CIO Asia - Issue - The Business of Security:
How two financial services giants tied business continuity planning to the business--not to security.
By Ann Toh
* Discover how two financial services giants institute business continuity and disaster recovery plans to get back to normal as soon as possible when disaster strikes
* Glean strategies to sell the expense of business continuity to senior management
FEAR, UNCERTAINTY AND DOUBT--for years that was how CIOs sold security. Today, as two best-practice financial services organisations show, there are more effective ways to get that security spend and keep people's eyelids from drooping than by painting disaster scenarios.
BUSINESS CONTINUITY CHAMPION
Global financial services provider Deutsche Bank AG was a survivor of the Sept 11 terrorist attacks in New York on Sept 11, 2001. The Singapore branch of the bank, its Asia Pacific headquarters, has since been facing the challenging task of getting the bank and its employees interested in business continuity planning, and high on disaster recovery readiness.
An employee who knows a disaster when he sees one is Kenny Seow, head of Business Continuity Management (Asia Pacific), who has been facing the quiet challenge of getting his colleagues excited about business continuity planning at the bank for the last five years. The 14-year business continuity planning (BCP) veteran heads the bank's BCP function, which liases with and brings together various internal units and experts dealing with risk--be it information risk, physical risk or business risk--to coordinate plans and strategies that address the loss of facilities, personnel or critical systems, and get them implemented.
'The work of business continuity planning requires a diverse set of skills,' says Seow. That is why the bank harnesses individual teams of experts--from people who are responsible for the business lines and operations to those dealing with IT and physical security--to formulate a total protection programme.
Seow is lucky to work for an organisation that has always cared about business continuity planning, even before the horrific events of Sept 11 and Severe Acute Respiratory Syndrome (SARS). The Bank takes an integrated, risk-centric approach to information security, physical security and business continuity. It has created a structure to manage and govern business continuity management (BCM). BCM is a board-level concern at Deutsche Bank. It has full-time teams in Singapore, the bank's Asia Pacific headquarters, and in its bigger locations, Hong Kong, Japan, Australia and India, to manage BCM. The role of these units is to ensure that processes and resources are in place so that when an incident occurs, the bank can respond effectively, says Seow. He adds: 'In Deutsche Bank, because BCM is recognised as such an important function, it has a direct line of reporting to the regional Chief Operating Officer. Business continuity risk is considered one aspect of the various risks we manage, such as operational risk, market risk or credit risk."