The Ultimate Guide To Business Continuity Management for Banks and Credit Unions
By Tom Hinkel
When I recently participated in a conference panel discussion with federal regulators, the FDIC representative said she was going to change her reference from Business Continuity Planning (BCP) to Business Continuity Management (BCM) from now on. The change makes sense, because “planning” is only one part of the business continuity process. Business continuity management encompasses the entire process by integrating resilience, emergency response, crisis management, third-party integration, disaster recovery, and business process continuity.
In the financial industry, community banks and credit unions are required to develop compliant business continuity plans that identify business processes along with their interdependencies and that provide resilience to, and recovery from, all potential threats to the financial institution. BCM is designed to help organizations, regardless of their size, location or activity, prepare to handle disruptions of any kind, natural or man-made, including cyber.
Future posts will address the other BCM elements, but with so much at stake, it is important for financial institutions to understand the plan (hereafter also referred to as the BCP) itself:
- Regulatory requirements relevant to a compliant BCP;
- How to develop the BCP;
- The importance of integrating vendor management into the BCP;
- Steps to effectively update and test the plan; and
- The benefits of automating the BCP process.
To comply with regulatory expectations, financial institutions are required to focus on an enterprise-wide, process-oriented approach that considers technology, business operations, testing, and communication strategies that are critical to business continuity management for the entire organization, not just the information technology department. Regulations make it clear that institutions need to plan to perform their critical business functions, even if technology may be impaired or unavailable.
Auditors and examiners have also been scrutinizing business continuity plans to verify that the institution’s methodology and plan structure closely adhere to the regulatory guidance that has been put in place since 2015. Increasingly, they are looking at the interdependencies of how institutions interact with their third-party providers, and in particular scrutinizing the institution’s resilience to the failure of a critical third party. According to the FFIEC,
When a financial institution relies upon third parties to provide operational services, they also rely on those service providers to have sufficient recovery capabilities for the specific services they perform on behalf of the financial institution.
In addition, the guidance also identifies four primary categories of threats that should be considered when developing the BCP. These threats include malicious (including cyber) activity, natural disasters, technical disasters, and infectious diseases like pandemics.
How to Develop a BCP – What to Include in the Plan
It’s safe to say that most banks and credit unions have some sort of a BCP in place, yet many struggle with determining what to include in the plan to ensure it is both recoverable and compliant. This can be especially difficult if the plan has not been routinely updated, and the financial institution does not have a solid understanding of FFIEC guidelines and expectations.
While each financial institution has a unique operating model based on its services, demographic profile, organizational processes, and technologies, the first step when drafting or updating the BCP is to have a thorough understanding of all the functions and processes that make up those operations. This process, which we refer to as Enterprise Modeling, involves identifying all departments or functional units, with all associated processes and functions, and determining the team owners and members responsible for each department. Having representatives from each department take an active role in the planning process ensures the technologies and responsibilities for each area are accurately represented. This also helps the financial institution develop a more accurate assessment of its recovery time objectives and actual recovery capabilities. It is not feasible to have a single individual with all the knowledge and unique skill set required to put together a comprehensive BCP.
A plan should consist of all the steps required to ensure key products and services remain available to customers or members. The BCP consists of a business impact analysis; a risk/threat assessment; a comprehensive recovery strategy to minimize downtime; and a testing process to validate recovery time objectives. Furthermore, the BCP should be a “live” document that keeps pace with any changes in infrastructure, strategy, technology, and human resources. As soon as a plan is board approved, it should be tested, and a new draft plan should be initiated. At any point in time you should have both an approved plan, as well as a live draft to accommodate changes.
The Importance of Integrating Vendor Management into the BCP
The majority of banks and credit unions today rely on third-party service providers, or vendors, to conduct business on a day-to-day basis. When financial institutions outsource key functions to a service provider, it creates a reliance on that third party and exposes the institution to the risk of not being able to resume operations within pre-defined recovery time objectives in the event of a disruption. When creating a BCP, financial institutions have to account for all interdependent third-party relationships, and identify the potential consequences a third-party disruption might have on its operations.
The criticality of the product or service the vendor provides is directly related to the criticality of the dependent process it supports, as identified by the business impact analysis. Some questions financial institutions should consider include:
- How important is this vendor to what we do?
- If they fail, how many of our dependent services would be negatively impacted?
Vendor criticality is expressed in terms of Recovery Time Objectives (RTOs), and each bank or credit union determines and assigns the same RTOs to the third-party vendor as they have to the underlying process they support. In other words, if you’ve identified a two-day recovery time objective for a particular process, any underlying vendors will also inherit that same two-day RTO. In the event that the vendor cannot match your RTO (validated by testing), you must have a contingency plan in place to compensate for the gap.
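The inheritance rule above, as an added example that is not part of the original post: each vendor inherits the RTO of every process that depends on it (the shortest one wins when several processes share a vendor), and any vendor whose tested recovery time exceeds that inherited RTO, or that has never been validated by a test, is flagged as a gap needing a contingency plan. The institution, process names, vendor names and RTO values are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Process:
    """A business process from the enterprise model, with the RTO set by the business impact analysis."""
    name: str
    rto_days: int
    vendors: List[str] = field(default_factory=list)  # third-party services the process depends on


@dataclass
class Vendor:
    """A third-party provider and the recovery time it demonstrated in testing (None = not yet validated)."""
    name: str
    tested_rto_days: Optional[int] = None


# Constructed sample data for a hypothetical institution (not from the original post).
PROCESSES = [
    Process("Wire transfers", rto_days=1, vendors=["Core processor", "Wire network"]),
    Process("Online banking", rto_days=2, vendors=["Core processor", "Internet banking host"]),
    Process("Loan origination", rto_days=5, vendors=["Loan origination SaaS"]),
]

VENDORS = [
    Vendor("Core processor", tested_rto_days=1),
    Vendor("Wire network", tested_rto_days=2),              # slower than the 1-day process it supports
    Vendor("Internet banking host", tested_rto_days=None),  # recovery capability never validated by a test
    Vendor("Loan origination SaaS", tested_rto_days=3),
]


def dependent_processes(processes: List[Process], vendor_name: str) -> List[str]:
    """Answer 'if this vendor fails, which of our processes are affected?'."""
    return sorted(p.name for p in processes if vendor_name in p.vendors)


def inherited_rtos(processes: List[Process]) -> Dict[str, int]:
    """Each vendor inherits the RTO of the processes that depend on it; when several
    processes share a vendor, the shortest RTO wins, because the vendor must be back
    in time for the process with the tightest target."""
    required: Dict[str, int] = {}
    for p in processes:
        for v in p.vendors:
            required[v] = min(required.get(v, p.rto_days), p.rto_days)
    return required


def rto_gaps(processes: List[Process], vendors: List[Vendor]) -> List[dict]:
    """Vendors whose tested recovery capability does not meet the inherited RTO.
    An untested vendor counts as a gap: an RTO that has not been validated by testing
    is only an assumption, and the plan cannot rely on it."""
    tested = {v.name: v.tested_rto_days for v in vendors}
    gaps = []
    for vendor, required in inherited_rtos(processes).items():
        actual = tested.get(vendor)
        if actual is None or actual > required:
            gaps.append({
                "vendor": vendor,
                "required_rto_days": required,
                "tested_rto_days": actual,
                "affected_processes": dependent_processes(processes, vendor),
            })
    return gaps


if __name__ == "__main__":
    for gap in rto_gaps(PROCESSES, VENDORS):
        status = "untested" if gap["tested_rto_days"] is None else f"tested {gap['tested_rto_days']}d"
        print(f"{gap['vendor']}: inherited RTO {gap['required_rto_days']}d, {status}; "
              f"contingency plan required for {', '.join(gap['affected_processes'])}")
```

With the sample data, the core processor and the loan origination provider meet their inherited RTOs, while the wire network (tested at two days against a one-day requirement) and the untested internet banking host are reported as gaps, each with the processes that would need a manual or alternate procedure.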
Successfully integrating vendor management and business continuity planning is essential for financial institutions to truly understand their actual recovery capabilities by validating whether or not their third-party providers “have sufficient recovery capabilities”.
Importance of Testing and Updating the BCP
Testing is an important part of the process, and in fact, the BCP is not complete until the plan has been thoroughly tested. Testing verifies the effectiveness of the plan by validating all recovery time objectives; helps train the team on what to do in a real-life scenario; and identifies areas where the plan needs to be strengthened. In addition, examiners are also verifying that a BCP has been tested, and the financial institution is able to execute the plan if and when the need arises. Because the financial industry is considered part of the nation’s critical infrastructure, testing will continue to be a focus going forward.
Every test should start with a scenario drawn from the top threats as identified by the risk/threat analysis phase of the planning process. Top threats are those determined to have both high impact and high probability ratings. While initial testing of a plan can be relatively straightforward, a bank or credit union should strive to extend the scope and severity of the exercise with each successive test, making the tests progressively more complex and involving different individuals. Conducting the very same test with the same participants every year will not satisfy examiners, nor will it give your management the assurance they need.
In addition to the senior management and information security roles defined in a plan, the testing team should include key department heads with detailed knowledge of the processes and functions impacted by the scenario. Tests should cover the steps departmental managers must take to complete functions manually or in an alternate way. In addition, all departmental specialists should be included in the testing. There are two reasons for that: the first is so they are familiar with alternate procedures in emergency scenarios; the second is to make sure you have backups, or successors, to your primary recovery resources. Succession planning is another hot-button item with examiners now. While regulators require proof of testing annually, more frequent testing is indicated whenever a previous test uncovered significant gaps in the plan, or if there are significant internal changes to processes, infrastructure or personnel.
Automating the Planning Process
To help streamline this time-consuming process, banks and credit unions can automate repetitive portions of business continuity planning. Automating these activities eliminates the need to update cumbersome spreadsheets and manually copy/paste information from various reports and previous assessments.
An automated BCP solution will also help guide banks and credit unions through the entire BCP process, assuring that all required elements are included. Automating the planning process also makes it easier and much less time-consuming to perform annual plan updates by allowing static portions of the plan to carry forward, but accommodating changes wherever necessary. Any automated solution should also allow you to identify all material plan changes from year-to-year, so management and board approval is easier.
Business Continuity Management is a critical process for banks and credit unions regardless of size and location, and the plan is central to that effort. To streamline the planning process, financial institutions should integrate business continuity into all business decisions; conduct periodic reviews of the plan; and perform regular testing. Everyone in the organization — from the tellers to the Board — should understand the importance of business continuity planning and how his or her unique role fits into the financial institution’s overall business continuity strategy.