powerful Electronic Commerce platform enabling the bank to
provide an integrated financial services offering, both to their retail and corporate
customers. The specific cost for the project was not shared, however, based on several
interactions it could be inferred that OBC had spent Rs 40 crores on developing its IT
infrastructure with 150 lakhs of that being spent on its Net Banking initiatives. The
time taken was approx 90 days from the date of signing to the date of going online.
It effectively addressed issues like security, relationship banking, performance, cross-

selling and direct marketing. It provided a high level of flexibility and supported bank
& product branding. The solution runs on Solaris platform with Oracle as database
incorporating 128-bit encryption, Public Key Infrastructure, and SSL. The software
formed part of OBC’s project plan of being the first bank in India to provide its
customers access not only to their bank accounts, but also to their Depository
accounts. Customers of their Global Securities Banking service were able to enquire
on their Depository accounts over the Internet.
279
4.1.2.2 IDEAS (Integrated Delivery Channels Application System)
The IDEAS system is a flexible, modular and business driven solution designed to
manage various activities related to delivery channels. It provides multi-channel
integration for enterprise management of transactions and interfaces to the core
processing systems providing secure Web-based access for remote banking locations.
It manages operations related to delivery channels, including branches, ATMs, phone
and Internet banking, kiosks and mobile devices.
The system was developed using a relational database (Microsoft SQL 2000) on
Microsoft platform, (Windows 2000 and SQL 2000). Users at branches access the
system using the thin-client (Java Servlets, JDBC database connections) mode which
makes deployment quick and easy. Users at the back office access the system using
the thick-client (client-server) mode so that operations involving complex
computations can be done using the power of the client, thereby avoiding any impact
on the response times for online request entry and inquiries.
The IT infrastructure design was done in alignment with the objective by using the
latest technology and in a way, to reduce overall cost and project itself a
contemporary bank. The entire investment in IT is governed by a well- inculcated and
understood belief in ‘ROTI’ (Rate on Technology Investment). They have been able
to achieve this objective by implementing the most appropriate technology at the most
appropriate time and at the optimum cost.
280
The schematic of the IT Infrastructure is given below:
Applications Core Banking
Bank away/ Service,
Pay away Mumbai
Back End
Server
Core Banking
Bank Service (Finacle),
Connected Hyderabad
Web
ATM
Server
Figure A4.1 The IT Architecture at OBC
The salient features of IT Infrastructure to provide OBC competitive edges are given
below:
a. Fast Response: Faster response time and error free delivery of service resulted in
high customer satisfaction. Customer accounts were debited in real time no matter
from where in the country the transaction originates, be it at a branch, an ATM or
the Internet.
b. Security: Fully secured transactions using encryption and secured channels.
c. Uninterrupted business: A high uptime rate ensured using redundant data
communication channels.
d. Accessibility and wider coverage at minimum cost: Realized through Internet
billing and banking options.
e. High productivity: Through effective use of IT across all facets of their business
activity.
f. Focus on Strengths: The design leveraged OBC’s strength in core banking
operations coupled with in-house software development capabilities.
4.1.3.1 Hardware and Network

OBC used a mesh network supporting the hub & spoke architecture (data center to
branches) ensuring high reliability and performance. The bank employed reliable and
rugged WAN Network using TCP/IP protocol and multiple and high bandwidth
options for data delivery. High-end application and database servers from Compaq
Alpha (COMPAQ GS-320) and Sun Microsystems were deployed.
281
4.1.3.2 Security at OBC Bank
Security is a major concern at OBC bank just like any other bank. And it is making
huge efforts to secure both its hardware and software from issues of security. The
Internet Banking infrastructure of OBC, located in the data centre, is fully secured
using Firewalls from Check Point and other security features such as 128 bit
encryption, digital certificates etc.
It is also taking help of Infosys in this field - which provides complete online security
consulting services and other customization and implementation services to OBC.
4.1.4 Disaster Recovery Setup

The Bank’s Business Continuity Plan focused on protecting Data. The corporate Data
centre was established at Secunderabad and the Disaster Recovery Site (DRS) at
Mumbai. All critical applications systems were moved to the DRS. Whenever an
application was hosted at Corporate Office, its Disaster Recovery Set-up was
“imaged” at Mumbai. This ensured quick recovery in the event of major failures
giving a Recovery Time Objective (RTO) of couple of hours.
4.2 ICICI Bank

ICICI Bank (NYSE:IBN) is India's second largest bank and largest private sector
bank, with assets of USD 43 billion as of September 30,2005. ICICI Bank offers a
wide range of banking products and financial services to corporate and retail
customers through a variety of delivery channels and through its specialized
subsidiaries and affiliates. Areas include investment banking, life and non-life
insurance, venture capital, and asset management. Specifically, ICICI Bank is a
leading player in the retail banking market and has over 14 million retail customer
accounts. The bank has a network of 600 branches and extension counters and 2,060
ATMs. ICICI Bank is growing rapidly, in part through its online service offerings,
and is considered a technology trendsetter in the Asian banking industry.
ICICI Bank seeks to be at the forefront of technology usage in the financial services
sector. Information technology is a strategic tool for business operations, providing
the bank with a competitive advantage and improved productivity and efficiencies.
All the bank’s IT initiatives are aimed at enhancing value, offering customer
convenience, and improving service levels.
282
It is the first bank to offer Internet banking services in India. It is also extending
online banking to rural communities via kiosks.
4.2.1.1 Vision
a. One Stop Financial Services Shop
b. Cross Selling
c. E-Commerce Gateways – Online Buying
d. Building Long-Lasting Customer Relationships
4.2.1.2 Innovations in Delivery Channels

a. Innovative Delivery Mechanisms
b. Sustainable Access for Rural India (SARI) project
c. Partners: MIT Media Labs, Harvard University, I-Gyan,
d. Providing reliable Internet access through Kiosks using corDECT WiLL
e. 100 kiosks managed by entrepreneurs to be set-up
f. Providing e-governance, and information services
g. Delivering banking services through Internet kiosks

The following are the strategic objectives of ICICI:
a. Achieving leadership in retail financial services through strong corporate
relationships, brand building, use of technology to attain operational excellence
with relentless focus on the customer.
b. The bank uses delivery mechanisms like Internet Banking, Call Centers, 500
Outlets and over thousand ATMs to effect cross-selling of wide ranging products:
Fixed deposits, Bonds, Life insurance, Health insurance, Power Pay, Consumer
loans, Auto & home loans, Credit & debit cards, etc.
c. Multiple channel banking with efficient use of technology ensuring 24X7
availability to achieve wider and focused market reach-cross selling
d. Integration of diverse products using enterprise application to improve employee
productivity and increase customer satisfaction by providing a single view across
applications
e. Remain at the cutting edge of technology. ICICI has largest centralized database
among banks enabling a host of activities such as centralization of account-
opening processing, ATM card issue, MIS reports, statement generation and
central checkbook issuance.
283
f. The bank has implemented CRM using Siebel for automation of customer
handling in all key retail products and centralized tracking of complaints &
turnaround times
g. Tapping The Market by linking accounts to online buying, leveraging usage of
existing e-commerce gateways and tie-ups with online shopping houses. The bank
thus obtains “free data” about the consumer spending pattern and maintains data
warehouse. The bank has elaborate business intelligence architecture to run data
mining solutions for supporting CRM (refer figure A4.2 below).
h. Bank focuses on young customers (teenagers) by providing them “Plastic Pocket
Money” and Track their spending patterns.
Figure A4.2 Business Intelligence Architecture 1
4.2.3 Product & Services

ICICI provides wide-ranging products and services using multiple delivery
mechanisms. These include Bank Branches, Internet Banking, Call Centers, 500
Outlets and over thousand ATMs incorporating Net Banking “Infinity” – Kiosks. The
range of product and services include:
a. Personal Finance: Banking / DEMAT, Loans, Credit Cards, NRI Services, Bill
Payment, Customer Care, Promotional Offers (5 Friends = Exotic Holiday)
b. ICICIDirect.com: Trading, Market News, Research, Analysis, Quotes & Charts,
Mutual Funds, Personal Finance, Customer Service
1
Courtesy http://www.icicibank.com/
284
c. Phone Banking: Existing Customers Help Line (Query Handling), Product
Details for New Customers (Lead Generation), Application Status for Loan &
Credit Card Applicants
d. Chat: Customer Service for NRIs
e. 24 Hour ATM Service: Branch / Offsite Locations, Largest ATM Network, Cash
Dispensing, Cash/Cheque Deposit, Bill Payment, Order New Products, Enquiry &
Customer Service
f. IT Enabled Services: Mobile banking, E-Lobby, ATMs, Internet banking,
Partnerships with micro finance institutions, Direct lending to self help groups
ICICI Bank Limited (ICICI Bank) is a trendsetter in the use of banking technology in
India. The bank is achieving 99.9 percent application availability and 99.99 percent
uptime for its server infrastructure. The bank relies on a full range of software tools:
agents and options for data protection that has ensured 50 percent reduction in the
time to rebuild corrupted servers and 25 percent annual growth in data volume
without any increase in staffing resources. A schematic of ICICI Network at the Bank
and Branch level are given at figures A4.3 and A4.4 below.
Figure A4.3 ICICI Bank Network
285
Figure A4.4 ICICI - Branch Network
4.2.4.1 Banking Applications

To meet its data center availability goals, ICICI Bank runs its customer facing
services and key enterprise applications such as Finacle Core Banking (Infosys),
FinnOne Retail Loans System (Nucleus Technologies), CTL Prime Credit Cards
Processing System (Card Tech Limited), and SAP on highly available servers. The IT
infrastructure of ICICI runs on rugged and reliable network at enterprise level and
branch level.
The Finacle 7.0 is scalable and has been benchmarked on HP Superdome server at the
HP Capacity Planning Centre in Atlanta, USA proving 16 million transactions per
hour in an online mode and more than 13 million interest accrual transactions per hour
in the batch mode. The software provides features of
Intelligent Purging of Data and History, Workflow analysis capabilities by the user,
Increased customization capabilities, Multilingual facility for ICICI’s operations at
middle east and single database setup for host of applications: Personal banking,
Share trading, Credit cards, etc.
ICICI Bank deployed Oracle 9i database and Oracle Real Application Clusters (RAC)
to provide a robust database component for its enterprise applications, while other
applications such as Internet Banking and Customer Relationship Management use
Microsoft SQL Server 2000 Enterprise Edition.
286
The data center has several Sun Fire 15K, E6900, E2900, and E6500 enterprise class
servers and various Sun Fire mid-range servers—25 in all— running the Solaris 9
Operating System. The data for the Finacle application is stored on a new HP Storage
Works XP 12000 disk array. Periodically, point-in-time copies of the data are made to
facilitate restoration of database in case there is a corruption. While the HP
StorageWorks XP 12000 disk array permits such internally via its native
asynchronous data replication software, the FlashSnap option allows copying of the
data onto less expensive disk arrays from Hitachi or Sun.
The IT infrastructure which is both scalable and futuristic and addresses wide ranging
portfolio of products and services for front office and back office operations. The
development was realized in three phases. The IT group at ICICI is now focusing on
augmenting the infrastructure in terms of scale, scope and complexity. Few of the
projects on the anvil include:
a. New modes of payments
b. Internal Ratings based Accreditation Approach
c. Develop a database containing the historical data of loans approved, terms and
conditions, quality of customer, etc
d. Quantifying operating risk
e. Computerization of Rural branches and Networking of Post Offices
f. Online processing of Retail Loans
4.2.5 Business Continuity Setup

ICICI Bank Executive Director Chanda Kochhar viewed that there was a case for
banks to set up efficient disaster recovery systems. “In any case, it is easier to
replicate and run a parallel IT system than run a parallel system using manpower. I am
sure all banks are looking at their business continuity plan seriously” Ms. Kochhar
said.
The BCM initiatives of ICICI Bank are comprehensive and futuristic. Meeting their
senior executives from functional businesses and IT area and making spot
observations at their workplaces and data centers could establish this. The
distinguishing features that were observed are enumerated in the succeeding
paragraphs. The corresponding amplifying remarks are noted in the Annexure 5.
287
4.2.5.1 Building a World class Data Centre
ICICI bank has built a world-class data center looking at requirements of the future in
terms of growth and complexity. Adequate provisions were made to ensure that all
banking data had to be protected and recovered in case of disaster. In building the data
center at Mumbai, ICICI focused on establishing relationships with suppliers who
could solve a whole class of problems.
4.2.5.2 Targeting high availability for the end user

To meet its data center availability goals, ICICI Bank runs its customer facing
services and key enterprise applications on highly available servers (Sun Fire 15K,
E6900, E2900, and E6500 enterprise class servers and various Sun Fire mid-range
servers). ICICI Bank deployed Oracle 9i database and Oracle Real Application
Clusters (RAC) to provide a robust database component for its enterprise applications,
while other applications such as Internet Banking and Customer Relationship
Management use Microsoft SQL Server 2000 Enterprise Edition. The bank
maintained multiple periodic backups on dispersed storage arrangements ensuring
high availability.
4.2.5.3 Reliable data protection

