The monsoon fury over the last few years that we have seen is the proof that we live in an uncertain and unpredictable world today. As any resident of Mumbai or Chennai would testify, there is no alternative to being prepared for the eventualities. What these residents would also tell us, is that with experience, they are better prepared to handle the fury as they not only know its impact but also the probability of its occurrence. In these cities today, planning for disruption due to weather is not left to chance and is part of a very detailed and deliberate planning process.
What the weather taught our unfortunate residents of Mumbai and Chennai, the IT world confronted it 20 years ago, when they faced the Y2K challenge for which they diligently prepared for about three to four years ahead of the scheduled date. The Y2K challenge brought with it concepts like Business Continuity Plan (BCP), Disaster Recovery Plan (DRP) and data backups, that are routinely used. Soon thereafter, the 9/11 attack involving the World Trade Centre that shook the business world reinforced these concepts in the IT world and made them deeply embedded IT Practices.
DRP the Concept
BCP, DRP and data backups which may sound Greek and Latin to many, are the lingua franca of the IT world. The closest analogy from the real
word for these terms is the practice of automobile manufacturers giving their vehicle buyers a spare or duplicate key. This spare key is the equivalent of data backup.
Just because we have a spare key, it does not mean that we are secure when we lose our original key. To be secure, we need to have a defined system of where to keep the second or backup key, who can have access to the second key when required and who are the users who will be kept informed about where the key is kept and how to access it. This process of defining where, who and how to access backups is the essence of DRP.
Further, a good DRP system is also periodically tested to ascertain if the system is working. In our analogy of the second key, this would mean periodically substituting the first key with the replacement key and using the replacement key as the first key. This will ensure that the system of DRP does works, when required.
Two other key elements-RTO (Recovery Time Objective) and RPO (Recovery Point Objective) measure the effectiveness of the DRP system. RTO measures the time it takes for getting the system restarted after disruption. In the case of automobiles, it is the time taken to reach the place where the second or backup key is stored, retrieve it and bring it back to the place where it is required. RPO on the other hand measures the effort and/or cost required to reach the position when the disaster occurred.
BCP is much more than DRP and includes DRP as a subset. Taking the analogy of automobile spare key further, BCP not only defines the process of where, who and how to access backups, but also covers the surrounding systems that are required to be functional for the DRP system to work. In this analogy, it would be the availability of the transport to go get the replacement key and the personnel to undertake the effort for the same.
DRP in Company law
Company is an entity recognized in law without physical form. Consequently, all actions of the company are manifested only by the documents maintained by the company. Section 120 of the Companies Act, 2013 permits a company to maintain all their records required to be maintained in electronic form with some specific prerequisites for securing the same. Rule 28 ofCompanies (Management and Administration) Rules, 2014 provides guidance on how to ensure Security of Records Maintained in Electronic Form.
Clause 2 (b) of the said Rules specifies that the person responsible for maintaining the records should “ensure against loss of the records as a result of damage to, or failure of the media on which the records are maintained;”. Further clause (i) specifies the frequency at which backup of data needs to be taken, which is once every day. The clause verbatim reads “ensure that at least one backup, taken at a periodicity of not exceeding one day, are kept of the updated records kept in electronic form, every backup is authenticated and dated and such backups shall be securely kept at such places as may be decided by the Board;”.
While the Act only prescribes backups to be maintained, a prudent company secretary in collaboration with their IT department / IT Service Provider will ensure that the company not only has the backup, but also a functioning DRP and BCP system in place that is periodically tested and available when needed.