Originally published on CUInsight.com.
If disaster struck your community right now, would your institution be ready? While no one wants to see the circumstances that would cause an institution to activate its business continuity and disaster recovery plan, the last time you would want to find out that yours is inadequate or hopelessly outdated is in an actual emergency.
For larger disasters, a financial institution’s ability to withstand the calamity and recover its ability to conduct operations quickly can be crucial to the larger community’s efforts to get back on its feet and to ensure continued confidence in the banking system. But just having a disaster recovery plan on the shelf isn’t enough.
We have observed three key characteristics of a strong business continuity and disaster recovery program: 1) testing, 2) customization, and 3) a formalized system of notification. We'd like to look at the first of these, testing, in more depth.
BUSINESS IMPACT ANALYSIS
Testing begins with a business impact analysis (BIA). This analysis focuses on how disasters would affect your departments, overall business operations, membership or customer base, reputation, revenue, and so forth. It is important to know how each specific disaster scenario would affect the different parts of your institution, because a flood and a data breach do not disrupt the same functions in the same way.
The main goal of the business impact analysis is to determine the basic recovery requirements of critical department activities. Critical activities may be defined as primary business functions that must continue in order to support various departments within your organization.
For the BIA, you will need to identify:
- Critical business activities that occur in your department.
- What the impact to your department would be in the event of a disruption of each activity.
- How long your department could survive without performing this activity.
For that last item, you assign a recovery time objective (RTO) to each function. The RTO is the time from the moment a crisis or disaster is declared to the time the critical business function must be fully operational again in order to avoid serious financial loss or other material risk. Note that an RTO is only meaningful if the function's own dependencies (systems, vendors, other departments) can be restored within the same window.
After preparing the BIA, it is vital to periodically subject your business continuity plan to tabletop testing, where key members of each department come together and talk through potential disaster scenarios and how the institution would respond. Role-playing through a disaster in this way lets your financial institution see how well its personnel, systems, and procedures hold up at a hypothetical level, so that any needed changes can be made well before an actual disaster strikes. This testing should accomplish four goals:
- Determine the feasibility of contingency plans and procedures.
- Identify areas in the plan that may require modification.
- Provide training opportunities for BCP committee team members and financial institution employees.
- Evaluate the impact of the disaster on the critical functions identified in the BIA and whether there is a "domino" effect among those functions. Departmental functions often depend on other functions (a teller line cannot operate without the core platform and network, for example), and these dependencies are frequently surfaced only when the BIA is walked through in a tabletop exercise.
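The BIA steps above (critical activities, their impact, and an RTO for each) and the "domino" effect from the last bullet can be checked mechanically before a tabletop exercise. The following is an added example, not code from the original article or from AffirmX: it models a BIA as a small list of activities with declared RTOs and dependencies, propagates each RTO down to everything the activity depends on, reports where a declared RTO is looser than its dependents actually need, and produces a recovery sequence for the walk-through. The activity names, departments, RTO values, and dependencies are constructed sample data, not figures from any real institution.

```python
from dataclasses import dataclass, field


@dataclass
class CriticalActivity:
    """One row of the BIA: a critical business function and its recovery requirement."""
    name: str
    department: str
    impact: str                                    # effect on the department if the activity stops
    rto_hours: float                               # declared RTO, hours from disaster declaration
    depends_on: list = field(default_factory=list)  # names of activities this one cannot run without


def required_rtos(activities):
    """Tighten each RTO to the strictest RTO of anything that depends on it.

    If teller transactions must be back in 4 hours and cannot run without the
    core platform, the core platform's real RTO is 4 hours regardless of what
    IT declared. Iterates to a fixed point, so chains of any length settle.
    """
    by_name = {a.name: a for a in activities}
    required = {a.name: a.rto_hours for a in activities}
    changed = True
    while changed:
        changed = False
        for act in activities:
            for dep in act.depends_on:
                if dep not in by_name:
                    raise ValueError(f"{act.name!r} depends on unknown activity {dep!r}")
                if required[act.name] < required[dep]:
                    required[dep] = required[act.name]  # values only decrease, so this terminates
                    changed = True
    return required


def rto_gaps(activities):
    """Domino-effect findings: (activity, declared RTO, required RTO, direct dependents driving it)."""
    required = required_rtos(activities)
    findings = []
    for act in activities:
        if required[act.name] < act.rto_hours:
            drivers = sorted(
                other.name for other in activities
                if act.name in other.depends_on and required[other.name] <= required[act.name]
            )
            findings.append((act.name, act.rto_hours, required[act.name], drivers))
    return findings


def recovery_order(activities):
    """Sequence for the tabletop walk-through: tightest required RTO first, dependencies before dependents."""
    required = required_rtos(activities)
    by_name = {a.name: a for a in activities}
    ordered, placed = [], set()

    def place(name, trail=()):
        if name in placed:
            return
        if name in trail:  # a cycle means no recovery order exists; the plan itself is broken
            raise ValueError("circular dependency: " + " -> ".join(trail + (name,)))
        for dep in sorted(by_name[name].depends_on, key=lambda d: required[d]):
            place(dep, trail + (name,))
        placed.add(name)
        ordered.append(name)

    for act in sorted(activities, key=lambda a: (required[a.name], a.name)):
        place(act.name)
    return ordered


# Constructed sample BIA for a small credit union; all values are illustrative.
SAMPLE_BIA = [
    CriticalActivity("Core banking platform", "IT", "no balances, postings, or history", 24.0),
    CriticalActivity("Network connectivity", "IT", "branches and call center cut off from core", 8.0),
    CriticalActivity("Teller transactions", "Branch operations",
                     "members cannot deposit, withdraw, or cash checks", 4.0,
                     ["Core banking platform", "Network connectivity"]),
    CriticalActivity("ACH processing", "Payments",
                     "payroll and bill-pay files miss settlement windows", 12.0,
                     ["Core banking platform"]),
    CriticalActivity("Member call center", "Member services",
                     "no phone support for displaced members", 8.0,
                     ["Network connectivity"]),
]

if __name__ == "__main__":
    for name, declared, needed, drivers in rto_gaps(SAMPLE_BIA):
        print(f"{name}: declared RTO {declared}h but {', '.join(drivers)} need it within {needed}h")
    print("Recovery sequence:", " -> ".join(recovery_order(SAMPLE_BIA)))
```

Run against the sample data, the check shows that the core platform's 24-hour RTO and the network's 8-hour RTO are both really 4-hour RTOs because the teller line depends on them; that is exactly the kind of gap a tabletop exercise is meant to surface, and it is cheaper to find it in a spreadsheet first.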
During your tabletop testing, include scenarios that are likely to happen in your area. You may also wish to rotate through different scenarios over the course of several tests to help ensure that your BCP is well-rounded and appropriate for many kinds of potential disasters. Cover natural disasters (earthquakes, hurricanes, floods, fires, and so on) as well as man-made ones, such as civil unrest, viruses, and data breaches; the latter exercise different dependencies, since the building may be intact while the systems are not.
Because tabletop exercises and business impact analyses involve so many departments, many institutions ask for third-party assistance in orchestrating the effort leading up to it, conducting the exercise itself (including the selection of scenarios), and preparing the summary report and accompanying recommendations.
By thoroughly analyzing the impact of disasters on your institution and thoroughly testing your disaster recovery/business continuity plan, you’ll be well on your way to being ready when disaster strikes.
For more information on AffirmX’s business continuity and disaster recovery plan services, including its tabletop exercises assistance, please visit AffirmX.com/disasterrecovery.
Ken Agle, President of AdvisX, brings more than 25 years of experience covering almost all facets of financial institution risk management operations. He has conducted more than 350 compliance reviews and has assisted more than 200 financial institutions throughout the United States. He has developed and implemented systems and training programs on all phases of banking risk management, including, but not limited to, BSA/AML, fair lending, loan review, HMDA, CRA, operational compliance, TILA, and RESPA. He has written numerous regulatory responses and appeals and has been instrumental in assisting institutions with challenging circumstances while facing regulatory enforcement orders. He has partnered with McGladrey & Pullen, RSMI, Promontory, Sheshunoff and other multi-region firms to provide support services to financial institutions. Mr. Agle specializes in strategic regulatory response and in developing and implementing both proactive and reactive tools and systems to preempt and resolve issues affecting today's financial institution.