While those Symantec products ensure data center availability, Veritas NetBackup
Enterprise Server provides protection for vital enterprise data and backs up 15
terabytes of data every day from more than 700 Microsoft Windows- and UNIX-
based servers. It is reliable and easy to administer. As data volumes grow at a rapid
rate for ICICI Bank—currently 300 gigabytes a month—the bank is challenged to
backup increased data volumes without extending its backup window. “With round-
the-clock operations, we only have a few hours during the night to complete our
backups,” says Mr. Pravir Vohra, Senior General Manager, Technology Management
Group, ICICI Bank.
4.2.5.4 Shared Storage Option leverages tape library

ICICI’s shared storage that combines heterogeneity of platforms overcame the
problems of lengthening backup operations arising due to data explosion. The EMC
CLARiiON 720 virtual disk library, a disk-based backup system that significantly
reduces the time needed to restore a file and enhances backup speeds by a factor of
four times has been gainfully deployed.
288
4.2.5.5 Bare Metal Restore speeds server Rebuilds
ICICI deploys the NetBackup Bare Metal Restore Option to address the requirement
of automatic rebuilding of servers that may get corrupted.
4.2.5.6 Enterprise Service Licensing Agreement (ESLA) saves time and money
ICICI entered into a comprehensive ESLA with Symantec that included Storage
Foundation, Cluster Server, and NetBackup, and associated options and agents. The
ESLA also provides ICICI Bank with the option to use other Symantec software
products that the bank wants to evaluate and test for future needs.
4.2.5.7 Enhancing data center availability with disaster recovery solution

A copy of ICICI’s important information is kept at disaster recovery site. The bank
replicates the data using HP StorageWorks asynchronous data replication product
called Continuous Access. It works fine but necessitates using only similar HP
StorageWorks disk arrays at both sites. In keeping with their policy of remaining
vendor neutral, they switched to Veritas Volume Replicator, which is on par with
HP’s proprietary data replication solution, and enables the bank replicate data across
heterogeneous storage arrays.
4.2.5.8 Efficient System Administration

ICICI Bank invests regularly in training the technical staff particularly in aspects of
network and systems administration to ensure smoothness of operations.
4.3 HDFC Bank

The Bank was incorporated in 1994, has its headquarters at Mumbai and has an
extensive network of 278 branches and over 750 ATMs across India. The bank
engages into wholesale business including Working Capital, Forex, Supply Chain
Management and retail including Savings A/C, Credit Cards, Home Loans, Personal
Loans. Its is the second largest Private Sector bank in India and also works as
Settlement Bank for the BSE and NSE.
The bank has launched onto high degree of automation ensuring high degree of
efficiency and effectiveness since inception. The strategy is to provide high degree of
customer service by providing convenience, reducing transaction cost and increasing
core operating efficiency by enabling the work force. The bank focuses on multiple
delivery channels to service its customers and moves at a high speed with latest
289
offerings. Munish Mittal, Assistant Vice President of Information Technology, HDFC
Bank Ltd., asserts “The time from when we conceived our Internet banking solution
to deployment was less than 12 weeks."

4.3.1.1 The Mission
HDFC Bank's mission is to be a world-class Indian Bank. The Bank's aim is to build
sound customer franchises across distinct businesses so as to be the preferred provider
of banking services in the segments that the bank operates in and to achieve healthy
growth in profitability, consistent with the bank's risk appetite. The bank is committed
to maintain the highest level of ethical standards, professional integrity and regulatory
compliance. HDFC Bank's business philosophy is based on four core values:
Operational Excellence, Customer Focus, Product Leadership and People.
The Bank has prioritized its engagement in technology and the Internet as one of its
key goals and has already made significant progress in web-enabling its core
businesses. In each of its businesses, the Bank has succeeded in leveraging its market
position, expertise and technology to create a competitive advantage and build market
share.
A Customer doesn’t belong to the branch anymore; he is the customer of the Bank
When HDFC decided to interconnect its branches, it was looking for the most cost-
effective method. The hub and spoke architecture proved to be beneficial in many
ways.
The bank services vast range of customer segments and offers differentiated treatment
to them to ensure customer lock-in. The “Hi-Touch” Group comprises of the age
group of 36 and above and demands speed, quality of service and value for their time
and social status. The “Accessibility” group – 46 to 60 years of age prefers convenient
time and closeness to residence. The “Value-added” segment – 18 to 25 years of men
& women are tech savvy and demand high speed, efficiency and esthetics. The
“Safety-first” Group comprises of traders, shopkeepers demand trust and conformity
to regulations. All segments expect prompt efficient & courteous service with or
without a smile. A schematic of process organization that enables HDFC to deliver
wide ranging services is given in figure A4.5 below:
290
Figure A4.5 Process Organization
4.3.1.2 Banking applications

The bank uses separate software for corporate and retail banking as there was no
single package that met both their business requirements.
On the corporate side HDFC Bank started with MicroBanker and then moved to
Flexcube in 2002. They use Flexcube UBS, which operates on a Compaq Alpha box-
GS160. The bank uses SAN solutions from Hitachi Data Systems. On the retail side
the bank uses Finware from i-flex solutions. HDFC Bank had acquired Times Bank in
2000. All the Times Bank customers were shifted from their package (called Kapiti)
to HDFC Bank's Finware and MicroBanker.
291
4.3.1.3 Management of All Financial & MIS Reports – NEWGEN
Huge amount of corporate reports are generated daily, volume is of order of terabytes
of data. Besides, there was duplication of reports that were generated at corporates
and at the branches. To curb the growing expenses & increase higher customer
satisfaction levels, the bank was looking for an effective and efficient system that
could provide instant access to all reports and also bring down the cost of operations
and maintenance – realized by NEWGEN.
4.3.2 Products and Services

HDFC focuses on Real-Time Internet Banking with emphasis on Effectiveness,
Efficiency & Customer convenience, using an effective network of Intel architecture-
based servers & workstations. The bank aims to enhance Customer convenience by
providing multiple channel options - ATMs, IVR-based phone, mobile banking,
NetBanking, etc. The bank offers a vast range of services and products:
a. IT Services Offered – International Debit Cards, e-banking, ATMs, DEMAT
services, etc. International.
c. e-Age account – Telephone, Internet, Mobile banking, etc.

d. Private Banking – A distinguished service rendered to select individuals and
institutions
e. HDFC – Loans – Personal & Professional loans and loans against securities
f. Phone Banking – Uses Simple IVR to Speech Recognition System
g. Call Centres – Simple manned call centres to integrated solutions – CRM, CTI,
Chat
h. Smart Cards - Multi-Application capability cards that can work on Technology
Platform – MULTOS, Smart cards for Windows, Java Enabled Cards
i. Internet banking at HDFC

i. Retail Banking
ii. Corporate Banking
iii. Payment Gateway – Debit to account
iv. Supply Chain Integration
j. Coporate Banking on Net (E-Net) – Cash Management, Funds Transfer,
Disbursement
292
k. Capital Mkts.@Net ..Capabilities – Demat, Calendaring and buying & selling
stocks
l. Direct Pay (Online Shopping

i. Purchases debited directly from customer’s account and credited to seller’s
account
ii. Facility available as an option for existing account holders – Free of Cost
iii. Secure transfer of money over SSL with 128 bit encryption
iv. Railways
v. Trading / Finance / Mutual Fund
vi. B2B : Timesofmoney
vii. Auction Sites : Baazee
HDFC has made an investment of over Rs. 200 crores. Overall, the IT system gives
HDFC Bank the ability to manage risk effectively with the availability of online
information. It also allows for better pricing of derivatives. For bank employees, the
new system has reduced the time to assimilate treasury information. The mundane
work of assimilating information on Excel for various activities is now being done by
the new systems, thus, increasing overall productivity.
Integration of complex bank operations had been a challenge as it meant

synchronizing the requirements of diverse users. The success of automation project
required the acceptance of the new process flow among all end-users. The bank
overcame the challenges by ensuring that there is proper communication among all
those involved in the project, be they vendors or internal users.
4.3.3.1 Current Architecture

HDFC Bank had a centralized IP-based network right since its inception. All branches
across the country converge at their respective zonal hub location, which in turn
connects to the data center at Chandivili, Mumbai. The network architecture is of hub
and spoke type connecting central site (data center) using a combination of 2 Mbps
and 64 Kbps pipes to hubs.
293
4.3.3.2 Network
Based on the bank's hub & spoke architecture for the network, the branches are
distributed under different regions and each major location has a regional hub. The
branches falling under a location connect to the hub at the main region. These hubs
then connect to the central site (data center) using a combination of 2 Mbps and 64
Kbps pipes, depending on the total volume of the transactions that pass through. A
highlight of HDFC Bank's network is the presence of two or more hubs in one
location.
Figure A4.6 HDFC Bank Network – India
4.3.3.3 Servers and Software

The IT Infrastructure of HDFC is supported on high end servers platforms that
include Sun E450 for Synergy Login System’s ITMS-Mirror System and Compaq
DL380 for SunGard Panorama System. The software includes Sybase v11.5.1, Oracle
v7.3.4, Panorama/Windows NT4.0/MS SQL v6.5, Citrix MetaFrame 1.8. The bank’s
infrastructure is supplied and maintained by their technology partners: SunGard,
Synergy Login Systems India, Sun Microsystems, Dell Computers and Compaq (now
merged with Hewlett-Packard). Scheme of servers at Data Processing Centre (DPC) at
Central Branch Mumbai given in figure A4.7 below.
The bank deploys a host of software to address various applications: Corporate

Internet Banking (ENet), Intelligent Data Mapper (IDM) which interfaces with
294
MicroBANKER – Core Banking System. It also deploys CAS – Cash Management
systems and SWIFT for Customer Support. The schematic of Enet Implementation
Architecture is given in figure A4.7 below.
Figure A4.7 DPC, Central Branch at Mumbai
4.3.3.4 Storage
HDFC currently deploys SAN and is considering NAS for installation sometime in
the future. The bank is investing heavily in all areas like backup, disaster recovery and
others. The bank has to store data for eight years as per the RBI guidelines and uses
tapes for off-line storage. The SAN deployment permits additions of extra devices in a
hot mode to address scalability and ensures better server power utilization for
business applications. Accordingly network capacity is released to the end user to
support customer services.
295
Figure 4.3.5
Figure A4.8 ENet Implementation Architecture of HDFC Bank
4.3.3.5 Network Management Software

HDFC uses Unicenter Remote Control option (RCO) in conjunction with the
Software Delivery Option (SDO). This has facilitated better and efficient management
of software from central location, thereby, cutting down manual fault rectification at
hubs. The bank is now able to initiate backup links if required and has been able to
achieve a reachability of 99 percent.
The website management solution has enhanced HDFC’s customers access for online
services thereby providing more convenience, 100 percent availability, faster response
time and enhanced transaction experience during every single interaction. The usage
of Net for banking has helped HDFC to reduce the investment in hardware by 10
percent. It has reduced administrative costs and system downtime, leaving more time
for IT staff to focus on strategic and business-critical issues.
296
4.3.3.6 Data Warehousing at HDFC
The data warehouse is built using SQL Server 2000 and Windows 2000 Advanced
Server with i-flex’s Reveleus. This solution will enable HDFC Bank to provide better
service and cross-sell high-value products across their customer base of 3.25 million.
This is the largest known SQL server-based data warehouse in India. Microsoft’s
Consulting Services team joined up with Intel, HP and i-Flex to benchmark the
solution for performance and scalability.
4.3.3.7 e-Internet Banking Software (eIBS)

This software provides single window to integrate multi-exchange, multi-segment,
multi-currency features between front-end back offices. It interfaces with PC SPAN ®
(Chicago Mercantile Exchange) and MATRIX Online Risk Engine and provides wide
range of customizable MIS reports and proactive client management and real time
pre-trade risk management.
4.3.3.8 The IT Organization

The central IT department has a total staff strength of 120 (approx.), with a mix of
functional and technical specialists. The project managers for new IT initiatives are
designated both from this group and from businesses. Almost all the project
development and application maintenance activities are outsourced to IT vendors.
HDFC has relationships with a gamut of vendors for implementation of various facets
of IT in the organization. The vendors include Wipro, SolutionNet and Iflex.
The entire systems set-up and the network is system-managed using UnicenterTNG,
which helps manage capacity better, secure the infrastructure and maintain assets
centrally. The bank has integrated its own payment gateway with VISA and
MasterCard. Plans are afoot for setting up a disaster recovery center as well.
4.3.3.9 Infrastructure Management at HDFC

The enterprise infrastructure and asset management HDFC is implemented using
automation tools that help IT personnel get alert messages much before a failure
occurs. HDFC always concentrates on managed services and focuses on its core
businesses. The bank puts thrust on procurement of ATMs, expansion of LANs and
WANs, building data center infrastructure, power supply setups, building security
297
infrastructure, and network monitoring tools. Facilities management practices have
been formalized as they are considered to be the key to successful operations.
4.3.3.10 Security at HDFC Bank

