Professional Documents
Culture Documents
Document Information
Project Name: BCP Project
Prepared By: Tomas Nilsson MBCI Document Version No: 1.4
Title: Senior Consultant Document Version Date: 2008-02-06
Reviewed By: Ahmed Tawfiq Review Date: 2008-02-06
Distribution List
From Date Phone/Fax/Email
Tomas Nilsson 2008-02-06 tomas.nilsson@hp.com
* Action Types: Approve, Review, Inform, File, Action Required, Attend Meeting, Other (please specify)
Version History
Ver. No. Ver. Date Revised By Description Reviewer Status
0.1 2008-01-07 TN First draft Self Completed
0.2 2008-01-09 TN Phase 1 analysis Self Completed
0.3 2008-01-11 TN Findings compilation, exec summary Self Completed
1.0 2008-01-11 TN Final Draft AT Completed
1.1 2008-01-22 TN Final following client review TN n/a
1.2 2008-01-28 TN Final (staff observation added after review) AT Completed
1.3 2008-02-06 TN Final after additional QIIB review BC Commit. Completed
1.4 2008-02-06 TN Final after Committee review/workshop Approval
Table of Contents
Proprietary Notice.............................................................................................................................................. 4
1 Executive Summary................................................................................................................................... 5
1.1 Summary of Key Findings.................................................................................................................. 5
1.2 Summary of Main Recommendations................................................................................................6
2 Introduction................................................................................................................................................ 7
3 Acknowledgements.................................................................................................................................... 8
4 Scope, Objectives and Approach............................................................................................................. 9
4.1 Scope................................................................................................................................................ 9
4.2 Objectives.......................................................................................................................................... 9
4.3 Approach........................................................................................................................................... 9
5 Business Impact Analysis....................................................................................................................... 10
5.1 Purpose........................................................................................................................................... 10
5.2 General Observations...................................................................................................................... 10
5.3 Findings & Recommendations......................................................................................................... 10
5.4 Business Impacts............................................................................................................................ 13
5.4.1 Financial Impacts............................................................................................................................ 13
5.4.2 Qualitative Impacts.......................................................................................................................... 14
5.5 Recovery Time and Recovery Point Objectives...............................................................................15
5.5.1 IT Systems...................................................................................................................................... 15
5.6 Phone & Fax.................................................................................................................................... 17
5.7 Priorities........................................................................................................................................... 17
5.8 Critical Staff by Department............................................................................................................. 18
5.9 Dependence on Key Staff................................................................................................................ 19
5.10 Facilities and Services..................................................................................................................... 20
5.11 Critical Documents.......................................................................................................................... 20
5.12 Critical Suppliers.............................................................................................................................. 21
6 Recommended Action............................................................................................................................. 22
Appendix A - Contributors.............................................................................................................................. 23
Appendix B – RTO & RPO................................................................................................................................. 24
Proprietary Notice
No part of this document (including any designs) may be reproduced in any form, published, broadcast or
transmitted or have an adaptation made of it, except with the prior written permission of Hewlett-Packard
Company to parties outside of QIIB.
Hewlett Packard makes no warranty of any kind concerning this document, including, but not limited to, the
implied warranties of merchantability and fitness for a particular purpose. Hewlett Packard shall not be liable for
errors contained herein or direct indirect, special incidental or consequential damages concerning the
furnishing, performance, or use of this material.
1 Executive Summary
Qatar International Islamic Bank (QIIB) has initiated a business continuity project, of which this
Business Impact Analysis (BIA) is the first step. The objective of this effort is to identify critical
business functions and to determine their business continuity requirements regarding people, data
and underpinning IT systems. This BIA addresses all business functions, primarily undertaken at
the QIIB headquarter and main branch site in Doha.
There is a high dependency on hard copy documentation, for which there is no resilience. These
files are often poorly protected, and the volumes are huge. The frequent usage of most hard
copy documentation presents an added challenge.
There is a strong and growing reliance on the IT infrastructure. IT is however not utilised to its full
extent, business processes are largely still manual and paper based.
Some critical business functions rely heavily on standalone PC applications, without utilising
available central backup capability.
There are virtually no manual fallback procedures for the functions relying on central IT.
There is not much current disaster readiness, only a limited IT DR solution for the AS/400
environment. The plan to establish a new DR site in Wakrah is a major step in the right direction.
