Cover Page

Title of the paper: Disaster Recovery Plan (DRP) and Business Continuity
Plan (BCP) for financial cooperatives in new market economy
Name of the Author: Dr. Manjusha S. Kadam

ADDRESS: Vaikunth Mehta National Institute of Cooperative Management, Ganesh Khind

Road, Shivaji Nagar, Pune 411039

Phone No.: 09881007006, Landline (O) : 020 66221512

e-Mail: manjukadam@gmail.com , mskadam@vamnicom.gov.in

Electronic copy available at: https://ssrn.com/abstract=2920431

 Disaster Recovery Plan (DRP) and Business Continuity Plan (BCP) for
Financial cooperatives in new market economy

“The only thing harder than planning for an emergency is explaining why you
didn’t”

“Plan ahead: it wasn’t raining when Noah built the ark!”

- ANONYMOUS
ABSTRACT

A large banking institutions based in India initiated an IT solution that provide link to data
redundancy towards large customer base. As per Reserve Bank of India Department of
Banking Supervision, Central Office, Mumbai has guidelines on information security,
Electronic Banking, Technology risk management, Disaster Recovery Plan (DRP) and
Business Continuity Plan (BCP). The banks must have prevention programme to reduce the
likelihood that banks operation will be significantly affected by a pandemic event for which
the banks need to setup disaster avoidance, disaster recovery committee at branch level.

The main objective of this research paper is to observe whether the particular cooperative
Bank has any effective Disaster Management System with reference to Disaster Avoidance,
Disaster Recovery Plan (DRP) and Business Continuity Plan (BCP) as per RBI guidelines
and other international standards. This was pursued by conducting structured interview of
branch head of the The Vishweshwar Sahakari Bank Ltd., Pune.

The researcher with the help of a questionnaire inquired from the branch head of The
Vishweshwar Sahakari Bank Ltd., Pune and compared the responses with the desired state
using GAP Analysis Worksheet.

The study reflected that the selected Bank in this research, backup its data at a Remote offsite
location, have a BCP / DRP Plan available with them on software but they do not apply
Disaster Management System as per RBI -“Guidelines on information security, Electronic
Banking, Technology risk management and cyber frauds” and other international standards.
The study concludes by providing recommendations to the Indian Banks.

KEYWORDS: Market Economy, Disaster Avoidance, Disaster Recovery Plan (DRP),

Business Continuity Plan (BCP), Basel Committee on Banking Supervision (BCBS), Data
backup.

INTRODUCTION

Business disruption can happen anywhere, anytime. Massive tsunamis, hurricanes, terrorist
bombings, power outages, and more have made recent headlines. It is not possible to predict

Electronic copy available at: https://ssrn.com/abstract=2920431

every time what may strike when even though we have all advance technology based system.
Today's 24x7x365 business world is running its operations with all the zest to meet the needs
of modern economy. In such situation, it has become mandatory to prepare for any of the
disastrous situation.

The dependence on banks has increased over the period of time for electronic as well as
traditional banking services. In view of the growth of Banking industry, securing themselves
with advanced technology tools as well as planning, monitoring, and maintenance of the
overall IT infrastructure is a crucial tasks at business front. It has become almost mandatory
for the banking industry to plan for 'Business Continuity'.

It may sound cliché to mention that much of the commercial activity that we see today is
dependent on banks. Banks, in turn, have turned to increasingly complex technology and
business models to deliver the services expected in this age of modern economy with
boundary less ecommerce. Sophisticated and interconnected Automated Teller Machine
(ATM) networks, Tele-banking, Core Banking Solutions and Internet Banking Solutions for
seamless customer access are but some of technologies currently deployed. Add to this, the
ever expanding branch network to provide banking services in semi-urban and rural areas in
India. With this background in mind, it is indeed disturbing to imagine a scenario where a
disaster may render a bank inoperative for an extended period of time.

DISASTER MANAGEMENT FOR BANKS AND FINANCIAL INSTITUTIONS

It involves disaster avoidance, disaster recovery and business continuity planning. The
meaning of the above mentioned terms is as below:

Disaster Avoidance: Disaster avoidancei is a series of measures designed to prevent, detect,

or contain potentially calamitous incidents.

It is a component of business continuity planning, which stresses an organization need to

have its critical business services available at all times.

