Summary: Need help with PR? If you are looking for a great PR firm, you've found one. Walker Sands is a leading Chicago PR firm with a strong track record that makes it one of top national PR agencies..

No one would deny that for the extremely sensitive nature of bank transactions, better safe than sorry is more than just smart policy on disaster recovery-it's the reality of today's code-red state of mind. But when is enough enough? A growing voice suggests the "reasonable" threshold has been breached, to the detriment of the entire industry.
(article continues below useful links)

"Banking is a risk-averse industry, so you have to balance your risk aversion with your competitive advantage," says Mark Vanston, a senior program director with Meta Group, an IT and e-business consulting firm. "You don't want to outspend the other guy, nor do you want to underspend."

Finding that equilibrium can be tough work for banks, but it's fast becoming a necessity in an industry characterized by narrower profit margins and a low tolerance for inefficiency. In a recently published study, Vanston argues that financial institutions are investing excessive amounts of money on disaster recovery / business continuity, and often in the wrong ways. "The reality is that the pendulum has swung from 'We don't care' to 'We care too much,'" he says. "People protect for the stupidest things-like nuclear attacks or terrorist attacks in Des Moines. You want to protect against statistically proven things, like a flood or a fire."

When it comes to preparing for the unforeseeable, banks certainly have no shortage of regulation to fall back on: the SEC, the Federal Reserve, the FDIC , NASD and the New York Stock Exchange have all issued guidelines of varying length and specificity aimed at establishing minimum requirements for disaster recovery and business continuity planning. But since the double-whammy cataclysms of the East Coast blackout of August 14, 2003, and the terrorist attacks of September 11, 2001, banks of all sizes have taken unprecedented initiatives to review and revise their emergency planning. Industry estimates put current disaster recover and business continuity spending at five to six percent of total IT budgets, with spending expected to grow to seven to eight percent within the next 18 months.

One of Vanston's concerns is the lack of coordination that usually accompanies the enthusiasm to spend. The study finds that fewer than 40 percent of surveyed organizations have comprehensive DR/BC plans that are not only current, but regularly and rigorously tested. This subset of firms is expected to increase to only 60 percent by 2005, the study says. Financial institutions are probably in better shape than most other industries, given the nature of real-time transactions and regulatory compliance, Vanston argues. Industry predictions are difficult to ascertain, he says, but the study finds that by 2005, 50 percent of Fortune 1000 companies will have established a strong organizational commitment to business continuity planning, characterized by a business continuity office and officer. By 2007, the study predicts, over 80 percent of Fortune 1000 firms will have implemented this model.

But organizational commitment doesn't always yield intelligent planning. Among banks' biggest mistakes, Vanston says, is the failure to conduct integration analysis of their core systems. "I can protect my payroll application at its highest level," he explains, "but if I don't protect that one crucial database, [the whole effort] is useless. It's an understanding from a business perspective [of] what to pick to protect." Many large financial institutions claim they don't have the resources to conduct impact scenarios, he adds. "So they end up wanting to protect everything. In the long term, that's going to hurt them."

Smarter spending often means choosing whether to outsource DR/BC operations, and there are plenty of firms willing to step in and do the job. Chicago-based Corigelan serves mid- to large-size banks in the Midwest, and in the last three years has seen a significant increase in the number of financial services clients wanting to bring disaster recovery in-house. "It's a huge trend," says Tim De Lisle, a managing principle at Corigelan. "The financial services clients we deal with are already doing something. What they come to us for is to determine if they're doing things appropriately."

Banks are looking for more control and greater flexibility when it comes to DR/BC, adds De Lisle. And they want it all at lower costs. De Lisle points to the growing number of hot sites-fully-networked back-up facilities that up to 100 banks can share-as an example of a more efficient means by which financial institutions can pool their operational risk. Corigelan is hardly alone in the DR/BC industry. Hundreds of big names like SunGard, HP and IBM vying for banks' dollars. According to an IDC report, the DR market is expected to grow 6.9 percent annually, with certain high-tech sectors growing by nearly twice as much.

Thus, with plenty of vendors at their disposal, most banks are more than prepared when it comes to IT continuity planning, says Michael Haney, a senior analyst at Celent. What continues to pose the biggest challenges are the people and other physical variables, such as roads, electricity and office space. While large financial institutions have the resources to spread their locations geographically and to create and maintain operational redundancy, smaller and regional banks must often devise more innovative approaches that are both cost-effective and operationally trustworthy.

In the end, the biggest threats facing banks of all sizes today are Internet-related. In 2003, the SoBig, CodeRed and Blaster viruses swept through the United States, costing banks millions of dollars in downtime. According to Celent's Haney, financial institutions cite downtime as the primary reason for business-continuity planning, with brokerages losing an average of $6.5 million per hour, and credit card businesses losing $2.6 million per hour. Prevention is the best medicine, but sometimes, too much medicine can sicken the patient. "It's not how much banks are spending but how they're spending," says Vanston. "People are panicking."

Copyright © 2004. Bank Technology News.