For nearly 20 years now, Dr Pradeep Bery has been taking rescue and medical teams to hotspots around the world, from the former Soviet republics, to Iraq and Afghanistan to Africa, and back home in India after the 2004 tsunami. Even so, he was stunned when he landed in Japan recently to evacuate Axa staff from the Tokyo and Osaka regions if required, after the March 11 earthquake and tsunami nearly led to a meltdown at the Fukushima nuclear power plant.
"The Japanese were totally unprepared for anything of this scale, even though they had built the nuclear plants taking into account earthquakes and tsunamis," says Dr Bery, who had launched Meera Rescue 20 years ago to service foreign companies and is now the Managing Director of Axa Assistance India.
Venu Srinivasan, TVS Motor
The Japanese had never experienced a power failure and so were unprepared when utilities collapsed, he says. "In some villages, dead bodies were piled up for days as not more than 15 or 20 could be cremated a day," he adds. If a disciplined and high-technology society like Japan can be overwhelmed, how ready is India to face unknown risks and natural calamities? And how well are Indian companies prepared to tackle a disaster? India, after all, has seen terrorist attacks and killer floods in its commercial capital Mumbai, and even the destructive power of a tsunami on the Indian east coast. Black Swan, a term coined by philosopher Nassim Nicholas Taleb for unpredictable events that have an extreme impact, entered the corporate lexicon. Or did it?
In 2007, Chemplast Sanmar, one of India's largest producers of polyvinyl chloride or PVC, acquired Trust Chemical Industries, Egypt's largest manufacturer of caustic soda. The plant is located at the Mediterranean end of the Suez Canal. When protests erupted against the Hosni Mubarak regime in Egypt in January, the plant had to be shut down for over a month. "We were caught completely unawares," says P. Jayaraman, chairman of Chemplast Sanmar.
At a large Indian company, managerial awareness did not help when it came to planning for a disaster. The head of its information technology function challenged Mahindra Special Services Group to breach its security. The consultant started a phishing campaign in the guise of a survey - sending seemingly official e-mails to staff asking for their e-mail IDs and password. More than 80 per cent of the 300 employees complied, with most of them sending in their passwords as well. Mahindra used these to get into the "impenetrable" web-server within a week of the challenge. The company was let down by the human factor.
The battle here is against the "unknown unknowns" as Donald Rumsfeld once described the problems of West Asia when he was US defense secretary. There are three clear areas of action: People safety, business continuity and data security. On the people safety front, the Indian hotel industry was the first to ramp up security to unprecedented levels following the November 2008 terrorist attacks on two luxury hotels and other high-profile locations in Mumbai. So did the retail sector. The business of both depends on large numbers of people floating in and out of their buildings every day.
Susan M. Cischke, Ford Motor's group Vice President for sustainability, environment and safety engineering and a member of CEO Alan Mulally's core team, shares the automaker's global perspective: "The financial crisis of 2008 taught us a few things. We also learnt to know our suppliers better...we came to know more about a supplier's operation than the supplier itself. This came in handy when the earthquake and tsunami hit Japan. Our operations have not been affected so far."
| Risking a rating|
Rating agencies work in the realm of assumptions, hypothesis and theories, but there is one area in which they fear to tread. That is about challenging the statement that all risk (read non-financial ones) can be mitigated. "All risks cannot be mitigated," says the head of a domestic rating agency and then adds with scorn: "To say that a credit rating agency is equipped to handle disaster analysis is the height of all assumptions."
"This is actually the practical picture when it comes to looking out for disaster preparedness in a company," he says, on condition of anonymity. A rating agency's job is to give an opinion on a company's ability to make timely payment of interest and principal amount on a rated instrument especially debt. "Rating agencies look at the financials of the firm being rated," says Rajesh Mokashi, deputy managing director at Care Ltd, a rating agency. The agencies also look out for fire safety compliance certificates. But fires can still happen. Remember how terrorists attacked the 100-year-old Taj Mahal Hotel in Mumbai and started fires?
Indian companies, too, are aspiring for the level of preparedness that Cischke talks about. Chemplast Sanmar is now strengthening its global sourcing. It gets vinyl chloro monomer partly from Japan and the rest from the Arab world. Luckily for it, the suppliers in Japan were not in the impact zone, else the first quarter of 2011 would have been bad for its revenues.
An evacuation drill at HUL's new headquarters in Andheri.
Hindustan Unilever Ltd, or HUL, has strict guidelines prohibiting not just its top management, but also other grades, from traveling together. Following its Anglo-Dutch parent Unilever, HUL now mandates that every employee must have two safety engagements every month to discuss safety, deal with something he finds unsafe on the way, and so on. In fact, as the BT team visited the HUL headquarters for this report, some members of the team it was scheduled to meet had to go for a meeting called by CEO Nitin Paranjape. The subject: safety. HUL's general manager for corporate realty, R.K. Mutreja, points out that all travellers have to log their details on a travel portal and the Unilever organisation tracks them and can organise evacuation in case of a crisis.
Safety and fire drills, including emergency evacuation, are now commonplace in many top companies. Siddarthan M., head of human resources and administration at HyperCITY Retail, says: "If you had asked us about disaster management five years back, we would not have had much to show." Today, the company also trains its employees to handle emergencies like earthquakes, terrorist strikes, floods and bomb threats.
