Zach Duke, EVP Business Development
In my recent consultations with numerous financial institutions, I have found a significant number of institutions that have not engaged Senior Management on the Business Impact Analysis process. It seems that every week there is some new event that highlights the risks of a “business interruption” or “disaster” and the need for effective Business Continuity Planning. Are the leaders of your institution prepared and even more, do they fully understand the criticality of this process?
The Business Impact Analysis (BIA) is essentially the identification and prioritization of which critical functions should be up and working first after a “business interruption” or “disaster.” Here are some compelling reasons for your CEO and Board of Directors to take an active role in this process:
1) The BIA is required by examiners. In today’s regulatory climate it is more critical than ever to make sure that you are adhering to examiner’s expectations. The BIA needs to be created and owned by Senior Management and the Board of Directors. At Safe Systems, we often assist our financial institution customers through the IT Examination process, and we have found that the regulatory scrutiny is shifting from a focus on asset quality to the evaluation of management oversight. This includes all operational aspects of the institution, including business continuity planning. For more information check out the Compliance Guru’s blog on this topic.
2) The BIA also allows for all executive team members to be on the same page of prioritization and recovery. One way to remove the difference of opinion on departmental priorities is to make sure that the executive and IT Steering Committee team have the same understanding. It is common for each manager to believe that their department has the highest priority before being involved in the BIA process. The agreement on these high impact areas and the acceptable amount of downtime allowed is the crux of the BIA process.
3) During a disaster, it is critical that the financial institution have a plan of where to start the recovery process. The BIA provides the roadmap that the entire organization will use to guide decisions on the goals of recovery. During a disaster all items are high level critical events, and this allows for the appropriate resources to be dedicated to the highest impact areas.
4) By performing the BIA, the institution can begin the process of evaluating the ability to meet the recovery expectations. These expectations are driven by meeting the needs of your customers and maintaining the reputation of the institution. The BIA gives the ability of evaluating the current recovery processes and timeframes versus the expected recovery time (also called recovery time objectives). If the institution does not have an updated and accurate BIA, the recovery process is typically owned and created by the operational team. This typically results in the BIA becoming a mirror image of operational recovery (it will take us this long to recover), and does not address the critical business risks including strategic risk and reputation damage.
5) The last reason for having an up-to-date BIA is the ability to measure success of the business continuity plan. Testing of the BIA and the Business Continuity Plan allow for the institution to verify expectations, and at the same time highlight areas that need more work or different plans. It is no longer enough to just test the Core Processing system as the annual “disaster recovery” test. There are many other areas outside of just being able to get account information that are critical to your institution.
In today’s “always on” society, your customers expect to have continuous access to your institution. As technology continues to become more intertwined with the institution’s delivery of service to your customers, their own expectation of availability and access continue to increase. The BIA is the foundation of your recovery program, and everything else, from specific recovery procedures to testing, must flow logically from it. Ultimately, it is the responsibility of the Board of Directors and the CEO to make sure that the institution can meet the expectations of its customers…and its shareholders.