BCP maturity is low, but all department heads and most interviewees appreciate the need for
improvement. There are no resources allocated to implement and maintain a business continuity
programme.
Recovery Time Objectives (i.e. the tolerable downtime according to users) for IT systems range
from virtually 0 to 2 weeks. Most IT managed systems has an RTO of 48 hours or less. This is
currently not achievable.
Recovery Point Objectives (i.e. the tolerable level of data loss) was either 0 (i.e. no data loss) or
24 hours (i.e. to the backup point of the day before). This should be achievable with the current
replication and backup regime, with the exception of critical standalone PCs.
Printing and mailing of statements and bills requires special equipment and is a single point of
failure.
From a total headcount of approx. 150 (at the main site) 68 are deemed to be required within 4
hours, and up to 93 over the next few days. Assuming the main branch staff will relocate to
various other branches. Office space available at the (planned) Wakrah DR site and the Hilal
Call Centre should meet the immediate requirements.
Some departments seen to be critically understaffed. In some cases critical business functions
stand or fall with one single individual. The reliance on a largely expatriate workforce presents an
added risk.
These recommendations are mostly high level, and such that more or falls outside the scope of the on-going
BCP project. More specific recommendations will be presented in the sub-sequent Continuity Strategy
Document, which will be based on this BIA report and the Risk Assessment report.
Assign a full time Business Continuity Manager and plan for resources required to maintain the
total BC programme over time.
On completion of the initial BCP project, plan for on-going training and awareness activities.
Assess from all aspects (legal, regulatory, technical etc.) all possible options to duplicate or
digitalise critical hard copy documents. Additionally, review physical storage for critical paper
documents both on and off site. Identify those documents that require extra protection, especially
those that are difficult or impossible to recreate.
Assess the availability of commercially available provisioning of workplace recovery space and
ship-to-site IT recovery services in Qatar.
Review current replication and backup regime against stated RPOs (when verified). Consider
moving backup equipment to another location.
Check contractual obligations with vendors and suppliers in the event of a “disaster” or major
incident, e.g. do all relevant contracts have a “force majeure” clause, are there clear continuity
clauses in SLAs (if applicable)? Establishing SLA’s between Information Services and the
businesses could also be considered.
Check the level of Business Continuity capability/provision for key suppliers, especially where
they are a single-source supplier (e.g. NI, G4S), consider alternate supplier arrangements.
Reduce reliance on key members of staff (and if at all possible of expatriates) by cross training
and succession planning.
2 Introduction
Qatar International Islamic Bank (QIIB) is the leading Islamic bank in Qatar, managing 8 Billion QAR
of assets & equity and employing 310 staff. Islamic banking is a rapidly growing business, prompting
more and more banks to offer Islamic banking services. This increases the competitive pressure on
QIIB. Qatar Central Bank (QCB), the governing body of the Qatari financial services sector, has
recently regulated that a business continuity programme is mandatory for all banks. To protect its
competitiveness and to meet regulatory requirements QIIB has therefore initiated a business
continuity project with the objective to implement a business continuity programme. The first and
significant step of that process is to conduct a Business Impact Analysis (BIA).
The BIA interviews were conducted by Tomas Nilsson MBCI between 11 th December and 18th December
2007, and are part of the QIIB Business Continuity Management project encompassing this BIA, a risk
assessment of the security and infrastructure of the site, a Business Continuity plan framework, and a
policy document. Information was gathered via questionnaire and interviews with client selected
personnel. The results were validated by the QIIB project lead, Mr. Ahmed Tawfiq.
This document summarises the findings from the BIA study of QIIB operations within the Doha
headquarter and main branch site. It describes how the business operations would be impacted in
the event of a disaster or major incident affecting this site. The report also considers appropriate
Business Continuity Management (BCM) strategies and makes recommendations for ensuring the
strategy and recovery solutions meet the requirements of the business.
It should be read in conjunction with the Risk Assessment conducted by Bob Draper FBCI between
8th January and 11th January 2008.
3 Acknowledgements
The author would like to take this opportunity to thank all QIIB participants and contributors to the
study - a list can be found in Appendix A – who gave their time and responded positively to requests
for information, and in particular Mr Ahmed Tawfiq for coordinating this effort and for his hospitality.