The bank deploys highest level of security commercially available and has taken
adequate measures to regulate access to applications based on valid customer ID and
password. In addition to elaborate IT Security the bank enforces strict measures in
handling paper-based and unstructured electronic correspondence. In the security
paradigm in the pre-internet banking era focused on internal activities of business by
ensuring strict regulation of user accounts and processes. In the Internet banking era,
the focus is on implementing perimeter security and regulate the network traffic both
from communications and applications perspective.
4.3.4 Business Continuity

HDFC has implemented business continuity practices in the organization efficiently.
There is elaborate business continuity plan and is well supported by rugged and
reliable disaster recovery systems. The BCM is well practiced both in terms of
organizational procedures as well as tending the hardware and other systems.
HDFC has the primary site (central data center) at Mumbai and the DR site in
Chennai — both for the system and operations. The features of operating the two sites
include:
a. The work is split between both the primary and DR sites, so as to achieve
optimum utilization and load balancing.
b. As both the sites operate in tandem, the staff is adequately familiar with the DR
process and can takeover & manage operations during periods of downtime.
c. The DR site is always online and data from the banking system is replicated on
the DR site within 15 to 30 minutes depending on traffic delay in the transmission
lines.
d. The lag between Mumbai database and Chennai backup database is maximum
limited to 15 minutes.
e. All ATMs are connected to both the sites and the state of the art switches
incorporated ensure quick changeover.
f. Periodic trials of the ATM switches are conducted every six months.
g. The entire retail, wholesale banking system, cash management are also covered in
DR.
298
h. The DR site at Chennai is designed to ensure “Near Zero Data Loss”. The main
technology centers religiously take up daily backups.
The Business Continuity initiatives at HDFC are now focusing on bringing in state-of-
the-art IT infrastructure practices such as Server and Storage Consolidation. They are
planning to deploy additional alternate connections, with built-in redundancy in the
network. The management of facilities and IT infrastructure, though already fairly
modern, is being upgraded to incorporate more comprehensive network and
applications management tools from CA and HP.
4.4 UTI Bank

UTI Bank is the first private bank in the post liberalization era. It is one of the fastest
growing private banks in India. UTI Bank is a new generation private sector bank
with its registered office in Ahmedabad and head office in Mumbai. It has a network
of 180 offices (136 branches and 44 extension counters) and 700 ATMs across 75
cities across the country.

The bank focuses on enhancing customer value by providing 24 /7 Access to Cash /
Funds from various channels Worldwide. UTI Bank expects to grow its retail assets
nearly 10 times in coming years. UTI Bank started its retail focus with building up
infrastructure and adhering to the latest technology. This is reflected from a
significant rise in its branches, ATMs and distribution network.
The bank has achieved a high degree of usage of technology to run its processes and
has implemented ‘finacle’ (by Infosys) core banking solution. The bank is focusing on
providing better service by way of offering products through multiple channels. The
processing has been pushed from branches to central offices to enable the staff to
engage in improving relationships and serving the customer better.
The bank is proactively building customer centric culture in all its branches. This is
effected and measured by an initiative called “Mystery Customer Shopping” wherein
the project team members simulate an exercise by visiting bank branches as pseudo
customers to measure sensitiveness of behavior of the staff towards customer needs.
The staff members are then ranked on customer sensitive index and suggested
methods to achieve the same.
299
4.4.2 Products and Services
The bank is aggressively launching new products and services to expand its retail
assets and client base. UTI Bank aims to increase its market share of auto and home
loans in large proportions. The products for savings bank and term deposits cater to:
Retirees, Students, Trusts/NGOs, Children, Women and Others. The products and
services specifically designed for the salaried segment opting for savings bank include
Government (State and Central), Defense Establishments, Corporates (Large, Small &
Medium and PSUs).
The Savings Bank products are offered through multiple channels: branch outlets,
Debit cards, ATMs, Bill Payments, Retail Loans, Internet, Demat facility, Retail
Bonds, Loans against security and Power - 24 Accounts and customer relationship
executives (home delivery). The bank offers wide ranging products specifically
designed for defense personnel. The bank offers “Travel Card” to the customers
engaging in frequent foreign travel. It gives them ease & flexibility of operation and
choice of currency for transactions with less service charges.
UTI offers unique product ‘Priority Banking’ to preferred customers who transact
large volumes. The Privileges offered to these customers are:
a. Banking privileges – a differentiated treatment is enjoyed by this segment in
terms of ease, speed and limits of transactions related to various products.
b. Investment privileges - guide to market information for investments.
c. Life style privileges – invitation to select and choiced events.
d. Other privileges – information on research and publications.
The financial services offered are marketed through various third party financial
products to the tune of over Rs. 2500 crore. The bank offers 15 schemes for
investments in loans.
The IT Infrastructure is one of the best in terms of security and connectivity. The
central data center is at Mumbai, to which all the branches connect in a secure mode.
The bank is well settled with all banking and financial processes running on finacle.
They are now concentrating on implementing non-financial services through Internet
i.e. research information and bank’s own administration. The project is being
undertaken in consultation with TCS.
300
The banks current infrastructure is supported on proprietary systems. They are
considering development of certain applications using open system software and
general purpose hardware platforms. This is primarily due to two reasons: one – the
bank has high degree of skills present internally in Unix and Linux and two – they
have excellent support relationship with Oracle Corporation for maintaining their
database software.
4.4.3.1 Hardware and Software

The bank has deployed IBM pSeries POWER4+ microprocessors based servers for
their production as well as fail over servers. The storage at central data centers and
zones is on state-of-the-art storage area network (SAN) solutions provided by IBM.
The core banking solutions are on finacle. They are also an Oracle shop and run their
primary databases on IBM's AIX platform, which is a Unix variant. They also use
Windows NT and Solaris as database platforms for other applications. UTI Bank has a
history with Unix. They are now in the process of scaling up their core banking
applications.
4.4.3.2 Head Office Applications

The central office and other zonal offices undertake entire back office processing
including interbranch reconciliation. This is in keeping with UTI’s philosophy of
relieving the branches from mundane processing work to enable them engage more in
customer service. The functional packages in use at Head Offices can be classified as
follows:
a. Treasury Management –Highly Critical
b. Back Office/MIS/DSS/EIS –Critical
c. Head Office Automation –Protected
d. PF/Pension –Critical
e. NPA Management –Critical
f. Money Market-Deposit And Loans –Highly Critical
g. Share Accounting –Highly Critical
4.4.3.3 Security
The security policy, practices and the operating culture in this regard is one of the
finest. The top management lays great emphasis on operationalizing and auditing
security procedures. UTI, though has adequate hardware and systems software to
implement security, believes that the cause is better served by imbibing right
education and concern in people.
301
4.4.3.4 IT Security
The IT security structure of UTI is implemented at two levels:
a. System Administration level – at the data centers in central and branch locations.
The structure of IT security solutions implemented at Systems level in UTI
comprises of:
i. Network Security – using VPNs and a combination of firewalls and IDSs to
regulate and monitor traffic (refer figure A4.9 below).
Figure A4.9 Network Security
ii. Application access security – applied at user levels for authentication.

iii. Security across applications – applied at run time to ensure integrity of
transactions.
iv. Database security – for database access and integrity.
v. Access Control - UTI enforces access control using the model of PKI.
Dedicated servers installed at appropriate locations carry out the key
distribution and authentication. The users are administered session keys by
Certifying Authority (CA) servers and Registration Authority (RA) for
302
generating and distributing digital signatures respectively (refer figure
A4.10 below).
Figure A4.10 Access Control
b. Operating level – users at branches and the customers hooking up to the systems
through Internet. The bank has elaborate guidelines for all the operators
connecting to the system to follow good practice while working both on computer
system and otherwise, to ensure prevention of a security breach.
4.4.3.5 Physical Security

There is no foolproof system that can guarantee 100 percent security. The system
level security is to be amply complimented by a good organization and sound
practices to realize physical security. There are rules and guidelines to regulate entry
to sensitive areas. The emphasis is on practicing safe procedures while handling
transactions both online and paper based.
303
4.4.3.6 Security Monitoring
The security incident reporting and management procedures are well-documented and
implemented. The 24X7 helpdesk supports incident handling by providing online help
and guidance. The bank has created teams that monitor activities related to security
for the entire range of applications by way of logging & analyzing audit trials and
providing antidotes and warnings.
4.4.4 Business Continuity

UTI was one of the first banks to implement a full-fledged disaster recovery centre at
Bangalore, which is managed by Wipro. The disaster site and the central data centers
are manned 24X7. UTI aims at realizing RTO of 5 hours. The BCP adequately caters
for a large number of small & big discontinuities that can impair operations. The
BCM addresses the issues related to minimum downtime and data recovery from hot
sites. It also details the organization and steps to be taken in the event of
discontinuities to realize speedy recovery to normalcy. The planning and
development of a business continuity organization was undertaken with the help of
TCS and IBM. The steps taken and the cost involved are given in the table 4.1 below.
Table A4.1 Business Continuity Survey Chart
S.No Cost Description
1. Project Initiation Workspace for Team

Team member time
Software tools & licensing
Hard ware
Education & Training
Consulting Cost
2. Business Impact Information gathering (Survey)
Analysis Meeting with key personnel
3. Design & Alternate response evaluations

Development Communications systems
Training of business unit representatives
Legal costs
Cost to develop plan
4. Implementation Preparation and stocking of EOC
Printing Costs
Distribution
Hot Site Costs
304
S.No Cost Description
Cost of off site backup of data /document
5. Testing Annual hot site test
Periodic tests
Delivery of data
6. Maintenance & External audit review
Updation Annual review by business unit reps
Annual compilation of changes
4.4.5 Mystery Customer

The philosophy of UTI in maintaining business continuity emphasizes on addressing
the issue on a wholesome basis. It is inescapable to install right technology
infrastructure and implement appropriate processes to effect continuity as has been
enumerated above. UTI believes that to achieve sustainable continuity of business the
faith and trust of customer in the organization is of paramount importance. This is
understandable as the businesses today operated in far more vulnerable environment
both social and technical and hence the emotive support of customers in the
organization is the key. UTI therefore engages in an initiative “Mystery Customer
Shopping” mentioned above to ascertain sensitiveness of employees towards
customers.
The following methodology was adopted:

a. A set of 2-3 Banks are identified for comparative study
b. The mystery customer visits the UTI Bank branch with a formatted questionnaire
(generally in his/her mind), records experiences and ranks them before updating
on the computer system the following:
i. Ambiance - Walls, Sofa, Noise level, POS, etc.
ii. Front desk officer’s behavior in engaging customers
iii. Proficiency of staff in providing information on various products
iv. Ability and attitude in answering basic questions
v. Ability to provide information on non-banking products
vi. Observation on any unusual (both good and bad) incidences
c. Similar exercise is carried out at other competitive banks to benchmark the
performance of the staff
d. Comparative ratings thus obtained together with recommendations are shared with
the Branch-head. He /she then administers appropriate steps for betterment of the
staff.
305
e. In case of serious deficiencies, same study repeated on the same officer after 6
months.
4.5 State Bank of India

The State Bank of India, is the largest bank in the country in terms of reach and
volumes. The bank has a history of pioneering banking services in India to a large
segment of customers in cities and villages. SBI has outstanding credentials in terms
of its financial performance. The bank did have a problem in managing NPA in past.
They have now shown a turnaround in terms of better management of resources and
expansion of portfolio of products and services. The bank has an impressive record in
globalization and has operations in large number of countries in the world. SBI has
been preferred by countries in middle-east who had been skeptic in permitting
overseas banks to establish operations in their country. The bank offers wide range of
products and services to a large segment of customers in India and abroad. Last five
years have seen a quantum jump in bank’s adoption of technology for its front and
back office processing, improvement in ambiance and customer service. There is a
visible drive in bank’s efforts to focus on marketing and thereby give a tough time to
its competitors both from private sector and MNC banks.
4.5.1 Major Turnaround Initiatives

4.5.1.1 Business Process Re-engineering
The BPR initiative undertaken by the bank has brought about an upheaval in
managing better service to its clients by focusing on relationship building and delivery
of products than back office processing. The branches now engage in customer
support and delivery including marketing where as the back office work has been
shifted to central data center.
The BPR exercise has resulted in massive reorganization at branch and zonal /
regional levels. There is now better “enabling” of the workforce engaged in managing
customers and markets. Cells have been created to address specific needs of segments
for particular products and services, both from delivery and processing perspective.
4.5.1.2 Centralized Processing of Retail Loans

