Document Information
Project Name: BCP Project
Prepared By: Tomas Nilsson MBCI
Title: Senior Consultant
Document Version No: 1.0
Document Version Date: 2008-08-05
Reviewed By:
Review Date:
Distribution List
From            Date        Phone/Fax/Email
Tomas Nilsson   2008-08-05  tomas.nilsson@hp.com
* Action Types: Approve, Review, Inform, File, Action Required, Attend Meeting, Other (please specify)
Version History
Ver. No.  Ver. Date   Revised By  Description                                          Reviewer  Status
0.1       2008-07-07  RPD         First draft                                          RPD       Completed
0.2       2008-07-09  RPD         Reviewed and approved                                BC        Completed
0.3       2008-07-16  RPD         Client review and amendments applied                 SM        Completed
0.4       2008-07-23  RPD         Client final review and amendments applied           BK        Completed
1.0       2008-08-05  TN          Internal review and finalisation                     SM
Table of Contents
Proprietary Notice
1 Executive Summary
1.1 Summary of Key Findings
1.2 Summary of Main Recommendations
2 Introduction
3 Acknowledgements
4 Scope, Objectives and Approach
4.1 Scope
4.2 Objectives
4.3 Approach
5 Business Impact Analysis
5.1 Purpose
5.2 General Observations
5.3 Findings & Recommendations
5.4 Business Impacts
5.4.1 Financial Impacts
5.4.2 Qualitative Impacts
5.5 Recovery Time and Recovery Point Objectives
5.5.1 IT Systems
5.6 Priorities
5.7 Critical Staff by Department
5.8 Dependence on Key Staff
5.9 Facilities and Services
5.10 Critical Documents
5.11 Critical Suppliers
6 Recommended Action
Appendix A – Contributors
Appendix B – RTO & RPO
Proprietary Notice
No part of this document (including any designs) may be reproduced in any form, published, broadcast or
transmitted or have an adaptation made of it, except with the prior written permission of Hewlett-Packard
Company to parties outside of Burgan Bank.
Hewlett Packard makes no warranty of any kind concerning this document, including, but not limited to, the
implied warranties of merchantability and fitness for a particular purpose. Hewlett Packard shall not be liable for
errors contained herein or for direct, indirect, special, incidental or consequential damages concerning the
furnishing, performance, or use of this material.
1 Executive Summary
Burgan Bank (BB) has initiated a business continuity project, of which this Business Impact
Analysis (BIA) is the first step. The objective of this effort is to identify critical business functions
and to determine their business continuity requirements regarding people, data and underpinning IT
systems. This BIA addresses all business functions, undertaken at the Bank’s headquarters in
Kuwait City and the branch offices, using the Shuwaikh Industrial branch as a model.
1.1 Summary of Key Findings
There is a strong and growing reliance on the IT infrastructure with increasing volumes of
transactions. This is due both to organic growth and to recent acquisitions.
Some critical business functions rely heavily on departmental servers and standalone PCs,
without utilising available central backup capabilities.
There are virtually no manual fallback procedures for the functions relying on central IT.
Although there is a proven IT DR solution for the core business applications environment
(banking and teller systems: “Symbols”), and an untested recovery dealing room facility for
Investment Banking and Treasury at the Kuwait University, which is not connected to Symbols
and Kondor+ and has no telephone lines, there are currently no provisions for work space
recovery of critical business functions (requirement: approximately 100 seats within 24 hours).
The IT DR centre is only configured to recover core business systems. Other applications have
no DR capacity at present. If the DR data centre is activated, the capacity of the IT DR
configuration will result in lower levels of performance than may be required operationally.
BCP awareness is high, and all department heads and most interviewees appreciate the need for
improvement to the current situation (no current plan in place / no work area recovery). However,
BCP maturity is low; the existing Business Continuity Management Plan has not been updated to
reflect the changing business and the Bank’s growth. Although the IT DR facility already
referred to has been tested, there has been no validation of the existing continuity plan. At the
time of the review, there were no resources allocated to implement and maintain a business
continuity programme, although it was reported that a Business Continuity Planning Manager
position was being recruited in order to progress the business continuity management program.
Recovery Time Objectives (i.e. the tolerable downtime according to users - RTO) for IT systems
range from virtually zero to four weeks. Most IT managed systems have an RTO of 24 hours or
less. This is currently only achievable for the recovery of core banking and teller applications
and, as stated above, there are no provisions for work area recovery that would guarantee
availability of suitable facilities within the required timeframe for core banking processes.
Recovery Point Objectives (i.e. the tolerable level of data loss - RPO) were either zero (i.e. no
data loss) or 24 hours (i.e. to the backup point of the day before). With current data replication
processes, zero data loss is not achievable. In the event of failure of the core systems, there
would be approximately fifteen minutes’ data loss (established via testing).
The production and issue of credit cards requires special equipment and its location represents a
single point of failure.
From a total headcount of approximately 477 (at the main site) 99 are deemed to be required as
soon as possible (i.e. within 4 hours), rising up to 166 over the next few days. It is assumed that,
in the event of a branch failure (including the main branch located with the head office), the
required staff will relocate to various other branches. Currently, there is no designated office
space available for recovery and continuation of critical head office functions and processes.
There will be major delays in recovery whilst suitable and sufficient accommodation is found.
There is a high reliance upon single source suppliers (e.g. Al Mulla / Securicor for ATM
replenishment).
Although the IT back-ups of the core business systems are controlled by Veritas software, other
applications’ back-ups are managed by “scripts” developed internally. If all data back-ups are not
synchronised, there will be a significant impact upon recovery capabilities.
1.2 Summary of Main Recommendations
These recommendations are mostly high level, and many may fall outside the scope of the on-going
BCP project. More specific recommendations will be presented in the subsequent Continuity Strategy
Document, which will be based on this BIA and the Risk Assessment reports.
- Assess the availability of commercially available provisioning of workplace recovery space and
ship-to-site IT recovery services in Kuwait and make arrangements for the guaranteed
availability of work area recovery with the required links to the Bank’s IT systems and required
external networks.
- Test the recovery capabilities of the contingency dealing facilities at the Kuwait University.
- Expand the IT DR provisions and processes to include systems other than the core banking and
teller applications, and ensure that the IT DR system can be upgraded as required in the
event of it becoming the main processing system for the Bank.
- Continue with the process to appoint a business continuity planning manager to ensure that, on
completion of the initial BCP project, a program for on-going training and awareness activities
can be successfully implemented.
- Review current replication and backup processes against stated RPOs to achieve the required
targets (e.g. zero transaction loss).
- Review the IT back-up processes to ensure that there is consistency across all platforms.
- Check the level of Business Continuity capability/provision for key suppliers, especially where
they are a single-source supplier/service provider (e.g. ATM replenishment / credit card
network / K-Net / information feeds / Saxo Bank). Consider alternate supplier arrangements.
2 Introduction
Burgan Bank S.A.K (BB) is one of the youngest commercial banks in the State of Kuwait. Originally a
government-owned Bank, privatization in 1997 reduced government ownership from 61% to a current
stake of less than 10%. The Kuwait Investment Projects Company (KIPCO), a leading investment
institution in Kuwait, now represents the largest single shareholder. This change in the ownership
structure has paved the way for further growth and expansion of product ranges and services.
A leading retail and commercial banking institution, BB offers a full range of retail, corporate and
investment banking services. Through innovative product offerings and technologically advanced
delivery channels, BB has continuously improved its performance and is considered to be a trendsetter
in the domestic market. The network of 20 branches and 100 ATMs is one of the widest ATM
networks in the GCC.
Burgan Bank is committed to developing its activities through diversification and innovation, and also to
expanding its retail network throughout Kuwait and to the wider region. BB is currently the only bank
in the GCC with ISO 9001:2000 certification in all its banking businesses.
The Bank has recognised that its current Business Continuity Management (BCM) policy needs to be
reviewed and that the current Business Continuity Plan (BCP) must be revised in order to ensure that
there are measures in place to protect its competitiveness and to meet regulatory requirements. BB
has therefore initiated a business continuity project with the objective of implementing a business
continuity programme. The CEO is actively sponsoring this project. The first and significant step of
that process is to conduct a Business Impact Analysis (BIA).
The BIA interviews were conducted by Tomas Nilsson MBCI between 15th June and 1st July, 2008, and
are part of the BB Business Continuity Management project encompassing this BIA, a risk assessment of
the security and infrastructure of BB sites, a Business Continuity plan framework, and a policy document.
Information was gathered via questionnaire and interviews with client-selected personnel. The results
were validated by the BB project lead, Mr. Satishkumar Mane.
This document summarises the findings from the BIA study of operations within the Kuwait
headquarters and the Shuwaikh Industrial branch site. It describes how the business operations
would be impacted in the event of a disaster or major incident affecting this site. The report also
considers appropriate Business Continuity Management (BCM) strategies and makes
recommendations for ensuring the strategy and recovery solutions meet the requirements of the
business.
It should be read in conjunction with the Risk Assessment conducted by Bob Draper FBCI between
15th and 17th July, 2008.
3 Acknowledgements
The author would like to take this opportunity to thank all BB participants and contributors to the
study (a list can be found in Appendix A) who gave their time and responded positively to requests
for information, and in particular Mr Satishkumar Mane and Mr Binoy Koonammavu for coordinating
this effort and for their hospitality.
4 Scope, Objectives and Approach
4.1 Scope
4.2 Objectives
- Identify critical business functions and supporting systems
- Identify Recovery Time and Recovery Point Objectives (RTO and RPO)
- Summarise recovery requirements over time (people, facilities, IT)
- Identify vital records required for recovery
- Produce BIA report
4.3 Approach
Information was gathered from key personnel from each business area via interviews and associated
questionnaire. A list of interviewees can be found in Appendix A.
The results were consolidated by the author and validated by Mr. Satishkumar Mane. It is this
validated impact analysis and IT systems information that is contained in this report.
The questionnaire forms used have been typed up and will be made available to BB. They must
however not be regarded as a formal part of, or appendices to, this report.
5 Business Impact Analysis
5.1 Purpose
The Business Impact Analysis (BIA) identifies those parts of a business whose loss has the potential
for significant impact, threat to the company’s reputation or cause of internal disruption. It also
identifies the various resources needed to recover essential business functions. This information is
used as the basis for identifying an appropriate Business Continuity Management Strategy.
Although there is an IT disaster recovery centre, with capacity to recover core business systems in
the event of a main data centre failure, current disaster readiness within the Bank’s departments is
very limited. There is no corporate BCP programme. Overall, BCP awareness is high, and all
department heads and most interviewees are aware of, and appreciate, the need for improvement.
The most time critical functions identified are the ones directly related to daily transaction
management and are client facing. A failure of those functions will cause damage within a
single day and is very visible. Less time critical functions, such as reconciliation and risk
management, become critical after a few days, but are probably more critical to the Bank’s
survival over time.
The Operations Group (OPSG) is most probably the single most critical business function.
Although the direct impact of a disaster will first affect the business functions, nothing can be
resumed without the support functions provided by elements of this department. These include
IT, Facilities Maintenance and Security.
Most departments are inter-dependent and the inability of one to produce its output has a serious
knock-on effect to the others. There is a significant reliance on the IT infrastructure and the bank
could not survive without IT support. As the bank continues to grow, there will be an increased
reliance and dependency upon the availability and integrity of IT services supporting business
operations.
Only three areas reviewed showed that they have adequate documented manual fallback
procedures that could be implemented in an incident / emergency that might result in IT services
being unavailable. These are CCD, RBG (HQ) and HRD. However, even these are highly
dependent upon the availability of data and information generated by the core banking system or
held on hard copy.
Manual fallback procedures are generally not in place for fundamental banking functions, so
there is no question that the bank would not survive without access to its IT infrastructure.
Therefore, it is imperative that the IT systems are recovered within a very short time following an
incident.
The Bank should initiate a program to develop and maintain documented fallback procedures for
critical processes across all departments.
All areas indicated an increasing reliance upon PC-based processes, using PC applications (e.g.
Office) and email. During the review, it was noted that information stored on some departmental
servers (e.g. Legal Division) or individual PCs may not be subject to the same back-up
processes as the data residing on central IT systems. In the event of loss, or failure, of these
systems, this data may not be recoverable.
Recovery Time Objectives (i.e. the tolerable downtime according to users - RTO) for IT systems
range from virtually zero to four weeks. Most IT-managed systems have an RTO of 24 hours or
less. This is currently only achievable for the recovery of core banking and teller applications, as
these are the only applications for which the IT DR systems are configured.
Although the core banking and teller business systems are recoverable via the DR data centre,
this is not an identical IT configuration to the main data centre at the Burgan Tower location.
The performance of recovery processing centred on the DR system would be lower than normal
operations. There are no arrangements in place to guarantee the availability of hardware /
capacity upgrades in the event of an incident causing the IT DR centre to become the main
processing hub of the Bank.
The Bank should assess the availability of commercially available provisioning of workplace
recovery space and ship-to-site IT recovery services in Kuwait and make arrangements for the
guaranteed availability of work area recovery with the required links to the Bank’s IT systems
and required external networks.
Although the core banking and teller business systems are recoverable via the DR data centre,
other systems outside the Symbols environment would need to be recovered manually to
hardware and equipment that would need to be obtained at the time of the incident and its
aftermath. There are no arrangements in place to guarantee availability of required hardware at
short notice.
The Bank should consider expanding the IT DR provisions and processes to include other
systems than the core banking and teller applications, and to ensure that the IT DR system can
be upgraded as required in the event of it becoming the main processing system for the Bank.
There is an arrangement to use the dealing room facility at the Kuwait University for Investment
Banking and Treasury purposes in the event of an incident affecting the dealing facilities at the
Burgan Tower site. However, this is, as yet, untested.
Recovery Point Objectives (i.e. the tolerable level of data loss - RPO) were either zero (i.e. no
data loss) or 24 hours (i.e. to the backup point of the day before). With current data replication
processes, zero data loss is not achievable. In the event of failure of the core systems, there
would be approximately fifteen minutes’ data loss (established via testing).
The Bank should review current replication and backup processes against stated RPOs to
achieve the required targets (e.g. zero transaction loss).
The core systems are backed up using a process controlled by Veritas software. Other systems
are backed up using processes controlled by internally developed scripts. Any inconsistency in
synchronisation between the two types of backup may impact the Bank’s ability to fully recover
effectively.
In the event of a full recovery being required, due to a major incident at the Burgan Tower site,
there is no guarantee that, following acquisition of required hardware, the back-ups of systems
outside the core banking and teller applications will be synchronised with the core systems’ data.
This is due to the potential time difference in recovering the Symbols applications and those
running on other platforms.
The Bank should review the IT back-up processes to ensure that there is consistency of back-up
across all platforms and also that time gaps between recovery of systems will not affect data
integrity.
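The two findings above (measured data loss versus the stated RPO, and backups of the non-core platforms drifting out of step with the core systems' data) can be checked mechanically from backup records. The following Python script is an added illustration, not part of this report or of the Bank's tooling; the systems, timestamps and RPO values in it are constructed sample data, not figures from the review. It computes the data loss each system would suffer for an incident at a given time, lists the systems whose loss exceeds their RPO, and reports how far each non-core recovery point lags behind the core systems' recovery point.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class BackupRecord:
    """One restorable copy of a system's data (constructed sample, not report data)."""
    system: str
    control: str               # "veritas" (core) or "script" (other platforms)
    recovery_point: datetime   # time of the newest consistent, restorable copy
    rpo: timedelta             # tolerable data loss stated for the system


# Hypothetical incident time and records; the 15-minute core lag mirrors the
# report's tested figure, the other values are invented for the example.
INCIDENT = datetime(2008, 8, 5, 9, 0)
RECORDS = [
    BackupRecord("core-banking", "veritas", INCIDENT - timedelta(minutes=15), timedelta(0)),
    BackupRecord("teller", "veritas", INCIDENT - timedelta(minutes=15), timedelta(0)),
    BackupRecord("treasury", "script", INCIDENT - timedelta(hours=9), timedelta(hours=24)),
    BackupRecord("legal-fileserver", "script", INCIDENT - timedelta(days=3), timedelta(hours=24)),
]


def data_loss(record, incident_time):
    """Data that cannot be restored: everything written after the recovery point."""
    return incident_time - record.recovery_point


def rpo_violations(records, incident_time):
    """Systems whose achievable recovery point is older than their stated RPO allows."""
    return [
        (r.system, data_loss(r, incident_time))
        for r in records
        if data_loss(r, incident_time) > r.rpo
    ]


def core_recovery_point(records):
    """The core platform restores as one unit, so its oldest copy is the usable point."""
    return min(r.recovery_point for r in records if r.control == "veritas")


def out_of_sync(records, tolerance):
    """Non-core systems whose recovery point differs from the core's by more than tolerance.

    A restore from these copies would leave cross-platform data (e.g. a deal booked
    in treasury but not yet reflected in core ledgers) inconsistent after recovery.
    """
    core_point = core_recovery_point(records)
    gaps = []
    for r in records:
        if r.control == "veritas":
            continue
        skew = abs(r.recovery_point - core_point)
        if skew > tolerance:
            gaps.append((r.system, skew))
    return gaps


def consistency_report(records, incident_time, tolerance=timedelta(hours=1)):
    """Combine both checks into one structure suitable for a recovery review."""
    return {
        "rpo_violations": rpo_violations(records, incident_time),
        "out_of_sync": out_of_sync(records, tolerance),
    }


if __name__ == "__main__":
    report = consistency_report(RECORDS, INCIDENT)
    for system, loss in report["rpo_violations"]:
        print(f"RPO breached: {system} would lose {loss} of data")
    for system, skew in report["out_of_sync"]:
        print(f"Out of sync with core: {system} lags by {skew}")
```

With the sample data the zero-RPO core systems are reported as breached even by the fifteen-minute lag, which is the gap the report describes between stated RPO and achievable replication, and the file server is flagged both for exceeding its 24-hour RPO and for lagging the core recovery point by nearly three days. The tolerance value is the maximum cross-platform skew the Bank would accept; the report gives no figure, so the one-hour default here is an assumption.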
Currently, there are no provisions for work area recovery that would guarantee availability of
suitable facilities within the required timeframe for core banking processes. Responses during
the review showed that, from a total headcount of approximately 477 (at the main site), 99 are
deemed to be required as soon as possible (i.e. within four hours), increasing up to 166 over the
next few days. It is assumed that, in the event of a branch failure (including the main branch
located with the head office), the required staff will relocate to various other branches. There is
no designated office space available for recovery and continuation of critical head office
functions and processes. There will be major delays in recovery whilst suitable and sufficient
accommodation is found.
It was noted that there is a plan to relocate some functions to a new site in the Free Trade Zone,
with a reported capacity of 200 seats. The availability of this facility should be considered in the
future business continuity strategy.
The production and issue of credit cards requires special equipment which is currently only
available at the Salmiya Branch. This is a single point of failure.
The single PABX at the Burgan Tower location presents a single point of failure for voice
communications.
The Bank should take action to ensure there is a contingency solution for credit card production
and PABX functions.
In the event of an incident, several departments (e.g. Corporate Communications / HR) will have
a reliance on hardcopy information. This may not be available, as the only versions are held in
the main office and may be inaccessible. A need to re-create the required information may
severely impact these departments’ ability to recover business operations.
Although the review has not highlighted any specific areas where there are specific
dependencies upon the availability of individual staff members, all departments should review
“single points of failure” to ensure that all critical work functions are adequately covered should
one or more of the key persons be absent.
There are a few critical suppliers whose failure to deliver could cause significant damage to BB.
Examples include K-Net, Gulf Security, G4S and market data feeds. If possible, alternatives to these
suppliers should be identified.
BCP awareness is high, and all department heads and most interviewees appreciate the need for
improvement to the current situation (no current plan in place / no work area recovery). However,
BCP maturity is low; the existing Business Continuity Management Plan has not been updated to
reflect the changing business and the Bank’s growth. Although the IT DR facility already
referred to has been tested, there has been no validation of the existing continuity plan. At the
time of the review, there were no resources allocated to implement and maintain a business
continuity programme, although it was reported that a Business Continuity Planning Manager
position was being recruited in order to progress the business continuity management program.
The Bank should continue with the process to appoint a business continuity planning manager to
ensure that, on completion of the initial BCP project, a program for on-going training and
awareness activities can be successfully implemented.
5.4 Business Impacts
Impact to the business was assessed in qualitative (reputation, internal disruption, non-compliance
etc.) and financial terms. Any of these indicators, if assessed as serious, can provide the justification
for expenditure on Business Continuity Planning.
When assessing impacts the interviewees were asked to assume the worst possible scenario striking
at the worst possible time (month-end, year-end, payroll etc.).
5.4.1 Financial Impacts
An accurate assessment of financial impacts proved difficult for the majority of interviewees. All
numbers related to the financial impact of a disaster in the following paragraphs are based on
interviewee responses.
The financial impact would be dependent upon its nature. An incident affecting the Bank only would
not have a major impact upon its assets or liabilities, and if effective continuity procedures are in
place, processes could be resumed (see the Qualitative Impacts and Recovery Time Objectives,
below). If, however, there were to be an incident / situation affecting the country or region, there
would be more substantial impacts upon the Bank’s ability to continue business activities, with
subsequent financial losses to stakeholders.
The following table shows the indicated estimated cumulative losses (KWD ‘000) or comments on the
potential losses for each department that provided financial information to the review.
The numbers shown in the table above are not scientifically derived. They are based on interviewees’
educated estimates, e.g. BG estimates a loss of 100,000 KD per 3 hours of downtime.
Another aspect is the exposure to direct financial impact in terms of penalties and fines. Penalties
resulting from non-performance regarding client obligations are quite difficult to gauge. It was stated
in the review that “this will probably happen, but it has never been put to the test and there are no
clear rules”. (Operations Group)
It was noted during the review that the Central Bank of Kuwait (CBK) will halt stock trading within 45
days if position reports are not submitted by BB.
The main financial concern was raised by the Investment Banking and Treasury Department. The
number of transactions per month is relatively few (average 1,500), but they are for large sums:
If the Bank’s processes should fail, this could lead to a client defaulting on their obligation, leading to
liability on the Bank. The resultant compensation could be significant, coupled with significant
reputational damage in the market.
The average volume of branch transactions is reported as 600 per working day. The impact of an
incident at a branch is not considered financially critical, as, with an effective response to inform
customers of alternative arrangements, banking activities can be continued from another branch.
In 2007 the bank processed 1.3 million transactions, of which only a very minor fraction can be done
without the support of IT systems.
In spite of the difficulties obtaining hard financial numbers, it is obvious that the financial losses to BB
would be crippling if operations are not resumed in a timely manner after a disaster. This is of course hardly
surprising for a bank, and a fair assumption is that BB is currently putting its survival at stake by not
having an up-to-date and tested BCP in place. The Bank is aware of this issue and this project shows
that the intent to reduce the potential impact of a failure is being taken seriously.
5.4.2 Qualitative Impacts
Respondents were asked to identify the non-financial impacts if their business unit were unable to
operate. These impacts were assessed by considering the effect on customers, company image,
regulators, employees, suppliers and management information. The next table shows the overall
impacts.
Department                        Impact by outage duration (seven columns, shortest to longest; column headings not recovered)
Banking Operations (BO)           Critical    Disastrous  Disastrous  Disastrous  Disastrous  Disastrous  Disastrous
Operations Group (OPSG)           Critical    Critical    Disastrous  Disastrous  Disastrous  Disastrous  Disastrous
Retail Banking Branch (RBG)       Disruptive  Critical    Disastrous  Disastrous  Disastrous  Disastrous  Disastrous
Retail Banking HQ (RBG)           Disruptive  Critical    Disastrous  Disastrous  Disastrous  Disastrous  Disastrous
Alt. Delivery Channels (ADC)      Disruptive  Critical    Disastrous  Disastrous  Disastrous  Disastrous  Disastrous
Banking Group (BG)                Disruptive  Critical    Disastrous  Disastrous  Disastrous  Disastrous  Disastrous
Risk Management (RMG)             Disruptive  Critical    Critical    Disastrous  Disastrous  Disastrous  Disastrous
Human Resources (HRD)             Disruptive  Critical    Critical    Critical    Disastrous  Disastrous  Disastrous
Legal Division (LD)               Manageable  Manageable  Manageable  Disruptive  Critical    Critical    Disastrous
Strat. Financial Planning (SFP)   Manageable  Manageable  Manageable  Disruptive  Disruptive  Critical    Disastrous
Corp. Communications (CCD)        Manageable  Manageable  Manageable  Manageable  Disruptive  Disruptive  Critical
Internal Audit (IA)               Manageable  Manageable  Manageable  Manageable  Manageable  Disruptive  Disruptive
The review has concluded that significant disruption would occur within relatively short timescales, as
shown in the above table.
The findings support the view that key functions need to be up and running quickly following a
disruption, and that a standby work area recovery facility is required to enable critical functions to
relocate and be operable within 24 hours. Relocation of critical staff to other Bank locations would
provide an acceptable short-term recovery solution, as long as sufficient office space, critical
documents and critical IT systems were available and prepared beforehand (i.e. ready to be used at
extremely short notice).
The recovery of PABX facilities currently at the Burgan Tower site and the credit card production
process at Salmiya branch are identified as key requirements.
Provisions should be made to provide ample line capacity and PABX functionality following a
disaster. The Bank should review the most suitable means of maintaining a link by which clients’
requests can be handled and information can be given (e.g. by transferring all calls to the Call
Centre in the event of an incident at the head office).
As the Bank’s credit card business increases, the non-availability of this equipment following an
incident will delay recovery of the process and could add to the impact upon the Bank’s reputation
in the market place it serves. The Bank should identify an alternative production site for use in an
emergency (e.g. third party service).
The review also identified similar requirements for call centre equipment, such as ACD’s, for use in
the event that the call centre needs to be re-located at short notice.
Recovery Time Objective (RTO) is the elapsed time between a declared disaster and the required
resumption of services. Recovery Point Objective (RPO) is the period for which data may be lost
without causing severe problems when services resume following a disaster. In short, the RTO
states the longest acceptable resumption time and the RPO states the amount of acceptable data
loss.
5.5.1 IT Systems
Respondents were asked to identify which IT systems they use, how important these are to them and
how quickly they would need to be restored in the event of an IT disaster or major incident (e.g. loss
of hardware, physical environment, power or telecoms), as opposed to day-to-day operational
problems (which ideally should be covered by Service Level Agreements). The following table
identifies the applications that are critical to the departments over time. The information was
produced from the interviewees’ responses regarding the various systems, and must be validated by
BB before any decisions on recovery strategies are taken.
The information is a subset of the complete table, showing the most critical applications with an RTO
of 3 days or less. The complete table can be found in appendix B.
- ?? indicates that information was not made available at the time of the review, or that verification
from the appropriate department / function is required.
- n/a indicates that an RPO is not applicable. Once a service (e.g. an information feed, such as
Reuters) is available, it is useable; there will have been no requirement to restore saved data.
The above table does not take into account applications and associated data that may reside on
stand-alone PCs, and which may not be backed up properly.
In addition to these application systems, the IT infrastructure and services underpinning the
applications, such as firewalls and catalogue services, must be considered to have RTOs and RPOs
corresponding to the most critical applications.
5.6 Priorities
The qualitative table illustrated in section 5.4.2 shows the relative priorities for recovery of the key
business functions within the scope of this review, and the timescales within which each
department/function should be operational. The underpinning IT systems must be recovered in the
same priority sequence.
It is important to understand however, that the table shows the maximum time within which an
acceptable level of service must be re-established and does not suggest that business units can “do
nothing” during this time. For instance, business partners, suppliers, regulators and other external
agencies may need to be contacted on day one. This is reflected in the critical staff requirements
shown in section 5.7 and must be reflected in (planned) Incident Management procedures.
It is also important to note that the timescales are for restoration of the critical “normal” operations of
each function. Certain other departments or individuals, such as IT and Media Communication would
be required immediately to perform technical recovery and to manage external communication.
Respondents were asked to state their minimum staff requirements for working at an alternative,
temporary location.
The following table summarises the critical staff requirements which would need to be catered for
following a disaster or major incident affecting the headquarters site. It is extremely important to
assign staff with the appropriate key skills required in response to a disruptive incident that causes
the business continuity plan and facilities (should these exist) to be activated.
Please note that the total staff numbers are the sum of the departments represented in the interviews
and based upon figures given. Although it may not match the HR official figures, it is used as a
representative figure for illustration purposes.
In addition to the staff numbers shown in the table below, switchboard personnel should be made
available and ready to accept incoming calls within a very short timeframe.
Although IT is included in these totals, it may be assumed that the department’s requirement for
operational personnel will be accommodated at the IT Disaster Recovery centre.
Branch requirements have not been included in this table, as it is assumed that, in the event of a
branch needing to be closed to business, operational staff will be re-located to another branch from
where they will be able to continue their duties, so long as IT access is available to them.
Although the review has not highlighted any areas where there are specific dependencies upon the
availability of individual staff members, there is a possibility that there are key staff who were not
identified in the interview process, e.g. in various back-office functions. All departments should
review “single points of failure” to ensure that all critical work functions are adequately covered
should one or more of the key persons be absent.
A general observation, valid for virtually all businesses in the Gulf Area, is the heavy reliance upon
an expatriate workforce. Several business critical positions at BB are held by expatriates, which must
be considered as a major risk factor when considering the relative political instability of the greater
Middle East. An unforeseen exodus of expatriates would have an impact on the Bank’s capability to
operate efficiently.
The current IT DR site at Sabhan is, as stated above, configured to cover only the core business IT
systems. The requirement to improve the RPO and to bring the recovery configuration to a point
where other systems are able to be recovered has also been mentioned earlier in this report. This
review also noted that there are no facilities for an IT operations control function at the site.
Therefore, the IT requirement for workspace as shown in the table in section 5.7 remains. The
location will be reviewed as part of the Risk Assessment Phase of this project.
When considering recovery requirements, generally, each recovery team member would require a
workstation (desk, chair and PC). The recovery team staff numbers in the table (section 5.7)
therefore also indicate the number of workstations that would need to be provided at a recovery site
over the time period indicated.
Should the entire main BB site be inaccessible, the immediate workplace requirement is 99 seats
growing to 166 seats within four days. At the time of this review, there were no arrangements in place
to accommodate the critical staff numbers shown in this table.
The potential use of the proposed site in the Free Trade Zone must be considered as part of the
future Business Continuity Strategy.
Most critical computer data is regularly backed up, and much of it would be available following a
disaster.
All data stored on the Unix platform (i.e. the core banking application) is replicated to the DR site,
and also backed up to tape at least daily. The requirement to improve the data duplication to meet
the RPO requirements has been covered elsewhere in this report.
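As an added example (not code from the report or the Bank), the RTO/RPO definitions in section 5.5 and the backup regime described above can be turned into a check: the script below parses rows in the layout of Appendix B (constructed sample rows using the duration format found there), orders applications by RTO to give the recovery sequence required by section 5.6, and lists those whose RPO a daily tape backup alone cannot meet. Function names, the row layout and the sample values are assumptions.

```python
"""Added example: derive a recovery sequence and replication needs from RTO/RPO rows."""
import re

# Constructed sample rows, laid out like the report's Appendix B subset:
# application, owning department, RTO, RPO.  "n/a" means no saved data has
# to be restored (the service is usable as soon as it is available).
SAMPLE_ROWS = """
IPS(DC) Risk Management (RMG) 0 2d
web-Marshal(DC) Risk Management (RMG) 30m 4w
KGL(DC) Risk Management (RMG) 24h 24h
BeeTrade (external hosted) Alternative Delivery Channels (ADC) 4h 0
Reuters Investment Banking & Treasury (IB&T) 0 n/a
Content Management System (CMS) Corporate Communications (CCD) 2w 1w
"""

# Minutes per unit; "m" is read as minutes here (month figures such as "1m"
# in the report's full table are outside this parser's scope).
_UNIT_MINUTES = {"m": 1, "h": 60, "d": 1440, "w": 10080}

def parse_duration(text):
    """Convert '30m', '4h', '2d', '1w', '4w+' or '0' to hours; None for n/a."""
    text = text.rstrip("+")  # '4w+' is treated as its lower bound, 4 weeks
    if text in ("n/a", "other"):
        return None
    if text == "0":
        return 0.0
    match = re.fullmatch(r"(\d+)([mhdw])", text)
    if not match:
        raise ValueError(f"unrecognised duration: {text!r}")
    return int(match.group(1)) * _UNIT_MINUTES[match.group(2)] / 60

def parse_rows(text):
    """Split each table line into name (application + department), RTO, RPO."""
    rows = []
    for line in text.strip().splitlines():
        name, rto, rpo = line.rsplit(" ", 2)
        rows.append({"name": name, "rto": parse_duration(rto),
                     "rpo": parse_duration(rpo)})
    return rows

def recovery_sequence(rows):
    """Applications ordered by RTO, tightest first: the IT recovery sequence
    has to follow the business priority (section 5.6)."""
    return [r["name"] for r in sorted(rows, key=lambda r: r["rto"])]

def needs_replication(rows, backup_interval_hours=24.0):
    """Applications whose RPO is tighter than the backup cycle; with daily tape
    the worst-case loss is one interval, so these need replication to DR."""
    return [r["name"] for r in rows
            if r["rpo"] is not None and r["rpo"] < backup_interval_hours]
```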
All other production data deemed to be critical is stored on storage equipment hosted by IT and is
backed up daily.
The review was not able to identify the extent to which data on departmental servers (e.g. Legal
Division) and standalone PCs is backed up to file servers hosted by IT, and hence backed up to
tape at the required intervals. It is however quite clear that a significant amount of more or less
critical data is not being backed up properly. The impact of loss of critical data must be made
clear to departmental management and action taken to reduce the potential for loss.
The review discussions identified a number of areas where critical information is held on hard copy.
The prime example of this is the Legal Division (LD), where only original documents are legally
binding. Whilst only a limited amount of work in progress might be lost in the event of an IT failure
(central or departmental), the impact of loss of original documents would be a long recovery process
in getting copies from third parties and getting legal confirmation of their validity.
Other examples of departments where loss of hard copy information would have an impact upon
effective recovery of operations include
The table below lists all critical suppliers of services upon which the Bank’s operations are dependent
and for which there is no identified alternative, where this information has been provided during the
review. Some of the suppliers, in particular service providers and software houses, are solid and
stable (in terms of delivery capability) enough not to be considered an issue from a continuity point of
view, while others could potentially be a cause for some concern.
Department | Suppliers | Comments (see also notes below)
IT | All IT suppliers (hardware, software and services) | Considered to be single source, and therefore there are no alternatives
Retail Banking Group (RBG) | CI-Net | Services must be available within one day
 | K-Net (ATMs) | See note 1 below
 | Visa-MC |
Investment Banking & Treasury (IB&T) | KAMCO, Reuters, Bloomberg, Rating Agencies | Services must be available within one day. No alternative suppliers available
Alternate Delivery Channels (ADC) | K-Net | See note 1 below
 | Metco |
 | NCR | See note 2 below
 | Saxo Bank |
Legal Division (LD) | Law firms, Salah Al Jassim Systems, Translators | Law firms: see note 4 below. Non-support would not have an impact before 1 – 2 weeks following the incident
Banking Operations (BO) | Eastnet (Swift) | Within one day
 | K-Net | Within one day: see note 1 below
 | CI-Net | 2 – 3 days
 | K-Post | 4 – 5 days
 | Al-Mulla Securicor | Within 1 day
Operations Group (OPSG) | G4S | No alternative
 | Gulf Security | No alternative
 | Maintenance contractors, Leasing companies, Insurers |
Notes
1. K-Net is vital to the operation of the entire card network. It was reported that, to date, there have
been no major failures
2. NCR is critical for all support for the ATM equipment (100+)
3. Corporate Communications (CCD) uses multiple suppliers (e.g. publishers / printers / agencies)
4. Legal Division (LD) uses specialist law firms, so these are not readily interchangeable, but the
Bank only uses external support for minor cases.
6 Recommended Action
BB has already initiated a Business Continuity project (of which this BIA is one task), so assuming
this project will continue as planned there are few additional actions to recommend. A single project
is however not the same as a complete, implemented and working Business Continuity Management
Programme, so the following actions should be planned and performed in addition to the current
project:
- Assign a full time Business Continuity Manager
- Plan for additional resources to maintain the BC programme over time
- Plan for on-going training and awareness activities
Appendix A – Contributors
Notes
* Attended the meeting in the absence of Muneera Al-Mukhaizeem – AGM – Branches
** Attended the meeting in the absence of Nawal Bougaidi – AGM – Retail Banking
Not in Application Support Matrix. Some of the systems are internally managed by IT or other
groups and some of them are internet services used.
Application | Department | RTO | RPO
Tejari (external website) | Operations Group (OPSG) | 4w | 1m
Zavanta (intranet) | Operations Group (OPSG) | 4w | 1m
Surveillance Servers (branches) | Operations Group (OPSG) | 4w | n/a
BIRT (in the Datacentre (DC)) | Risk Management (RMG) | 3d | 2d
KGL (DC) | Risk Management (RMG) | 24h | 24h
Operational Risk System (DC) | Risk Management (RMG) | 5d | 1w
web-Marshal (DC) | Risk Management (RMG) | 30m | 4w
mail-Marshal (DC) | Risk Management (RMG) | 24h | 24h
IPS (DC) | Risk Management (RMG) | 0 | 2d
Salah Al Jassim Systems (local) | Legal (LD) | 2w | other
Job Evaluation System (PC) | Human Resources (HRD) | 4w+ | 1w
Fixed Asset System (in progress) | Operations Group (OPSG) | 4w | 24h
Ci-Net (external website) | Retail Banking HQ (RBG) | 24h | n/a
Ci-Net (external website) | Retail Banking Branch (RBG) | 24h | n/a
Visa/MC (DC) | Retail Banking HQ (RBG) | 0 | n/a
Visa/MC (DC) | Banking Operations (BO) | 24h | n/a
Lawyer System (PC) | Retail Banking HQ (RBG) | 4w+ | n/a
Mystery Shopping (external website) | Retail Banking HQ (RBG) | 4w+ | n/a
Prognosis | Alternative Delivery Channels (ADC) | 4h | n/a
Symposium (DC) | Alternative Delivery Channels (ADC) | 4h | 24h
CinCom Call Logging (DC) | Alternative Delivery Channels (ADC) | 4h | 1m
BeeBank Back Office (DC) | Alternative Delivery Channels (ADC) | 4h | 24h
BeeTrade (externally hosted) | Alternative Delivery Channels (ADC) | 4h | 0
Content Management System (CMS) | Corporate Communications (CCD) | 2w | 1w
Kassip (external service) | Banking Operations (BO) | 0 | n/a
GIC (insurance sales)/Internet | Retail Banking Branch (RBG) | 4w+ | n/a
Auto Audit (PC/file server) | Internal Audit (IA) | 4w+ | 4w+
Reuters | Investment Banking & Treasury (IB&T) | 0 | n/a
Special equipment
Card printing machines | Banking Operations (BO) | 24h | n/a
Voice communications | All | 0 | n/a
PABX | Alternative Delivery Channels (ADC) | 4h | n/a