e_Finance Trends: Implementing IT solutions to mitigate risk
What are the information technology (IT) safeguards needed to mitigate operational risks? The issue is multi-dimensional. One dimension pertains to the uninterrupted running of all business-critical systems. Another pertains to the quality of application systems. The third is the implementation of solutions which can help risk managers perform their tasks. Yet another dimension is the sound administration of IT-related functions. Let us address each issue one by one.
How do we ensure that our business-critical systems run without interruption? What if we have a disaster, be it a failure of hardware or peripheral facilities, a building collapse, or vandalism?
Have we as an organisation visualised such scenarios and devised remedial measures? Disaster recovery management is perhaps one of the most talked about subjects, yet in many organisations it does not go through its complete cycle.
Why so? It is a human tendency to assume that disaster will not happen to us. Sometimes it is the reluctance of profit managers to approve expenses for projects where the benefits are not direct.
How do we go about planning our disaster recovery posture? Where do we start? What are the issues? Have we assessed the risk associated with non-functioning of our systems?
A system failure could be due to the failure of any component in it: application software, operating or networking systems, servers, data lines and so on. We must begin our disaster recovery planning with a risk assessment exercise.
We need to list all our business processes and associated tasks, and map them to the internal and external systems they depend on. We need to assess the probability of failure of each system and its impact on those processes.
Once we have answers to various failure scenarios we will have the information to determine how critical each of our systems is, and how much lag we can have in restoring it without impacting our business. We must ensure complete coverage of all systems in our inventory.
A typical bank today will have a mixed bag of systems: the main core banking application, an ATM controlling system, card processing units, SWIFT, trade finance, and administrative systems for human resources, training, administration, archives and so on. The associated hardware and networking equipment will be spread all over the organisation.
What about infrastructure? Do we have an alternate IT processing site, reasonably far away from the main processing site? Is it ready to be used as an alternate site? How do we assess its readiness?
There are standards readily available on the necessary features of any data processing site. It must be structurally safe, and it must be at a reasonably raised level so as not to be affected by rain or waterlogging. Pipelines should not run directly through its ceiling or floor, and so on. The electrical work should conform to standards. Connectivity with telecom service providers should not be an issue. This involves co-ordination with multiple entities, and we need to make sure that we have our infrastructure in place.
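The risk assessment described above can be kept as a small, repeatable calculation. The following is an added example, not part of the original article: it maps processes to the systems they depend on, derives how quickly each system must be restored, and reports inventory systems that no process maps to. All names, probabilities, the 1 to 5 impact scale and the hour values are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class System:
    name: str
    failure_prob: float    # assumed yearly probability of failure, 0..1

@dataclass
class Process:
    name: str
    impact: int            # assumed outage impact, 1 (low) to 5 (severe)
    max_lag_hours: float   # longest restoration lag the business tolerates
    depends_on: tuple      # internal and external systems the process needs

def assess(inventory, processes):
    """Return (systems ranked by urgency, unmapped inventory, unknown dependencies)."""
    known = {s.name: s for s in inventory}
    rows, unknown = {}, set()
    for p in processes:
        for dep in p.depends_on:
            if dep not in known:           # dependency missing from the inventory
                unknown.add(dep)
                continue
            row = rows.setdefault(dep, {"system": dep, "impact": 0,
                                        "restore_within_h": float("inf")})
            # A system is as critical as its most demanding dependent process.
            row["impact"] = max(row["impact"], p.impact)
            row["restore_within_h"] = min(row["restore_within_h"], p.max_lag_hours)
    for row in rows.values():
        row["risk"] = round(known[row["system"]].failure_prob * row["impact"], 3)
    ranked = sorted(rows.values(), key=lambda r: (r["restore_within_h"], -r["risk"]))
    unmapped = sorted(set(known) - set(rows))   # coverage gap in the assessment
    return ranked, unmapped, sorted(unknown)

# Constructed sample data for illustration only.
INVENTORY = [System("core-banking", 0.05), System("atm-switch", 0.10),
             System("swift-gateway", 0.03), System("hr-system", 0.08),
             System("archive", 0.02)]
PROCESSES = [
    Process("branch transactions", 5, 2, ("core-banking",)),
    Process("ATM withdrawals", 4, 1, ("atm-switch", "core-banking")),
    Process("international payments", 5, 4,
            ("swift-gateway", "core-banking", "telecom-link")),
    Process("payroll", 2, 72, ("hr-system",)),
]

if __name__ == "__main__":
    ranked, unmapped, unknown = assess(INVENTORY, PROCESSES)
    for r in ranked:
        print(r["system"], "restore within", r["restore_within_h"], "h, risk", r["risk"])
    print("in inventory but not assessed:", unmapped)
    print("depended on but not in inventory:", unknown)
```

The two gap lists matter as much as the ranking: an unmapped system has no agreed restoration target, and an unknown dependency is a component the recovery plan does not yet cover.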
Have we already crossed the above stages as an organisation? Do we have our infrastructure and alternate processing centre ready? If so, we are well placed effort- and cost-wise.
For all new projects, we need to develop the habit of including disaster site components in the cost projection as well.
For all new upgrades and enhancements, we need to ensure that the main site and the disaster recovery site always remain compatible in terms of hardware and software. This must become routine; otherwise we will very soon be forced to start another project to make the live and disaster sites compatible.
What about late starters? The outlay of any such project is very high if we have not taken disaster processing centres seriously in the past. The task of information technology managers and risk managers there is much harder. They have to start from scratch. We need to go through the pain of building a complete infrastructure, which should be kept in a prepared state for running the data processing activities.
Another major exercise after creating the disaster recovery site is testing it for fail-over.
The cost and effort involved is wasted if the site does not come to our rescue when an actual disaster occurs. How do we test the disaster site?
There are so many disaster scenarios. There are so many systems. We need to simulate all of our disaster scenarios and test each of the systems against them. This is a major exercise and requires large-scale coordination across the organisation.
An exercise of this nature, unless supported wholeheartedly by the management team, does not get done in its entirety. Any shortcut or assumption means only one thing: wastage of the investment in the project.
The risk managers have a tough job on their hands in ensuring that the organisation goes through the complete cycle, from risk assessment, to budget approvals, to infrastructure creation, and finally to testing that it really works.
We will discuss other dimensions in coming weeks.
The writer is Assistant General Manager of Doha Bank.