SBI plans to incorporate a help desk in order to enhance customer service and
redeploy staff that were engaged in back office processing into outbound marketing.
The bank has also drawn up plans to convert its branches into service outlets, with
306
loans being processed at central hubs. This would cut turnaround time and ensure
uniform appraisal standards. As part of a restructuring exercise that was conducted in
the early 1990s, SBI had centralized its large loan accounts in the corporate account
group branches.
The bank has undertaken large scale technology initiatives. SBI has successfully
deployed CBS in a large number of its branches along with those of other 7 associate
banks. The bank has launched other cutting edge technology initiatives such as
prepaid cards for mobile users, wireless ATMs and Internet based customer support.
4.5.2 Products
The banking behemoth offers entire range of products and services that a banking
organization can offer through multiple delivery channels using modern technology
(refer figure A4.11 below).
Figure A4.11 Delivery Channels & Mobile Banking
4.5.2.1 Personal Banking

SBI offers a wide range of services and products in the Personal Banking Segment
designed with flexibility to suit one’s personal requirements. These include various
types of personal investment through deposits and a large number of loans and
insurance schemes. Personal Banking Branches (PBB) often dubbed as boutique
branches cater to one’s financial requirements with speed and efficiency in an
excellent ambience by way of providing a variety of accounts.
307
4.5.2.2 Personal Finance
SBI has a variety of schemes under Personal Finance to satisfy varying needs of the
banking public. The Bank offers a variety of schemes with attractive rates of interest
for large number of personal requirements and for different segments.
4.5.2.3 Exporter Gold Card

SBI has launched "SBI Exporters Gold Card Scheme" to meet the working capital
needs of exporters with good track record and credit worthiness, subject to their
fulfilling the specified eligibility norms in terms of Nayak Committee, particularly,
for units with export turnover up to Rs. 100 crore.
4.5.2.4 Senior Citizen’s Deposit Schemes

Government of India have decided to operate the scheme through all branches of
Public Sector Banks which are operating PPF Scheme, 1968.
4.5.2.5 Services
SBI offers a wide range of services in the following segments:
a. Personal Banking
b. Agriculture / Rural – Micro Credit
c. SME’s & SSI’s
d. NRI Services
e. International Banking
f. Merchant Banking
g. Project Export Finance
h. Treasury
i. Portfolio Management & Custodial Services
j. Corporate Banking
k. Government Business
l. Public Provident Fund
4.5.3.1 Core Banking Solution
SBI has successfully implemented Core Banking Solution (refer figure A4.12 below)
in consultation with Tata Consultancy Services (TCS) supported by HP and Datacraft.
308
The project is one of the largest projects of its kind in the world in terms of the
number of branches, customers and transaction volume. TCS manages the entire
project and system integration, in collaboration with Financial Network Services,
Australia (FNS) and Hewlett Packard, India (HP) for this project.
Figure A4.12 CBS Architecture
4.5.3.2 SBI Network

SBI has networked 10,000 of its branches and its seven associate banks - the largest
network of its kind in India. The networking initiative has helped the banks to offer
customers cashless transactions nationwide, reducing costs and treasury applications.
The network design incorporates integration of IP, telephony, call center, ATM and
Internet processes, combining voice, video and data. The project is supported by a
disaster recovery center in Chennai to address business continuity issues, and a
centralized data center in Bangalore. The networking project provides across the
board benefits by providing nationwide connectivity for its business applications. A
schematic of Network supported on robust backbone (using satellites) of SBI at zonal
and regional levels is given in figure A4.13 below.
309
Figure A4.13 Network Infrastructure
4.5.3.3 Technology Upgradation

SBI’s Information Technology Program aims at achieving efficiency in operations,
meeting customer and market expectations and facing competition. Few of the
noteworthy and differentiating achievements are listed below:
a. Full Branch Computerization (FCBs): All the 9038 branches of the Bank are
now fully computerized. This strategy has contributed to improvement in
customer service.
b. ATM Services: The State Bank Group (including seven associate banks) has at
present the largest network of ATMs in the country. The bank has outsourced the
managed services of its ATM network to NCR. SBI has also entered into sharing
of ATM network with other banks.
c. Wireless ATM Services: SBI has setup ATMs with CDMA wireless connectivity
with the help of Reliance Infocomm which is a superior option from technology
and cost perspective.
310
d. Internet Banking (INB): This on-line channel enables customers to access their
account information and initiate transactions on a 24x7, boundary less basis. It
caters to the requirements of individual and corporate customers.
e. Telebanking & Remote Login For Corporate Customers: This is a Value
added service to retail and corporate customers, which support Transactional
requests.
f. Govt. Business: SBI takes care of managing and generating reports for settlement
and reconciliation of Govt. funds.
g. SEFT: Electronic funds transfer systems for inter bank transactions.
h. MICR Centers: MICR Cheque Processing systems at 15 centers.
i. Trade Finance: The bank provides Internet based facility for handling Trade
Finance transactions for Corporate and Commercial Network branches.
4.5.4 Business Continuity Planning

SBI had been a pioneer in computerizing operations amongst the banks and financial
institutions in India. The progress of computerization had been consistent but slow
when compared to the volumes and diversity handled by the bank and the levels
achieved by its competitors particularly private sector and MNC banks. The bank had
a well-documented business continuity plan which did not hold up during major
disasters. In the words of Mr. U. S. Roy, General Manager-IT, State Bank Of India,
said, "We have already witnessed the drawbacks of not having a strong BCP in place
with the Orissa cyclone and Gujarat earthquake incidents. The notion that BCP is not
a good investment is false economy. Moreover, many in the industry believe that BCP
is a synonym for Disaster Recovery (DR), when in fact, DR is only a small subset of
the BCP umbrella. It’s the responsibility of the business head to take ownership of
BCP and not the CIO’s."
SBI therefore launched on to massive Business Continuity Planning and

implementation with the support of its technology partners TCS, HP and Datacraft.
The BCM organization has bee revamped in terms of technology infrastructure
particularly IT in terms of rugged and reliable hardware platform, secure data
communication network and comprehensive software solutions. Today, SBI has the
main data centre at Belapur and the DR site at Chennai. All branches of SBI and those
of the other 7 associate banks of SBI hookup to the main data centre through secured
switching network provided by INFINET (refer figure A4.14 below) under the
auspices of IDRBT, Hyderabad. The branches running the core banking and
messaging solutions are connected to the central database at Belapur through a
hierarchical client server setup. The transactions details are held at branch and central
311
database servers with back office and reconciliation process run on the central
database. The transactions after updations (commit) in the central data centre are
mirrored on the hot DR site at Chennai. The system is designed for an RTO of 5 hours
for the entire set of branches.
Figure A4.14 INFINET Supports SBI Network
The bank has elaborate, well-communicated and well-practiced processes in place

related to:
a. Physical Access control to data centres at branches, main data centre and DR site
b. System Level control by way of password identification and digital signature
authentication
c. User Level security enforced through password authentications
d. There is a branch wise and zone wise BCM plan which is well communicated
through banks instructional booklets and intranet
e. The BCM plan details procedure for physical security and access to premises in
event of discountinuities.
f. The plan clearly details the roles and responsibilities to be taken up by key staff
members in an eventuality, hampering bank’s normal operations.
g. The multiplicity of channels and ability of customers to avail banking facilities
and effect transactions in any branch adds to the availability factor.
312
h. The bank constantly reviews the technology infrastructure and incorporates
upgradations where necessary to ensure high uptime rate.
SBI’s Business Continuity preparedness owes a great deal to the rugged and reliable
IT Infrastructure in terms of hardware and solutions well supported on an efficient
network. The bank has entered into a dependable arrangement with IDRBT to carry
their banking transactions traffic both from branches and ATMs in a secured and
reliable manner. IDRBT constantly upgrades the switches to absorb the demand of
explosion of scale with more and more banks hooking up to the Net and security and
privacy issues.
313
ANNEXURE 5
BCM IN OPERATION – EXPERIENCES OF A LARGE BANK
5.0 Preamble
Banking services have become an integral part of social life in the digital era which
witnesses high paced economic activity. Disruptions of banking services have far
more pronounced effect on businesses and personal financial needs than ever before.
It is, therefore, pertinent that organizations, particularly those engaged in financial
activities in public domain, ensure high level of continuity to remain in business. This
requirement is being challenged by the disturbances created by social / political unrest
as also by the fury of nature – flooding, tsunamis. It is believed by few that
investment in infrastructure, information technology and reengineering processes are
few of the recommended prescription to guarantee business continuity. The
organizations who have made such investments have also not been able to address this
problem comprehensively. The growing sizes of businesses both in volume and scope
complicate the situation further. What more does it take, therefore, to ensure high
level of continuity? This chapter explores these by surveying the successful
disposition of a large public sector bank in the face of a recent disaster.
5.1 The Day the Financial Capital was submerged

Mumbai, where more than 15 million people live, is the financial capital of India, and
witnesses high volume of business transactions in commercial world ably supported
by a strong network of large number of banking Institutions. July 26, 2005, the date
city would not like to remember, when strong deluge followed by devastating floods
caused havoc, with meteorologists recording 949 mm of rain. As reported by
Bloomberg, Indian officials estimated that the disaster will cost the city $1bn in
restructuring and loss of business.
Despite the closure of banks and exchanges the city did its best to open for business
but crippled infrastructure and struggling workforces testified that the city is
unprepared. The local trains remained cut off and most of the roads submerged
underwater. The emergency services were not able to respond and the administration
has failed to anticipate and respond.
Even though the damage was not that high, some people could turn up to work. In
addition to the general chaos that surrounds natural disasters, some companies have
failed to prepare for flood scenarios and this is testing their disaster recovery plans.
314
One of the main issues is the large number of buildings with basements - water had
flooded these basements where the control systems are, so one can't have power and
can't even get in there. Mobile networks were affected and large parts of landlines too.
Internet backbone services went down for three days.
The banks remained closed and certain ATMs had to be shutdown on account of
power shutdown, loss of connectivity or water logging in the buildings/complexes
housing the ATMs, for most part of the week. Even people in Delhi reported being
unable to withdraw cash from ATMs as a result of systems failures in Mumbai. The
CitiBank, ICICI, HSBC and the Reserve Bank of India all reported to have
experienced problems with ATM networks.
5.2 Business as usual for SBI within 48 hrs

