An early adopter of disaster recovery (DR) management planning in India, HDFC Bank's DR efforts have been the result...
of quite a challenging journey. HDFC Bank is among the country's largest financial institutions, with a network of 1412 branches and 2890 automated teller machines (ATMs) in 528 Indian cities.
Such a focused DR management approach has resulted from the fact that HDFC Bank faces a significant amount of responsibility as a new generation private sector bank. "Even if an ATM is down for two hours, it becomes a huge issue and customer complaints start to pour in. So continuity becomes very crucial in the financial services industry. So continuity of service is the only objective for our organization, which is HDFC Bank's survival mantra," says Munish Mittal, HDFC Bank's executive vice president and head of technology solutions group.
Mittal points out that from an Indian banking context, a bank like HDFC Bank may cause systemic risks in the Reserve Bank of India's (RBI) Real Time Gross Settlement (RTGS) system if there is a business continuity failure. If HDFC Bank's core banking system malfunctions for even half a day, its customers (as well as those from other banks) cannot access or route their funds. This is because almost 40 percent of RTGS transactions are routed through HDFC Bank. Hence DR management is of extreme importance for HDFC Bank.
DR management challenges
HDFC Bank's disaster recovery management saga began in year 2000. 'Disaster Recovery' was largely unheard of at that time, so questions were raised about the project's need and determination of stakeholders. There was no real knowledge about the advantages of disaster recovery investments. This brought about financial challenges, as there were apprehensions about DR spends.
The turning point for HDFC Bank's DR project was an RBI directive which recommended that Indian banks put in place a disaster recovery plan. Apart from this, challenges were faced during the disaster recovery implementation process. HDFC Bank has 350 large and medium sized applications. There was significant confusion about which applications should be covered under the DR plan.
Above all these, HDFC Bank's biggest challenge was to determine the DR deployment's effects post the implementation. Some of the DR management queries raised on this front were:
- Is the application running perfectly?
- What is our recovery point objective (RPO) and recovery time objective (RTO) right now?
- Who will we turn to, in case of any problems?
- How do we switchover to a DR site? If we have to switchover, what kind of disaster will necessitate the move?
In order to implement its DR infrastructure, HDFC Bank adopted the 'IT Driven Program Management of Disaster Recovery' model recommended by Gartner in one of its papers. This management model ensured that DR is not just the IT team's responsibility. Before the DR implementation, every business unit used to depend on IT to ensure business continuity. So HDFC Bank started with this IT organization driven DR management model.
Out of its 350 applications, HDFC Bank selected eight core applications critical for the bank's customer service continuity. It also adopted the popular responsible, accountable, consulted and informed (RACI) matrix model to define the roles of various stakeholders. Despite all these efforts, the IT team still faced the same challenges as earlier on the disaster recovery management front.
The evolution stage
HDFC Bank's entire DR management process started to evolve after the project's second phase started in 2006-07. "In order to structure processes, we worked on evolving roles and responsibilities with respect to disaster recovery management. We formalized these results and ensured that our DR management team comes under the Chief Risk Officer and the information security umbrella. We also hired a business continuity manager. A crisis management team was also put in place," says Mittal.
As part of the DR management project, HDFC Bank partnered with Sanovi Technologies to implement a DR management solution which tracks and monitors RTOs as well as RPOs. Thus HDFC Bank gradually evolved to the Gartner model, which details how to organize DR management structurally in a bank (called the Chief Risk Officer model).
(This feature on disaster recovery management has been collated from Munish Mittal's presentation at a recently held IT event.)