From military, government and healthcare institutions to large corporates, the legacy of terrorism has triggered awareness at board level of the need to understand and invest in businesses continuity planning (BCP) and disaster recovery (DR). Investment in IT was increasingly factored in as part of the operational risk.
FSIs are ahead of other corporate counterparts. Spend by FSIs on BCP/DR products and services is expected to grow from an estimated $2.2 billion in 2003 to $5.3 billion by 2005, a 65% increase in the space of just two years.
There are other contributing factors – globalization, the move towards 24/7 business, and straight through processing (STP) are also working in conjunction to drive IT investment. Yet, terrorism both served to spark off investment and remains an issue in risk planning.
Terrorism as a risk element
The possibility of a terrorist attack meant that internal reviews of the BCP/DR implications for business processes, building safety, and IT systems particularly were conducted to varying degrees.
The results of these reviews have been startling for many FSIs. Whilst protection against a terrorist attack remains an important issue, the implications of the natural faults and glitches are more important due to the high likelihood with which they may occur. For example, the disruption and monetary loss caused by a power cut or an IT error.
A shift in emphasis
The focus on disaster recovery is shifting away from hardware-based resilience and simple backup & restore solutions to IT architectures that are resilient to data corruption or loss, and are less likely to fail as a whole.
A great deal of the investment is linked to the increasing need for financial institutions to control their operational risk. This has been demonstrated by the advent of the Basel II risk level regulations, a key factor driving FSIs to assess the risks IT exposes them to.
The most powerful, and expensive, implications to BCP/DR relate to STP and process automation. FSIs are preparing the introduction of a new generation of IT infrastructure that is able to share data between systems and process transactions, like a mortgage application or a stock trade, more effectively.
Until now large parts of the IT systems of FSIs have operated on a batch basis, meaning that the interdependency between systems was low and a fault in one system would remain isolated at least until the next batch cycle. However, as systems are integrated, the failure of one system can halt all the connected systems.
Ultimately the ideal IT and business process layout should be of the nature where events such as maintenance, testing, system failure or a terrorist attack are not differentiable from each other. In other words, if one part of a system goes down, the remainder of the systems are automatically aware of this and invalidate any faulty transactions and continue normal operations. An excellent example of this is Deutsche Bank’s trading system, which is globally dispersed and load balanced to the extent where the said requirements are met.
The legacy
Following 9/11, business continuity saw a special amount of attention in the financial services sector, especially financial markets. While financial markets remain at the forefront of business continuity development and will continue to grow, there are also strong opportunities in insurance and, especially, in retail banking.
The legacy of terrorism is that it very publicly and clearly underlines the impact of uncontrollable events on to the performance of business processes. What previous IRA campaigns and the events of 9/11 have thereby done is raise the awareness at board level for the need to understand and invest in resilience. Corporates must recognize IT risk as a part of operational risk and act to identify, understand and reduce it.