SBI, which has the largest number of branches in the city measured up to the
challenge remarkably. Most branches, except for a few in Sakinaka – Andheri (E)
area , were made operational and for their customers it was business as usual by July
29, 2005, the first working day as declared by the RBI after the natural disaster.
“Ours was the first bank to recover, even though it had branches in some of the worst
affected areas like Kurla. SBI was fully equipped and capable of operating from their
DR site in Chennai on 26th July evening itself. As compared to this, private banks and
other commercial banks were slow in getting back to normalcy,” said Mr Purohit Dy
General Manager, SBI Western Region, Mumbai.
Following the floods in Mumbai on 26th July, a DR cell was set up on 27th in HO
(Mumbai). Within an hour, a list of branches on the network was obtained. Audit
team entered strongholds that were in the basement, counted the notes and sent them
to RBI within 48 hours. Total amount saved was upto 10 crores.
“When one of the branches was totally down, the customers were not kept waiting.
Instead they were asked to bank at the nearest branch and all their needs were
serviced. This was possible due to the branches being online,” said Mr Anantharaman
Ganesh – Chief Manager, SBI.
315
5.3 Organisation
In terms of personnel and business continuity, SBI has a structure where there is no
single person absolute dependency at any level. In case of any personnel being
indisposed to perform their function, the reporting structure has been defined so that
there is no interruption in processes. SBI has defined responsibility of individuals in
the hierarchy in terms of scope of duty and communication. Individual powers have
been given to people to use their discretion.
In case of key personnel not being available, internal bank guidelines that are already
outlined provide the necessary knowledge to effect transactions by others. The Branch
Manager takes approval on “substitute personnel” from his controller and
communicates it to the employees at the branch via a circular. This list is subject to
audit and verification, and is renewed every year.
“In case of key personnel being incapacitated, the second rung of officials takes over.
The “task allocation list” is discussed in the branch meeting and recorded. Written
permission to promulgate the list is obtained from senior official (controller) each
year. Appropriate instructions are communicated to the employees to make them
aware, particularly about changes made from earlier instructions. The process is
internally audited,” said Mr. Srinivasan – Assistant General Manager.
The operational control and information flow scheme at various levels is as per the
organization hierarchy enumerated in figures A5.1 to A5.6 placed at the end of this
Annexure. The hierarchy of control is exercised through different levels of
controllers: branch manager, regional manager, zonal manager, and HO. The Chief
General Manager along with other General Managers picks the senior officers who in
turn pick the team under them. The Circle Management Committee comprising of the
CGM and GMs reviews periodic reports from the senior officers heading the cell.
Senior officers visit all branches under their control periodically, as per calendar, to
audit preparedness. The observations and comments on performance by the visiting
teams are shared with the branch manager. He / She incorporates the changes and
reports on the improvements made to the immediate controller. Senior officers
conduct regular internal staff meetings with employees of the branch to facilitate
improvements in individual and overall performance.
316
IFB Division of SBI commenced in 1997. It services corporate customers only,
roughly around 66 accounts. Daily turnover of the credit, forex etc depts. is approx
100 crores. There are approx 2000 branches of the total 9000 online in the core
banking system. By March 2006, 5000 branches are expected to come online.
Personnel & Human Resource department deals with various activities like transfers,
promotions, leave records, staff loans, welfare activities like scholarships etc. There
are 179 officers in Region 4, covering 33 branches. The person heading the branch,
whether it is AGM, CGM, or BM, depends on the volume of business generated by
that particular branch. Local HO comes up with the number of staff necessary at each
branch, depending on volume of business.
5.4 Culture
The planning for maintaining Business Continuity at all times has always been part of
the organizational culture in SBI. The comprehensiveness and clarity of the rules and
regulations that are well communicated ensures less individual intervention except in
the case of disasters, where decisions need to be made. The richness of open culture
promotes the practice of personnel at every level enjoying the liberty of approaching
senior management or immediate senior. There is no inhibition to any one in bringing
the suspected malpractice cases that are against the best interests of the bank, to the
notice of senior management. One could consider this to be a type of continuous
internal audit ensuring high degree of business continuity and quality.
“It is the organizational culture of SBI that motivates people to take initiatives in case
of disasters or any other untoward scenario is the culture in SBI. This has been
propagated by the top management and has helped to inculcate a feeling of
belongingness in the organization. Individuals are consciously identified by the top
management to be leaders in case of emergencies. The outsourced agencies administer
tests (psychosomatic analysis, situational analysis), usually done at the time of
appraisals and promotions, to employees to help this process,” said Ms. Naina Panse –
Asst. General Manager, SBI. She further adds, “Competency mapping is carried out
by way of these tests and helps employees perform their jobs better as they are
empowered in terms of knowledge and repercussions of faulty actions.”
317
The attitude and sponsorship of top management makes noticeable difference in
shaping the organization culture. Monthly bulletins enumerating vision, practices and
achievements, are circulated by the corporate center to the employees. Training
courses conducted, both on HR as well as operational issues reinforces the sense of
belongingness in employees. The high sense of belonging amongst SBI people is
further highlighted by the views of Mr. Dinesh Pandey – Asst. General Manager, SBI.
“Employee motivation levels are high due to the organizational culture. Employees
are aware of repercussions to the organization and self in case of any disaster. This
feeling of responsibility and belongingness is enhanced by continuous training in the
behavioral sciences, which is conducted in training schools and colleges,” said.
5.5 Practices
SBI launched on to massive BPR (Business Process Re-engineering) exercise with the
help of consultants to identify problem areas in processes. The study pointed out that
while process efficiency was well addressed customers had become low priority for
the managers engaged in business development initiatives. There were some issues of
clarity as regards job definitions, communication and focus. The re-engineered
processes ensure that customer becomes and remains the main point of focus of
managerial attention in SBI. There are clear metrics to measure performance of all
processes related to customer management e.g. contact time, delivery etc. These have
been defined with stringent timelines to be followed.
To ensure smooth running of processes in SBI, the different processes have been
bifurcated. The branch now acts only as a front end for customers. Previously every
procedure in SBI was done manually, and supervised by Branch Manager personally.
With extensive use of IT, cells have been formed for different functions of processing
and the back office work is now shifted out of the branch to the respective cell
(Central Processing Cell). This leaves the branch manager and the other employees
with ample time to focus on new business development, which was previously not
happening. The back office also needs to complete its processing within a certain
time, since audit is held and any lag is questioned.
“Nationalized banks offer more personalized contact with the customer as compared
to private banks, who use franchisees to contact customers. The only advantage
private banks have is online access for the customers to their money, and a range of
318
services. But with the advent of IT in nationalized banks of late, this advantage is
slowly disappearing,” said Mr. Anantharaman Ganesh – Chief Manager, SBI
Employees are rotated every 3 months within the same dept and annually between
depts. This helps in ensuring continuity incase of employee absenteeism, since other
employees can pitch in. Continuity can be looked at from a point of things like getting
relevant documents from customers, getting them on time etc. This helps processes to
run without any idle time. For this continuity, it is important that the customer is
educated, not only about existing processes but also about new products in the market.
This also adds to the trust factor and helps in retention of customer & expansion of
business.
Single window counter concept was started three years ago. The employee manning
this window is usually a senior or a special assistant, and is given certain powers so
that all sorts of queries and processes can be done at that window itself. There is
usually also a senior person sitting at the next counter, so that any tasks to be done
which requires additional sanctions can be done immediately. With decrease in
manual work, there will be more specialists in the organization. This will increase
efficiency and speed in processes.
Knowledge sharing and dissemination is a common practice at SBI whenever caring

out change management initiatives such as automation. “Faculty members visit
branches during any transition of IT processes, to ensure smooth pass-over. User
champions are then identified at the branch to help other employees after the
transition period is over and the central team withdraws. In case, the central support
team experiences shortage of IT staff to handhold, these user champions are deputed
to the branches needing help,” said Mr. R. J. Desai – Asst. General Manager – IT
Services dept., SBI.
Training and re-training of employees enjoys serious management attention at SBI.

The Head Office works out training calendar and allocates ‘seats’ to different regions.
Depending on the training topic, individuals are selected for participation. In case of
promotions, there is a fast track as well as a normal course. For the fast track, the last
4 years records are seen and compared to certain criteria, which are necessary for
promotion. These criteria are communicated to employees by means of circulars. At
any time, employees can put up a case when they feel that promotions have been
unfairly denied.
319
5.6 The Continuity Framework
DR plan is prepared in case of circumstances like fire, flood etc. Steps are taken to
recover at the earliest in case of a disaster. DR cell identifies people who will be
taking charge of the operations in case of disaster. Representatives from all divisions
(sections) with alternate / substitute officers (in case of incapacitation of selected
officers) are chosen. Discretion of senior officials and experience of the person under
consideration is also used to choose these people. People more than technology are
responsible for a DR plan and processes working effectively and efficiently. Policies
and guidelines are also important to put processes in place.
“In the month of October, a mock drill was held wherein the State Bank of Patiala
worked for a day accessing the Chennai DR site. The drill was largely successful,”
said Mr. Dinesh Pandey – Asst. General Manager, SBI
Each branch of SBI prepares a DR plan taking into consideration various factors like
the floor layout, the number of employees, volume of business etc. For transactional
safety, the system is closed at the end of the day. A 2nd set of transactions is prepared
each day and stored in a floppy at a nearby branch. There is a fireproof cabinet
assigned to each branch in which the floppy is stored. Officers to be taking charge of
the DR cell are selected by their superiors. Reporting structure is already laid down
and known to employees. Communication is done to the employees as to who will be
doing what function. The process of selecting these officers is according to discretion
of superior officer. One key to this cabinet is deposited at the local office. The branch
manager signs monthly certificate saying that this procedure has been followed
meticulously and this report is given to the controller. In case of a system failure,
backup taken as above, is used, so there is little or no idle time. In case of a disaster,
the immediate controller assumes responsibility. Then feedback is given to the next
immediate controller. India is divided into 14 circles totally. Mumbai and Goa are
included in the same circle and cover about 850 branches. In case of any disaster in
any branch, controller is given immediate feedback.
The Branch Manager prepares this every year and submits it to the controller for
approval. The controller is the reporting functionary like the Regional Manager or
DGM. This plan covers various eventualities like fire, system breakdown, employees
(senior functionaries) on leave or absconding. This plan when approved becomes a
branch document and is made available to all employees. Mock drills are conducted a
320
minimum of 2-3 times a year at random intervals, to test the DR plan. Security
officers who are retired military personnel, check the procedures followed during the
drills. There is a branch audit 3- 4 times a year. This audit checks the DR plan, the
controller’s remarks, and the action taken on the remark by the Branch Manager.
5.7 Processes
Tracking sheets are used to measure timelines and checked for adherence to processes
on a daily basis. The responsible individual explains reasons for delay in any of these
timelines. Tracking sheets are sent to the corporate office on a weekly basis. This
ensures auditing at regular intervals. Above all, ownership of processes needs to be
taken by individuals at management level.
“Another aspect is locking up of security, infrastructure, cash etc that is also done
each day. A duplicate key for access is kept at a nearby branch. The key number,
contents stored, person having the original and duplicate is documented and sent to
the controller. It is also recorded in the branch document register,” said Mr.
Srinivasan – Assistant General Manager, SBI.
Whenever there is any problem at any ATM, a team of engineers visits it to sort out
problems immediately. Specialisation in departments is being considered as an
initiative in the bank. Single window policy has also been started. Here, the customer
gets all services like drafts, account queries etc at a single window. The employee
manning this window is given certain powers so that decisions can be taken by him
alone instead of escalating matters to the senior official. Staff is also given 2 layers of
support, from peers as well as from senior officers.
“Awareness is increased by usage of the intranet. Policy decisions are also made
available easily through the intranet, so employees are kept informed and feel like part
of the organization,” said Mr. Srinivasan – Assistant General Manager, SBI.
“The security personnel hold security meetings and reports are given to the Branch
Manager. When the audit is held, the Branch Manager has to give a compliance report
otherwise the case is not closed. Ratings are also given to the branch on this
compliance report,” said Mr Dinesh Pandey – Asst. General Manager, SBI.
321
Employees are given access online to directions on how to use the software. This has
helped to educate them and increase the usage of IT. They are also allowed to view
their job cards having rules and regulations online.
“Reports are given by various branches on a monthly basis regarding business

parameters like turnover, dues, sales etc. These are given in a manual format. ABC
analysis is done and they are then converted into electronic format. Branches have
been made aware of the repercussions in case of erroneous reporting, and incorrect
procedures used. This helps to ensure internal audit,” said Mr. Ashok Menon – Chief
Manager, SBI.
Data about officers is stored in floppies by the P&HR department and sent to the local
HO. There it is stored in electronic format.
Rules and policies are well set, so that decisions can be easily made. Only exceptions
need to be considered, for which discretion is used by senior officer. Management has
given more powers to supervisory staff so that officers can focus more on marketing.
Every month, there is a performance review meeting of branch managers to analyze
and improve performance. In case of any personnel on leave or being incapacitated,
the senior officer immediately takes over.
5.8 Computerization
Computerization was introduced in SBI in 1992, which touched around 3 lakh
employees. There are totally 52 training centers, out of which 28 are for technical
training alone. There is a help line both in terms of telephone and web-based, which
caters to an entire circle. This can be used even for solving even the smallest
disruption. There are 2 help lines catering to the Maharashtra and Goa region. Web-
based help lines are e-learning modules, as well as the intranet. Inclination to change
is most important in a person. Therefore motivation is essential for changes to be
embraced, in terms of processes or IT. Age of the employee can also be a factor in
learning. Younger employees are much more likely to educate themselves through the
intranet, whereas older employees tend to call up the help line. In the initial 15-20
days, three to five IT people give an on-the-job training. Control mechanisms are also
taught to branch managers.
Corporate center at Belapur gives directions about infrastructure procurement,