Disaster Recoveryii: Disaster Recovery can be defined as the organization's ability to get back
into business quickly after an event that disrupts the flow of information. This is done
through a set of pre-planned, coordinated, and totally familiar procedures with an established
set of prioritiesiii.

The disaster recovery is the concept of “failsafe”. That is, the bank’s ability to survive the
disaster it has so valiantly tried to avoid. The disaster recovery plan is extremely necessary to
the survival of a bank.
i
Disaster Avoidance, <http://en.wikipedia.com>
ii
“Disaster Recovery”, accessed on Dec 2011, <http://www.netsmithusa.com/pdf/netsmithusa_wp_dr.pdf>
iii
Beth Verity, “Guide to Network Cabling Fundamentals”, Canada: Cengage Learning, (2003) pp-269

Electronic copy available at: https://ssrn.com/abstract=2920431

Disaster Recovery Planning (DRP) is a very complex and labor-intensive process; it therefore
requires redirection of valuable technical staff and information processing resources as well
as appropriate funding. In order to minimize the impact such an undertaking would have on
scarce resources, the project for the development and implementation of disaster recovery
and business resumption plans should be part of the organization’s normal planning activities.

Business Continuity Planning: BCP is the process whereby financial institutions ensure the
maintenance or recovery of operations, including services to customers, when confronted
with adverse events such as natural disasters, technological failures, human error, or
terrorism.

The objectives of a BCP are to minimize financial loss to the institution, continue to serve
customers and financial market participants, and mitigate the negative effects disruptions can
have on an institution's strategic plans, reputation, operations, liquidity, credit quality, market
position, and ability to remain in compliance with applicable laws and regulations. Changing
business processes (internally to the institution and externally among interdependent financial
services companies) and new threat scenarios require financial institutions to maintain
updated and viable BCPBiv.

The difference between Disaster Recovery and Business Continuity: Disaster recovery is the
process by which you resume business after a disruptive event. The event often refers to
major disruption like a flooded building, Fire, earthquake or the terrorist attacks on the World
Trade Center, which disrupt an entire installation or something small, like malfunctioning
software caused by a computer virus. Disaster Recovery is REACTIVE; its focus is to pick
up the pieces and to restore the organization to business as usual after a risk occurs. The issue
of Business Continuity certainly arises when Disaster Recovery is required.

In daily practice Business Continuity often refers to disaster recovery from a business point-
of-view, or dealing with simple daily issues like illness or departure of key staffers, supply
chain partner problems or other challenges that businesses face from time to time such as a
failed disk, failed server or DB, possibly a bad communications line. It is often referred to as
the measure of lost time in an application, possibly a mission critical application. It is a plan
that will allow the organization to continue generating revenue and providing services –
although possibly with lower quality – on a temporary basis until the company has regained
its bearings.

Business Continuity is PROACTIVE; its focus is to avoid or mitigate the impact of a risk.
Despite these distinctions, the two terms are often married under the acronym BC/DR
because of their many common considerations.

iv
“Business Continuity Planning”, accessed on Dec 2011, http://www.bankinfosecurity.com/ten-stepsto-
effective-business-continuity-plan-a-186/p-2

Electronic copy available at: https://ssrn.com/abstract=2920431

OBJECTIVES
a. To observe whether the selected Bank have any effective Disaster Management
System with reference to Disaster Avoidance, Disaster Recovery Plan (DRP) and
Business Continuity Plan (BCP) as per RBI guidelines
b. To understand implementation of RBI guidelines with special reference to The
Vishweshwar Sahakari Bank Ltd., Pune
c. To understand the code for implementation of computerization in branches of
particular bank.

REVIEW OF LITERATURE

The floods in Mumbai, 2005 and Chennai seeing its worst rainfall in 100 years brought to
front one such concern for banks. Bank ATM terminals are typically located on the ground
floor of premises with the backup power generator being located in the basement. The
unprecedented floods made all such ATMs non-functional. In such crisis situations, lack of
access to financial resources could have severe consequence. Without these resources,
organizations and individuals would find it difficult to take measures to recover from the
disaster.

The World Trade Center attacks on September 11, 2001 brought about never-before-
imagined disaster which completely changed the perception of BCP preparedness.

Consequently, the Federal Reserve, Securities and Exchange Commission, Office of

Controller of the Currency and the New York State Banking Department released a white
paper in April 2003 which identified three business continuity objectives as having special
importance for all financial institutions:

· Rapid recovery and timely resumption of critical operations following a wide-scale

disruption.
· The ability to recover and continue operations following the loss or inaccessibility of
staff in at least one major operating location.
· A high level of confidence, through ongoing use or robust testing, that critical internal
and external continuity arrangements are effective and compatible.

