Firms add business to continuity plans

Growing reliance on interconnected applications such as CRM and ERP systems is driving companies to give business continuity the attention that it deserves, claims Eileen Ott, director of Global Business Continuity Practice at EMC Corp. “Applications and business processes no longer stand alone. Predictive software needs information that is accurate and available.”

When the disaster recovery industry started, data was after the fact – a historical reporting mechanism, she explains. “The industry didn’t move beyond that for years and years. Most of those plans were developed for the sake of audit compliance, not because companies recognized the importance of information within their organization.

“About five years ago, companies started to really waken up to the fact that data had come out of the data processing centre and had morphed into information. It is what we all do today. If we don’t have information available, we’re impacted and because we are this integrated world, everyone else is impacted to some extent as well.”

Ott argues that the disaster recovery industry has focused for years on the cause of less than one per cent of business interruption – natural or man-made disasters – when it is really the whole scope of business that needs to be addressed: planned outages, which comprise 87 per cent of loss of access to data. Further, the industry tends to look only at “the big piece of data” and not at the integration flow within the business, beyond the IT department, she stresses.

She views disaster recovery as tactical and business continuity as strategic. “A lot of the financial services companies have implemented great technology solutions: remote mirroring, failover from one site to another, but many times an organization stops with a tactical solution and doesn’t go back and marry the people and process around it.”

Ott cites as an example a financial services firm in New York that, after Sept. 11, was able to get its production systems’ data up and running but, in May of this year, finally gave up on trying to recreate the remaining 65 per cent or so of its desktop environment.

“If you think about a financial services organization or traders, there’s a heck of a lot of information on desktops and laptops,” she continues. “Business continuity is all about the business. It’s not about technology. It’s understanding what is important to the business and what the interdependencies are between those business properties.

“Many times I see within the IT department a person has been designated as the person responsible for the disaster recovery plan and maybe some companies will have someone on the business side – typically it’s a facilities manager who focuses on facilities restoration or it might be somebody in the risk management department who is advising business units that they need to have some type of a plan in place until information is available.

“Quite frankly, up until Sept. 11, many times those two groups didn’t even know they existed and didn’t even talk to each other. They did not have an integrated plan which you really have to do.”

Ott says she still comes across companies with “false assumptions that this IT department is doing this miraculous thing that’s going to restore the whole business without any input from the business people. So there’s still a big gap between what the IT people are doing and what the business people are doing – if anything.”

Ott illustrates by recalling a bank with no single point of data between its chequing, lending and e-banking businesses. With no links between business and IT, there were nine ways of doing back-up from systems that included IBM mainframe and servers for chequing, Sun Microsystems products for lending and Compaq servers for e-banking. She says a senior vice-president of the bank complained that every day, opportunities to grow were being hampered by IT. The bank being an EMC customer, networked storage now links all three business units so information can be protected, shared and managed as an asset.

The focus in the financial services community has been increasingly on business continuity since last year’s release of the Interagency White Paper Sound Practices to Strengthen the Resilience of the U.S. Financial System, created by the Federal Reserve, Securities & Exchange Commission (SEC), and the Office of the Comptroller of the Currency (OCC). (See related article Interview.)

Ott reports that EMC was one of the advisors for the white paper, which was issued as a discussion paper for ensuring the reliability of core clearing and settlement organizations, firms that play significant roles in critical financial markets (top 15 – 20 banks and top 5 – 10 securities firms), and others with a significant role in one or more critical markets.

Many see the impact of the discussion around these proposed guidelines for upcoming regulations as shifting companies to become unbreakable organizations. Certainly the recommendation for considerable distance between primary and back-up sites would protect against the experience Ott cites of a company in the first World Trade Centre tower to be hit: its back-up was in the second tower.

Ott describes a continuum toward full business continuity. At one end is the typical corporate status of a back-up/recovery focus with offsite tape backup and basic server failover. At the other end is what EMC sees as ideal: multiple peer-to-peer data centres, full data replication of all applications, an alternate workplace and elimination of a weakest link. She ranks financial services as falling between those two extremes, with selective data replication of selective applications.

“In today’s environment of cost reductions, improving productivity, reducing loss, being more efficient and leveraging what we have, the biggest challenge to organizations is the ability to articulate what the business requirements are and to build realistic business cases for justifying solutions. The first thing the CFO, CEO or board of directors want to know is: why, not how. IT people traditionally, and I was one, jump into the how and the why is so important today. The why is the path to the how.

“It is time for the IT people to come out of the data centre and into the business,” she concludes.

Omgeo makes continuity planning mainstream

When everything you do is electronic, it pays to make business continuity a priority. For that reason, continuity planning has become a mainstream business issue at Boston-based Omgeo, a virtual trade-matching joint venture of the Depository Trust & Clearing Corp. (DTCC) and Thomson Financial. DTCC is said to be the largest financial services post-trade infrastructure organization in the world. Thomson Financial is a US$1.6 billion provider of information and technology solutions to the worldwide financial community.

Having two parent companies provides Omgeo with a number of services, many of which are related to business continuity, reports Gary Foster, Omgeo’s CTO. “Being a joint venture puts us in a very unique place to leverage a lot of the capabilities that they offer to much larger companies.

“We are what I’d call business critical in the securities industry in the United States as well as in 40 other countries. We have a number of offices around the world with their own specific business continuity plans but here in the United States it has much greater scale to it. Everything we do is electronic, the main business being electronic trade and confirmation, mostly institutional trades. Of the million or so confirmations we do every day, the hundreds of clients we do those for rely on those in a great way.”

Prior to 9/11, business continuity efforts already included specific schedules for testing switchovers between primary and alternate sites. Omgeo’s Manhattan data centre did not experience interruption on Sept. 11 although communications and logistics were affected. Foster reports that post 9/11, those efforts have become an increased focus to the extent that the company is “building a focus to make it part of our core business.

“If you ask our clients ‘what do you expect from Omgeo?’ they’re going to say safety and soundness, reliability, responsiveness. The things clients value most from us are things like reliability and availability of service. Not only does being in the financial services industry put you at risk in this day and age of business continuity; the business value is very high.”

Omgeo’s system architecture is distributed over four physical locations and at press time, a fifth site was being considered. With primary offices in Boston, New York and London, Omgeo uses EMC’s Advanced Solutions Group application management and hosting services for disaster recovery. Using EMC Symmetrix Remote Data Facility (SRDF) software, EMC maintains mirrored copies of Omgeo’s production data at EMC’s remote facilities, in addition to Omgeo’s own remote facilities. This provides back-up in near real-time.

Foster admits that business continuity efforts “raise the cost of doing business but the ROI is that clients will stay with us because they can depend on us. It is a cost of being in the mission-critical securities business,” he concludes.