bandwidth allocation, security policies and other IT issues. Directives are given to the
322
IT department, which then does the needful. Sizing of requirements at the branch
level is done by the IT department, in discussion with the Branch Manager. The
programming of the software is then done through the network.
“In the current core banking implementation process, the team doing the
implementation is temporary. After stabilization of the new process, the team might
get disbanded. The roles of the individuals in the team are likely to change to
maintaining control mechanisms,” said Mr. R J. Desai – Asst. General Manager – IT
Services dept., SBI.
Core banking project being implemented in SBI has its data center at Belapur, and DR
site is at Chennai. SBI has 3 global data centers, one each in US, UK and India. The
branches in Asia Pacific region are connected to the Indian global data center.
Capacity planning exercises of DR site are done once in 6 months. Data center
operations are managed by TCS while routine operations like the in house SBI team
does report generation. Long-term plan is to have totally in house DR operations.
“IT initiatives have lessened manual work. Time thus saved by employees is used in
expanding business by cross selling. Incentives are given for this, which has proved to
be a motivation,” said Mr. Ashok Menon – Chief Manager, SBI.
5.9 IT Organization
Communication to employees regarding updates, trainings, news etc is done via an
intranet newsletter, which is accessible to all employees of SBI. This is used
extensively throughout the organization and has proved to be quite helpful. Continuity
in processes also requires that employees know how to perform jobs effectively. Job
cards are available via the intranet, so that there is no barrier to communication
among employees.
In terms of system recovery, backup is taken each day. One backup is kept at office
and a copy is kept offsite. So recovery does not take more than a few hours at the
most. There is also a centralized data center at Belapur, which caters to problems/
queries from all the branches. This is facilitated since most of the branches are now
online. There is also an offsite backup at Chennai. In case of electricity outage, 2 UPS
batteries will take over as backup. Even if one UPS stops working, atleast 50% of the
branch will still function with the other UPS. The number of UPS to be kept at each
323
branch is decided by the IT team (Computers and communication system), depending
on the number of nodes at the location.
“IT has made facilitation of transactions easier due to networking of branches. Core
banking solution software was introduced in March 2005, and support is being given
by the IT team at Belapur. Employees are also given training on an ongoing basis on
the software, so that they can use the software effectively. Online help through the
intranet has also increased the level of motivation in the employees,” said Mr.
Srinivasan – Assistant General Manager, SBI.
Currently around 2500 branches are on the core-banking network. Associate banks
have around 3000 branches on the network. The data center has physical
infrastructure which is totally redundant having UPS back up as DG which has
another DG as backup, 2 air handling units etc. Electronic access controls are used for
physical security. Environment control management is done by parameters, which are
measured on real time basis. In terms of IT infrastructure, HP superdome servers (4
numbers) are clustered together in fail over mode to provide redundancy. Two of
these servers are used for SBI and the remaining 2 are used for the associate banks.
Racks are also configured with dual input so as to enable redundant power supply. In
terms of software, database used is Oracle and platform used is HP UNIX 11i. To
ensure that there is no bandwidth problem in transfer of logs, 156 mbps dedicated
lease line with a redundant link of 34 mbps is used.
TCS provides software solutions. Infosys provides applications to the branches abroad
and FNS (taken over by TCS) provides the domestic application. The logs of the End-
of-day operations are transferred to the DR site in Chennai. Log is shifted in
asynchronous and not real time mode. Therefore there is a slight time lag of around 3
minutes. In the case of a disaster, the current log and the subsequent logs will not be
shifted, due to the time lag. In the worst-case scenario, these logs will have to be re-
entered and re-sent. To ensure that there is zero data loss of logs in case of disaster,
SBI is coming up with plans for a nearby secondary DR site. There will be
synchronous data replication with log being maintained at the nearby site first and
then copied to the Belapur site. Therefore, even in case of current data not being
transferred to Chennai, current log can be retrieved from nearby site.
“RTO (recovery time objective) estimated for uptime is 4 hours. SBI has held mock
drills and the recovery have been managed within this estimated time frame.
324
However, fine-tuning of operations can still be done to further reduce this time frame.
RTO is extended due to the fact that after logs are transferred, they have to be
converted into production mode, which takes some amount of time. Also, in case of
disaster, the network provider (Datacraft) has to switch traffic through a different
router. This also adds to the RTO, which will hence take a total of around 3-4 hours,”
said Mr. T. Prabhakar – Deputy General Manager – IT Technical, SBI.
The Chennai site works on the same infrastructure as the Belapur data center, except
that redundancies are not built in. The site can take the load of transactions for atleast
a few weeks. Central service desk is used to solve user problems through the intranet.
There are various categories like hardware, software etc. User can log in through his
terminal to this helpdesk, log in his complaint, get a ticket, and follow up on the
status.
Escalation level is built into the software. 2nd level of escalation is the functional or
domain level expert and 3rd level of escalation is the system administrator. 80% of
user problems are solved within 2-3 hours. Otherwise they are escalated to 2nd and
3rd level as necessary. Third level is used when there are bugs in the system or code
changes need to be made. In such cases, functionality is checked in a test environment
and only then given to production.
Software introduced helps in faster transactions and decision-making. This is very

important in case of a volatile market like forex. Only 1% of total transactions are
bad. In terms of infrastructure, there is a 7-hour battery backup in case of an
electricity outage. There is also a DR site at Chennai. As long as transactions for the
day are completed, there is no loss of data. Bandwidth has also been expanded to
accommodate for increase in number of online branches. Provider is Sify. Business
growth is a result of process, attitude and a need for excellence. Software used by SBI
is maintained totally by TCS. The AMC of hardware is carried out by SBI itself.

The experience of managing successful BCM implementation by SBI discussed in
this case highlights learnings that can be put to practice in achieving effective
recovery by banks when they meet disasters. These are enumerated below:
325
5.10.1 Policy
a. Clear definition of vision & mission and performance of bank as well as the
employees not only serves as good motivator but also prepares a vibrant BCM
organization.
b. Creation of an organizational culture of empowerment and enablement amongst
employees to display high sense of belonging while overcoming disasters by
taking leadership positions augments BCM effectiveness.
c. A well-defined and communicated structure that is to be followed in challenging
situations as regarding sharing of roles and responsibilities is paramount to
realization of DR Plans. Processes need to be re-engineered to make them
substitutable with alternate processes when required.
d. Computerization of Core Banking and Allied processes allows pushing Back
office work out of branches to data centers allowing staff to focus on delivery
and support thereby enhancing customer service levels and more personal
contact.
5.10.2 Personnel
a. Employees are rotated every 3 months within the same dept and annually
between depts. This helps in ensuring continuity incase of employee
absenteeism. This also adds to the trust factor and helps in retention of customer
& expansion of business.
b. Awareness of policy decisions and operating procedures can be increased by
usage of the intranet. Training and re-training of employees must enjoy serious
management attention. User champion’s are to be identified at the branch to help
other employees.
c. More interaction between senior officers and branch employees helps operating
level understand corporate vision and enhances preparedness. It also serves as a
mechanism to facilitate improvements.
5.10.3 Facility
a. DR plans are to include details of floor layout, the number of employees,
volume of business , fire systems breakdown drills, access controls to various
locations, cash lockers, placement of duplicate/alternate keys in other locations
(nearby branch).
b. Basements are commonplace to install alternate power supply systems, air
conditioning equipment and water supply pumps etc. These become serious
326
constraints to continuity due to accidental flooding. Innovative ideas in locating
these enhance continuity.
5.10.4 Data Center

a. A centralized data center with electronic access controls for physical security,
environment control management, state of the art servers (are clustered together
in fail over mode to provide redundancy) & backing up systems, centralized
damage control monitoring systems and amenities for centre staff is absolute
necessity to house IT systems for a bank from BCM perspective
b. The logs of the End-of-day operations can be transferred to the Cold site in
asynchronous mode and nearby secondary site in real time mode to ensure faster
recovery during disruptions. The alternate sites must be loaded with transactions
regularly to keep them DR ready.
DR Operations
a. Data center operations that are normally managed by main centre staff must
have provisions (and must be practiced) for remote operations from other sites
or a service provider. Escalation levels are to be built into the centre
management software for functions, processes and system administration. 2nd
level of escalation is the functional or domain level expert and 3rd level of
escalation is the system administrator.
b. In case of disasters the organization that will come into force (Controller and
support staff) to run the data centre from alternate locations must be defined and
information communicated to all concerned to ensure continuity of operations.
327
Organization of SBI
Corporate Office
Zonal Office
Regional Office
Branch Office
Figure A5.1 Corporate Organization
328
Figure A5.2 Development Organization
Figure A5.3 IT Organization
329
Figure A5.4 HR & Administration
Figure A5.5 Corporate Banking Group
330
Figure A5.6 International Banking Group
331
Annexure 6
Test of Confidence Level (Standardized v/s Percentile Data)
Standardized Standardized Standardized
RLRIt Percentile RLRIm Percentile RLRIf Percentile
Data Data Data
A1 3.96 0.627 0.60 1.70 -1.132 0.15 2.13 -0.457 0.40
A2 2.15 -0.606 0.40 2.55 -0.313 0.40 1.72 -0.778 0.25
A3 4.41 0.931 0.75 3.86 0.952 0.85 3.80 0.871 0.75
A4 4.20 0.788 0.65 3.31 0.422 0.70 3.60 0.713 0.65
A5 0.76 -1.555 0.00 1.05 -1.755 0.00 3.80 0.871 0.75
A6 4.41 0.931 0.75 3.73 0.826 0.80 4.32 1.283 0.95
A7 4.20 0.788 0.65 2.50 -0.356 0.30 1.75 -0.754 0.30
A8 4.78 1.179 0.90 2.95 0.077 0.45 2.80 0.078 0.45
A9 1.20 -1.257 0.10 1.35 -1.465 0.05 0.30 -1.904 0.00
B1 1.35 -1.151 0.15 3.25 0.362 0.65 1.80 -0.714 0.35
B2 1.83 -0.822 0.25 2.53 -0.324 0.35 1.50 -0.952 0.15
B3 4.75 1.162 0.85 3.86 0.959 0.90 4.30 1.267 0.90
B4 1.93 -0.754 0.30 1.75 -1.080 0.20 1.70 -0.794 0.20
B5 4.90 1.264 0.95 4.80 1.861 1.00 3.01 0.245 0.55
B6 3.22 0.123 0.50 2.97 0.097 0.50 4.32 1.283 0.95
B7 1.59 -0.989 0.20 1.46 -1.355 0.10 1.25 -1.150 0.10
C1 1.16 -1.283 0.05 2.34 -0.510 0.25 3.60 0.713 0.65
C2 2.07 -0.664 0.35 3.05 0.174 0.60 2.88 0.142 0.50
C3 4.97 1.314 1.00 4.70 1.765 0.95 3.44 0.586 0.60
D1 2.25 -0.539 0.45 3.00 0.126 0.55 0.66 -1.618 0.05
D2 3.80 0.514 0.55 3.56 0.668 0.75 4.05 1.069 0.85
Correlation Coefficients Correlation Coefficients Correlation Coefficients

Percentile Percentile Percentile
Data Data Data
1 1 1
Data Data Data
Percentile 0.978 1 Percentile 0.982 1 Percentile 0.985 1
Standardized Data Standardized Data Standardized Data

Mean 3.042 Mean 2.870 Mean 2.701
Median 3.2224 Median 2.97 Median 2.88
Standard Standard Standard
1.469 1.037 1.261
Deviation Deviation Deviation
Skewness -0.085 Skewness 0.039 Skewness -0.311
332
Analysis:
The skewness of the distribution of responses for top and middle levels of management are found to be close to zero, indicating that
usage of standardized results would be consistent with the usage of percentile ranks, which have been used in the analysis. Further, the
correlation coefficients for the two sets of results, viz Standardized scores and Percentiles, yielded 0.978 and 0.982 respectively for top
and middle management, showing credence to use of percentiles. In case of responses by the third group, i.e., lower levels of
management, the skewness of -0.311 surely indicates the presence of higher scores towards the upper percentiles. However, this
cannot be a deterent to using percentiles for making a comparative prediction amongst the three management levels. This is due to the
fact that
(a) the mean score of this third group is lowest at 2.701 amongst the three groups
(b) the correlation coefficient between using standardized scores and percentiles is high at 0.985.
Inference:
It has been observed that an 80 percentile score is at around one standard deviation or above the mean, which captures nearly 16% of
the responses in the top bracket. The confidence in quoting this figure of 16% stems from the skewness factor of the responses, which
is found to be almost close to zero, as in a normal distribution. Hence an 80 percentile is being considered as a 'high' and a 20
percentile signifies a 'low' category.
Note: Standardization Formula = {( Value - Average ) / Standard Deviation }
333
REFERENCES
Amato-McCoy Deena M., Planning for Continuity, Bank Systems & Technology, February
27, 2006,
Ambrosio Johanna, THE INFORMATION ARCHITECT: Disaster recovery: Know what

you really need, Published: October 25, 2001.
Balasubramanya. S, IT wave breaks over banking, The City, August 2002,

http://www.tcs.com/0_features/articles/it_banking_industry.htm
Barnes Peter, FBCI, Planning for people, March 18, 2005,

http://www.continuitycentral.com/feature0186.htm
Bill Mulcahy, Assistant vice president of Systems, Sun Life Assurance explained the
structure of electronic vaulting deployed by his company to Smith Laura in her article “The
new face of disaster recovery”, March, 2002
Bimal Jalan, Governor, Reserve Bank of India, India’s economy in the new millennium,
VBS Publishers Pvt. Ltd, New Delhi, Aug 2006.
Bleiberg Ron, SmartAdvice: Planning Ahead Means A Disaster Needn't Wipe Out Your
Business, Aug. 22, 2005
http://www.fileon.com/press/articles/disaster-neednt-wipe-out-business.html
Bloor Robin, Bloor Research, BCM Findings in USA – A report, Jan 2003.
Boulton Clint, Bank Data Leak Jumpstarts Encryption Talk, March 2,

2005http://www.internetnews.com/storage/article.php/3486786
Brahim Herbane, Dominic Elliott and Ethne Swartz ( Leicester Business School, UK),
Contingency and continua, Achieving Excellence through Business continuity
planning, Business Horizons, December 1997.
Brian Periera, implementing a Business continuity plan, network magazine, issue of August
2002.
Brooks Darryl, Best Practices, Published: November 2003

334
Bruno-Britz Maria, Banking System Defiant in Katrina's Aftermath, September 13, 2005.
Charles Wallen, Managing Executive, FSTC's Business Continuity, Standing Committee

and Project Director, Bank systems & Technology, Resilience You Can Measure,
December 01, 2006.
Coles Warren, Executive Vice President, PULSE EFT Association, Houstan USA,
“Planning for Continuity”. - interview with Bank systems & Technology, February 27,
2006.
Core Banking Infrastructure - Sustenance and Deployment, Special Report, Indian Bank’s
Association, March 2006,
http://www.iba.org.in/iba_ibs.asp#
Croy Michael, Director of business continuity for Forsythe Solutions Group Bank systems
& Technology, Planning for Continuity, February 27, 2006.
Das Gupta Soutiman, Banking on business continuance, BCP Stratégies, Network

Magazine, August 2002
Dell’Ariccia Giovanni, Detragiache Enrica and Rajan Raghuram, Executives IMF, The Real
Effect of Banking Crises, October 2004
DeZabala Ted, Principal and National security services leader, Deloitte & Touché, “A
survey on large number of companies in UK”, Financial Services Technology,
September, 2002.
Dhawan, Consultant KPMG, comment in the article “Indian IT industry shies from investing
in BCM initiatives”, Express computers. Indian Express Group, July 7, 2003,
Djankov, S. C. McLiesh and A. Shleifer 2005, Private credit in 129 countries, NBER
Working Paper 11078, January 2005.
DoedeDe Waij, Senior Manager, Marsh Risk Consulting, BCM - Protecting enterprise
value, July 2006.
335
Donald Ferguson, an enterprise storage consultant, from EMC, Hopkinton, MA, USA
provided his views of “Configurations in Future” to Smith Laura, in her article “The
new face of disaster recovery”, Mar 2002.
Donna Scott of the Gartner Group, Stamford, CT. comments in “Leading Companies Revive
Focus on Best Practices to Bolster Profits in Recessionary Climate”, February 26,
2002.
Dr.Suvit Yodmani and Dr.David Hollister, Disasters and Communication Technology:

Perspectives from Asia, Presented at the Second Tampere Conference on Disaster
Communications, 28-30 May 2001
Fucito Robert, BNP Paribas, Business Continuity report Jan. 2004.
G Padmanabhan, Chief General Manager, Dept of IT, RBI, “Business Continuity – a new
priority for banks”, Bank Tech Summit, Taj Lands End Mumbai, ,September 22, 2005
G., Shrikanth, “SERVERS AND WORKSTATIONS: Going FullSteam”, Jan 2005.