At the Mahindra Group headquarters at Worli in Mumbai, drills are common. Xerxes P. Adrianwalla, a retired armoured corps brigadier who handles the group's security, says the group tries to mitigate all risks that have a high probability of occurrence as well as a high impact on business. "All our units have their own business continuity plans in place. We also have a host of service providers to whom we can outsource in case of an emergency," he says.
Godrej Industries, for example, has a business continuity plan in place for its factories. V. Swaminathan, Executive Vice President for Corporate Audit and Assurance, says: "Some of our plants are in a high earthquake zone. So if one of our hair dye plants in either Guwahati or Sikkim were to be affected, the other would act as a back up. We have identified third-party vendors who can turn around supply within a month and a half." Often such plans have to involve customers: Godrej has included safety escape chutes for the inhabitants of Planet Godrej, a premium realty project in South Mumbai.
And companies are also ready to bring in specialists when they are in trouble. Dinesh Pillai, CEO of Mahindra SSG, recalls how a company once called them in after some people died in a chimney collapse at its factory. "We had to ensure rescue work and also take care to see that the angry workers did not turn violent," says Pillai.
Mauritius is best-known for being a paradise for sun worshippers. But, for Infosys Technologies, India's second largest software exporter, the island nation has a critical business significance. Nearly a decade ago, Infosys set up its own disaster recovery centre there. As Infosys expanded, so did its investment in Mauritius - to a $25 million campus that backs up all its critical data. "The key was to find a location that was connected yet geographically distant from our main operations, mainly in India, but also in other nations with substantial software development centres," says T.V. Mohandas Pai, a board member for Infosys, who was once its finance chief and now oversees administration.
Technology experts agree. Deepak Verma, a regional head at storage solutions firm EMC, says: "A company may want to go to one country or city, but its network services provider needs to be able to reach that location and also have its own failsafe mechanism." Sridhar Sarathy, a Vice President at Juniper Networks, which provides software and hardware to build networks, says that the key is to quickly identify data -such as customer records - that is required for long periods and data that has a short life span.
A fire drill at Mahindra Towers at Worli, Mumbai.
Talking of long periods, Singapore-based CordLife, a cord-blood bank that entered India in 2009, has to plan for 100 years. While customers pay a monthly storage rental only for the first four years, the samples have to be kept safe for an indefinite period to be couriered to customers whenever they require it, wherever they are. Cordlife chose Kolkata over Chennai, which is the same distance from Singapore, for the Indian facility, undaunted by Kolkata's reputation for bandhs and strikes. Simon Hoo, general manager, says Kolkata is safer from the point of tsunamis, floods and earthquakes. Cord blood and tissue, which can be used to recreate damaged organs among other things, are kept in a tank of liquid nitrogen. The facility has a score of guards, whose other job is to carry the heavy tank and take it outside the building in emergencies till a special team can pick it up.
Venu Srinivasan, chairman and managing director of TVS Motor, says India as a country is reactive and not proactive. Companies are not used to dealing with international crises, he says bluntly. "The ability to anticipate events and prepare for them stems from maturity and learning. We are not there yet," Srinivasan says.
So where are the holes? Data security and information technology are areas where India is doing well, given how advanced the IT industry is in India. Rahaju Pal, director of enterprise risk services at Deloitte, says: "Even for global multinationals operating in India, business continuity is not clearly thought out - especially what to do when key people are impacted."
KPMG's Arvind Mahajan says there are large gaps, especially when it comes to interactions between the private sector and vital government agencies. He says the new generation of airports run by private operators require to put in place an efficient interface with government utilities and services. Power is another area where new processes have to be created, with a large number of private sector projects scheduled to go operational in three years.
Pal of Deloitte notes that it took regulatory prods for the financial services sector to beef up their IT systems and data recovery. ICICI Bank lost a huge number of customer paper records in the Mumbai floods of July 2005, and had to reach out to customers to rebuild the know-your-customer database made mandatory only in the last decade. The bank declined to comment for this story. The main stock and commodity exchanges also declined interviews, apart from stating that they have business continuity plans, even if the main building is destroyed.
Mumbai-based HDFC Bank has its disaster recovery, or DR, centre in Bangalore, which is in a different seismic zone. In case of normal floods, it can switch all its branches over to the centre in 30 minutes. In case of a sudden outage, the DR centre takes control automatically; the main data centre is managed remotely. "We do a switchover run twice a year and run our bank from our DR for a day and then switch it back to the main data centre," says Anil Jaggia, chief information officer. "You cannot plan for loss of people in a disaster... So our DR has a skeletal staff, who can run the system if our main centre goes out suddenly."
Pillai of Mahindra SSG has a word of caution for companies that feel it is enough to get a risk and safety audit done by the audit department. "Audit, compliance and control will tell you whether the systems are in place, but are the systems working? Audits cannot tell you that," he says. For example, many companies have a 'call-tree' in which every employee is supposed to call up two others. But, no one had factored in the possibility of mobile phones not working, as happened during the 2005 flooding that led to a power failure.
Neville Dumasia, head of governance, risk and compliance at KPMG, says: "The biggest challenge relates to embedding risk thinking into an organisation's business decisions. Do you think about risk only during a downturn or is it factored in at all times?" Adds Axa's Dr Bery: "Companies are not aware what kind of services are available, especially for evacuating people. Also one must be aware that government agencies are often late in reaching a site of a disaster, and companies need to fend for themselves."
So may be former Intel CEO Andrew Grove was right to say: "Only the paranoid survive." Additional reporting by T.V. Mahalingam Rajiv Bhuva and Somnath Dasgupta