
Hewlett-Packard Company

Business Impact Analysis


Report for
BCP Project
QIIB
Prepared by: Tomas Nilsson MBCI
Senior Consultant
tomas.nilsson@hp.com
Project Document Id: BIA Report
Date Prepared: 2008-01-11
BIA Report
Project ID No.:

Document Information
Project Name: BCP Project
Prepared By: Tomas Nilsson MBCI
Title: Senior Consultant
Reviewed By: Ahmed Tawfiq
Document Version No: 1.4
Document Version Date: 2008-02-06
Review Date: 2008-02-06

Distribution List

From            Date        Phone/Fax/Email
Tomas Nilsson   2008-02-06  tomas.nilsson@hp.com

To              Action*   Due Date    Phone/Fax/Email
Ahmed Tawfiq    Approve   2008-02-06  ahmedtawfiq@qiib.com.qa

* Action Types: Approve, Review, Inform, File, Action Required, Attend Meeting, Other (please specify)

Version History
Ver. No. Ver. Date Revised By Description Reviewer Status
0.1 2008-01-07 TN First draft Self Completed
0.2 2008-01-09 TN Phase 1 analysis Self Completed
0.3 2008-01-11 TN Findings compilation, exec summary Self Completed
1.0 2008-01-11 TN Final Draft AT Completed
1.1 2008-01-22 TN Final following client review TN n/a
1.2 2008-01-28 TN Final (staff observation added after review) AT Completed
1.3 2008-02-06 TN Final after additional QIIB review BC Commit. Completed
1.4 2008-02-06 TN Final after Committee review/workshop Approval

HP Global Method HP Restricted Page 2 of 24


Document Version: 1.4 / 2008-02-06 © Copyright 2021 Hewlett-Packard Development Company, L.P. 519323989.doc
Project Document Id: BIA Report Valid agreement required. Last changed: 07 February 2008 at 07:19

Table of Contents
Proprietary Notice (page 4)
1 Executive Summary (page 5)
  1.1 Summary of Key Findings (page 5)
  1.2 Summary of Main Recommendations (page 6)
2 Introduction (page 7)
3 Acknowledgements (page 8)
4 Scope, Objectives and Approach (page 9)
  4.1 Scope (page 9)
  4.2 Objectives (page 9)
  4.3 Approach (page 9)
5 Business Impact Analysis (page 10)
  5.1 Purpose (page 10)
  5.2 General Observations (page 10)
  5.3 Findings & Recommendations (page 10)
  5.4 Business Impacts (page 13)
    5.4.1 Financial Impacts (page 13)
    5.4.2 Qualitative Impacts (page 14)
  5.5 Recovery Time and Recovery Point Objectives (page 15)
    5.5.1 IT Systems (page 15)
  5.6 Phone & Fax (page 17)
  5.7 Priorities (page 17)
  5.8 Critical Staff by Department (page 18)
  5.9 Dependence on Key Staff (page 19)
  5.10 Facilities and Services (page 20)
  5.11 Critical Documents (page 20)
  5.12 Critical Suppliers (page 21)
6 Recommended Action (page 22)
Appendix A - Contributors (page 23)
Appendix B - RTO & RPO (page 24)


Proprietary Notice
No part of this document (including any designs) may be reproduced in any form, published, broadcast or
transmitted or have an adaptation made of it, except with the prior written permission of Hewlett-Packard
Company to parties outside of QIIB.

Hewlett Packard makes no warranty of any kind concerning this document, including, but not limited to, the
implied warranties of merchantability and fitness for a particular purpose. Hewlett Packard shall not be liable for
errors contained herein or for direct, indirect, special, incidental or consequential damages concerning the
furnishing, performance, or use of this material.

© Copyright 2007 Hewlett-Packard Company


1 Executive Summary

Qatar International Islamic Bank (QIIB) has initiated a business continuity project, of which this
Business Impact Analysis (BIA) is the first step. The objective of this effort is to identify critical
business functions and to determine their business continuity requirements regarding people, data
and underpinning IT systems. This BIA addresses all business functions, primarily undertaken at
the QIIB headquarters and main branch site in Doha.

1.1 Summary of Key Findings

• There is a high dependency on hard copy documentation, for which there is no resilience. These files are often poorly protected, and the volumes are huge. The frequent usage of most hard copy documentation presents an added challenge.

• There is a strong and growing reliance on the IT infrastructure. IT is however not utilised to its full extent; business processes are largely still manual and paper based.

• Some critical business functions rely heavily on standalone PC applications, without utilising the available central backup capability.

• There are virtually no manual fallback procedures for the functions relying on central IT.

• There is not much current disaster readiness, only a limited IT DR solution for the AS/400 environment. The plan to establish a new DR site in Wakrah is a major step in the right direction.

• BCP maturity is low, but all department heads and most interviewees appreciate the need for improvement. There are no resources allocated to implement and maintain a business continuity programme.

• Recovery Time Objectives (i.e. the tolerable downtime according to users) for IT systems range from virtually 0 to 2 weeks. Most IT managed systems have an RTO of 48 hours or less. This is currently not achievable.

• Recovery Point Objectives (i.e. the tolerable level of data loss) were either 0 (i.e. no data loss) or 24 hours (i.e. to the backup point of the day before). This should be achievable with the current replication and backup regime, with the exception of critical standalone PCs.

• Printing and mailing of statements and bills requires special equipment and is a single point of failure.


• From a total headcount of approx. 150 (at the main site), 68 are deemed to be required within 4 hours, and up to 93 over the next few days, assuming the main branch staff will relocate to various other branches. Office space available at the (planned) Wakrah DR site and the Hilal Call Centre should meet the immediate requirements.

• Some departments seem to be critically understaffed. In some cases critical business functions stand or fall with one single individual. The reliance on a largely expatriate workforce presents an added risk.

1.2 Summary of Main Recommendations

These recommendations are mostly high level, and as such more or less fall outside the scope of the on-going
BCP project. More specific recommendations will be presented in the subsequent Continuity Strategy
Document, which will be based on this BIA report and the Risk Assessment report.

• Assign a full time Business Continuity Manager and plan for the resources required to maintain the total BC programme over time.

• On completion of the initial BCP project, plan for on-going training and awareness activities.

• Update documentation of business processes, departmental procedures and staff contact information to facilitate recovery and to reduce people dependency. Also consider some process re-engineering, to get away from hard copy dependency as far as possible.

• Assess from all aspects (legal, regulatory, technical etc.) all possible options to duplicate or digitalise critical hard copy documents. Additionally, review physical storage for critical paper documents both on and off site. Identify those documents that require extra protection, especially those that are difficult or impossible to recreate.

• Prepare and commission the Wakrah DR facility as soon as possible.

• Assess the availability of commercially available provisioning of workplace recovery space and ship-to-site IT recovery services in Qatar.

• Ensure there is a contingency solution for printing and mailing.

• Review the current replication and backup regime against the stated RPOs (when verified). Consider moving backup equipment to another location.

• Check contractual obligations with vendors and suppliers in the event of a "disaster" or major incident, e.g. do all relevant contracts have a "force majeure" clause, and are there clear continuity clauses in SLAs (if applicable)? Establishing SLAs between Information Services and the businesses could also be considered.

• Check the level of Business Continuity capability/provision for key suppliers, especially where they are a single-source supplier (e.g. NI, G4S), and consider alternate supplier arrangements.

• Reduce reliance on key members of staff (and, if at all possible, on expatriates) by cross training and succession planning.


2 Introduction
Qatar International Islamic Bank (QIIB) is the leading Islamic bank in Qatar, managing 8 Billion QAR
of assets & equity and employing 310 staff. Islamic banking is a rapidly growing business, prompting
more and more banks to offer Islamic banking services. This increases the competitive pressure on
QIIB. Qatar Central Bank (QCB), the governing body of the Qatari financial services sector, has
recently regulated that a business continuity programme is mandatory for all banks. To protect its
competitiveness and to meet regulatory requirements, QIIB has therefore initiated a business
continuity project with the objective of implementing a business continuity programme. The first and
significant step of that process is to conduct a Business Impact Analysis (BIA).

The BIA interviews were conducted by Tomas Nilsson MBCI between 11th December and 18th December
2007, and are part of the QIIB Business Continuity Management project encompassing this BIA, a risk
assessment of the security and infrastructure of the site, a Business Continuity plan framework, and a
policy document. Information was gathered via questionnaire and interviews with client selected
personnel. The results were validated by the QIIB project lead, Mr. Ahmed Tawfiq.

This document summarises the findings from the BIA study of QIIB operations within the Doha
headquarters and main branch site. It describes how the business operations would be impacted in
the event of a disaster or major incident affecting this site. The report also considers appropriate
Business Continuity Management (BCM) strategies and makes recommendations for ensuring the
strategy and recovery solutions meet the requirements of the business.

It should be read in conjunction with the Risk Assessment conducted by Bob Draper FBCI between
8th January and 11th January 2008.


3 Acknowledgements
The author would like to take this opportunity to thank all QIIB participants and contributors to the
study (a list can be found in Appendix A), who gave their time and responded positively to requests
for information, and in particular Mr Ahmed Tawfiq for coordinating this effort and for his hospitality.


4 Scope, Objectives and Approach

4.1 Scope

The business functions addressed by the BIA comprise the following:

• Executive and administrative Head Office functions
• Corporate & Commercial Banking functions
• Primary and DR Data Centres
• Branch Offices

(A detailed list of departments/functions addressed can be seen in Appendix A.)

The sites addressed by the BIA comprise the following:

• Bank Street Doha Headquarters site and Main branch
• Salwa Road Branch Office and current DR site

Not in scope is:

• Any other QIIB location/business function

4.2 Objectives
• Identify critical business functions and supporting systems
• Identify Recovery Time and Recovery Point Objectives (RTO and RPO)
• Summarise recovery requirements over time (people, facilities, IT)
• Identify vital records required for recovery
• Produce BIA report

4.3 Approach

Information was gathered from key personnel from each business area via interviews and an associated
questionnaire. A list of interviewees can be found in Appendix A.

The results were consolidated by the author and validated by Mr. Ahmed Tawfiq. It is this validated
impact analysis and IT systems information that is contained in this report.

The questionnaire forms used have been typed up and will be made available to QIIB. They must however
not be regarded as a formal part of, or appendices to, this report.


5 Business Impact Analysis

5.1 Purpose
The Business Impact Analysis (BIA) study identifies those parts of a business whose loss has the
potential for significant impact, threat to the company's reputation or internal disruption. It
also identifies the various resources needed to recover essential business functions. This
information is used as the basis for identifying an appropriate Business Continuity Management
strategy.

5.2 General Observations

Islamic banking is largely collateral based, and the financial products offered differ in most cases significantly
from those offered by commercial banks. In a BCP context this has two main implications: the heavy
dependence on hard copy documentation, which requires a lot of manual processes, and the lack of commercially
available application software, which requires a lot of software development and maintenance to be conducted
in-house.

Although IT is used for most banking functions, it has not been utilised to its full extent. Overall QIIB
business is hard copy based, primarily because of the nature of Islamic banking but also by tradition. One
Assistant General Manager stated during the interview that "we want to get away from the papers", so there is
certainly room for improvement. Business processes are mainly manual, and not always documented. This
situation has caused a high level of people dependency, which poses a risk in continuity as well as pure
business terms.

Current disaster readiness is very limited. There is no corporate BCP programme, only a limited IT DR solution
for the AS/400 environment. Overall BCP maturity is low, although all department heads and most
interviewees appreciate the need for improvement.

5.3 Findings & Recommendations

• The most time critical functions identified are the ones directly related to daily transaction management and are client interfacing. A failure of those functions will cause damage within a single day and is very visible. Less time critical functions, such as treasury, reconciliation and risk management, become critical after a few days, but are probably more critical to the bank's survival over time.

• Central Operations is most probably the single most critical business function. Although the direct impact of a disaster will first affect the business functions, nothing can be resumed without the back-office functions provided by Central Operations.

• Most departments are inter-dependent and the inability of one to produce its output has a serious knock-on effect on the others. There is a significant reliance on the IT infrastructure and the bank could not survive without IT support. IT will become even more critical as electronic banking services are introduced.

The IS/IT environment is well documented and managed.

• Although IT is extremely critical, it is not utilised to its full extent. Most critical processes include a significant amount of manual processing, e.g. the front office - back office interface is missing for some functions. All trading and treasury notifications (within International Banking), including SWIFT tickets, are on paper. It is significant that the more complex the products and services (typically involving higher amounts and risk), the more manual processing is required.

Manual processing must therefore be considered in a Business Continuity Plan, but this will be a
complex task since these processes are not always well documented.

Streamlining and documenting these processes, utilising more IT support, would have the
combined benefit of improving productivity and facilitating recovery.

• There are no practical manual fallback procedures for the fundamental banking functions such as transfers and record keeping, so there is no question that the bank will not survive without access to its IT infrastructure.

It is hence imperative that the IT systems are recovered within a very short time following an
incident.

• Several critical functions, primarily within treasury, risk management and the business departments, rely heavily on MS-Office applications running on standalone PCs. These are not always backed up properly, and neither are the applications (typically advanced Excel spreadsheets) controlled in a secure way.

It is imperative that provisions are made to make PC based IT tools, and associated data,
recoverable within the timeframes identified.

• Recovery Time Objectives (RTO) for IT systems range from virtually 0 to 2 weeks. Most IT managed systems have an RTO of 48 hours or less.

To ensure that an RTO of 12 hours or less can be met requires dedicated standby servers to be
available at a recovery site with applications pre-loaded and some form of data mirroring or
replication. An RTO in the area of 0 in addition requires the utilisation of cluster and/or automatic
failover technology.

An RTO of 1 day (24 hours) requires either dedicated standby hardware or a 3rd party contract
for hardware provision at an alternative site within a very short time (the availability of such
services is however limited in Qatar). System/data restores may be performed from offsite
backup tapes.

An RTO of 2-3 days or longer can be achieved either via an equipment ship-in contract (again,
this service is not easily obtained in Qatar), or by procuring equipment post-incident, but with this
method availability cannot be guaranteed.

Practically, dedicated standby equipment is probably required to meet any RTO of less than a
week or two.

• Recovery Point Objectives (RPO) are either 0 (i.e. no data loss) or 24 hours (i.e. last backup). For systems hosted by IT this should be achievable with the existing backup strategies, but this needs to be confirmed.


The big issue here is the data kept on standalone PCs, for which the backup regime is not
sufficient to meet an RPO of 24 hours.

All data on the AS/400 is mirrored to the DR site, which facilitates an RPO of (close to) 0 for
most core banking applications.

The existing backup strategy involves daily backups, which would generally result in recovered
data being up to 24 hours old. Backup tapes are moved off site within Doha daily. An even
better solution would be to move the backup device to the DR site. QCB mandates that critical
data is also kept outside of Qatar, so shipping e.g. weekly full backups out of the country is
recommended.

A more detailed review is required to assess whether existing backup strategies and associated
processes are able to meet the identified Recovery Point Objectives.
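The RPO review called for above (mirrored AS/400 data, daily tapes moved off site, standalone PCs with an insufficient regime), as an added example that is not part of the report or of QIIB's own tooling: a small Python inventory check that computes the worst-case data loss each protection mechanism can deliver in a site-level incident and lists the systems whose stated RPO cannot be met. The inventory entries, the three protection classes and the rule that a copy still inside the building is lost with the primary are this example's assumptions, not findings from the report.

```python
"""Check stated Recovery Point Objectives against what the backup regime can
actually deliver in a site-level incident.

Added example, not the report's method. The inventory below is constructed
and the three protection classes are a deliberate simplification.
"""
from dataclasses import dataclass

NO_RECOVERY = float("inf")   # no restorable copy survives the incident


@dataclass
class System:
    name: str
    stated_rpo_hours: float        # tolerable data loss agreed with the business
    protection: str                # "mirror", "scheduled" or "none"
    interval_hours: float = 0.0    # time between backup runs ("scheduled" only)
    offsite: bool = False          # does the copy leave the primary building?


def achievable_rpo_hours(system: System) -> float:
    """Worst-case age of the newest copy that survives a site-level incident.

    Assumptions (this example's, not the report's):
    - continuous mirroring to another site gives an RPO of effectively 0;
    - a scheduled backup loses everything written since the last run, so the
      worst case equals the interval, but only if the copy has already left
      the building; otherwise it is destroyed together with the primary;
    - a system with no backup at all has nothing to restore from.
    """
    if system.protection == "mirror":
        return 0.0
    if system.protection == "scheduled":
        if system.interval_hours <= 0:
            raise ValueError(f"{system.name}: scheduled backup needs an interval")
        return system.interval_hours if system.offsite else NO_RECOVERY
    if system.protection == "none":
        return NO_RECOVERY
    raise ValueError(f"{system.name}: unknown protection {system.protection!r}")


def rpo_gaps(inventory):
    """Return (name, stated, achievable) for every system whose regime cannot
    meet its stated RPO, worst shortfall first (ties keep inventory order)."""
    gaps = []
    for s in inventory:
        achievable = achievable_rpo_hours(s)
        if achievable > s.stated_rpo_hours:
            gaps.append((s.name, s.stated_rpo_hours, achievable))
    gaps.sort(key=lambda g: g[2] - g[1], reverse=True)
    return gaps


# Constructed inventory modelled on the situations the report describes.
INVENTORY = [
    System("Core banking (AS/400)", 0, "mirror", offsite=True),
    System("Document imaging server", 24, "scheduled", interval_hours=24, offsite=True),
    System("Treasury pricing workbook (standalone PC)", 24, "none"),
    System("Risk model workbook (standalone PC)", 24, "scheduled", interval_hours=168, offsite=True),
    System("Card batch files", 24, "scheduled", interval_hours=24, offsite=False),
]

if __name__ == "__main__":
    for name, stated, achievable in rpo_gaps(INVENTORY):
        shown = "never" if achievable == NO_RECOVERY else f"{achievable:g} h"
        print(f"GAP  {name}: stated RPO {stated:g} h, achievable {shown}")
```

The interesting rows are the two that look protected on paper: a weekly copy of a spreadsheet does exist but can never satisfy a 24 hour RPO, and a nightly tape that has not yet left the building delivers nothing in the scenario a BIA assumes. Both are the kind of finding that a per-system achievable-versus-stated comparison surfaces and a simple "is it backed up?" checklist hides.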

• From a total headcount of approx. 150 (at the main site), 58 are deemed to be required within 4 hours, and up to 93 over the next few days. Considering also the main branch adds 10 and 13 heads respectively to these numbers.

It is assumed that the main branch staff will relocate to various other branches. Office space
available at the Wakrah DR site and the Hilal Call Centre should, once Wakrah is fully equipped,
meet the immediate requirement for headquarters functions, but additional workspace must be
made available after a few days.

• The printing and mailing equipment hosted in the mail room is a single point of failure, and should be duplicated at the DR site. Alternatively, outsourcing of this non-core function could be considered.

• In several departments there is a total reliance on hardcopy information. Although many critical documents are kept in fire safes, the general impression is that important documents are poorly protected. Most of these would be difficult or impossible to recreate, and their loss would severely impact the ability to recover if the originals were destroyed. The majority of these documents are stored in the same building as the IT servers and other computer equipment, and there is a real danger that all could be lost in the same incident.

A few hard copy documents are sent to offsite storage, but only for archiving purposes. Most of
these documents are required in the day-to-day operations, which is why offsite storage is impractical.

Keeping copies, either in electronic or hard copy form, of critical documents off site would be
difficult for several reasons. First there are regulatory issues, as copies are not considered
legally binding; then the sheer amount would require enormous storage capacity and be hard to
manage. The big issue is the very large number of legal or financial documents where the
original, signed version is particularly vulnerable.

The "paper issue" is worth quite some consideration, primarily from a continuity perspective, but
also to improve productivity. It should be seriously assessed from both aspects, in conjunction
with business process improvement initiatives.

• There are a few critical suppliers, e.g. those required to maintain transfers, cash handling and card services, whose failure to deliver could cause significant damage to QIIB. If possible, alternatives to these suppliers should be identified.


• The bank's contractual and legal standing vs. clients, suppliers and other stakeholders in case of a disaster is not clear. There are no internal Service Level Agreements (SLAs), and it is not clear if there are SLAs with suppliers or clients.

All the bank's contractual and legal obligations in the event of a major incident should be
reviewed, e.g. do all relevant contracts have a "force majeure" clause, and are there clear
continuity clauses in SLAs (if applicable)? The outcome of such a review may have a significant
impact on which continuity strategies to choose.

5.4 Business Impacts

Impact to the business was assessed in qualitative (reputation, internal disruption, non-compliance
etc.) and financial terms. Any of these indicators, if assessed as serious, can provide the justification
for expenditure on Business Continuity Planning.

When assessing impacts the interviewees were asked to assume the worst possible scenario striking
at the worst possible time (month-end, year-end, payroll etc.).

5.4.1 Financial Impacts

An accurate assessment of financial impacts proved difficult, or even impossible, for the majority of
interviewees. The main reason for that is that most departments are cost centres and their inability to
function would indirectly cause financial loss at business and corporate level. Furthermore, financial
reporting is primarily done at corporate level and financial data is not regularly communicated within
the organisation. All representatives of pure business functions, and of course IT, commented that
the loss could be considerable.

All numbers regarding the financial impact of a disaster in the following paragraphs are based on interviewee
responses. They should therefore be validated by QIIB.

A few business functions were able to mention numbers. Corporate Banking Services, managing 2.2
Billion QAR in assets and equity, as well as Investments & International Banking estimated that
financial loss would be severe (100K$ - 250K$ per day) after 4 to 5 days following a disaster. SME
Business Finance expressed that their financial exposure is in the area of 1.7 Million QAR per week,
while the cash flow impact on Card Services is no more than 850K QAR per day.

Central Operations, which has a spider-in-the-web view of the whole bank, estimates that direct
losses from local and international operations combined could well be in the area of 60 to 65 Million
USD per day, more or less from day one.

Another aspect is the exposure to direct financial impact in terms of penalties and fines. Penalties
resulting from non-performance regarding client obligations are quite difficult to gauge; fines for
non-compliance with QCB regulations less so. Collateral Control estimates that the total exposure could
easily be above 2.5 Million USD, although most likely not from day one.

An additional interesting observation is that a failure of the Appraisal and Engineering functions could
have severe financial impacts, as real estate constitutes a large part of the overall portfolio.


In spite of the difficulties obtaining hard financial numbers, it is obvious that the financial losses to
QIIB would be crippling if operations are not resumed in a timely manner after a disaster. This is of course hardly
surprising for a bank, and a fair assumption is that QIIB is currently putting its survival at stake by not
having a proper BCP in place.

5.4.2 Qualitative Impacts

Respondents were asked to identify the non-financial impacts if their business unit were unable to
operate. These impacts were assessed by considering the effect on customers, company image,
regulators, employees, suppliers and management information. The next table shows the overall
impacts by time the department is unable to operate.

Department                                      Intra-day   1 day       2-3 days    4-5 days    1-2 weeks   > 2 weeks
Electronic Banking Services                     Critical    Disastrous  Disastrous  Disastrous  Disastrous  Disastrous
Central Operations                              Disruptive  Critical    Disastrous  Disastrous  Disastrous  Disastrous
Domestic Investment Ops / Collateral Control    Disruptive  Critical    Disastrous  Disastrous  Disastrous  Disastrous
Central Accounting                              Manageable  Critical    Disastrous  Disastrous  Disastrous  Disastrous
Retail Banking Services                         Manageable  Disruptive  Disastrous  Disastrous  Disastrous  Disastrous
Card Services                                   Disruptive  Critical    Critical    Disastrous  Disastrous  Disastrous
Call Centre                                     Manageable  Disruptive  Critical    Disastrous  Disastrous  Disastrous
Credit & Market Risk Management                 Manageable  Disruptive  Critical    Disastrous  Disastrous  Disastrous
Domestic Investment Ops / LoC Retail            Manageable  Disruptive  Critical    Disastrous  Disastrous  Disastrous
Appraisal & Engineering                         Manageable  Disruptive  Critical    Critical    Disastrous  Disastrous
Administrative Services                         Manageable  Disruptive  Critical    Critical    Disastrous  Disastrous
Financial Control                               Manageable  Manageable  Disruptive  Critical    Disastrous  Disastrous
Human Resources                                 Manageable  Manageable  Disruptive  Critical    Critical    Disastrous
Investment & International Banking              Manageable  Manageable  Manageable  Disruptive  Critical    Disastrous
Corporate Banking Services                      Manageable  Manageable  Manageable  Disruptive  Critical    Disastrous
SME Business Finance                            Manageable  Manageable  Manageable  Disruptive  Critical    Disastrous
Operational Risk                                Manageable  Manageable  Manageable  Disruptive  Disruptive  Critical
Recovery & Past Due Collection                  Manageable  Manageable  Manageable  Manageable  Disruptive  Critical
Media Communication                             Manageable  Manageable  Manageable  Manageable  Disruptive  Critical
Internal Audit                                  Manageable  Manageable  Manageable  Manageable  Manageable  Disruptive
Information Services                            Critical    Disastrous  Disastrous  Disastrous  Disastrous  Disastrous
  (same as most critical user dept.)
Executive View                                  Disruptive  Critical    Critical    Disastrous  Disastrous  Disastrous


The above table shows that significant disruption would occur within relatively short timescales.

The findings support the view that key functions need to be up and running quickly following a
disruption, and that a standby work area recovery facility is required to enable critical functions to
relocate and be operable within a day. Relocation of critical staff would provide an acceptable short-
term recovery solution, as long as sufficient office space, critical documents and critical IT systems
were available.

The only specialist equipment that seems to be required is the printing and mailing system hosted in the
mail room. Unavailability of this equipment could well add serious delay to recovery, and an alternative
should be identified.

5.5 Recovery Time and Recovery Point Objectives

Recovery Time Objective (RTO) means the elapsed time between a declared disaster and the
required resumption of services. Recovery Point Objective (RPO) means the period for which data
may be lost without causing severe problems at resumption of services following a disaster.
Basically, the RTO states the longest acceptable resumption time and the RPO states the amount of
acceptable data loss.

5.5.1 IT Systems

Respondents were asked to identify which IT systems they use, how important these are to them and
how quickly they would need to be restored in the event of an IT disaster or major incident (e.g. loss
of hardware, physical environment, power or telecoms), as opposed to day-to-day problems (which
ideally should be covered by Service Level Agreements). The next table identifies the applications
that are critical to the departments over time. It was produced from the interviewees' requests for
the various systems, and must be validated by QIIB before any decisions on recovery strategies are
taken.

The table below is a subset of the complete table, showing the most critical applications with an RTO
of 3 days or less. A complete table, including information on the IT platforms utilised and the location
of the backup devices, can be found in Appendix B.

Application System              User Department                             RTO     RPO
Electronic Clearing System      Retail Banking Services                     0       0
                                Central Operations
USwitchware                     Card Services                               0       0
                                Electronic Banking Services
Call Centre System              Call Centre                                 0       0
Equation                        Investment & International Banking          30 min  0
                                Corporate Banking Services
                                SME Business Finance
                                Retail Banking Services
                                Financial Control
                                Credit & Market Risk Management
                                Appraisal & Engineering
                                Domestic Investment Ops/Collateral Control
                                Central Operations
                                Domestic Investment Ops/LoC Retail
                                Past Due Collection
                                Card Services
                                Electronic Banking Services
                                Call Centre
                                Central Accounting
                                Internal Audit
Cashier                         Retail Banking Services                     30 min  0
SWIFT                           Investment & International Banking          30 min  0
                                Central Operations
                                Electronic Banking Services
Trade Innovations               Domestic Investment Ops/LoC Retail          30 min  0
Estisna’a                       Domestic Investment Ops/Collateral Control  4h      0
                                Domestic Investment Ops/LoC Retail
                                Retail Banking Services
Ijara                           Domestic Investment Ops/Collateral Control  4h      0
                                Domestic Investment Ops/LoC Retail
                                Retail Banking Services
Musawama                        Domestic Investment Ops/Collateral Control  4h      0
                                Domestic Investment Ops/LoC Retail
                                Retail Banking Services
Mudarabah                       Domestic Investment Ops/Collateral Control  4h      0
                                Appraisal & Engineering
Murabaha                        Domestic Investment Ops/Collateral Control  4h      0
Wakala                          Domestic Investment Ops/Collateral Control  4h      0
Network International           Card Services                               4h      0
                                Call Centre
ATM Electronic Journal          Retail Banking Services                     4h      0
Housemaid                       Financial Control                           4h      0
Customer Card Management System Call Centre                                 12h     n/a
                                Retail Banking Services
PIN Mailer                      Call Centre                                 12h     n/a
                                Retail Banking Services
IVR                             Retail Banking Services                     12h     n/a
SMS Gateway                     Retail Banking Services                     12h     n/a
Collateral Management System    Domestic Investment Ops/Collateral Control  24h     0
Asset Management System         Administrative Services                     24h     24h
Maintenance Management System   Administrative Services                     24h     24h
Mail System                     Administrative Services                     24h     24h
Placid                          Financial Control                           24h     24h
                                Central Accounting
Delta                           Administrative Services                     48h     24h
MS-Office                       SME Business Finance                        48h     24h
                                Credit & Market Risk Management
                                Internal Audit
                                Investment & International Banking
                                Corporate Banking Services
                                Financial Control
                                Appraisal & Engineering
                                Domestic Investment Ops/Collateral Control
                                Domestic Investment Ops/LoC Retail
                                Administrative Services
                                Human Resources
AutoCAD                         Appraisal & Engineering                     3 days  24h
Ofuq / Payroll and HR System    Human Resources                             3 days  24h
                                Financial Control

A few critical applications, and very critical Excel Macros, and associated data reside on stand-alone
PCs which more often than not are not backed up properly.

In addition to these application systems, IT infrastructure functions underpinning the applications,
such as firewalls and directory (catalogue) services, must be considered to have RTOs and RPOs
corresponding to those of the most critical applications.
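The comparison this section implies can be made explicit. The following Python is an added example, not part of the HP report: it compares each application's required RPO (from the table above) with the RPO its backup arrangement can actually deliver, and derives the objectives the underpinning infrastructure must meet. The backup classification assigned to each sample application follows the description in section 5.11 and is an assumption, as is the mapping from backup method to achievable RPO.

```python
"""RPO gap check over the BIA application table.

Added example, not part of the HP report. Required RTO/RPO values are taken
from the section 5.5.1 table; the backup arrangement assigned to each
application follows the prose of section 5.11 (AS/400 mirrored to the DR
site, IT-hosted storage to tape daily, standalone PCs to CD weekly or not at
all) and is an assumption made here, as is the achievable RPO per method.
"""
import math
from dataclasses import dataclass

# Achievable RPO in hours for each backup arrangement (assumption).
ACHIEVABLE_RPO_H = {
    "mirror": 0.0,       # mirrored to the DR site: no committed data lost
    "daily_tape": 24.0,  # nightly tape backup of IT-hosted storage
    "weekly_cd": 168.0,  # standalone PC copied to CD once a week
    "none": math.inf,    # standalone PC never backed up
}


def parse_duration_h(text):
    """Convert the table's RTO/RPO strings ('0', '30 min', '4h', '3 days',
    '2 weeks', 'n/a') to hours; 'n/a' (no own data) becomes None."""
    t = text.strip().lower()
    if t == "n/a":
        return None
    if t == "0":
        return 0.0
    parts = t.split()
    value, unit = (parts[0], parts[1]) if len(parts) == 2 else (t[:-1], t[-1])
    value = float(value)
    if unit.startswith("min"):
        return value / 60
    if unit == "h":
        return value
    if unit.startswith("day"):
        return value * 24
    if unit.startswith("week"):
        return value * 24 * 7
    raise ValueError(f"unrecognised duration: {text!r}")


@dataclass(frozen=True)
class App:
    name: str
    rto: str      # as written in the BIA table
    rpo: str
    backup: str   # key into ACHIEVABLE_RPO_H (assumed classification)


# Sample rows from the section 5.5.1 / Appendix B table; the backup
# classification is assumed from section 5.11 and the Appendix B columns.
APPS = [
    App("Electronic Clearing System", "0", "0", "daily_tape"),
    App("Equation", "30 min", "0", "mirror"),
    App("SWIFT", "30 min", "0", "daily_tape"),
    App("Musawama", "4h", "0", "daily_tape"),
    App("Customer Card Management System", "12h", "n/a", "none"),
    App("Asset Management System", "24h", "24h", "weekly_cd"),
    App("MS-Office (Excel macros)", "48h", "24h", "none"),
]


def rpo_gaps(apps):
    """Return (name, required_h, achievable_h) for every application whose
    backup arrangement cannot deliver the RPO the business requires."""
    gaps = []
    for app in apps:
        required = parse_duration_h(app.rpo)
        if required is None:  # interface with no own data: nothing to lose
            continue
        achievable = ACHIEVABLE_RPO_H[app.backup]
        if achievable > required:
            gaps.append((app.name, required, achievable))
    return gaps


def infrastructure_objectives(apps):
    """RTO and RPO (hours) that underpinning infrastructure such as firewalls
    and directory services must meet: the tightest objective of any
    application depending on it."""
    rtos = [h for h in (parse_duration_h(a.rto) for a in apps) if h is not None]
    rpos = [h for h in (parse_duration_h(a.rpo) for a in apps) if h is not None]
    return min(rtos), min(rpos)


if __name__ == "__main__":
    for name, required, achievable in rpo_gaps(APPS):
        print(f"{name}: requires RPO {required:g}h, backup gives {achievable:g}h")
    print("infrastructure RTO/RPO (h):", infrastructure_objectives(APPS))
```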

5.6 Phone & Fax


A few functions (Investment & International Banking, Central Operations, Card Services) have implicitly stated
a reliance on fax communications. Considering the very low email utilisation, also for external communication, it
is safe to assume that fax services are used quite frequently throughout the bank and that a considerable
amount of fax traffic is of a critical nature. Fax capability must therefore be made available immediately at any
recovery location used.

That voice communication is critical in banking goes without saying, and the existence of a state-of-the-art
PABX confirms that. Provisions must therefore be made to provide ample line capacity and PABX functionality
following a disaster. The telecom monopoly situation in Qatar may, however, cause some concern here.

5.7 Priorities

The qualitative table illustrated in section 6.3.2 shows the relative priorities for recovery of the key
business functions within the scope of this review, and the timescales within which each
department/function should be operational. The underpinning IT systems must be recovered in the
same priority sequence.

It is important to understand, however, that the table shows the maximum time within which an
acceptable level of service must be re-established; it does not suggest that business units can “do
nothing” during this time. For instance, business partners, suppliers, regulators and other external
agencies may need to be contacted on day 1. This is reflected in the critical staff requirements shown
in section 6.6 and must be reflected in the (planned) Incident Management procedures.

It is also important to note that the timescales are for restoration of the critical “normal” operations of
each function. Certain other departments or individuals, such as IT and Media Communication, would
be required immediately to perform technical recovery and to manage external communication.
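The priority sequence this section refers to can be derived mechanically from the qualitative impact ratings. The following Python is an added example, not part of the HP report: it encodes a subset of the section 5.4.2 table and orders departments by how soon an outage reaches a chosen impact level. Treating the last time bucket before "Disastrous" as the maximum tolerable outage is an interpretation made for this example; the report itself does not define that threshold.

```python
"""Recovery priority sequence derived from the qualitative impact table.

Added example, not part of the HP report. The ratings below are a subset of
the section 5.4.2 table; the threshold rule (last bucket before the chosen
impact level) is an interpretation made for this example.
"""

# Time buckets in the order used by the section 5.4.2 table.
BUCKETS = ["Intra-day", "1 day", "2-3 days", "4-5 days", "1-2 weeks", "> 2 weeks"]

# Ordinal value of the impact ratings used in the table.
SCALE = {"Manageable": 0, "Disruptive": 1, "Critical": 2, "Disastrous": 3}

# A subset of the rows of the section 5.4.2 table, copied from the report.
IMPACTS = {
    "Electronic Banking Services":
        ["Critical", "Disastrous", "Disastrous", "Disastrous", "Disastrous", "Disastrous"],
    "Central Operations":
        ["Disruptive", "Critical", "Disastrous", "Disastrous", "Disastrous", "Disastrous"],
    "Retail Banking Services":
        ["Manageable", "Disruptive", "Disastrous", "Disastrous", "Disastrous", "Disastrous"],
    "Card Services":
        ["Disruptive", "Critical", "Critical", "Disastrous", "Disastrous", "Disastrous"],
    "Human Resources":
        ["Manageable", "Manageable", "Disruptive", "Critical", "Critical", "Disastrous"],
    "Corporate Banking Services":
        ["Manageable", "Manageable", "Manageable", "Disruptive", "Critical", "Disastrous"],
    "Operational Risk":
        ["Manageable", "Manageable", "Manageable", "Disruptive", "Disruptive", "Critical"],
    "Internal Audit":
        ["Manageable", "Manageable", "Manageable", "Manageable", "Manageable", "Disruptive"],
}


def tolerable_outage(ratings, threshold="Disastrous"):
    """Index into BUCKETS of the longest outage whose rating stays below the
    threshold: -1 if even an intra-day outage reaches it, the last index if
    no bucket does."""
    for i, rating in enumerate(ratings):
        if SCALE[rating] >= SCALE[threshold]:
            return i - 1
    return len(ratings) - 1


def tolerable_outage_label(ratings, threshold="Disastrous"):
    """Human-readable bucket label for tolerable_outage()."""
    idx = tolerable_outage(ratings, threshold)
    return "immediate" if idx < 0 else BUCKETS[idx]


def recovery_sequence(impacts, threshold="Disastrous"):
    """Departments ordered by tolerable outage, shortest first. Ties are
    broken by total impact over all buckets (worse first), then by name, so
    the result is deterministic. Returns (department, tolerable outage)."""
    def sort_key(item):
        name, ratings = item
        total = sum(SCALE[r] for r in ratings)
        return (tolerable_outage(ratings, threshold), -total, name)

    return [(name, tolerable_outage_label(ratings, threshold))
            for name, ratings in sorted(impacts.items(), key=sort_key)]


if __name__ == "__main__":
    for rank, (dept, outage) in enumerate(recovery_sequence(IMPACTS), 1):
        print(f"{rank:2d}. {dept:<30} must be operational within: {outage}")
```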


5.8 Critical Staff by Department

Respondents were asked to state their minimum staff requirements for working at an alternative,
temporary location. Although they were asked to minimise their requirements and not to try to
replicate their normal working environment, it turned out that in most departments the entire staff is
required even to fulfil the basic business operations. One of the most significant observations made
during the interviews was that QIIB is severely understaffed (from an operational point of view). As
well as being a business risk in itself, this will have a strong negative impact on the ability to recover
from a disaster. It will also make it rather difficult to implement and maintain a business continuity
programme.

The following table summarises the critical staff requirements which would need to be catered for
following a disaster or major incident affecting the headquarters site.

Please note that the total staff numbers were the sum of the departments represented in the
interviews. Although it may not match the HR official figures, it is used as a representative figure for
illustration purposes.

Required critical staff

Department                                    ASAP    After 2-4 days
Information Services*                         10      10
Electronic Banking Services                   3       7
Central Operations                            6       8
Domestic Investment Ops / Collateral Control  2       5
Central Accounting                            4       4
Retail Banking Services HQ                    1       1
Per Category A Branch                         10      15
Per Category B Branch                         6       10
Per Category C Branch                         3       3
Card Services                                 3       6
Call Centre                                   8       8
Credit & Market Risk Management               2       2
Domestic Investment Ops / LoC Retail          5       5
Appraisal & Engineering                       2       4
Administrative Services                       3       6
Investment & International Banking            5       8
Financial Control                             4       4
Human Resources                               2       3
Corporate Banking Services                    4       4
SME Business Finance                          2       5
Operational Risk                              1       2
Recovery & Past Due Collection                1       2
Media Communication                           1       1
Internal Audit                                0       0
Totals HQ Functions                           59      85
Totals HQ Site incl. Main Branch              69      95

*Information Services not included in totals as space for IT staff will be available in the DR data
centre.

Generally, each recovery team member would require a workstation (desk, chair and PC). The above
recovery team staff numbers therefore also indicate the number of workstations that would need to
be provided at a recovery site over the time period indicated.

Working from home is often a suitable short-term solution, provided that VPN access to IT systems
and data can be provided. The high dependency upon collateral and other hard-copy documentation,
however, makes this less practical for several critical business functions.

5.9 Dependence on Key Staff

As previously stated, most critical business processes are highly people-dependent because of the
mainly manual processes and understaffing. There are therefore several key staff whose absence
would be very difficult to cover. Some of the most critical areas in this respect are:

- Investment & International Banking
- Corporate Banking Services
- Financial Control
- Credit & Market Risk Management
- Domestic Investment Operations/Collateral Control
- Domestic Investment Operations/LoC Retail
- Operational Risk
- Information Services

At least these departments should review “single points of failure” to ensure that all critical work
functions are adequately covered should one or more of the key persons be absent.

It is very likely that there are others who were not identified in the interview process, e.g. in various
back-office functions.

A general observation, valid for virtually all businesses in the Gulf area, is the heavy reliance upon
an expatriate workforce. Several business-critical positions at QIIB are held by expatriates, which
must be considered a major risk factor given the relative political instability of the greater Middle
East. An unforeseen exodus of expatriates would indeed damage QIIB's business.

5.10 Facilities and Services

The current contingency site at Salwa Road is by no means adequate. This is appreciated by QIIB and this site
will be replaced by another site that is fully adequate for IT recovery.


Workplace recovery capability is available as follows:

- New DR site at Wakrah; room for 40 - 60 seats, not equipped
- Call Centre Training Room; 14 seats, fully equipped
- Main Branch functions, and staff, can be spread out over other branch offices.

Should the entire main QIIB site be inaccessible, the immediate workplace requirement is 58 seats, growing to
83 seats over the next few days. This means that the soon-to-be-available capacity of up to 74 seats, assuming
the positions at the new site will be adequately equipped, is sufficient for the initial requirements, but a few more
positions must be made available within two to four days. HP suggests that QIIB assesses the availability of
commercially available recovery suites or other suitable office space, and whether there is available space at
any of the other branch offices.

A few staff, primarily at management level, could possibly work from home, but the dependence on access to
shared hard-copy documentation means that this is not a viable option for most functions.

5.11 Critical Documents

Most critical computer data is regularly backed up, and much of it would be available following a disaster.

All data stored on the AS/400 platform (i.e. most core banking applications, see Appendix B) is mirrored to the
DR site, and also backed up to tape at least daily.

All other data stored on storage equipment hosted by IT is backed up daily.

Some data stored on standalone PCs is backed up to file servers hosted by IT, and hence to tape daily; most
is typically backed up to CDs on a daily or weekly basis, but there are far too many PCs that are not regularly
backed up at all.

Backup equipment is hosted in the main data centre, but tapes are taken off site weekly (full backups only).

Most departments rely heavily on collateral and other critical hard-copy documents, often more than on
electronically stored data. The very large amount of hard-copy documentation made it impossible to identify
each and every critical document during the BIA interviews. There is, however, no doubt that the bank cannot
function without access to a very large number of hard-copy documents. The following table summarises
the critical documents identified and the current methods of storage:

Department                                    Documents                                 Comments
Investment & International Banking            Collateral, e.g. deeds                    Stored locally in filing cabinets or fire safes
Corporate Banking Services                    Client files, client reviews, collateral  Stored locally in fire safes
SME Business Finance                          Approvals, client files, collateral       Stored locally in fire safes
Credit & Market Risk Management               Rating reports                            Stored locally in filing cabinets
Appraisal & Engineering                       Appraisals, collateral, blueprints        Stored locally in filing cabinets or openly
                                              (Huge volumes!)
Domestic Investment Ops / Collateral Control  Collateral, approvals, agreements,        Stored locally in fire safes
                                              client files
Domestic Investment Ops / LoC Retail          Collateral, client files, transaction     Stored locally in filing cabinets or fire safes
                                              summaries, insurance policies
                                              (Huge volumes!)
Central Accounting                            Data entry forms, vouchers, checks        Stored locally but moved off site daily for archiving
Internal Audit                                Audit reports                             Stored locally in filing cabinets
Administrative Services                       Contracts, purchase agreements,           Stored locally in filing cabinets or openly
                                              insurance policies, compliance
                                              registrations
Human Resources                               Employment contracts, passports,          Stored locally in filing cabinets or fire safes
                                              work permits, personnel files

5.12 Critical Suppliers

Comparatively few functions are outsourced, so there is a relatively small number of critical suppliers. Of
course some departments, in particular Administrative Services and Information Systems, work with several
suppliers, but they have identified alternative channels to source from.

The table below lists all critical suppliers for which there is no identified alternative. Some of the suppliers, in
particular service providers and software houses, are solid and stable (in terms of delivery capability) enough
not to be considered an issue from a continuity point of view, while others could potentially be a cause for some
concern.

Department                          Supplier                      Comments
Investment & International Banking  Clearstream                   Extranet based service, will become critical.
                                                                  Not an issue.
Retail Banking Services             G4S, NCR                      Cash replenishment, checks.
                                                                  Alternatives recommended.
Central Operations                  NCR, G4S, Proaeses Soft       Several back-office functions:
                                                                  transfers & clearing, scanning etc.
Card Services                       Network International (Visa,  Card supply and transaction management.
                                    MasterCard)                   Not an issue.
Electronic Banking Services         G4S, NCR                      ATM replenishment, ATM maintenance, checks.
                                                                  Alternatives recommended.
Call Centre                         EastNets Group, Network       Call routing, payment services, transaction
                                    International, Qtel, Nortel   management, phone and comms lines, PBX.
                                                                  Alternatives recommended (although Qtel still has monopoly).
Administrative Services             Qtel                          Phone and comms lines.
                                                                  Alternatives recommended (although Qtel still has monopoly).
Information Systems                 ITS, MiSys, EastNets, GBM     Application SW, Swift gateway.
                                    (IBM), Sun                    Not an issue.


6 Recommended Action

QIIB has already initiated a Business Continuity project (of which this BIA is one task), so assuming
this project continues as planned there are few additional actions to recommend. A single project
is, however, not the same as a complete, implemented and working Business Continuity Management
Programme, so the following actions should be planned and performed in addition to the current
project:

- Assign a full-time Business Continuity Manager
- Plan for additional resources to maintain the BC programme over time
- Plan for on-going training and awareness activities
- Review regulatory requirements, particularly regarding the legality of copies of hard-copy collateral


Appendix A - Contributors

Department/Function Represented                       Name
Executives                                            Mohsen Moustafa
Investment & International Banking                    Lotfi Zairi
                                                      Mohannad Quaddoura
Corporate Banking Services                            Alaa Eldin Ismail Mohamed
SME Business Finance                                  Mahmoud Mohamed Mahmoud
Retail Banking Services                               Ali Hamad Al-Mesaifiri
Financial Control                                     Ahmed Ayoub
                                                      Mahmoud El-Zayat
Credit & Market Risk Management                       Samir Abdel Naem
Appraisal & Engineering                               Dr. Abdul Raouf Al-Rasheed
                                                      Mortada Eltahir Mohamed Ahmed
Domestic Investment Operations & Collateral Control   Fouad Said Ahmed Saleh
                                                      Abd Ul-Muniem Ali Marrie
Central Operations                                    Syed Asim Mahmood
                                                      Hesham Mohamed Saad El Din
Domestic Investments Operations / LoC Retail          Ekram M. Mohamed
                                                      Hesham Mohamed Saad El Din
Recovery & Past Due Collection                        Nabil Hamdi Allulu
Card Services                                         Magdi Ali Fayed
Electronic Banking Services                           Magdi Farah
Call Centre                                           Mohamed Saeed Mubarak
Central Accounting                                    Sadat Badran Ibrahim
Internal Audit                                        Faiha Al-Qodah
Administrative Services                               Hajjaj Mussad Atta
Media Communications                                  Emad Husien Shaban
Human Resources                                       Khaled Al-Sayeh
                                                      Kamal Mustafa
Information Services                                  Nasser Hassan Mohamed Mahmoud
                                                      Zulqurnain Khan


Appendix B – RTO & RPO


Application System              RTO      RPO   Platform                        Backup Location   Comments
Electronic Clearing System      0        0     Windows Client/Server           Main Data Centre  Red Tide
  Users: Retail Banking Services; Central Operations
USwitchware                     0        0     Solaris                         Main Data Centre  -
  Users: Card Services; Electronic Banking Services
Call Centre System              0        0     Windows Client/server           Helal             -
  Users: Call Centre
Equation                        30 min   0     AS/400                          DR Salwa          Includes: EXP system, Branch Automation
  Users: Investment & International Banking; Corporate Banking Services; SME Business Finance; Retail Banking Services;
         Financial Control; Credit & Market Risk Management; Appraisal & Engineering; Domestic Investment Ops/Collateral Control;
         Central Operations; Domestic Investment Ops/LoC Retail; Past Due Collection; Card Services; Electronic Banking Services;
         Call Centre; Central Accounting; Internal Audit
Cashier                         30 min   0     Windows Client/Server           n/a               -
  Users: Retail Banking Services
SWIFT                           30 min   0     Windows Client/Server           Main Data Centre  Standalone and Integrated
  Users: Investment & International Banking; Central Operations; Electronic Banking Services
Trade Innovations               30 min   0     Windows Client/Server           Main Data Centre  -
  Users: Domestic Investment Ops/LoC Retail
Estisna’a                       4h       0     AS/400                          DR Salwa          -
  Users: Domestic Investment Ops/Collateral Control; Domestic Investment Ops/LoC Retail; Retail Banking Services
Ijara                           4h       0     AS/400                          DR Salwa          -
  Users: Domestic Investment Ops/Collateral Control; Domestic Investment Ops/LoC Retail; Retail Banking Services
Musawama                        4h       0     Windows Client/Server           Main Data Centre  -
  Users: Domestic Investment Ops/Collateral Control; Domestic Investment Ops/LoC Retail; Retail Banking Services
Mudarabah                       4h       0     AS/400                          DR Salwa          AS400, so assign same RTO as rest
  Users: Domestic Investment Ops/Collateral Control; Appraisal & Engineering
Murabaha                        4h       0     AS/400                          DR Salwa          AS400, so assign same RTO as rest
  Users: Domestic Investment Ops/Collateral Control
Wakala                          4h       0     AS/400                          DR Salwa          AS400, so assign same RTO as rest
  Users: Domestic Investment Ops/Collateral Control
Network International           4h       0     n/a                             n/a               Link, hosted by NI
  Users: Card Services; Call Centre
ATM Electronic Journal          4h       0     Windows Client/Server           n/a               -
  Users: Retail Banking Services
Housemaid                       4h       0     AS/400                          DR Salwa          -
  Users: Financial Control
Customer Card Management System 12h      n/a   Windows Client/Server, Solaris  n/a               Interface, no own data
  Users: Call Centre; Retail Banking Services
PIN Mailer                      12h      n/a   Windows                         Main Data Centre  -
  Users: Call Centre; Retail Banking Services
IVR                             12h      n/a   Windows Client/Server           Main Data Centre  -
  Users: Retail Banking Services
SMS Gateway                     12h      n/a   Windows Client/Server           n/a               -
  Users: Retail Banking Services
Collateral Management System    24h      0     -                               -                 -
  Users: Domestic Investment Ops/Collateral Control
Asset Management System         24h      24h   Windows                         Local (if any)    Local PCs
  Users: Administrative Services
Maintenance Management System   24h      24h   Windows                         Local (if any)    Local PCs
  Users: Administrative Services
Mail System                     24h      24h   ??                              n/a               Standalone, in mailroom
  Users: Administrative Services
Placid                          24h      24h   Windows                         Main Data Centre  Not in IT?
  Users: Financial Control; Central Accounting
Delta                           48h      24h   Windows                         Local (if any)    Local PCs
  Users: Administrative Services
MS-Office                       48h      24h   Windows                         Local (if any)    Excel critical
  Users: SME Business Finance; Credit & Market Risk Management; Internal Audit; Investment & International Banking;
         Corporate Banking Services; Financial Control; Appraisal & Engineering; Domestic Investment Ops/Collateral Control;
         Domestic Investment Ops/LoC Retail; Administrative Services; Human Resources
AutoCAD                         3 days   24h   Windows                         Local (if any)    Local PCs
  Users: Appraisal & Engineering
Ofuq / Payroll and HR System    3 days   24h   Windows Client/Server           n/a               -
  Users: Human Resources; Financial Control
Email (Exchange)                4 days   24h   Windows Client/Server           n/a               Card services need it in 30 min!?! Mailboxes not backed up?
  Users: Investment & International Banking; SME Business Finance; Appraisal & Engineering; Domestic Investment Ops/Collateral Control;
         Central Operations; Card Services; Central Accounting; Internal Audit; Administrative Services; Media Communication;
         Human Resources
CRM System                      1 week   24h   -                               -                 Hosted at Call Centre
  Users: Call Centre
Dociware                        1 week   24h   Windows Client/Server           n/a               General archiving/retrieval interface, used by all functions. RPO refers to accessed databases!
  Users: Electronic Banking Services
Primavera                       1 week   24h   Windows                         Local (if any)    Local PCs
  Users: Appraisal & Engineering
Signature Verification System   1 week   24h   Windows Client/Server           Main Data Centre  -
  Users: Call Centre; Retail Banking Services
QCB Online System               2 weeks  n/a   Windows Client/Server           n/a               Interface
  Users: Corporate Banking Services
Internet                        2 weeks  n/a   Windows Client/Server           n/a               Card services need it in 30 min!?!
  Users: SME Business Finance; Domestic Investment Ops/Collateral Control; Card Services; Administrative Services; Media Communication
Reuters                         2 weeks  n/a   n/a                             n/a               Feed only. Implemented Jan 2008.
  Users: Investment & International Banking
Sharepoint                      n/a      n/a   Windows Client/Server           Main Data Centre  Not deemed critical
  Users: All
