Author: Eric Flick, EFlick@jackhenry.com
According to the FFIEC, “It is the responsibility of an institution's board and senior management to ensure that the institution identifies, assesses, prioritizes, manages, and controls risks as part of the business continuity planning process.”
Here are the steps to a successful Business Continuity Planning process:
- Business Impact Analysis (BIA). When you conduct the Business Impact Analysis, look at all of the business functions and processes at the department level. Then identify the interdependencies between functions and departments. Finally, pinpoint the risks to the institution that result from unplanned or uncontrolled events affecting the ability to do business at the department level.
- Recovery Time Objective (RTO) and Recovery Point Objective (RPO). The RTO is the maximum amount of time that the institution can be without the function. The RPO is the maximum acceptable amount of data loss. As an example, if you say you need your core software running again within four hours of the incident and that you can’t lose any data, your RTO is “within four hours” and your RPO is “all data” up to the time the incident occurred. For the next step in your Business Continuity planning, you must determine the RTO and RPO for each business function identified in the Business Impact Analysis.
- Risk Assessment. The Risk Assessment takes the Business Impact Analysis assumptions, applies various threats to them, and measures the potential impacts to the business. Base the threats on the most likely risks to the business: institutions closer to the Gulf of Mexico or the Atlantic coast should rate hurricanes as a high risk, while institutions located in Tornado Alley should rate tornadoes as a high risk. During this step, the RTOs and RPOs should also be reviewed for gaps, meaning the difference between senior management’s expectations and the IT department’s actual ability to deliver on those expectations. Citing the previous example, where senior management expects the core system back within four hours with zero data loss, does IT actually have those capabilities in place today?
- Risk Management. Once these are documented, you have laid the foundation for all of the details that will comprise the Business Continuity Process. Now define the steps for how your people, processes, and places will resume business following an unplanned interruption.
- Risk Monitoring and Testing. This is a cyclical process. Just as you wouldn’t make a loan without reviewing credit history, and you wouldn’t make another loan to the same person a year from now without reviewing their credit history again, the institution needs to regularly monitor the risks and conduct an exercise at least once each year to see how the employees and management team perform in responding to the various business impacts.
Business Continuity Planning is manageable if you follow the elements and processes defined by the FFIEC. It is also an important component of your institution’s overall enterprise risk management program. Regular review of the plan, along with annual exercises whose results are reported to the board and senior management, is critical to the overall risk position of the institution.
Do you have a question about the Business Continuity Planning process? Send us your questions in the comments section and we’ll be in touch!