Time to Revisit and Revitalize Banks’ Crisis Preparedness

Our major cities lie in and around the East African Rift Valley region, which is known for its turbulent seismic movements; private banks and insurers have, on average, only a decade and a half of experience; and the concept and practice of developing and using Disaster Recovery and Business Continuity (DR/BC) plans are still novel.

Considering all this, I have always wondered whether the business community in general, and financial institutions such as banks, insurers, microfinance institutions and audit firms in particular, have done enough to factor disaster recovery, crisis management and business continuity budget provisions into their investment plans, and whether private banks adequately addressed such critical issues during the acquisition and deployment of Core Banking Solutions.

For public and business organizations delivering key products and services to customers, building and maintaining a strong, multi-hazard crisis prevention, response and management capability is not a matter of choice but an obligation, because failure to do so may expose them to all kinds of risks (technical, natural and human) that could affect or destroy their mission-critical resources and force them to totally or partially disrupt their business operations and services.

Basically, the underlying principles and practices of ensuring crisis preparedness are the same across the board, although the volume and complexity of the work involved vary from one organization to another. The writer chose to focus on banks because crises affecting this sector can have far-reaching impacts on the performance of the market in particular and the national economy at large. This focus should not be read as underestimating the essential business-enabling services rendered by EEPCO and ethio-telecom, for instance.

The breadth and depth of crisis preparedness depend on our understanding of the similarities and differences between these undesirable events. Simply put, a crisis is a threat that evolves over time, with the potential to inflict injuries or loss of human life, disrupt operations and damage mission-critical resources if it occurs in the absence of adequate preparation.

By contrast, a disaster is a catastrophe that strikes suddenly, with the potential to cause wide-ranging impact on businesses. A power blackout, in the absence of a generator, is a disaster. The failure of a mission-critical computer server, in the absence of a backup server, is also a disaster. The crash of a primary data center, in the absence of a disaster recovery site, is a disastrous event for a bank.

Thanks to early warning systems, it is possible to predict the likely occurrence of natural disasters, but not exactly when they will strike or at what magnitude.

Crisis and disaster events can be caused by technical failures, natural calamities and illicit human acts.

Avoiding crises and disasters altogether is inconceivable, but their impact can be reduced by proactively and adequately strengthening preparedness. This requires exploring the internal and external business environments to identify potential risk exposures, conducting risk analysis and assessment to determine impact, isolating the risks of medium to high impact, and finally developing appropriate crisis prevention, mitigation and response strategies around them.

Reliable crisis or disaster preparedness embraces what needs to be done before, during and after a disruptive event.

Earthquakes are common in the Rift Valley region, but it is only recently that their reverberations started being felt as far as the capital, as evidenced by the earthquakes on December 4, 2016 and January 27, 2017. The recurrence of such minor tremors can be taken as a warning sign of the imminence of a disastrous event with wide-ranging impact.

The banks’ plans are mainly confined to setting up and maintaining a disaster recovery (DR) site equipped with state-of-the-art IT products and services. Their knowledge of the range of administrative and logistic capabilities that must be developed and used to accomplish crisis management and business continuity activities is far from desirable.

Such a knowledge gap is critical, as it is management who must primarily initiate and provide guidance and leadership on building and maintaining an all-round crisis prevention and response capability.

This does not mean, however, that CEOs need to be knowledgeable about the subject, but having basic awareness of and insight into its essential components is highly desirable. It is vital to know that an organization’s vulnerability to crises is exacerbated when it fails to understand the interplay and interdependence between three crisis-related plans: the emergency/contingency plan, the DR plan and the business continuity (BC) plan.

There is also confusion regarding the scope of a DR plan and a BC plan. The mistaken belief that “the DR plan takes care of everything the bank needs to ensure its crisis preparedness” appears to be quite common.

This reminds me of a remark made by a famous literary critic on the need to strike a balance and maintain harmony between ‘form’ and ‘content’ in literary works: “What is the use of having a beautiful forehead if there is no brain behind it?” The writer commends the efforts made to create and manage a DR site that concurrently replicates and stores mirror copies of the transactions created and updated at the Primary Data Center (PDC) housed at the Headquarters (HQ). But using the data backed up at the DR site to recover and resume mission-critical functions and services is difficult in the absence of a BCM plan.

The BCM plan contains guidelines and structures for declaring a crisis and activating emergency response actions to save employees’ lives, logistics arrangements for moving and deploying resources to recovery locations, and provisions for mobilizing and deploying crisis response teams to undertake preset crisis tasks. It is these overall business and administrative guiding frameworks and tools that make it the indispensable center, or ‘brain’, of crisis preparedness.

The other misconception relates to the objective of crisis preparedness itself. Many of them believe that it is about protecting the security and integrity of data and physical IT resources. This erroneous belief leads them to give less importance to putting a contingency plan in place for preventing and minimizing injuries and loss of life among employees. Thus, building employee-centered crisis preparedness is imperative.

Maintaining a distance of 100 km between the location of the bank’s PDC and its Secondary Data Center (SDC) is mandatory to avoid simultaneous exposure of both sites to the same disastrous event.

Hence, for a bank whose PDC is located in the Ambassador area, it appears to be a tragic mistake to place its SDC/DR site in the Bole area, because a powerful earthquake striking the capital could reduce both centers to debris.

Investment in such a misplaced and vulnerable solution looks like a waste of resources, as it gives no guarantee of the bank’s survival.

Banks and other concerned parties must recognize that crisis/disaster prevention and response capability cannot be built through lone effort, but only by joining hands and working in collaboration with different stakeholders such as banks, districts, fire brigades, police and army forces, weather forecasting and early warning institutions, the disaster prevention and response agency, clinics and hospitals, and the public at large.

It is also essential to understand that building reliable, robust crisis preparedness for banks is not a one-time business. It needs to be revised and updated regularly to make sure that it is comprehensive and responsive enough to meet their current and emerging technical and business requirements, enabling them to effectively protect key operations and services from the risks posed by multiple hazards in both their internal and external business environments.

For banks and other organizations that keep client- and business-sensitive data and computing facilities, reconsidering the location of their backup sites and making the necessary adjustments is an urgent need.