The Basel Committee on Banking Supervision (BCBS) [2003] released a publication which
provided that all banks should have in place contingency and continuity plans to ensure that
they could continue to operate on an on-going basis and limit losses in the event of a severe
business disruptionv

v
Basel Committee on Banking Supervision – International Convergence of Capital Measurement and
Capital Standards: A Revised Framework (June 2004).

Electronic copy available at: https://ssrn.com/abstract=2920431

Jadhav Anil & Rajni Jadhav [2004] in their study suggests that the banks as well as customers
have a serious concern about the security of Internet access to client account which is the
biggest challenge. Banking through the Internet is increasingly becoming necessary rather
than innovative tool and with consumer demand banks have to upgrade and constantly think
of new innovative customized packages and services to remain competitive vi

The Basel II Framework identified and broad types of operational risk events having the
potential to result in substantial losses which included continuity risk events such as damage
to physical assets, business disruption and system failures, loss on account of external all
fraud such as computer hacking, etc.

The Reserve Bank of India (RBI) had recognized the importance of BCP way back in 1998
when it released a guidance note [1998] for management of banks to evaluate the adequacy of
controls in relation to risks related to Computer and telecommunication systems including
interruption risks. This was followed by the release of a report on “Information Systems
Audit Policy” [2004] including “Information Systems Security Guidelines” by the RBI in
2001 which provided indicative standards and procedures for Audit of Information Systems
including BCP as a componentvii viii

The RBI in its Guidance note on “Management of Operational Risk” [2005] has stressed the
need to establish a disaster recovery and BCP for technology related risks as a part of ORM
framework. The RBI, in its circular on Operational Risk Management and business continuity
Planning” [2005], clearly states that the responsibility for effective migrated BCP rests with
the Board of Directors and the management and has listed a set of minimum requirements for
effective BCM by banks. The circular also required banks to disclose information relating to
major failures of critical systems customer segment/services impacted due to failures and
steps taken to avoid such failures in future. The RBI, in its guidelines on “Outsourcing of
Financial Services by Banks” in 2005, has mandated banks to ensure that the service provider
has a BCP and the same is regularly and maintained.ix x
V. Radha [2008] in her study discussed about the technology based opportunities that the
thieves take advantage of and how to limit the frauds by building the future technology
accordingly.xi

vi
Jadhav A.S., Mrs. R.A. Jadhav, “Status of e-banking in India”, National annual convention of CSI
(2004).
vii
RBI Information Systems Audit Policy for the banking and financial sector (October, 2001).

viii
RBI circular Ref. RBI/2004-05/420 DBS.CO.IS Audit.No. 19/31.02.03/2004-05 on 'Operational Risk
Management; Business Continuity Planning (2004).

ix
RBI circular Ref. DBS.CO.ITC.BC. 10/31.09.001/ 97-98 on "Risks and Control in Computer and
Telecommunication Systems" (February 4, 1998).
x
RBI Guidance Note on Management of Operational Risk (October 2005).

xi
V. Radha, “Preventing Technology Based Bank Frauds”, “The Journal of Internet Banking and
Commerce”, Vol. 13, No. 3. (Dec. 2008) pp.22-29.

Electronic copy available at: https://ssrn.com/abstract=2920431

METHODOLOGY:

The research work was conducted with the objectives mentioned above to observe whether
the selected Indian Bank have any effective Disaster Management System with reference to
Disaster Avoidance, Disaster Recovery Plan (DRP) and Business Continuity Plan (BCP) as
per RBI guidelines.

The research work was conducted to prove the assumption that selected unit of Bank do not
apply Disaster Management System as per RBI guidelines and other international standards.

Since all banks follow the norms of the RBI and the computerization by banks is done as per
the recommendations of committees formed by the Central Bank from time to time, therefore
their policy for implementation of the computerization in branches of a particular bank are
same anywhere. Therefore, the selected study unit is The Vishweshwar Sahakari Bank Ltdxii.,
Pune, Maharashtra, as it is the first non scheduled Urban Co-op Bank in Pune District having
state of art independent own data centre under CBS with Disaster Recovery Centre in
different earthquake zone at Barshi.
Since all the information could not be obtained from secondary sources therefore for the
collection of firsthand information for primary data, the researcher prepared a structured
questionnaire containing various questions regarding the computerization in banking, the size
and business of the branch, which ensures that the branch will be fully computer equipped as
per bank norms.
Then the researcher conducted well scheduled interview responding to questions through a
face-to face structured interview. The Researcher also noted on-the-spot observations by
visiting the branches of the banks and using their various products and services like ATM’s,
Tele-Banking, SMS Banking, Net Banking, Mobile Applications, POS Terminals, Credit and
Debit cards.