4.1 Scope
4.2 Objectives
Identify critical business functions and supporting systems
Identify Recovery Time and Recovery Point Objectives (RTO and RPO)
Summarise recovery requirements over time (people, facilities, IT)
Identify vital records required for recovery
Produce BIA report
4.3 Approach
Information was gathered from key personnel from each business area via interviews and associated
questionnaire. A list of interviewees can be found in Appendix A.
The results were consolidated by the author and validated by Mr. Ahmed Tawfiq. It is this validated
impact analysis and IT systems information that is contained in this report.
The questionnaire forms used have been typed up and will be made available to QIIB. T hey must however
not be regarded as a formal part of, or appendices to, this report.
5.1 Purpose
The Business Impact Analysis (BIA) study identifies those parts of a business whose loss has the
potential for significant impact, threat to the company’s reputation or cause of internal disruption. It
also identifies the various resources needed to recover essential business functions. This
information is used as the basis for identifying an appropriate Business Continuity Management
strategy.
Islamic banking is largely collateral based, and the financial products offered differ in most cases significantly
from those offered by commercial banks. In a BCP context this has two main implications; the heavy
dependence of hard copy documentation requiring a lot of manual processes, and the lack of commercially
available application software requiring a lot of software development and maintenance to be conducted in-
house.
Although IT is used for the most banking functions, it has not been utilised to a full extent. Overall QIIB
business is hard copy based, primarily because of the nature of Islamic banking but also by tradition. One
Assistant General Manager stated during the interview that “we want to get away from the papers”, so there is
certainly room for improvement. Business processes are mainly manual, and not always documented. This
situation has caused a high level of people dependency which poses a risk in continuity as well as pure
business terms.
Current disaster readiness is very limited. There is no corporate BCP programme, only a limited IT DR solution
for the AS/400 environment. Overall BCP maturity is low, although all department heads and most
interviewees appreciate the need for improvement.
The most time critical functions identified are the ones directly related to daily transaction
management and are client interfacing. A failure of those functions will cause damage within a
single day and are very visible. Less time critical functions, such as treasury, reconciliation and
risk management, becomes critical after a few days, but are probably more critical to the banks
survival over time.
Central Operations is most probably the single most critical business function. Although the direct
impact of a disaster will first affect the business functions, nothing can be resumed without the
back-office functions provided by Central Operations.
Most departments are inter-dependent and the inability of one to produce its output has a serious
knock-on effect to the others. There is a significant reliance on the IT infrastructure and the bank
could not survive without IT support. IT will become even more critical as electronic banking
services are introduced.
Although IT is extremely critical, it is not utilised to a full extent. Most critical processes include a
significant amount of manual processing, e.g. front office – back office interface ismissing for
some functions. All trading and treasury notifications (within International Banking), including
SWIFT tickets, are on paper. It is significant that the more complex products and services,
typically involving higher amounts and risk, the more manual processing is required.
Manual processing must therefore be considered in a Business Continuity Plan, but this will be a
complex task since these processes are not always well documented.
Streamlining and documenting these processes, utilising more IT support, would have the
combined benefit of improving productivity and facilitating recovery.
There are no practical manual fallback procedures for the fundamental banking functions such as
transfers and record keeping, so there is no question that the bank will not survive without
access to its IT infrastructure.
It is hence imperative that the IT systems are recovered within a very short time following an
incident.
Several critical functions, primarily at within treasury, risk management and the business
departments, rely heavily on MS-Office applications running on standalone PCs. These are not
always backed up properly and neither are the applications (typically advanced Excel
spreadsheets) controlled in a secure way.
It is imperative that provisions are made to make PC based IT tools, and associated data,
recoverable within the timeframes identified.
Recovery Time Objectives (RTO) for IT systems range from virtually 0 to 2 weeks. Most IT
managed systems has an RTO of 48 hours or less.
To ensure that an RTO of 12 hours or less can be met requires dedicated standby servers to be
available at a recovery site with applications pre-loaded and some form of data mirroring or
replication. An RTO in the area of 0 in addition requires the utilisation of cluster and/or automatic
failover technology.
An RTO of 1 day (24 hours) requires either dedicated standby hardware or a 3 rd party contract
for hardware provision at an alternative site within a very short time (the availability of such
services is however limited in Qatar). System/data restores may be performed from offsite
backup tapes.
