Bankers Offered a Way to Assess Continuity Plans

Six years after terrorist attacks in New York and Washington exposed glaring weaknesses in banks' data security and disaster recovery systems, a pair of research groups have developed a standardized approach that companies can use to benchmark their own readiness.


The Resiliency Engineering Framework is designed to be a tool for any industry, not just banking, according to representatives of the Financial Services Technology Consortium and Carnegie Mellon University's Software Engineering Institute, which developed the framework.

However, Carnegie Mellon sought out experts in the banking industry because their security and continuity practices are considered more advanced than in most other sectors, the representatives said.

Charles Wallen, the managing executive of the consortium's business continuity standing committee, said the industry has recognized the need for a collaborative approach, with banks working with one another on a wide range of potential problems that could affect the financial services industry — from fraud and computer failures to hurricanes and floods.

"There are a number of models and frameworks out there, but most of them are proprietary, and they lack the depth that Carnegie brings," Mr. Wallen said. "You're not going to solve the pandemic flu issue by doing it alone in your organization."

Rich Caralli, a senior member of the technical staff in the CERT program at Carnegie Mellon's Software Engineering Institute, said the resiliency issue is different from the issues his team has tackled in the past.

The institute has said its Capability Maturity Model framework, a Defense Department-backed effort for assessing the maturity of software engineering processes, has produced results, but there is no guarantee that an approach like that will even work in disaster planning and security, he said.

"Security is perhaps the only area where the lack of a positive response is an indicator of success," Mr. Caralli said.

Carnegie Mellon began working on resiliency in 2002 and formed a partnership with the consortium in April 2004 after learning that the consortium was independently pursuing a similar strategy, Mr. Caralli said. Since then, the two groups have held several workshops with bankers, vendors, auditors, and others to define and refine the issues.

The financial companies that participated in the exploratory study included: Bank of America Corp., Citigroup Inc., Discover Financial Services Inc., the Federal Reserve Bank of New York, JPMorgan Chase & Co., KeyCorp, MasterCard Inc., U.S. Bancorp, and Wachovia Corp.

The result was a descriptive framework that codifies a set of practices across 25 process areas, he said. "Down the line there will be an appraisal methodology that the Software Engineering Institute will build."

The goal is to develop a way for organizations to measure their competence, including benchmarking against peers and the industry, in a way that "it isn't just based on opinion," he said.

The first case studies from banks should begin to come out in three to six months, and Carnegie Mellon plans to begin introducing the framework in 2008 and 2009 in other critical industries, such as utilities, telecommunications, food and pharmaceutical processing, and government agencies.

Mr. Wallen said the framework also should provide regulators with a reference point for measuring companies' compliance, though that is not the point of the exercise.

"Managing operational risk is a board issue. This framework provides an objective way of making those decisions. Compliance is a byproduct," he said.
