
Business Continuity Planning - At the Top of 2004's "To Do" List


By: Cynthia A. Bonnette, Director of Information Security Risk Assessment, NETBankAudit

What is the current state of your bank's Business Continuity Plan? If your bank is like many others, you probably have a Disaster Recovery Plan that was last overhauled for Y2K and possibly updated and modified in the aftermath of September 11, 2001. Unfortunately, such a plan will no longer meet regulatory expectations and also falls short of meeting the bank's legitimate business needs.

What's New in BCP and Why it Needs to be on Your Radar Screen
Clearly Y2K and September 11, 2001 were the most significant wake-up calls for Business Continuity and Disaster Recovery Planning. However, more recent events have had a material effect on the scope and focus of business continuity planning. The blackouts experienced in the northeast and severe fires in Southern California demonstrated the need for crisis plans that address material infrastructure disruptions. In addition, new regulatory guidance, in the form of a white paper from the Federal Reserve, Office of the Comptroller of the Currency, and Securities and Exchange Commission, and the Business Continuity Planning Booklet issued by the Federal Financial Institutions Examination Council (FFIEC), has established new baselines for BCPs.

Things have changed materially with respect to the focus, scope, and documentation for Business Continuity Planning. Perhaps the most significant change is reflected in the name — instead of "disaster recovery" the new terminology is "business continuity." This emphasizes a new focus on the plan's scalability and application to a wide range of scenarios. Rather than focusing on full recovery following a major disaster, the business continuity plan addresses various scenarios with different levels of severity and disruptive consequences.

Another big change in BCP is an enterprise-wide focus. Business continuity planning is exactly that: keeping the business going. It's not just about IT anymore. Instead, the BCP is concerned with identifying critical business functions and ensuring that they can be restored in an appropriate timeframe. This includes both electronic and physical (paper-based) processes. Understanding the critical processes and information needs of the organization is the foundation of today's BCP.

What Makes Up a Good Business Continuity Plan?
A good business continuity plan is a work in progress. Because your bank is a dynamic organization with changing processes and resources, the BCP needs to keep pace with changes in infrastructure, strategy, technology, and human resources. Therefore, your BCP needs to be a living document that is updated regularly and included in the change management process.

Key elements that must be addressed in your BCP process include the following:

  • Enterprise-wide focus - The goal of today's BCP is to reduce the impact of a disruptive event on business operations. The primary focus is not on IT, but on sustaining or quickly restoring essential information and processes. The data and processes can be electronic, paper-based, or a combination of both.
  • Scalability - BCP is all about timely and appropriate resumption of critical processes, regardless of the scope or scale of the disruption. Your bank's BCP needs to be applicable for a wide range of situations. This is an area where many banks' plans presently fall short. Previously, recovery from a large-scale disaster was the sole focus of most plans.
  • Business Impact Analysis (BIA) and Risk Assessment - Regulatory guidelines now state that the BCP must be grounded in a BIA and risk assessment. The objective of the BIA is to identify and prioritize critical business processes, while the risk assessment evaluates the likelihood of adverse events that could cause disruption and invoke the plan. The BIA and risk assessment represent key inputs that must be documented and regularly revisited and updated. Examiners will be looking for these items when they evaluate your BCP.
  • Roles and Responsibilities - A designated individual must be charged with responsibility for maintaining the plan. However, the BCP process should involve representatives from all key business departments and functions. Every department must have a continuity plan that is integrated with the overall plan for the organization. Recovery teams must be established, and key individuals need to be informed and trained for their duties.
  • Data Back-up and Contingency Plans - An essential part of the BCP involves data back-up, system redundancy, and plans for fail-over and restoration. Back-up strategies must address both electronic and physical data.
  • Crisis Management - Most banks have done a good job of addressing crisis management in their traditional disaster recovery plans. Emergency procedures, employee notification practices (e.g., calling trees), and lists of required supplies remain a key part of the BCP.
  • Communication - Several important lessons that were learned from September 11, 2001 involved communication. The BCP must address who needs to be notified and how notification will occur, including back-up methods. Consider assigning pagers and cell phones to relevant personnel. Also consider the need for walkie-talkies and communication systems that can operate during power failures.
  • Testing and Updates - A formal testing plan must be built into the BCP. The objective of the testing plan is to ensure that all aspects of the BCP are reviewed at least annually. The testing plan should outline what types of tests will be used (full test, partial test, table-top discussion, etc.) and their frequency. The results of the tests must be documented and updates to the plan should be made, as appropriate.
  • Third Parties - Today's BCP is an integrated effort. A variety of external parties may play key roles in the recovery process and therefore must be included in the planning stages. Roles and responsibilities of third parties (e.g., service providers, business partners, correspondent banks, etc.) must be defined in the plan and in written contracts, where possible. Contact information and notification requirements should be specified. Key third parties should be included in tests of the plan, and your bank should consider participating in BCP tests conducted by its service providers.
  • Documentation - It is important that your bank's plan is not only written and board-approved, but that it meets the new regulatory requirements. Key items to document include the BIA, risk assessment, testing (plans and results), and training. As always, the roles, responsibilities, and procedures must be defined in writing and made available both electronically and in paper, with back-up copies maintained off-site.
  • Staff Awareness and Training - Individuals with key responsibilities and roles in the plan need to receive appropriate training and guidance. All employees need to be aware of the existence of the plan and how it affects them (e.g., how they will be notified in the event of an emergency and where to go for instructions).

Why Should this be a Top Priority for my Bank?
With all of the priorities facing bankers in the coming year, why is business continuity planning so important? At a minimum, all regulated financial institutions need to address the guidelines outlined in the new FFIEC Booklet on Business Continuity Planning. Examiners will be evaluating your bank's plan according to this new yardstick, so you need to be prepared. But it's not just about regulatory compliance. We operate in an environment where instant information access is expected 24/7. System downtime is increasingly unacceptable. We have also awoken to the harsh reality that natural and man-made disasters are a fact of life that we cannot escape. While we cannot predict when they may occur, we can take steps to be prepared and ensure our ability to respond promptly to minimize the disruption.

So now is the time to put BCP at the top of your 2004 "To Do" List. The process can be facilitated by taking the following steps and leveraging existing resources.

  • Build on your existing Disaster Recovery Plan. There is undoubtedly some excellent content (e.g., crisis management guidelines, recovery team structures, etc.) that can be updated.
  • Conduct an evaluation of your existing plan using the examination procedures in the FFIEC Business Continuity Planning Booklet. Identify the gaps that need to be addressed.
  • Consider a cross-department committee to oversee the development of the BIA and risk assessment. This will provide diverse input and perspectives. Plan development and enhancement should be a team effort with a designated leader (e.g., the BCP Coordinator), who will be responsible for ongoing maintenance.
  • Leverage existing inventories of hardware and software to identify, prioritize, and document essential items. This will be a key input for the BIA.
  • Use the BCP process as an opportunity to re-evaluate back-up strategies and don't forget about back-up for physical documents and records.
  • Provide for periodic updates to your plan and be sure to consider BCP implications in the bank's change management process. As modifications occur to the information systems' infrastructure, business processes, and strategic operations, the BCP must keep pace.

NETBankAudit specializes in information security and technology risk assessment services with a focus on high quality, low maintenance, cost effective solutions that help financial institutions meet regulatory requirements and industry best practices. Founded in 2000, NETBankAudit offers financial institutions the ability to audit and test their network security architecture, policy and procedures, and regulatory compliance. Visit www.netbankaudit.com for further information.

Copyright, 2003, BankersOnline. First published on BankersOnline.com 1/12/04. All rights reserved.