An RTO of 2-3 days or longer can be achieved either via an equipment ship-in contract (again,
this service is not easily obtained in Qatar), or by procuring equipment post-incident, but with this
method availability cannot be guaranteed.
Practically, dedicated standby equipment is probably required to meet any RTO less than a
week or two.
Recovery Point Objectives (RPO) are either 0 (i.e. no data loss) or 24 hours (i.e. last
backup). For systems hosted by IT this should be achievable with the existing backup strategies,
but needs to be confirmed.
The big issue here is the data kept on standalone PCs, for which the backup regime is not
sufficient to meet an RPO of 24 hours.
All data on the AS/400 is mirrored to the DR site, which facilitates an RPO of (close to) 0 for
most core banking applications.
The existing backup strategy involves daily backups, which would generally result in recovered
data being up to 24 hours old. Backup tapes are moved off site within Doha daily. An even
better solution would be to move the backup device to the DR site. QCB mandates that critical
data is also kept outside of Qatar, so shipping e.g. weekly full backups out of the country is
recommended.
A more detailed review is required to assess whether existing backup strategies and associated
processes are able to meet the identified Recovery Point Objectives.
From a total headcount of approx. 150 (at the main site) 58 are deemed to be required within 4
hours, and up to 93 over the next few days. Considering also the main branch adds 10 and 13
heads respectively to these numbers.
It is assumed that the main branch staff will relocate to various other branches. Office space
available at the Wakrah DR site and the Hilal Call Centre should, once Wakrah is fully equipped,
meet the immediate requirement for headquarter functions, but additional workspace must be
made available after a few days.
The printing and mailing equipment hosted in the mail room is a single point of failure, and should
be duplicated at the DR site. Alternatively, outsourcing of this non-core function could be
considered.
In several departments there is a total reliance on hardcopy information. Although many critical
documents are kept in fire safes, the general impression is that important documents are poorly
protected. Most of these would be difficult or impossible to recreate, and would severely impact
the ability to recover if the originals were destroyed. The majority of these documents are stored
in the same building as the IT servers and other computer equipment and there is a real danger
that all could be lost in the same incident.
A few hard copy documents are sent to offsite storage, but only for archiving purposes. Most of
these documents are required in the day-to-day operations, why offsite storage is impractical.
Keeping copies, either in electronic or hard copy form, of critical documents off site would be
difficult for several reasons. First there are regulatory issues, as copies are not considered
legally binding, then the sheer amount would require enormous storage capacity and is hard to
manage. The big issue is the very large number of legal or financial documents where the
original, signed version is particularly vulnerable.
The “paper issue” is worth quite some consideration, primarily from a continuity perspective, but
also to improve productivity. It should be seriously assessed from both aspects, in conjunction
with business process improvement initiatives.
There are a few critical suppliers, e.g. required to maintain transfers, cash handling and card
services, whose failure to deliver could cause significant damage to QIIB. If possible, alternatives
to these suppliers should be identified.
The banks contractual and legal standing vs. clients, suppliers and other stakeholders in case of
a disaster is not clear. There are no internal Service Level Agreements (SLAs), but it is not clear
if there are SLAs with suppliers or clients.
All the bank’s contractual and legal obligations in the event of a major incident should be
reviewed, e.g. do all relevant contracts have a “force majeure” clause, and are there clear
continuity clauses in SLAs (if applicable)? The outcome of such a review may have a significant
impact on which continuity strategies to choose.
Impact to the business was assessed in qualitative (reputation, internal disruption, non-compliance
etc.) and financial terms. Any of these indicators, if assessed as serious, can provide the justification
for expenditure on Business Continuity Planning.
When assessing impacts the interviewees were asked to assume the worst possible scenario striking
at the worst possible time (month-end, year-end, payroll etc.).
An accurate assessment of financial impacts proved difficult, or even impossible, for the majority of
interviewees. The main reason for that is that most departments are cost centres and their inability to
function would indirectly cause financial loss at business and corporate level. Furthermore, financial
reporting is primarily done on corporate level and financial data is not regularly communicated within
the organisation. All representatives of pure business functions, and of course IT, commented that
the loss could be considerable.
All numbers re financial impact of a disaster in the following paragraphs are based on interviewee
responses. They should therefore be validated by QIIB.