Gallagher Michael, What is the worst that could happen, Financial Times, Printece Hall,
May 2003.
Ghaisas Deepak, CEO iflex, “Nimitt” Conference - “Innovations in banking”.,SPJIMR,

July 17, 2006.
Gondek, Richard, Internetworking Practice Lead, Greenwich Technology Partners,Journal

of Business Strategy, August 2002.
Gupta Soutiman Das, “BCP Strategies – Banking in Business continuance”, Network

magazine, Express Computer group, Indian Express, August 2002.
Herring Richard J. and Diebold Frank, Operational Risk Poses Challenges to Financial
Institutions and Regulations, Wharton School at the University of Pennsylvania,July
03, 2002
Knowledge@Wharton.edu
336
Hoenig Thomas M., President, Federal Reserve Bank of Kansas City, Kansas City,
Missouri, Financial Modernization: Implications for the Safety Net Conference on
Deposit Insurance, , Washington, D.C., January 29, 1998
Howarth Fran, Business continuity planning: will your plans save you, January 12, 2004
http://www.it-director.com/article.php?articleid=11564
Hunt Hal, “Lesson of Hurricane Hugo” - ECT News Network, at 6:00 AM on May 08,
2004
Hunt Hal, Lesson of Hurricane Hugo: Plan Recovery, 6:00 AM PT, Part of the ECT News
Network May 8, 2004
James Royds, founding partner of InfoSec Associates and past Chairman of Information
Security & BS7799 Survive - The Future of Business Continuity Management, Credit
Control, House of Words Ltd, January 2007.
James Ryods, founding partner of InfoSec Associates and past Chairman of Information
Security & BS7799 Survive - The Future of Business Continuity Management, Credit
Control, House of Words Ltd, January 2007.
Jamie Gruener’s, (an analyst at the Yankee Group in Boston) comment in the article
‘Disaster recovery: Know what you really need’ by Ambrosio Johanna, October 25,
2001.
John Webster, a senior analyst at Illuminata Inc. in Nashua, N.H., Disaster Recovery
Journal (WP 2003-02)., September 2002.
Kamesam Vepa, Deputy Governor, Reserve Bank of India, Excerpt from Address Delivered
at Central Bank of Sri Lanka, Colombo, August 20, 2003.
Kapoor Sameer, Executive Director, PWC, “Business Continuity and Disaster Recovery”,
Interview to Financial Times, June 2005.
Kaul, Hemant, “Customer Focus Banking. The UTI Bank Experience”, January, 2003,
337
Kelly John and David Stark, Presentation at the Reginald H. Jones Center’s 3rd Annual
conference on the Internet and Strategy- “The Internet and the 21st Century Firm”
April 12, 2002
Kerry Massaro, Mapping out BCP guidelines, Wall street Technology magazine, pages 21
to 22, June 2003
Khanna Anurag, MD & CEO, Banknet India, Developments in Banking & Banking
Technology, Banknet Directory, January 2002
King Jason, Director of financial services, Hyland Software's Vendor's OnBase content
management firm, Ohio, USA comments in his interview with Bank systems &
Technology, Planning for Continuity, February 27, 2006,
http://www.banktech.com/showArticle.jhtml?articleID=181400621.
Kirkpatrick Terry, Remarked in report published in CIO Insight, January 2002.
Kon Karakasidis, (KPMG Information Technology Consulting Division, Melbourne,

Australia) A project planning process for business continuity, Information
Management & Computer Security, Vol. 5 , No. 2, Aug 1997.
Kovar, Joseph F, Helping SMBs to weather the storm, CMP Media LLC, July 28, 2003.
www.CRN.com
Lee, CIO, Baltimore, Maryland's tax department commented Security 2002: Rethinking
Risk, September 16, 2002.
Luft David, Proactive plans thwart SMB threats, June 15, 2005
Powerhouse”,Mumbai, July 18, 2006.
MacDonnell Ulsch, managing director of Janus Risk Management Inc. in Marlborough,

comments in report “Security 2002: Rethinking Risk”, September 16, 2002.
Maiwald Eric & Seiglein William, Security Planning and Disaster Recovery, McGraw-Hill
Professional, Osborne, USA, P 235 – 249., January 2002.
Mani Rahul Neel, Indian IT industry shies from investing in BCM initiatives, July 7, 2003
http://www.expresscomputeronline.com/20030707/indtrend1.shtml,
338
Martin Pat, Vice President, Corporate Communications, Regions Bank, Birmingham, USA,
interview extracts, Bank systems & Technology, Planning for Continuity, February
27, 2006.
http://www.banktech.com/showArticle.jhtml?article ID=181400621
Mawson Thomas, Executive Director, DRI international, Virginia, Risk evaluation &
Control, Security Magazine, May 2003.
Miller Kevin, Consultant, Stroh Consulting Services, BCM Report, July 2003.
Mishra A. K., Professor, IIM Lucknow, Internet Banking in India – Part I, Conference
paper, Booz Allen & Hamilton, August 2005
Mohan Lakshmi and Rai Sunil, “, “Business Continuity Model: A Reality Check for Banks
in India”, Journal of Internet Banking and Commerce, vol. 11, no.2, August 2006,
http://www.arraydev.com/commerce/jibc/
Mohan Lakshmi and Rai Sunil, “Business Continuity Management in Banks – The Indian
Experience”, Journal of Internet Banking and Commerce, vol. 11, no.2, August 2006,
http://www.arraydev.com/commerce/jibc/
Morganti Michael, A business continuity plan keeps you in business, Record , The
magazine of Property Conservation, September 2001
Muntes Sumint, Chief Operating Officer, HSBC, “Disaster Recovery and Business
continuity in banks”, Bank Tech Summit, Taj Lands End Mumbai, September 22,
2005.
Navale Samrat, e-Finance for Development - An Indian Perspective, Monterrey, Mexico,

March 19, 2002
Navale Samrat, “e-Finance for Development - An Indian Perspective, Monterrey, Mexico,

January 2002.
Oltsik Jon, Hot spots: So much can go wrong with disaster recovery. What can you do to
ensure all goes well?, June 2004,
http://storagemagazine.techtarget.com/magItem/1,291266,sid35_gci969972,00.html
339
O'Neill Shane, Senior News Writer, DR plans stuck on, February 02, 2005.
Parthasarathi P., Chief General Manager, RBI, letter Ref. RBI/2004-05/420 DBS.CO.IS
Audit.No. 19/31.02.03/2004-05 dated April 15, 2005 to All Chairmen / Managing
Directors / Chief Executive Officers of all Scheduled Commercial Banks, April
15,2005.
Pescatore, Gartner , “ Security 2002: Rethinking Risk”, September 16, 2002.
Prabhu Giridhar G, Achal Industries, Mangalore, Paper presented at Symposium on

Privatization of Nationalized Banks – Corporation Bank Officers’ Organization (R),
Mangalore, July 21, 2001
Ramanathan, R.N, “Transforming a Giant: SBI ensures a smooth transition”, January 2006
http://www.financialnsights.com/FI/events/FTA06/downloads/presentations/rn_raman
athan.pdf
Rao Gurram Ramachandra and Kasula Prathima, Internet Banking in India, Mondaq
Business Briefing, April 11, 2003.
Ray, Atmadip, “Banks Gear Up To Set Up Disaster Recovery Centres”, January 2005
Reddy Amarender, Banking Sector Liberalization and Efficiency of Indian Banks, The
ICFAI Journal of Bank Management, Volume II P 37-53, May 2, 2004.
Reddy Y.V, RBI measures - Payment Systems, Extract from the Inaugural Address by
Governor, Reserve Bank of India at Twenty-Fifth Bank Economists’ Conference
(BECON- 2003) , December 11, 2003.
Scott, Gartner, interview with Smith Laura in her article “The new face of disaster
recovery”, Security Magazine, March 2002.
Seokumar, Emergence of eBanking, January 2005.

http://www.1888articles.com/emergence-of-ebanking-0bo443i67a.html
Shah Shilpa, Executive, Banknet India, Mumbai, Indian banks moving towards electronic
payment systems- Banknet India, Third Annual Conference on Payment Systems in
Banks", January 10, 2007.
340
Sharp John, Business Continuity Management & The Duties Under Civil Contingencies
Act, Continuity Forum, April 2003.
http://www.bristol.gov.uk/ccm/cms-service/download/asset/?asset_id=12781050.
Shore Dave, “Web-based solutions can ensure business continuity”, Tech Republic, May
20, 2002.
Shore Dave, Sept. 11 teaches real lessons in disaster recovery and business continuity
planning, May 17, 2002.
http://techrepublic.com.com/5100-10878_11-1048799.html?tag=search#
Sirsalewala, Minu, “Technology converges at HDFC Bank”, January 2003.

Smith Laura, “The new face of disaster recovery”, Disaster Recovery Magazine, March
2002.
Snow David, Senior Consultant , Stroh Consulting Services, July 2003.

http/www. Stroh.systems.com
Srinivasan M. R., Chief General Manager-in-Charge, Internet Banking in India – Guidelines

to All Scheduled Commercial Banks, DBOD.COMP.BC.No.130/ 07.03.23/ 2000-01,
June 14, 2001
Srivastav Pradeep, Department of Banking surveillance, RBI, “Computerization, efficiency

and Financial reforms” a report published by RBI, September 1999.
Staimer Marc, Data determines the right disaster recovery, Issue: January 2005,
Susan Rodetis, “Can your buiness survive the unexpected”, Journal of Accountancy,
February 1999.
Toigo William, BCMP consultant, “Lesson of Hurricane Hugo”, Interview on a TV

program at 6:00 AM on ECT News Network ,May 8, 2004.
341
Ulsch, Financial Services Inc, Boston, “Need for more alternate sites to move people” ,
Security 2002: Rethinking Risk, September 16, 2002.
Watanagase Tarisa, Governor, Bank of Thailand., BOT Notification No. 118-2550 (23-01-
07), January 23, 2007
Y.V. Reddy , Governor RBI, Report on trend and progress of banking in India 2005-06 ,
submitted to the Central Government in terms of Section 36(2) of the Banking
Regulation Act, 1949, Page 77, June 30, 2006.
342
RBI Directives and Reports
Banking Regulation Act of India, 1949 and Negotiable Instruments Act 1881
India Banking 2010, report submitted by McKinsey Consulting to RBI that was included in
RBI Report on Trend and Progress on Banking in India 2005-2006, RBI Publication,
June 30,2006.
RBI plans national settlement system, BS Banking Bureau in Mumbai, May 04, 2005.
RBI report on “Trend and Progress of Banking in India 05-06” June 30, 2006.
RBI Report on trend and progress of banking in India 2005-06 , Page 189, June 30, 2006,
RBI Report on trend and progress of banking in India 2005-06 , Page 98, June 30, 2006
RBI Report on trend and progress of banking in India 2005-06 ,Page 97, June 30, 2006
RBI Report on trend and progress of banking in India 2005-06 Page 67, June 30, 2006
RBI Report on trend and progress of banking in India 2005-06 Page 84, June 30, 2006
RBI Report on trend and progress of banking in India 2005-06, , Page 97, June 30, 2006
RBI Report on trend and progress of banking in India 2005-06, Page 189, June 30, 2006,
RBI Report on trend and progress of banking in India 2005-06, Page 98, June 30, 2006,.
RBI Report on trend and progress of banking in India 2005-06, Page 116, June 30, 2006
RBI Report on trend and progress of banking in India 2005-06, Page 70, June 30, 2006
RBI report, “The overall turnover - payment and settlement systems, ECS, MICR and Non-
MICR , June 2006.
343
Reports and Websites
American Society for Industrial Security, http://www.asisonline.org and International

