Tom Hinkel, Account Manager
The new Business Continuity Planning (BCP) booklet replaces the March 2003 version and contains many significant revisions. The most significant changes deal with the reliance on a Business Impact Analysis (BIA) as the first step in the BCP process, and with the understanding that business continuity should be treated not as a plan but as a continuous process. This means another committee, another binder, and another agenda item at the annual Board meeting!
The guidance is fairly specific about the methodology that financial institutions should follow when developing their BCP. So much so, in fact, that many institutions should be able to compare their own disaster recovery (DR) program step by step with the new guidance. In the end, the decision whether to simply upgrade the existing program or scrap it completely and start over will depend on how far the current BCP plan diverges from the new guidance. In most cases, unless the bank has not updated its program since Y2K, it should be able to salvage most of it.
The DR/BCP methodology has been defined as an orderly process that follows these steps in a cyclical fashion: BIA -> Risk Assessment -> Risk Management -> Risk Monitoring and Testing. Anyone who has performed a recent risk assessment will find this process familiar:
Generally, the Business Continuity Planning Process should incorporate the following steps:
Step 1: Establish a committee, empowered by the Board to oversee the development, implementation, maintenance and testing of the BCP program. The committee should be representative of all the critical business process groups. The committee's first objective is to determine the extent to which the existing plan measures up to the new guidance.
Step 2: Perform a work flow analysis to ensure that all business process interdependencies have been identified.
Step 3: Prepare a BIA by identifying all critical business processes, prioritized by the impact on the institution of losing each process. Classify each process as Critical, Urgent, Important, Normal or Non-essential. Assign a Recovery Time Objective (RTO) to each classification based on the maximum allowable downtime.
Step 4: Using the BIA, assess the severity of the risk to the institution based on the probability and impact of the threat. The guidance recommends that institutions should focus on the impact, not the specific nature, of the threat.
Step 5: Develop a written plan specific enough to both define the conditions to trigger implementation and the immediate steps to take. The plan should be focused on the impact and flexible enough to adapt to changing conditions. Don’t forget the interdependencies identified in Step 2.
Step 6: Develop a testing program and conduct annual (or more frequent) tests. Consider having the testing procedures and results assessed by an independent third party.
Although the recommendation is not to focus on the specific nature of the threat, four general types of threats should be considered: Malicious Activity, Natural Disasters, Technical Disasters and Pandemics. Of the four, Pandemic Planning is singled out in Appendix D as one threat that should be specifically addressed.
The extent to which the institution’s existing plan adheres to the new guidance can be quickly determined by having the committee review Objectives 2 through 10 of the Tier I Examination Procedures (Appendix A). For each objective, assign one of the following values:
- Our existing plan addresses this objective, and documentation is adequate – 0 points
- Our existing plan addresses this objective, but documentation is either lacking or insufficient – 1 point
- Our existing plan does not address the objective – 2 points
If the total is 10 or more, the institution may wish to consider scrapping the existing plan and starting over. The good news is that the new guidance provides more than enough detail to quickly create a workable framework. The bad news is that it will still require a significant internal resource commitment. For banks unwilling or unable to make the necessary commitment, outsourcing all or part of the program's development may be an option. Safe Systems has resources available in this area, from the BIA to ongoing testing. Ask your Account Manager for more details.
View the new FFIEC Business Continuity Planning Booklet here.