ABOUT THE VISHWESHWAR SAHAKARI BANK LTD., PUNE

The Vishweshwar Sahakari Bank Ltd., Pune was established in the year 1972 by Founder
Late Shri Namdeorao Rukari, Bharatsheth Gadve & Baburao Harpale with the noble aim of
taking the Bank and the Banking to the common people by adopting the principle of
cooperation in Banking. And the same has been fulfilled up to a great extent and now bank is
developing as a large bank with the use of latest technology and infrastructure and best
customer service. The bank has made an exceptional progress and is developing its strength
in various locations.

xii
Growth of the Vishweshwar Sahakari Bank Ltd. ,Pune
http://www.vishweshwarbank.com/suben/aboutus.php?parent=101&sub=223

Electronic copy available at: https://ssrn.com/abstract=2920431

Business growth xiii
· Established on 07th Nov 1972
· Started as a small cooperative bank and gradually increasing its branches to 15, with
merger of Nipani Bank, Karnataka during the year 2011, bank has became multi state
coop bank with Jurisdiction Maharashtra State & Chikodi Taluka, Dist. Belgaum in
Karnataka.
· Now bank is having network of 28 branches.
· Bank has successfully implemented Vishweshwar Infra IT Project – VIP – a core
banking solution (CBS) project in 2007 having centralised data processing
· Is the first non scheduled Urban Co-op Bank in Pune District having state of art
independent own data centre under CBS with Disaster Recovery Centre in different
earthquake zone at Barshi.
· Bank has been awarded many awards from well known institutions like The Banking
Frontiers, Urban Banks Association Pune, Maharashtra State Federation.
· Bank has maintained the level of NPA percentage at 0% during last 6 years.
· Crossed total business of Rs 2100 crore.

ANALYSIS & GAP

1. Do Bank have following setup at branches?

Particular YES NO
ATM Yes -
Tele-Banking Yes -
SMS Banking Yes -
Net Banking Yes -
Mobile Banking Applications Yes -
POS Terminals Yes -
Access Credit and Debit cards of Yes -
various banks

The Vishweshwar Sahakari Bank Ltd. has the facilities of ATM, Tele-Banking, SMS
Banking, Net Banking, Mobile Banking, POS terminals, Access to Debit and credit cards of
various banks at various locations of its branches.

2. The inquiry about whether the Bank has any Disaster Avoidance Plans for its
branches and compared the responses with the desired state:

Current State Desired State Remark / GAP

YES As per Reserve Bank of India Department of Banking All branches
Supervision, Central Office, Mumbai - “Guidelines on have the system
information security, Electronic Banking, Technology for Disaster

xiii
http://www.vishweshwarbank.com/suben/aboutus.php?parent=101&sub=223

Electronic copy available at: https://ssrn.com/abstract=2920431

 risk management and cyber frauds”, the banks must Avoidance Plan
have a preventive programme to reduce the likelihood as a Preventive
that a bank’s operations will be significantly affected Measure.
by a pandemic event.

3. The researcher inquired about whether the Bank has any Disaster Recovery Plan
(DRP) or Business Continuity Plan (BCP) and compared the responses with the
desired stat

Current State Desired State Remark / GAP

Yes All the banks as per Reserve Bank of India All branches
Department of Banking Supervision, Central Office, has the system
Mumbai - “Guidelines on information security, for DRP and
Electronic Banking, Technology risk management and BCP.
cyber frauds” must have a Disaster Recovery Plan
(DRP) or Business Continuity Plan (BCP).

4. The researcher inquired whether the Bank setup any Disaster avoidance, Disaster
recovery committees at branch level and compared the responses with the desired
state

Current State Desired State Remark / GAP

No The banks must have a preventive programme No Branches
to reduce the likelihood that a bank’s operations will has Committees
be significantly affected by a pandemic event, for at branch Level
which the banks needs to setup Disaster Avoidance, for DRP and
Disaster Recovery committees at branch level BCP

5. The researcher inquired about whether the Bank backup its data at a Remote offsite
location and compared the responses with the desired state.

