If your bank is like many others, you probably have a disaster recovery plan that was last overhauled for Y2K and possibly updated in the aftermath of 9/11. Unfortunately, such a plan will no longer satisfy regulatory expectations - nor serve the bank's business needs.
Recent events, such as the blackout in the Northeast and the severe fires in southern California, demonstrated the continued need for crisis plans that address infrastructure disruptions. In addition, new regulatory guidance - in the form of a white paper from the Federal Reserve Board, the Office of the Comptroller of the Currency, and the Securities and Exchange Commission, and a booklet on business continuity planning from the Federal Financial Institutions Examination Council - has established new baselines for continuity plans.
Things have changed materially with respect to the scope and documentation of this type of planning. Perhaps the most significant change is reflected in the name: instead of "disaster recovery," the terminology is now "business continuity." The change reflects an emphasis on the plan's scalability and its application to a wide range of scenarios. Rather than focusing on full recovery after a single major disaster, the business continuity plan addresses scenarios of varying severity, from a localized outage of one system to the loss of an entire facility.
A good business continuity plan is a work in progress. Because your bank is a dynamic organization with evolving processes and resources, the plan needs to keep pace with changes in infrastructure, strategy, technology, and staffing. It needs to be a living document that is updated regularly and included in change management, so that a new system or a new service provider is reflected in the plan when it is introduced, not at the next annual review.
Elements that must be addressed in your BCP process include the following:
Enterprisewide focus. Business continuity planning isn't just about IT anymore - it's about keeping the entire business going. That involves identifying critical business functions and ensuring that they can be promptly restored.
Scalability. Your plan needs to be applicable to a wide range of situations. This is an area where many banks' plans fall short - most of them deal solely with recovering from a large-scale disaster.
Business impact analysis and risk assessment. Regulatory guidelines now state that the business continuity plan must be grounded in a business impact analysis and a risk assessment. The business impact analysis identifies and prioritizes business processes and establishes how long each can be unavailable; the risk assessment evaluates the likelihood and impact of the events that could disrupt them. Both exercises must be documented and updated regularly. Examiners will be looking for these items when they evaluate your BCP.
Roles and responsibilities. A named bank employee must be put in charge of maintaining the plan. However, the process should involve people from all important departments and functions: each department must have a continuity plan that is integrated with the overall plan, and recovery teams with designated alternates must be set up.
Data backup and contingency plans. An essential part of the BCP involves data backup, system redundancy, and restoration. Backup strategies must address both electronic and physical data, and restoration should be proven by periodically restoring from the backup media rather than assumed to work because the backup job completed.
Crisis management. Most banks have done a good job of addressing crisis management in their traditional disaster recovery plans. Emergency procedures, employee notification practices (calling trees, for instance), and lists of required supplies remain a crucial part of the BCP.
Communication. Several important lessons from 9/11 involved communication. The BCP must address who needs to be notified, in what order, and how (including backup methods in case the primary method is unavailable). Consider assigning pagers and cell phones to relevant personnel. Also consider the need for walkie-talkies and other communication systems that can operate during a power failure or when the telephone network is overloaded.
Testing and updates. A formal testing plan must be built into the BCP, and it must include a provision that the plan be reviewed at least once a year. The plan should spell out what the testing will entail (for example, a tabletop walk-through, a restoration of systems at the alternate site, or a full exercise), how the results will be documented, and how the deficiencies found are tracked to resolution.
Third parties. Today's BCP is an integrated effort. A variety of external parties may play important roles in the recovery process and therefore must be included in the planning stages. Roles and responsibilities of third parties (for example, service providers, business partners, correspondent banks) must be defined in the plan and in written contracts where possible. Contact information and notification requirements should be specified. Key third parties should be included in tests of the plan and your bank should consider participating in BCP tests conducted by its service providers.
Documentation. It is important that your bank's plan not only be written and board-approved but also meet the new regulatory requirements. Items to document include the business impact analysis, risk assessment, testing, and training. As always, roles, responsibilities, and procedures must be defined in writing and made available both electronically and on paper, with backup copies maintained off-site.
Training. All employees need to be aware of the existence of the plan and how it affects them - for instance, how they will be notified in an emergency and where to go for instructions.
So now is the time to put business continuity planning at the top of your 2004 to-do list. The following steps can help you use existing resources to achieve that goal:
- Build on your current disaster recovery plan.
- Evaluate your plan using the examination procedures in the FFIEC booklet.
- Consider a cross-department committee to oversee the development of the business impact analysis and risk assessment.
- Leverage existing inventories of hardware and software.
- Use the BCP process as an opportunity to reevaluate backup strategies.
- Provide for periodic updates, and be sure to consider the plan's implications in the bank's change management process.