
ITM PAPER 02

INFORMATION TECHNOLOGY
FOR MANAGEMENT

IT ROLE IN MY OFFICE

Created By:
ANNISA NURRACHMAN
1040002023

Business Management
Post Graduate Program
Binus Business School
CHAPTER 1
Background

The Company’s Business

PT. Bank Mega Tbk has been run by PARA GROUP (PT. Para Global Investindo and PT. Para
Rekan Investama) since 1996. As a company in the banking industry, Bank Mega operates on the same
basic principle as other banks: managing the flow of society’s money in and out. In running the
business, Bank Mega offers several products and services to its customers:
• Individual: savings, loans, credit cards, e-banking, and other specific services
• Corporate: business savings, business loans, specific financing, and other specific business
services
• Treasury: currency conversion and buy/sell foreign currency transactions with an agreement to
re-buy/re-sell in the future
• Trade finance: products offered include MoneyGram, letters of credit, and Bank Garansi (bank
guarantee)
• Private banking: dedicated to high-class customers, who are treated specially with personalized
service and facilities

Vision and Mission

With the vision to be the “Pride of the Nation,” Bank Mega aims to become a national asset that
creates added value by its presence, provides a high level of satisfaction and pleasure for customers,
improves the welfare of employees, provides a workplace environment that motivates all employees to
always give their best for customers and for the sustainability of the company, invites high-quality
human resources to join, and becomes a role model of Indonesian banking for foreign interests. The
mission of Bank Mega is delivering sustainable customer relationships by means of superior financial
service offerings and excellent organization capabilities to increase shareholders’ value. With this
mission, Bank Mega continuously provides attention and service to customers, both individuals and
institutions. Bank Mega creates optimal satisfaction by fulfilling customers’ aspirations and
anticipating their needs above their expectations. To this end, Bank Mega continues to develop the
capacity of its employees and its organizational performance to the highest level, in the hope of
raising its image in the eyes of the public, both at home and overseas.
The company values are entrepreneurship, ethics, teamwork, dynamic, and commitment [1].

The Company’s Data

Here are some recorded data for Mega Bank in 2007:

• Total number of employees working at Bank Mega: 4,072
• Total number of branch offices throughout Indonesia: 160, all connected to the head office in
Jakarta
• Net Interest Income: 1,391 (in billions of rupiah)
• Non-Interest Income: 245 (in billions of rupiah)
• Income before Tax and Minority Interest: 746 (in billions of rupiah)
• Net Income: 521 (in billions of rupiah)
• Bank Mega credit card transactions can be used as Mega Food, Mega Fashion, Mega Pay, Mega
Tronic and Mega Travel.

The Problems Context

Since the company’s data and information are among the important assets that add to the company’s
value, the company needs security measures to protect those assets and guarantee business continuity
whatever unexpected wrongdoing may occur in the future. The company’s assets and value are divided
into tangible and intangible categories, as follows:
• Tangible
o Physical assets: computers, real money
• Intangible
o Information: bank account data, confidential information, employment data, employees’
salary data, etc.
o Trust and reputation are intangible assets
Therefore, Bank Mega really requires investment in security for its asset value. Bank Mega has its
own centralized data center (server) that is connected to the computer networks within and across the
company, including its branch offices. The server is used to store all the data/information assets
mentioned above, that is, bank account data, customer data, confidential information, employment data,
employees’ salary data, bank transaction data, etc. Given the need to protect those important assets,
there are several security aspects to be considered: privacy/confidentiality, integrity, availability,
non-repudiation, authentication, and access control. Security classification according to David Icove:
physical security; personnel security; data, media and communication technical security; and
operational security (policy & procedures). In the case of the availability aspect of security,
data/information must be available whenever needed.

However, there is risk in security: the possibility that an asset is vulnerable to a threat, and the
possibility that a damaging disturbance actually occurs. If the threat is not anticipated, the company
will suffer short-term or even long-term consequences. The attack can be in the form of normal flow,
interruption, interception, modification, or fabrication. An attack on the server could mean that it
hangs, goes down or crashes, processes slowly, is stolen, is burned, or is hit by flood or other natural
disasters. Those attacks can touch one or more targeted key factors and change the future into an
unacceptable situation.

According to another information source [CSI Computer Crime and Security Survey (1999)],
these attacks are also identified as disasters, whose sources are: system downtimes or failures
(72%), inadvertent errors (71%), viruses (46%), malicious acts by employees (29%), malicious acts by
outsiders (19%), natural disasters (17%), unknown source (15%), and industrial espionage (8%).

CHAPTER 2
IT in my ex-office (Bank Mega)

Information Technology (IT) in the organization


According to conditions when I was there in 2007, the Information Technology department of Mega
Bank, supported by infrastructure development implemented in accordance with international standards,
succeeded in making a major contribution to the rapid development of Bank Mega throughout 2007. The
major applications used across the organization are the F@st application, which supports job activities
in the front area (teller and customer services), and the Host / IBM AS400 application, which mostly
supports the back area (back office and department units in head office).
The company’s rapid growth has led to a large number of newly opened branch offices, ATMs and
electronic channels (e-channels). The challenge for the Mega Bank IT team is to provide the
infrastructure and reliable IT support that this business growth requires. The reliable hardware,
software, and brainware infrastructure that supports Mega Bank’s operations in facing tight competition
in the banking world includes:
• The use of banking systems for core banking, ATM, credit card, treasury and other systems
• The availability of a Disaster Recovery Center (DRC) at the company’s site in Bogor. The DRC
has been successfully tested, which proved that the company is able to run the whole main core
banking and ATM system through the data center at Bogor. Operation alternates (flip-flop)
between the two data centers (Jakarta and Bogor); the intention is to keep the data center
systems and personnel ready in case one of the data centers cannot function well or experiences
a disturbance. Backup systems for other applications will soon be completed at Data Center
Bogor
• Implementation and development of other supporting applications, with new features or new
applications
o e-channel: new delivery channel of mobile/SMS banking
o New features for payment via ATM: PLN, XL, IM3, StarOne, Citibank Online, Flexi
o The same new features added to other applications, so that the transactions available
on ATM can also be done from phone banking, internet banking and mobile/SMS banking
o auto-pay

Based on Bank Indonesia regulation (SK Bank Indonesia No 27/164/Kep/DIR, dated 31 March 1995),
a DRC must be implemented by all banks in Indonesia, but this is very difficult to apply: the cost is
very high, and it involves many units whose interests vary. It is even harder if the bank’s technology
consists of various applications supplied by various vendors. In Indonesia, there were only two banks
that claimed their DRC was running well and stably at that time. Bank Mega, as a large-sized bank, is
one of those two banks that already has its own DRC and runs it well.
A large company such as Mega Bank requires risk management, whose concepts are:
• Risk Avoidance: decreasing the possibility of occurrence
• Risk Mitigation: decreasing the consequences of occurrence
• Risk Exposure = Probability of occurrence × Consequence of occurrence (severity)
Here is the disaster timeline that shows risk management in concept:
PRE DISASTER (RISK AVOIDANCE) ---- DISASTER ---- POST DISASTER (DISASTER
RECOVERY / RISK MITIGATION)
Attacks on DRC:
• Physical
• Nature: fire, flood
• Intentional: facility broken and burnt, IT infrastructure failed
• Unintentional: incident (spilled coffee), terrorism attack, large-scale electricity outage
• Personnel: death of a key person

Data Center
The data centre of Mega Bank is located in the head office, on the eighth floor, in the IT Services
Division (ITSD). IT at Mega Bank is split into two divisions: the IT Services Division (ITSD) and the IT
Development Division (ITDD). ITSD has three subordinate units: ATM Monitoring, IT Security, and
Implementation and Support (IT Helpdesk & User Acceptance Test / UAT). The Data Centre itself is
managed under the ATM Monitoring unit. The three pictures below show the data center as the central
storage of all data from the many different applications running at Mega Bank. Picture 1 shows the
data center scheme, Picture 2 is the physical form of the servers gathered and located inside the data
center room, and Picture 3 shows the data center room, which must be dust-free, very clean and sterile.

Picture 1. Picture 2. Picture 3.


Disaster Recovery Center (DRC)

What is DRC?
It is very important for a bank to have Business Continuity Management (BCM). BCM consists of
the Business Continuity Plan (BCP), which is business-driven, and the Disaster Recovery Center (DRC),
which is technology-driven. The DRC is a location where backup servers are placed. The DRC is designed
and prepared to substitute for the function of the main Data Center server, so that the branch offices
of Mega Bank keep running online transactions if there is a disturbance on the host or if a disaster
occurs at the main Data Center in Jakarta. A bank is said to own a well-running DRC if the DRC has been
tried out / tested and run successfully. The test is done by switching off the main server (the
so-called Production Center) at the Data Center and running banking activity on the backup server (DRC)
(see Picture 4).

Picture 4.

After running for a certain duration, the same process is done in reverse: the backup server is
switched off and the main server is switched on. This is called the switch-over process.
The test is successful if, after switch-over, all transaction data on the backup server and the main
server is identical and all F@st application transactions and e-channels function well. Most other
banks that had their own DRC earlier failed in the data synchronizing process when switch-over was
tried out. Up to this time they have not dared to retest their DRC, because there is a risk of
transaction data vanishing during the switch-over.
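
The success criterion above (transaction data on the backup and main servers is identical after switch-over) can be checked mechanically. The Python sketch below is an added example, not Bank Mega's or the IRP application's code; the record fields and both sample ledgers are constructed for illustration.

```python
import hashlib
import json
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    txn_id: str      # unique transaction reference (assumed field)
    channel: str     # e.g. "HOST" (inter-branch) or "ATM"
    account: str
    amount_idr: int  # whole rupiah; debits negative, credits positive
    posted_at: str   # ISO 8601 timestamp


def fingerprint(t: Txn) -> str:
    """Hash every business field so any divergence changes the digest.
    JSON encoding keeps field boundaries unambiguous."""
    canonical = json.dumps(
        [t.txn_id, t.channel, t.account, t.amount_idr, t.posted_at],
        separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def ledger_digest(ledger) -> str:
    """Order-independent digest of a whole ledger, for a quick equality check."""
    h = hashlib.sha256()
    for fp in sorted(fingerprint(t) for t in ledger):
        h.update(bytes.fromhex(fp))
    return h.hexdigest()


def _duplicates(ledger):
    counts = Counter(t.txn_id for t in ledger)
    return sorted(k for k, n in counts.items() if n > 1)


def reconcile(primary, drc) -> dict:
    """Compare the production ledger with the DRC ledger after switch-over."""
    p = {t.txn_id: t for t in primary}
    d = {t.txn_id: t for t in drc}
    report = {
        # Transactions that vanished during replication or switch-over.
        "missing_on_drc": sorted(p.keys() - d.keys()),
        # Transactions the DRC holds that production never recorded.
        "extra_on_drc": sorted(d.keys() - p.keys()),
        # Same reference on both sides, but some field differs.
        "mismatched": sorted(k for k in p.keys() & d.keys()
                             if fingerprint(p[k]) != fingerprint(d[k])),
        # A replayed record shows up as a repeated reference.
        "duplicates": {"primary": _duplicates(primary),
                       "drc": _duplicates(drc)},
    }
    dups = report["duplicates"]
    report["identical"] = (
        not dups["primary"] and not dups["drc"]
        and ledger_digest(primary) == ledger_digest(drc))
    return report


# Constructed sample data: four production transactions and a DRC copy with
# one altered amount, one replayed record, one lost record and one stray record.
PRIMARY = [
    Txn("T0001", "HOST", "ACC-100", -250000, "2007-06-01T09:00:05"),
    Txn("T0002", "ATM", "ACC-200", -100000, "2007-06-01T09:01:10"),
    Txn("T0003", "HOST", "ACC-100", 500000, "2007-06-01T09:02:30"),
    Txn("T0004", "ATM", "ACC-300", -50000, "2007-06-01T09:03:45"),
]
DRC = [
    PRIMARY[0],
    Txn("T0002", "ATM", "ACC-200", -1000000, "2007-06-01T09:01:10"),
    PRIMARY[2],
    PRIMARY[2],
    Txn("T0005", "ATM", "ACC-400", -75000, "2007-06-01T09:04:00"),
]

if __name__ == "__main__":
    print(json.dumps(reconcile(PRIMARY, DRC), indent=2))
```

A switch-over test passes only when `identical` is true; any non-empty list in the report names the records to investigate before the main server is brought back.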
The success of Mega Bank DRC

One of the keys to the success of the DRC switch-over process at Bank Mega is the Initial Recovery
Process (IRP) application. IRP accelerates switch-over time by having the system perform the
switch-over automatically. Besides the switch-over process itself, the switch-over duration is an
incredible result for the Mega Bank DRC. The switch-over process of the Mega Bank DRC (cut-off time)
takes 23 minutes, compared with the 1 hour achieved by another private bank. The foreign bank in
Indonesia is able to reach 30 minutes only. At this time, the banking activity served by the DRC
server is inter-branch online transactions (host transactions) and ATM on-us. At the time, bill payment
transactions and ATM Bersama or Bank Central Asia (BCA) ATM transactions were not yet processed on the
DRC. The DRC also did not cover treasury transactions. Those are not weaknesses; they are only steps to
be reached later.
The second phase of DRC development covers all payment transactions and all ATMs. The last phase is
treasury transactions. Once all phases are covered, the Mega Bank DRC will be the most complete DRC
owned by any bank in Indonesia.
The quality of the Disaster Recovery Centre (DRC) has increased: a live DR test of the core banking
and ATM systems was successfully done, operating for a whole week with no significant problems, with a
switch-over process that took only 20 minutes.
Information Technology development in 2007 contributed widely to the company’s growth. Bank Mega
owns a Disaster Recovery Center (DRC) with facilities such as a mirroring system (Mimix) for the data
backup network, and an additional network accelerator system. Results of a trial test proved that the
company can run the main core banking system and ATMs entirely from the DRC. Systems run alternately
(flip-flop) between both data centers. This is a sophisticated form of system and personnel
preparedness to cope with malfunction or trouble in the data center. The backup system for other
applications will soon be applied to complete the Bank Mega Disaster Recovery Center.

Automation of technology system infrastructure with SILVERLAKE and IBM

SILVERLAKE provided the SIBS license and implementation and maintenance services, as well as data
center technology and infrastructure, a recovery plan facility and data center operation services for
Mega Bank in Indonesia. All aspects of the banking and third-party ATM systems are integrated. The
project was developed by a team of 80 personnel from SILVERLAKE and the internal IT staff of Mega Bank,
working in a fully integrated and robust environment.
SILVERLAKE partnered with IBM in delivering infrastructure services for Mega Bank, covering the
production data center, the Disaster Recovery site, hardware and operation support. Mega Bank decided
to partner with SILVERLAKE and IBM because of their proven experience in the banking sector, their
ability in technology related to core customers, and a strong integrated architecture that supports
the office from frontline through backline. This helps in finding innovative ideas for new products and
services that will bring abundant business opportunities to the company. This software application can
increase the efficiency of Mega Bank’s operations, support innovative products that provide reliable
services to customers, and support risk management.

This intuitive and flexible platform simplifies operations jobs and system management. Because the
availability of banking applications and the protection of the bank’s financial data are the main
concerns, Mega Bank also trusts IBM to manage its Data Center and Data Recovery Centre solution, to
increase the stability and security of banking operations. The two facilities are in separate
locations and were built to support the core banking clients and the related database, using IBM
AS/400, which is well known as a robust system for handling the bank’s transactions and an integrated
database and for providing perfect performance; its scalability has proved it the right platform
choice.

Silverlake Axis Integrated Banking Solution (SIBS) is well tested for core banking; its adaptive
and comprehensive architecture was built to facilitate and automate banking operations. SIBS is
designed on a modular foundation to offer efficiency, high performance and better control. This
totally integrated solution provides straight-through processing, multiple products and multiple
currencies. SIBS is characterized as an integrated, customer-centric, robust system with dynamic and
parametric products, to accommodate the speed of product development and innovation across a variety
of customer segments. The integrated architecture allows multi-channel flexibility, integration and
operational efficiency.

SILVERLAKE is a robust core banking solution that operates optimally alongside the IBM Power
System i platform and is scalable to manage more than ten million critical banking transactions and a
hundred million customers’ accounts. It is easy to operate, robust, reliable, scalable, and secure.
Chapter 3
If I were the CEO of Mega Bank

Good IT performance is the result of management’s decision to invest in renewing and expanding
IT facilities along with all the supporting staff. Disaster Recovery should be paid more attention,
since the investment in this kind of security is very costly, and its biggest benefit is significantly
reducing the impact of sales, financial, and customer losses during unforeseen interruptions to the
company’s business operations. If I were the CEO of Mega Bank, there are aspects that should be
addressed in this case. I would direct the related division / department unit to create clear Policy &
Procedures that include the rules for implementing a Disaster Recovery Plan (DRP). A DRP is a proactive
measure to minimize a company’s downtime during sudden emergencies. Preparation is always the best
defense against unanticipated events.
As part of this Policy & Procedures, it should be declared who is assigned as the decision-making
representative of each division / department unit in case a disaster occurs at the original site; they
must all collaborate with each other to determine synchronized real action. With a Disaster Recovery
Plan (DRP), the company can control its strategy when experiencing an unforeseen event (i.e. fire,
flood, earthquake, etc.): how to mobilize key human resources to a “second site location” where backup
IT systems and working spaces allow for continuous business activities.
The DRP phases cover: DRP process, DRP testing, and Disaster Recovery (DR) procedures.
When a disaster is declared, Mega Bank also needs an area that certain employees can move into
quickly to continue business operations. These working areas must provide office functionality with
working tables and chairs, telephones, printers, faxes, and Internet connectivity, all intended to
provide business continuity. There must be processes in place to bring updated data to the workers at
the new site, so that the company is able to recover its valuable data and has fully functional office
working areas available for the evacuated employees during emergencies.
The important DRP objectives are:
• Minimizing the risk of the company being late in providing services
• Guaranteeing system reliability through testing and simulation
• Accelerating the decisions made by personnel during a disaster.
I will address the following key business requirements:
• Identify the Functional Areas that must be recovered during an emergency. At this time, the
functional areas chosen to be on standby are in Bogor.
• Define the Recovery Time: how much downtime, if any, can be tolerated.
• Define the Recovery Point: how much data, if any, can you afford to lose. Recovery Time and
Recovery Point must be in the right balance.
As the goal of implementing a DRP is to minimize the company’s chaos and increase its ability to
deal with and adjust to the crisis, I recommend that the company plan and test multiple times /
periodically. The company should be aware that when the event happens, it will likely not be capable
of creating and conducting a recovery plan as soon as possible. The more frequently DRP planning and
testing are conducted, the more they help determine the company’s capability to overcome and handle a
real disaster. These are the DRP testing scenario steps that should be tried out:
1. Customer Site

2. Emergency Event Declared

3. Personnel Mobilized to Backup DR Site

4. Company Systems Run from DR Site


If I were the CEO, I would look for other alternatives that are common for a DR process like Mega
Bank’s, such as the following:
• Mutual aid agreements
An agreement with another company that has similar computing needs. The other company may have
typical software and hardware, or require a similar data communication network, or have the same
internet access as Mega Bank. In this agreement, both sides agree to support each other when an
unexpected disaster/disturbance happens. Each company’s operations have the capacity to support the
same kind of operations of the other company when needed. The benefit is that the company gets a
temporary place to carry out its operational activities during a disaster at minimum cost or even
at no cost at all. However, this agreement has disadvantages too; it should be considered only if
the organization has a perfect partner and no other disaster recovery alternative is available.
• Multiple centers
A variation on alternative locations is called multiple centers. In the multiple-center concept,
processes are spread over several centers; this uses a redundancy approach and divides the
available human resources across those locations. An example is considering adding more DRCs at
other new locations. The location of Mega Bank’s DRC at Bogor, which is not too far from the
original data center site (at head office in Jakarta), is a right choice, considering that moving
the company’s employees to the DRC site can be done easily and quickly. But if I were the CEO, I
would have another, wider consideration: what if a disaster happened in Jakarta and covered the
surrounding area including Bogor? Surely the DRC could then do nothing to support the bank’s backup
operations. I also recommend developing one more DRC in a further new location, such as outside
West Java, recalling that Jakarta and Bogor are within West Java; let us say the new location is
in Central Java, or East Java, or even outside Java Island. At this time that looks difficult to
implement because of the high cost of this investment. Moreover, if nothing (no disaster) happens,
it would be assumed to be a great waste of cost. This implies the need for a return on security
investment analysis involving the financial department unit.

Mega Bank’s DRC technology uses mirrored server replication to minimize server downtime. With a
mirrored server, the IT Administrator must intervene to do the switching or server takeover, by running
the scripts that make the passive server take over from the active server when it is down. If I were
the CEO, I would recommend using clustered server replication technology instead, where IT
Administrator intervention is not needed because the clustered server can do the takeover automatically
and very quickly. A clustered system is a technique that combines the capability or strength of several
physical servers into one powerful server system. A clustered server is a miniature of a very costly
mainframe server, so by building a clustered server the cost of purchasing a mainframe server can be
avoided. This is very beneficial for the company’s cost considerations.
However, a Disaster Recovery Plan often expires. If I were the CEO, I would evaluate and maintain
the Disaster Recovery Plan, because this is very important. Mega Bank should reorganize its DRP. The
critical business units may have changed compared with the time when the plan was first made. Commonly
the network infrastructure or computing infrastructure changes (hardware, software, and other
components). But the administrative complexity of a DRP makes it hard to renew, personnel lose
interest, and employee turnover affects their involvement. Whatever the reasons, planning for
maintenance must start from the beginning to make sure that the plan is always up to date and
applicable. It is important to build the procedure into the organization by putting it into each staff
member’s job description, with a focus on the responsibility to keep the plan updated. An audit
procedure should be created that reports regularly on the status of the plan, and it should be
guaranteed that there are no duplicate versions of the plan, because these can confuse everyone when a
disaster or emergency event suddenly happens.
The backup processes are the important things in a disaster recovery plan. If I were the CEO, I
would coordinate all parties across Mega Bank to implement disaster recovery testing, because the
level of progressiveness and accuracy of the disaster recovery testing conducted by the company
indicates the level of the company’s actual responsibility. These are the five testing types of
Disaster Recovery Plan (from simplest through most comprehensive) that I would recommend Mega Bank to
implement:
• Checklist Test.
The plan is duplicated and then distributed to every management business unit. The plan is
reviewed to guarantee that it relates to all procedures and critical organization areas. This is
a beginning step of testing prior to the fact and not yet a satisfying test.
• Simulation Test.
During the simulation test, all operational and support personnel are expected to run through the
actual emergency in a training session. The objective is to test the personnel’s ability to
respond to a simulated disaster. The simulation goes as far as the point of relocating to the
alternative backup site or determining recovery procedures, but the actual and alternative
recovery processes are not conducted.
• Parallel Test.
This is a full test of the recovery plan, involving all employees/personnel. The difference
between the parallel test and the full-interruption test that follows is that the main business
production process keeps running (it is not stopped). The objective of this testing type is to
make sure that the critical systems will actually run at the alternative backup processing site.
Those systems are relocated to the alternative site, parallel processing is started, and
transaction results and other corresponding elements are compared. This is the most common testing
type in disaster recovery planning.
• Full-Interruption Test.
During the full-interruption test, a disaster is replicated right up to the point where normal
production processing is stopped. The plan is implemented fully as in a real disaster, and
involves emergency services as well (the local authorities may even be informed and help with
coordination). This testing type is terrifying, but it is the best and surest way to try out a
disaster recovery plan. It is a kind of replication as if the disaster were there.
The last two types of test need a huge investment in time, human resources, and coordination to
implement.

References:

1. www.bankmega.com
2. [Source: By chip team, Press Release/Jakarta, 17 April 2009]
3. [Source: Disaster Recovery Plan by taufiqur rahman akbar / Jumat, 16 April 2010]