A few business functions were able to mention numbers. Corporate Banking Services, managing 2.2
Billion QAR in assets and equity, as well as Investments & International Banking estimated that
financial loss would be severe (100K$ - 250K$ per day) after 4 to 5 days following a disaster. SME
Business Finance expressed that their financial exposure is in the area of 1.7 Million QAR per week,
while the cash flow impact on Card Services is no more than 850K QAR per day.
Central Operations, who with their spider-in-the-web view of the whole bank, estimates that direct
losses from local and international operations combined could well be in the area of 60 to 65 Million
USD per day, more or less from day one.
Another aspect is the exposure to direct financial impact in terms of penalties and fines. Penalties
resulting from non-performance regarding client obligations are quite difficult to gauge, fines for non-
compliance with QCB regulations less so. Collateral Control estimates that the total exposure could
easily be above 2.5 Million USD, although most likely not from day one.
An additional interesting observation is that a failure of the Appraisal and Engineering functions could
have severe financial impacts, as real estate constitutes a large part of the overall portfolio.
In spite of the difficulties obtaining hard financial numbers, it is obvious that the financial losses to
QIIB would be crippling if operations are not timely resumed after a disaster. This is of course hardly
surprising for a bank and a fair assumption is that QIIB is currently putting its survival at stake by not
having a proper BCP in place.
Respondents were asked to identify the non-financial impacts if their business unit were unable to
operate. These impacts were assessed by considering the effect on customers, company image,
regulators, employees, suppliers and management information. The next table shows the overall
impacts.
The above table shows that significant disruption would occur within relatively short timescales
The findings support the view that key functions need to be up and running quickly following a
disruption, and that a standby work area recovery facility is required to enable critical functions to
relocate and be operable within a day. Relocation of critical staff would provide an acceptable short-
term recovery solution, as long as sufficient office space, critical documents and critical IT systems
were available.
The only specialist equipment that seems to be required is the printing and mailing system that is
hosted in the mail room. The availability of this equipment could well add serious delay for recovery
and an alternative should be identified.
Recovery Time Objective (RTO) means the elapsed time between a declared disaster and the
required resumption of services. Recovery Point Objective means the elapsed time for which data
may be lost without causing severe problems at resumption of services following a disaster.
Basically, the RTO states longest acceptable resumption time and RPO states the amount af
acceptable data loss.
5.5.1 IT Systems
Respondents were asked to identify which IT systems they use, how important these are to them and
how quickly they would need to be restored in the event of an IT disaster or major incident (e.g. loss
of hardware, physical environment, power or telecom’s), as opposed to day-to-day problems (which
ideally should be covered by Service Level Agreements). The next table identifies the applications
that are critical to the departments over time. The following chart was produced from the
interviewee’s requests for the various systems, and must be validated by QIIB before any decisions
on recovery strategies are taken.
The table below is a subset of the complete table, showing the most critical applications with on RTO
of 3 days or less. A complete table including information on IT platforms utilised and location of the
backup devices can be found in appendix B.
A few critical applications, and very critical Excel Macros, and associated data reside on stand-alone
PCs which more often than not are not backed up properly.
That voice communications is critical goes without saying in banking, and the existence of a state-of-the-art
PABX verifies that. Hence it goes without saying that provisions must be made to provide ample line capacity
and PABX functionality following a disaster. The telecom monopoly situation in Qatar may however cause
some concern here.
5.7 Priorities
The qualitative table illustrated in section 6.3.2 shows the relative priorities for recovery of the key
business functions within the scope of this review, and the timescales within which each
department/function should be operational. The underpinning IT systems must be recovered in the
same priority sequence.
It is important to understand however, that the table shows the maximum time within which an
acceptable level of service must be re-established and does not suggest that business units can “do
nothing” during this time. For instance, business partners, suppliers, regulators and other external
agencies may need to be contacted on day 1. This is reflected in the critical staff requirements shown
in section 6.6 and must be reflected in (planned) Incident Management procedures.
It is also important to note that the timescales are for restoration of the critical “normal” operations of
each function. Certain other departments or individuals, such as IT and Media Communication would
be required immediately to perform technical recovery and to manage external communication.