Current Desired State Remark / GAP

State
Yes As per Reserve Bank of India Department of Banking Yes, Remote
Supervision, Central Office, Mumbai - “Guidelines on offsite location
information security, Electronic Banking, Technology is at Barshi.
risk management and cyber frauds” - All Banks
must backup their data at a Remote offsite location.

Electronic copy available at: https://ssrn.com/abstract=2920431

 6. Guidelines for BCP methodology to be followed:
Sr. Guideline Remark (Y/N)
No.
1 Structured risk assessment based on YES
comprehensive Business Impact Analysis(BIA)
2 Formulating Recovery time objectives (RTO) YES
based on Business Impact Analysis
3 Identification of the Recovery Point Objective YES
(RPO) for data loss
4 Clearly documented and tested processes for YES
shifting to secondary/backup systems and sites
5 Addressing HR issues and training aspects NO, Training aspects
create manpower shortage.
6 Documentation of Action plans, practical YES
manuals and testing procedures.

The data of GAP analysis worksheet clearly suggests that the bank selected by the researcher
do not setup any committees for Disaster avoidance and Disaster Recovery at their branches.

Findings and Suggestions:

The gap analysis for desired state of Disaster Recovery Plan (DRP) and Business Continuity
Plan (BCP) of the selected cooperative bank was analyzed on various parameters and
following points were suggested to the Bank to be more competitive in the current changing
market paradigm.

1) Banks must consider implementing a BCP process to reduce the impact of disruption,
caused by disasters and security failures to an acceptable level through a combination of
preventive and recovery measures.
2) BCP should include measures to identify and reduce probability of risk to limit the
consequences of damaging incidents and enable the timely resumption of essential
operations. BCP should amongst others, consider reputation, operational, financial, regulatory
risks.
3) A senior official needs to be designated as the Head of BCP activity/function
4) The failure of critical systems or the interruption of vital business processes could prevent
timely recovery of operations. Therefore, financial institution management must fully
understand the vulnerabilities associated with interrelationships between various systems,
departments, and business processes. These vulnerabilities should be incorporated into the
BIA, which analyses the correlation between system components and the services they
provide.
5) Various tools can be used to analyse these critical interdependencies, such as a work flow
analysis, an organisational chart, a network topology, and inventory records. A work flow
analysis can be performed by observing daily operations and interviewing employees to

Electronic copy available at: https://ssrn.com/abstract=2920431

determine what resources and services are shared among various departments. This analysis,
in conjunction with the other tools, will allow management to understand various processing
priorities, documentation requirements, and the interrelationships between various systems.
The following issues when determining critical interdependencies within the organisation:
i. Key personnel;
ii. Vital records;
iii. Shared equipment, hardware, software, data files, and workspace;
iv. Production processes;
v. Customer services;
vi. Network connectivity; and
vii. Management information systems.
6) Banks should consider looking at BCP methodologies and standards–BS 25999 by BSI–
which follows the “Plan-Do-Check-Act Principle”.
BCP methodology should include:

Phase 1: Business Impact Analysis

− Identification of critical businesses, owned and shared resources with supporting functions
to come up with the Business Impact Analysis (BIA)
− Formulating Recovery Time Objectives (RTO), based on BIA. It may also be periodically
fine-tuned by benchmarking against industry best practices
− Critical and tough assumptions in terms of disaster, so that the framework would be
exhaustive enough to address most stressful situations
− Identification of the Recovery Point Objective (RPO), for data loss for each of the critical
systems and strategy to deal with such data loss
− Alternate procedures during the time systems are not available and estimating resource
requirements

Phase 2: Risk Assessment

− Structured risk assessment based on comprehensive business impact analysis. This
assessment considers all business processes and is not limited to the information processing
facilities.
− Risk management by implementing appropriate strategy/ architecture to attain the bank’s
agreed RTOs and RPOs.
iii) Impact on restoring critical business functions, including customer-facing systems and
payment and settlement systems such as cash disbursements, ATMs, internet banking, or call
centres
• Dependency and risk involved in use of external resources and support.

Phase 3: Determining Choices and Business Continuity Strategy

• BCP should evolve beyond the information technology realm and must also cover people,
processes and infrastructure
• The methodology should prove for the safety and well-being of people in the branch /
outside location at the time of the disaster.

