3 ways to avoid unplanned outages in Asian banks
By Reto Gruenenfelder PhD High Availability is a Business Decision
Before automated teller machines, customers looking to access banking services had no choice but to wait in line at a bank, during its opening hours. Today, online and mobile banking platforms have provided customers with instant access to the majority of banking services, creating a new reality for banks.
Customers today have little tolerance for downtime. They want banks to be responsive to their needs at all times and offer services that can address their financial concerns or increase the efficiency of their transactions.
Banks have worked hard to put in place detailed processes to ensure security and quick recovery from unplanned outages – all in hopes of mitigating potential service disruption. Despite all the positive measures, the pressure to ensure continuity continues to mount.
It’s time banks realise that high availability is a multi-faceted challenge. It involves a hard look at business and operational processes, IT infrastructure, planned maintenance, security mitigation, risk management as well as business continuity and disaster recovery policies.
In short, availability is a strategic business issue that requires commitment from top management and even the Board. To ensure continuity, there are several fundamental issues that banks have to address.
Simplification – Understanding organisational complexity
Management needs to gain insights into internal business processes and understand the complexities of its operations. Over the years, banks have developed organisational and product line complexities that put a strain on flexibility and ultimately, availability.
Complex dependencies can slow down operations. Banks need to be able to identify and isolate potential single points of failure and eliminate them, or build redundancies for failover.
When downtime occurs, management looks to IT to reinstate operations and conduct a post-mortem on how to avoid the same failure. However, these discussions are usually focussed on how to solve the technical challenge, when what is needed is a long and hard look at the processes that brought such failures.
For example, most banks today are organised by product lines, with many common processes and services across deparments. These duplicate and siloed processes are making banks into complex matrix organisations. Any single failure within this complex matrix will have repercussions on multiple processes within the organisation.
To address this challenge, the board and management must give the mandate to simplify the bank’s “operational ecosystem” -- eliminating process complexities and creating dynamic business structures that empower the frontline.
Simplification begins with a due diligence on all business processes and services, even those that are not technology-driven. A simplified business process will aid in the development of defined IT and management systems as well as transparent process hierarchies, improving the ease and speed of problem solving and troubleshooting. Management’s visibility into processes and their relative potential for failure will also enhance risk mitigation and operational resilience.
Balancing – Cost and availability equation
Just like other organisations, banks operate within defined budgets. The allocation of budget must therefore be prioritised in accordance with the desired levels of availability, once critical business processes and services are identified.
This process begins with understanding the actual uptime measurement. For example, 99 percent uptime (or ‘two nines’) will translate to 3.65 days of downtime a year. High availability involves defining the agreed and pre-determined levels of performance, and this can only be driven by the highest level of authority in the organisation.
Availability is a numbers game: the relationship between price, Recovery Time Objectives and Recovery Point Objectives is a natural law. There is no magic formula that allows banks to achieve perfect availability at low cost.
Achieving ‘five –nines’ would require a level of investment that is substantially more than ‘two-nines’. It requires the management to set reasonable service level agreements and establish acceptable downtime tolerance levels, all within budget requirements. This involves defining which mission critical applications must be up and running 24x7, and which ones can afford some downtime, thus setting clear expectations for all departments, including IT.
Managing availability also requires banks to prioritise risk according to the likelihood of its occurrence, and its impact on the institution. Risk mitigation is akin to purchasing insurance. Disaster recovery and mirror sites, though costly, provide the added security that can readily kick in when needed. Investments in the right redundancies mitigate risk exposures and minimise possible losses.
Once management has established the priorities in terms of technology investments, IT can align their strategies and processes to achieve the agreed availability goals.
Compliance – Minimum bar to clear, not ceiling to reach
Regulators generally impose standards as well as incremental capital requirements on banks to enforce a measure for availability. Yet, this minimum standard may not be acceptable to customers adversely affected by the downtime. Bank transactions can be highly time-sensitive. Any downtime that halts or delays transactions could result in substantial losses to customers.
Regulatory requirements notwithstanding, outages have a direct negative impact on a bank’s reputation. Therefore, banks would do well to look at recovery times of competitors as the benchmarks to beat.
Aligning service levels with customer satisfaction should take precedence over meeting compliance levels set by regulators and this mindset change must be led by top management.
High availability begins at the top
The discussion on availability needs to shift from simply buying more technology, to one that focuses on business factors that impact availability. Discussions should encompass process dependencies, application and service criticalities, reputational risks as well as overall business goals. All of these will require clear mandates from the board of directors, and buy-in from the entire management team.
The quest to reduce business interruptions and maximise availability must come from the top, driven by management’s decision on availability levels that will best reflect the bank’s business goals.