Association of Emergency Managers, http://www.nccem.org May 2002.
Annual Report, Henry Bellwood Consulting, Canada, 2002
Boosting Datacenter Availability for Largest Private Bank in India with the Help of
Symantec.
Business Continuity Report , Tower Group, a Research and advisory firm, January 2002.
Deloitte & Touché LLP and CPM Global Assurance conducted a survey of 200 corporate
and IT managers from various industries, January 2005.
Disaster Recovery Information Exchange, and Survive – The Business Continuity Group,
July 2002
http://www.survive.com
Disaster Recovery Institute Canada, http://www.dri.com and http://www.incident

response.org, July 2002.
Disaster Recovery Journal (Volume 15, No.3) May 2002
Disaster Recovery Journal, http://www.drj.com, May 2003.
European banking industry attitudes towards IT continuity explored, January 18, 2006,
http://continuitycentral.com/news02296.htm
Financial Times, Business Continuity and Disaster Recovery, June 2005,
HDFC Bank, http://www.hdfcbank.com
Hidden threats to enterprise: will your business continuity go according to plan, a Report,
Financial Services Technology ,June 2003.
ICICI Bank, http://www.icicibank.com.
344
Leading Companies Revive Focus on Best Practices to Bolster Profits in Recessionary
Climate, February 26, 2002.
Modernizing Payment Systems is a Top Priority for Indian Banks, Banknet India’s
Conference on Payment Systems in Banks, Mumbai, January 17, 2006.
Oriental Bank of Commerce, http://www.orientalbank.com
SBI Bank, http://www.sbi.com
Security 2002: “Rethinking Risk”, Reports of CIOs and CTOs, A survey report , September
16, 2002.
Security 2002: Rethinking Risk, September 16, 2002,

Security magazine, New York : Rethinking Risk, September 16, 2002
TCS-FNS emerges as most widely deployed core-banking solution in the country, March 3,
2006
UTI Bank, http://www.utibank.com
345
EXCERPTS FROM INTERVIEWS
Bondaiah Adepu, Manager – IT, Global Trust Bank, February 22, 2006 and April 27, 2006.
Dinesh Pandey, AGM, SBI on April 4, 2006 and June 26, 2006.
Dr. R. B. Burman, Executive Director, RBI made to the researcher in special meeting
organized in his office on March 20, 2007
Girish V, Principal Consultant, Banking association of India and editor Banking Frontiers,
magazine, August 12, 2005 and April 4, 2007.
Narain and Girish V., Banking Consultants, Excerpts from Meeting in June 2006.
Nayana Phanse, AGM, SBI, Regional Office, BKC Mumbai , December 23, 2005 and
January 18, 2006.
S. S. Purohit, DGM, SBI Zonal Office (West), Mumbai on December 28, 2005, January 24,
2006 and March 16, 2006.
Sundaram Kalyan, General Manager (IT) Bank of Baroda, BKC, Mumbai during the
meeting on May 12, 2007.
T. Prabhakar, Dy. General Manager (IT - Technical), SBI Corporate Centre, Navi Mumbai
on January 12, 2006, March 10, 2006 and April 7, 2006.
Trivedy Ravi, Partner KPMG and Girish. V., BFSI Consultant, Excerpts from meeting held
on August 22, 2005 and September 19, 2005 respectively.
Trivedy Ravi, Partner KPMG, Banking vertical division, during meeting, May 16, 2007.
Trivedy Ravi, Partner, KPMG and Girish V., Banking, Financial Services & Insurance,
Consultant, Excerpts from interviews, April 15, 2006
Uchil V. M, Chairman, Nextstep Infotech Pvt Ltd, Interview in July 2005
346
List of Publications
Prof. Sunil Rai (2002PHXF424)
International Journals
1. Business Continuity Management in Banks – The Indian Experience
Co-authored with Dr. Lakshmi Mohan
Journal of Internet Banking and Commerce, August 2006, vol. 11, no.2
2. Business Continuity Model: A Reality Check for Banks in India

Co-authored with Dr. Lakshmi Mohan
Journal of Internet Banking and Commerce, August 2006, vol. 11, no.2
Conference Papers
1. E-Governance through Information Technology Act, 2000
February 11, 2001, Economic Development Centre, Panaji, Goa, Conference on
eGovernance – “The State of Goa in the Next Millennium” organized by the
Government of Goa.
2. Role of Higher Education in Transforming India
April 8, 2004, Hotel Renaissance, Powaii, Mumbai, Conference – Vision 2020
organized by Veer Jijamata Technological Institute, Mumbai.
3. Ensuring quantifiable returns on investments made in technology
December 13, 2004, Le Royal Meridien, Mumbai, Conference – Financial
Technology Forum organized by Marcus Evans Conferences, Malaysia
4. Identifying infrastructure requirements for IT security
February 21, 2006, Hyatt Regency, Mumbai, Conference - Corporate IT Security
organized by Marcus Evans Conferences, Malaysia
5. Development of Young Managerial Talent
October 12, 2006, Conference Hall, Kalina Campus, University of Mumbai,
Conference - SAS Forum International 2007 organized by SAS India.
A-1
Biography of Candidate
Prof. Sunil Rai
Prof. Rai is currently the Joint Director of the S.P. Jain Institute of Management & Research
(SPJIMR), Mumbai. He is also the Chairperson of the PGDM Program, Centre for
Information Technology at SPJIMR and the Bhavan’s Centre for InterDisciplinary Studies of
Bharatiya Vidya Bhavan, who have set up several institutions of higher learning including
SPJIMR.
He has fifteen years of IT experience in Design & Development of Integrated Enterprise

Solutions for Corporate Organizations, Infrastructure Management & Execution of
Information Security & Networking projects. He also has twenty-two years of experience in
managing Ships and Technical Establishments of the Indian Navy in various capacities. As
CIO of Goa Shipyard Ltd, he piloted the project in transforming UNIX based legacy systems
in Ingress to Web enabled e-business solutions. He also developed and commissioned ERP
for Navy-wide Logistics Management.
As Chairperson and Professor in the Centre for Information Management at SPJIMR, he has
designed and conducted courses in IT Infrastructure Management and IT Services
Management. He has re-designed the Systems (Information) Management Program for MBA
Specialization with a unique pedagogy that aims at Scenario-based Industry Focus Solution
Architecture, Integration and Implementation. He is currently developing a unique
interdisciplinary program, “Professional Program in Management”, for aspiring young
managers who will complete this program as part of their undergraduate education.
His academic credentials include a Masters in Business Administration with HR

Specialization, an M. Tech. in Computer Science & Engineering from IIT, Mumbai, and a
degree in Marine Engineering from INS Shivaji at Lonavla. His doctoral research is focused
on Business Continuity Management.
A-2
Biography of Guide – Dr. Lakshmi Mohan
School of Business Lakshmi Mohan

Department of Management BA 361C
Science and Information 518-442-4927 (Office)
Systems 518-442-2568 (Fax)
Albany, NY 12222 l.mohan@albany.edu
Lakshmi Mohan is a member of the Management Science and Information Systems faculty of
the School of Business. She began her doctoral studies at the University of California,
Berkeley, and received her Ph.D. degree from Columbia University. Before joining SUNY,
she taught at the Sloan School of Management, M.I.T. and the Indian Institute of
Management, Calcutta. She has also been teaching the required course on Managing
Information Technology at the Duxx Graduate School of Business Leadership in Monterrey,
Mexico, since the inception of the school in 1996. She has been invited by the Nanyang
Business School, Nanyang Technological University, Singapore, to teach a course on
Customer Relationship Management in their MBA Program in July 2002.
Dr. Mohan brings to her teaching and research an analytical approach fostered by her
mathematical education, combined with pragmatism in putting theory into practice, which
she gained from her business experience. At SUNY, her empirical research on decision
support systems, executive information systems and management of information technology
has been supported by over US $2 million in grants from Fortune 100 firms and government
agencies. Her current research interests are in Enterprise Resource Planning (ERP), Customer
Relationship Management (CRM) and Supply Chain Management (SCM) systems, and use of
the Net in business. She is a member of the Senior Program Faculty of the University’s
interdisciplinary Doctoral Program in Information Science and has chaired several
dissertations. She has also lectured and consulted worldwide including Argentina, China,
India, Indonesia, Malaysia, Mexico, Singapore and South Africa. She has been appointed to
serve on the Advisory Board of The Bombay School of Business to guide curriculum
development for the Post-Graduate Program in E-Business, which was launched in July 2001.
Dr. Mohan has been active in conducting executive development programs in several
countries of the world, including some that were sponsored by the United Nations in
Bangkok, Taipei, Seoul, Singapore, Hong Kong and Kuala Lumpur, and by Unilever in
London and Bombay. At the invitation of the World Bank, she conducted a four-week
A-3
program on Decision Support Systems in Shanghai for a group of fifty faculty members
selected from various Chinese universities. She has also conducted a number of programs in
Singapore in Executive Information Systems for the Institute of Systems Science of the
National University of Singapore. She conducted several two-day Workshops on CRM in
Bombay and Singapore (Jan 2002), in Bombay, Hong Kong, Kuala Lumpur and Singapore
(July 2002) and is scheduled to do another series of these Workshops in Shanghai, Dubai and
Bombay (Feb 2003).
Dr. Mohan received the Dean Warren Hayes Outstanding Graduate Teaching Award of the
School of Business in 1986, and the Outstanding Faculty Service Award in 1999.
A-4

Prof. Sunil Rai PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Prof. Sunil Rai PDF

Uploaded by

Copyright:

Available Formats

Business Continuity Management Model for Indian Banks:

An Empirical Study of Selected Banks in Mumbai

Submitted in partial fulfillment

Sunil Kumar Rai

Under the supervision of

BIRLA INSTITUTE OF TECHNOLOGY AND SCIENCE

This is to certify that the Thesis entitled “Business Continuity Management

Model for Indian Banks: An Empirical Study of Selected Banks in Mumbai”

Degree of the Institute, embodies original work done by him under my

FACULTY - SCHOOL OF BUSINESS

CHAPTER TITLE PAGE

Chapter 2 Review of Literature

Chapter 3 Research Methodology

Chapter 5 BCM Model for Banks in India

Chapter 6 Application of BCM Model and Metrics

Chapter 7 Research Findings and Future Scope of Work

Annexure 1 BCM Implementation Framework 216

Annexure 2 Survey Methodology - BCM Survey in Indian Banks 257

Annexure 3 Development of Metrics for conducting “Reality Check” 270

Annexure 4 Bank wise Summary of Study 278

Annexure 6 Test of Confidence Level 332

I am indebted to my Faculty Colleagues at SPJIMR – Dr. Suranjan Das, Prof. Suresh

On the domestic front, a very special expression of appreciation is extended to my mother

Prof. Sunil Rai

1.2 BCM Implementation Framework 15

1.3 Level of Continuity 19

2.1 BCM Planning Framework 51

2.2 BCM Implementation Framework 63

2.3 Crises Management 66

3.1 Steps in development of BCM Model 76

3.2 Research Methodology Framework 78

A1.1 Risk Management Model 238

A4.1 The IT Architecture at OBC 281

A4.2 Business Intelligence Architecture 284

A4.3 ICICI Bank Network 285

A4.4 ICICI - Branch Network 286

A4.5 Process Organization 290

A4.6 HDFC Bank Network – India 294

A4.7 DPC, Central Branch at Mumbai 295

A4.8 ENet Implementation Architecture of HDFC Bank 296

A4.9 Network Security 302

A4.10 Access Control 303

A4.11 Delivery Channels & Mobile Banking 307

A4.12 CBS Architecture 309

A4.13 Network Infrastructure 310

A4.14 INFINET Supports SBI Network 312

A5.2 Development Organization 328

A5.3 IT Organization 328

A5.4 HR & Administration 329

A5.5 Corporate Banking Group 329

A5.6 International Banking Group 330

2.1 Number of Branches of Scheduled Commercial Banks 26

2.2 Percentage of Retail Loans to Total Loans 27

2.3 Retail Portfolio of Banks 27

2.4 Computerization in Public Sector Banks 30

2.5 Extent of Computerization of Branches PSBs 31

2.6 Paper Based v/s Electronic Transactions 33

3.1 Respondents for BCM Metrics Model Development 83

3.2 Respondents for BCM Metrics Model Validation 86

4.1 Importance / Criticality Status – Strategic Ingredients 108

4.2 Importance / Criticality Status – Operational Ingredients 109

4.3 Importance / Criticality Status – Technological Ingredients 110

5.1 The BCM Reality Check Metrics – Clusters 125