Resiliency Planning: All For One and One for All

In the competition for customers, banks hold proprietary marketing plans and strategies close to the vest. But when the subject turns to continuity planning, everyone's cards should be on the table. Charles Wallen, a project director for the Financial Services Technology Consortium, says financial institutions realize that a single bank going offline after a major disaster or snafu can smack consumer confidence across the entire sector. "Everybody's in the same game," he says.

Wallen, a former technology operations veteran at Bank of America, leads the FSTC's business continuity standing committee currently developing the first industry benchmarks for planning and measuring resiliency standards. The project involves meshing global continuity regulations and terms into a single, common-language framework of solutions and guidance. The FSTC announced in September that 15 major institutions and technology companies have teamed under the Resiliency Maturity Model Project, based on Carnegie Mellon methodology, to develop those benchmarks.

Explain why a common model or standard to measure an institution's continuity planning is needed.

Wallen: It cuts to the very core of communication. If we're not sharing a common vernacular, it's hard to create a catalyst for the kind of collective action that's needed to ensure that the financial sector can recover. If we're trying to figure out where are we vs. the other guys, where are we vs. our peers, where are the organizations we work with relative to their continuity planning, and we don't have a common way of measurement, it's very difficult to be able to know where you need to invest money or suggest to your vendors [where to] invest money.

Why hasn't a benchmark system for resiliency grown out of regulatory and compliance examinations?

I think it has. Regulatory industries have asked...financial organizations to work more closely together in making sure that recovery works. [But] one of the things that has really concerned folks about regulatory input is it is perceived to be prescriptive. What we're trying to do is, rather than come up with another best practices [list], we're trying to leverage some of the existing standards and practices that are already out there. We focus on the what, not the how.

How does this benchmarking work figure into the FSTC's overall business continuity compliance project?

With all the new regs, banks are trying to figure out what's most important, especially given that there are multiple agencies issuing them, some at the state level, some at the federal. The compliance project just pointed out what a lot of folks already knew, that they needed a more comprehensive view, a less stove-piped view, of risk management.

What are some examples of how to measure a continuity plan?

A real simple one would be what's the awareness in your organization? What kind of training is going on to make sure people recognize it's everybody's job to deal with business continuity? What level of training is being provided? A low-performing organization would be one that might bring it up in new employee training or maybe not at all. A high-performing organization would have regular, thorough training and awareness programs, and potentially even compensation, so that everybody was tied to activities around business sustainability and resiliency.

What were some issues discovered and clarified in the first phase of this resiliency maturity model project?

We identified a common taxonomy. We went out and we gathered terminology from multiple sources (GRII [global reach information infrastructure], NFPA 1600 [disaster/emergency management standards], all of the key glossaries that were out there) and boiled all those down from 5,000 terms to 1,000 terms. We also identified around 40 capabilities that organizations should have at some level in order to be able to be resilient, and we began to drill into those capabilities and identify what are characteristics of those capabilities, what are the goals that one might look for in regard to capabilities. And we've done some work in terms of documenting how we got here.

Are there hurdles to developing continuity planning benchmarks that work for any size bank?

One of the great benefits of identifying this model, in particular for organizations that don't have the resources to devote to resiliency activities and business continuity activities, is providing a roadmap on what you should be doing. So, over the next few months in our phase two, [the committee] is doing some self-assessments within the organizations, validating our model, and looking for gaps and opportunities to apply the process improvement ideas that are in the model. Our goal is to start looking for gaps, but also to try to validate, improve and refine the model.

What are the project's next phases?

We're going to deepen the model. We're building some questionnaires around some of the capabilities that we've identified, and we're going to do a lot more documentation, drilling down into what exactly it takes to move from one capability to another, and identify more clearly some of the relationships between the various capabilities, various characteristics and establishing those plateaus. Obviously our taxonomy is going to be refined and tuned throughout the process to make sure our model stays consistent. And the last thing is we need to gather empirical data based on these self-assessments to validate that in fact our model does measure what it should.

(c) 2005 Bank Technology News and SourceMedia, Inc. All Rights Reserved. http://www.banktechnews.com http://www.sourcemedia.com