Electronic copy available at: https://ssrn.com/abstract=2920431

• Define response actions based on identified classes of disaster.
• To arrive at the selected process resumption plan, one must consider the risk acceptance for
the bank, industry and applicable regulations
7) A sufficiently large “question bank”, related to security health of the organisation, should
be prepared and given to RBI's inspection teams. A random subset of these queries could then
be given to the bank's IT or security teams and related personnel, for eliciting answers in
quick time.
8) Banks should periodically move their operations (including people, processes and
resources(IT and Non-IT)) to the planned fall-over /DR site in order to test the effectiveness
of the BCP and also gauge the recovery time needed to bring operations to normal
functioning.
9) It is highly suggested to look after the training needs of the management IT infrastructure
at Bank.

Conclusion
The selected Indian bank has a BCP / DRP Plan available with them on software but they do
not apply Disaster Management System as per RBI -“Guidelines on information security,
Electronic Banking, Technology risk management and cyber frauds” and other international
standards. The importance of a good BCP cannot be emphasized enough. There are seven
steps that you should take into account while implementing a BCP.

Ø BCP is a 'process' not a 'project': BCP does not stop at insurance, or documentation of a
plan on paper. Ongoing updating and pre-defined business continuity teams are some of the
elements of a successful BCP.

Ø Holistic approach: BCP evolves beyond the information technology realm and should
cover people, processes and infrastructure.

Ø Focus: The plan should focus on critical business processes and their dependencies.

Ø BCP governance: Commitment, control and guidance from management, clearly

documented roles and responsibilities and formal governance process ensures that the BCP is
updated regularly.

Ø Resilience: The recovery procedure should not compromise on the control environment at
the recovery location.

Ø Involvement of business partners: All critical business partners should be considered at the
time of plan preparation including testing.

Ø Media management: It is important to maintain corporate image during a disaster. A media

management strategy enables the organization respond to media coverage proactively /
systematically

Electronic copy available at: https://ssrn.com/abstract=2920431

Given the increasing threats due to terrorism and natural disaster and ever growing
dependence on banks in every sphere of life, implementation of BCP by Indian banks is no
longer a matter of choice.

Bibliography:
1. Disaster Avoidance, <http://en.wikipedia.com>
2. “Disaster Recovery”, accessed on Dec 2011,
<http://www.netsmithusa.com/pdf/netsmithusa_wp_dr.pdf>
3. Beth Verity, “Guide to Network Cabling Fundamentals”, Canada: Cengage Learning,
(2003) pp-269
4. Business Continuity Planning”, accessed on Dec 2011,
http://www.bankinfosecurity.com/ten-stepsto-effective-business-continuity-plan-a-
186/p-2
5. Basel Committee on Banking Supervision – International Convergence of Capital
Measurement and Capital Standards: A Revised Framework (June 2004).
6. Jadhav A.S., Mrs. R.A. Jadhav, “Status of e-banking in India”, National annual
convention of CSI (2004).
7. RBI Information Systems Audit Policy for the banking and financial sector (October,
2001)
8. RBI circular Ref. RBI/2004-05/420 DBS.CO.IS Audit.No. 19/31.02.03/2004-05 on
'Operational Risk Management; Business Continuity Planning (2004).
9. RBI circular Ref. DBS.CO.ITC.BC. 10/31.09.001/ 97-98 on "Risks and Control in
Computer and Telecommunication Systems" (February 4, 1998).
10. RBI Guidance Note on Management of Operational Risk (October 2005).
11. V. Radha, “Preventing Technology Based Bank Frauds”, “The Journal of Internet
Banking and Commerce”, Vol. 13, No. 3. (Dec. 2008) pp.22-29.
12. Growth of the Vishweshwar Sahakari Bank Ltd. ,Pune
<http://www.vishweshwarbank.com/suben/aboutus.php?parent=101&sub=223>
13. Tool kit for BCP & DRP Audit http://www.isaca.org
14. Agatino Grillo (2003). "Information Systems Auditing of Business Continuity Plans".
Upgrade. Vol 4. No 6. pp:12-16
15. Young-Fai Lee & John R. Harrald (1999). "Critical issue for business area impact
analysis in business crisis management analytical capacity". Disaster Prevention and
Management. Vol 8 No 3. pp:184-189

Electronic copy available at: https://ssrn.com/abstract=2920431