IDBI’s unique BS 25999 certified BCM model a first among PSU banks

Indian BFSI player IDBI became the first PSU bank to get BS 25999 certified for all branches and processes. We take a look at the BFSI player’s BCP strategy.

A relatively new banking player, Industrial Development Bank of India (IDBI) strives to differentiate itself from other domestic players. IDBI’s BS 25999 certified BCM initiative, which encompasses key products and services, is the latest on that front. According to IDBI, this effort makes it the first Indian public sector bank to get BS 25999 certification.

Initiated in 2007, IDBI’s branch-level BCM project was seen as a strategy for differentiation from competitors, says Anirudh Behera, IDBI Bank’s general manager for operational risk. With over 1000 branches, IDBI’s enterprise-wide BCM program faced many challenges. On September 6, 2012, the bank achieved BS 25999 certification for all Indian branches, as well as a majority of its critical business and support functions.

Long road to certification

According to Behera, IDBI’s initial objective was uninterrupted customer service, since branches regularly faced downtime. Apart from branches, external interfaces like IDBI’s trade-finance and credit departments witnessed business disruption.

IDBI’s first BCM policy was drafted in July 2007. A BCP steering committee comprising the top management, with members from all operational areas, was formed in September 2007. The team determined IDBI’s BCP requirements and benchmarked those against BS 25999. The BCM model is unique to IDBI, asserts Kuntal Biswas, the deputy general manager for IDBI’s operational risk and BCP cell.

IDBI’s BCP plans were approved in March 2010, following which a full-fledged BCM team was formed within the risk department. The core three-member BCM team operates under IDBI’s risk function. The central BCM team drawn from various business functions conceptualized and completed the BCM process. Biswas explains that engaging a consultant would have proved expensive due to the comprehensive scope.

Roll out time

Evaluation of asset/function criticality, business impact analysis (BIA), risk assessment (RA), implementation and testing were performed by the respective business units under the BCP cell’s guidance, says Ritesh Kumar, the assistant general manager for IDBI’s operational risk and BCP cell.

BS 25999’s multiple documentation requirements became the BCM team’s focus. The team comprehensively documented BCM plan requirements, starting with separation of IDBI’s various business lines. BCP requirements for each function were extensively documented in consultation with the function. This enabled prioritized grading of plans and processes for function-wise BCP, as well as subsequent BS 25999 certification.

Post documentation, implementation was a straightforward task of defining timelines, personnel, responsibilities, owners and priorities. Recovery time objective (RTO) and recovery point objective (RPO) for critical business applications have been based on BS 25999 standard guidelines. Kumar informs that state-of-the-art DR is in place for data centers. Quarterly DR drills ensure that every critical application (numbering over 100) is covered at least once a year.

The implementation process relied on phase-wise testing. IDBI’s over 1000 branches made this technically impossible to do in one shot, says Biswas. At the time of writing, 200 branches have undergone final BCP testing. Given the unique way in which IDBI’s BCP plan involves branches, each location is tested from another branch. 400 branches have been covered so far, says Kumar.

How it works

Monthly top management meetings discuss and review BCP-related issues to evolve BCM in sync with the bank’s needs. Each branch has a well-defined BCP hierarchy with a designated BCP invocation authority.

Invoking the BCP involves bringing the business unit’s ‘call tree’ into play. A ‘call tree’ is a layered hierarchical communication model used during a disaster to communicate, coordinate BCP and percolate messages down to all unit layers (See Figure 1). Personnel fall back on prearranged and rehearsed roles as per the unit’s BCP documentation.

Figure 1- Sample call sheet for IDBI's central credit unit

Going the extra mile

According to IDBI, it was the first public sector bank to have its own DR setup (implemented by IBM) in 1991. In its current avatar, IDBI wanted BCM to go beyond IT. Biswas says that innovation was essential to break away from industry standard procedures. In cases where the branch cannot connect to IDBI’s core banking system due to network failure, deviations from existing systems and procedures (approved by the top management) ensure uninterrupted services.

Biswas asserts that this provision is procedural and not IT related. BCM invokes an alternate location/branch’s services to provide operations. Only critical processes/transactions are expected to run at such times. Each bank has two BCP terminals used by other branches for BCP. The level of additional IT/resource augmentation depends on function and BCP role, says Kumar. For instance, DR for treasury requires subscriptions to wire services and terminals at its designated BCP site.

In addition, certain provisions allow branch staff to work from alternate locations/branches, or workload can be taken up by the alternate branch. Each IDBI branch/function has a ‘hot standby’ or ‘DR’ at alternate bank locations/branches. IDBI’s treasury has two DR sites equipped with necessary infrastructure in different areas of Mumbai. These sites are located near IDBI’s housing colonies to compensate for transport unavailability during disasters.

Implementation challenges

According to Behera, employee sensitization was the major challenge. The BCP plan’s nitty-gritty had to percolate down to all 16,000 employees. Considerable hand-holding brought branch managers up to par with BCP. “As the first point of interface with customers, branches stood to gain the most. Enthusiastic support followed awareness,” says Behera.

Determining redundancy was a challenge. DR redundancy requirements for functions like treasury and data centers were based on a cost versus criticality valuation, as well as acceptability to the business. A recent power grid failure in north-east India demonstrated the effectiveness of IDBI’s BCP plan – 99% of affected branches continued operations.

Getting BCM certified has brought a great deal of assurance followed by process maturity, says Biswas. He also adds that migration to ISO 22301 may be a future option.