Respondents were asked to state their minimum staff requirements for working at an alternative,
temporary location. Although they were asked to minimise their requirements and not to try and
replicate their normal working environment, it turned out that in most departments the entire staff is
required even to fulfil the basic business operations. One of the most significant observations made
during the interviews was that QIIB is severally understaffed (from an operational point of view). As
well as being a business risk as such, this will have a strong negative impact on the ability to recover
from a disaster. Also, it will make it rather difficult to implement and maintain a business continuity
programme.
The following table summarises the critical staff requirements which would need to be catered for
following a disaster or major incident affecting the headquarters site.
Please note that the total staff numbers were the sum of the departments represented in the
interviews. Although it may not match the HR official figures, it is used as a representative figure for
illustration purposes.
*Information Services not included in totals as space for IT staff will be available in the DR data
centre.
Generally, each recovery team member would require a workstation (desk, chair and PC). The above
recovery team staff numbers therefore also indicate the number of workstations that would need to
be provided at a recovery site over the time period indicated.
Working from home offices as often a suitable short term solution, providing VPN access to IT
systems and data can be provided. The high dependency upon collateral and other hard copy
documentation however makes this less practical for several critical business functions.
As previously stated, most critical business processes are highly people dependent because of the
mainly manual processes and understaffing. Therefore there are several key staff whose absence
would be very difficult to cover. Some of the most critical areas in this respect are:
At least these departments should review “single points of failure” to ensure that all critical work
functions are adequately covered should one or more the key persons be absent.
It is very likely that there are others who were not identified in the interview process, e.g. in various
back-office functions.
A general observation, valid for virtually all businesses in the Gulf Area, is the heavy reliance upon
an expatriate workforce. Several business critical positions at QIIB are held by expatriates, which
must be considered as a major risk factor when considering the relative political instability of the
greater Middle East. An unforeseen exodus of expatriates would indeed damage QIIB business.
The current contingency site at Salwa Road is by no means adequate. This is appreciated by QIIB and this site
will be replaced by another site that is fully adequate for IT recovery.
Should the entire main QIIB site be inaccessible, the immediate workplace requirement is 58 seats growing to
83 seats over the next few days. This means the soon to be available capacity of up to 74 seats, assuming the
positions at the new site will be adequately equipped, is sufficient for the initial requirements but a few more
positions must be made available within two to four days. HP suggests that QIIB assesses the availability of as
commercially available recovery suites or other suitable office space and if there is available space at any of
the other branch offices.
A few staff, primarily at management level, could possible work from home, but the dependence on access to
shared hard-copy documentation means that is not a viable option for most functions.
Most critical computer data is regularly backed up, and much of it would be available following a disaster.
All data stored on the AS/400 platform (i.e. most core banking applications, see Appendix B) are mirrored to the
DR site, and also backed up to tape at least daily.
Some data stored on standalone PCs are backed up to file servers hosted by IT, and hence backed up to tape
daily, but most are typically backed up to CDs on a daily or weekly basis, but there are far too many PCs not
being regularly backed up.
Backup equipment are hosted in the main data centre, but tapes are brought off site weekly (full backups only).
Most departments rely heavily on collateral and other critical hard copy documents, often more than on
electronically stored data. The very large amount of hard copy documentation made it impossible to identify
each and every critical document during the BIA interviews. There is however no doubt that the bank can not
function without access to a very large amount of hard copy documents. The following table summarises
the critical documents identified and the current methods of storage:
Comparatively few functions are outsourced, so there are a relatively small number of critical suppliers. Of
course some departments, in particular Administrative Services and Information Systems, work with several
suppliers, but they have identified alternative channels to source from.
The table below lists all critical suppliers for which there is no identified alternative. Some of the suppliers, in
particular service providers and software houses, are solid and stable (in terms of delivery capability) enough
not to be considered an issue from a continuity point of view, while others could potentially be a cause for some
concern.
6 Recommended Action
QIIB has already initiated a Business Continuity project (of which this BIA is one task), so assuming
this project will continue as planned there are few additional actions to recommend. A single project
is however not the same as a complete, implemented and working, Business Continuity Management
Programme, so the following actions should be planned and performed in addition the the current
project:
Assign a full time Business Continuity Manager
Plan for additional resources to maintain the BC programme over time
Plan for on-going training and awareness activities
Review regulatory requirements, particularly re legality of copies of hardcopy collateral
Appendix A - Contributors