Is Your Business Continuity Plan Really Recoverable?
For many community banks, developing a business continuity plan can be a time-consuming process that requires careful evaluation of the institution’s critical processes, functions, and the interdependencies that support them. Even after you determine the strategic direction of your recovery plan, establish Recovery Time Objectives, define recovery priority, detail key recovery procedures, and have the Board approve the document, your BCP process is not complete until you thoroughly test your plan. Testing verifies the effectiveness of your plan, helps train your team on what to do in a real-life scenario, and identifies areas where the plan needs to be strengthened. Examiners are reviewing business continuity plans more closely to verify that banks not only have a well-crafted, compliant plan in place, but are also able to successfully execute it. Without proper testing, how will you know if your team can successfully follow these strategies for recovery?
Test Your Business Continuity Plan
Every test should start with a realistic scenario designed to simulate your institution’s top threats. From there, the FFIEC suggests 4 different test methods of increasing intensity from a Tabletop Exercise/Structured Walk-Through Test through a Full-Interruption/Full-Scale Test. While initial testing of a plan can be relatively small-scale and straightforward, the institution should strive to extend the scope/severity of the exercise with each subsequent test. Running the very same test every year will not satisfy examiners.
Business Continuity is much bigger than simply the IT department. The FFIEC guidance states that:
It is important to make sure that all functional areas of the institution are involved in testing. This means that in addition to the Senior Management and Information Security roles defined in your plan, the team should also consist of key department heads with detailed operating knowledge of the processes and functions impacted by your scenario. These individuals must be aware of how to quickly recover and adequately support customer needs, regardless of whether normal operating procedures are available. Therefore, tests should cover the steps departmental managers must take to complete functions manually or in an alternate way. Although technology is important, the disaster response must not hinge on waiting for technology glitches to be resolved. Your departmental specialists know how to do their job under normal circumstances, but including them in testing allows them to gain familiarity with their alternate procedures in a specific emergency scenario.
One of the primary objectives of testing is to validate that the recovery time objectives for each process are achievable. Testing exercises help identify errant assumptions and gaps in the plan to make sure what you have on paper matches your most likely threat scenarios. According to the 2017 Community Bank Information Technology Outlook Study, a survey conducted by Safe Systems in Q4 2016, 78% of respondents reported formally testing their BCP every 12 months. While regulators require proof of testing annually, more frequent testing may be indicated if a previous test uncovered significant gaps in your plan or if there are significant internal changes to your processes or infrastructure.
Finally, don’t forget to include significant third parties in your testing. The guidance states:
Stay Current: Review and Update the Plan
While simulated testing scenarios are helpful in adjusting your plan to enhance recoverability of your bank’s processes and functions, it is also important to review and update the full plan on a regular basis. The BCP must be regularly updated as new services and technologies are implemented internally and as regulatory guidance and best practices change. According to the Safe Systems study, 75% of survey respondents indicated they are already in the habit of reviewing and updating their Business Continuity Plan every 12 months, but only 12% are taking the extra step to update their Business Continuity Plan whenever a new vendor, application or process is added.
To streamline this process, community banks should integrate business continuity into all business decisions, assign responsibility for periodic reviews of the plan, and perform regular testing and third-party reviews. The importance of the BCP should be communicated to the entire organization. The board, senior management and other stakeholders should also be kept up-to-date on the status of the BCP, review test results, and approve plan updates.
Meet Examiner Expectations and Ensure Recoverability
In the current regulatory climate, it is critical to ensure you are adhering to the examiner’s expectations. It is no longer enough to simply test restoring the same key systems annually; instead, you must test that the entire BCP is actionable and realistic. A comprehensive Business Continuity Plan limits the impact a disaster will have on your financial institution and ensures that you can continue to provide services to your customers, no matter what disaster may strike.
Your BCP should provide specific instructions for employees to follow, and testing makes sure those instructions can actually be followed. At Safe Systems, we have been working with community banks to manage their business continuity planning process for more than 20 years. With our knowledge of banking applications, technology, and compliance we can help you ensure your plan will meet your objectives while also satisfying all regulatory requirements.