What is a Business Impact Analysis (BIA)?
A bank’s business continuity plan (BCP) has evolved to become the crucial blueprint for guiding a financial institution through recovery from a business interruption. Examiners are reviewing these plans more closely, looking for proof that banks not only have a well-crafted plan in place but are also able to execute it successfully. To develop a solid plan that the institution can implement effectively when a disruption occurs, banks must thoroughly understand and evaluate their critical processes, functions, and the interdependencies that support them.
One of the first steps in the BCP process is completing a Business Impact Analysis (BIA). The BIA is designed to help banks identify and evaluate the potential effects of an interruption to critical business operations, whatever its cause (disaster, accident, or emergency). However, there has been some confusion among financial institutions about exactly what a BIA is and why it matters to the overall plan. Some institutions confuse conducting a BIA with completing a Risk Assessment (RA). While the two go hand in hand and are both important steps in the continuity planning process, they are two distinct exercises.
The Difference Between Risk Assessment and Business Impact Analysis
Simply put, a risk assessment outlines the threat scenarios the bank could face that would negatively impact normal operations. This includes both natural and man-made disasters listed in Appendix C of the FFIEC’s Business Continuity Planning booklet: flooding, fire, pandemic illness, looting, vandalism, loss of communications, hardware failure, and so on. As part of the RA, each risk is rated on its probability and its impact on the institution. The Risk Assessment should result in a list of top threats to the institution, its customers, and the financial market it serves. That list can then be used to inform testing priorities.
A BIA, on the other hand, focuses on the bank’s processes rather than on the threats to them. The question it asks is: how badly will the inability to complete a process harm your institution, regardless of why that process was interrupted? Completing a BIA includes performing a workflow analysis of every business function and process that must be recovered. The BIA ranks the criticality of your processes, determines how quickly each area of the bank needs to be recovered, and ultimately produces a ranked list of recovery priorities. This analysis should be a living process that identifies the interdependencies between critical operations, departments, personnel, and services.
How to Complete a Business Impact Analysis for Your Bank
To conduct the BIA, financial institutions should review each business process individually, along with the functions that go into completing it. Participants evaluate the impact of losing each process during an outage without assuming any particular cause for that outage.
There are four main categories of enterprise risk that should be evaluated for each process to determine an accurate assessment of the total business impact:
- Regulatory/legal risk
- Reputation risk
- Strategic risk
- Operational risk
Evaluating these categories allows the BCP team to prioritize and sequence time-sensitive or critical business processes, functions, and the interdependencies that support them. These interdependencies include technology components, personnel, and outsourced relationships. The BIA helps the bank make sense of all these moving parts and identify which are more crucial than others. The end result of the BIA is a consensus list of processes; for each, the Maximum Allowable Downtime (MAD) and the Recovery Time Objective (RTO), which must be no longer than the MAD; the point in time to which data must be restored, i.e., how much data loss is tolerable (the Recovery Point Objective, or RPO); and the order in which those functions should be recovered (recovery priority). This information provides the strategic direction of the recovery plan and should be referenced when defining recovery procedures.
Why the Business Impact Analysis is a Crucial Part of Your Bank’s BCP
Completing the BIA enables the financial institution to define and understand what it actually does and how important each of those processes is to its operation. While the findings differ from bank to bank, there are similarities. For example, most retail banks have a teller system that must be operational, as well as an ATM system and a core processing network. However, the MADs and RTOs assigned to each function are often different for each institution. It is now common for regulators to demand that every RTO be based on a methodical analysis of the tolerance for downtime of each process, and not simply on a subjective value. Financial institutions need to be able to show how and why they arrived at the ranking of each function. It is crucial to involve representatives from every area of the institution in the BIA process. Failing to do so, or not completing the BIA at all, leads at minimum to a misallocation of resources, possibly to a violation of regulatory requirements (and a lower exam score), and in the worst case to reputational damage.
At Safe Systems, we understand that conducting a BIA has become a time-consuming yet necessary part of operating a compliant, resilient, and recoverable financial institution. We have therefore developed a business continuity planning application, BCP Blueprint, to facilitate and automate the process: it replaces steps that were previously done by hand and eliminates cumbersome spreadsheets and time-consuming data gathering and reporting. The careful evaluation of individual business processes and supporting functions enables the bank to better understand its objectives for continuity of operations.
For more information, download our complimentary white paper, Taking Business Continuity Planning to the Next Level: A Better Way for Banks.