Besides being trustworthy, loyal, thrifty, and brave, a Boy Scout is always prepared. After all, that’s their motto. Be prepared. It’s a good motto. You may laugh at your former Boy Scout friend who packs an extra heavy sleeping bag and winter clothes to the weekend summer camping trip, but as soon as the dark clouds roll in and the temperature drops 30 degrees, you’ll be wishing you had been a little more prepared. Preparedness doesn’t only apply while camping. Financial institutions face constant risks, and disaster could strike at any time. Smart institutions would do well to adopt the Boy Scout motto of “be prepared,” especially when it comes to a disaster recovery plan. No one wants to see the circumstances that would cause an institution to activate its business continuity and disaster recovery plan, but the last time you would want to find out that yours is inadequate or hopelessly outdated is in an actual emergency.
For larger disasters, a financial institution’s ability to withstand the calamity and recover its ability to conduct operations quickly can be crucial to the larger community’s efforts to get back on its feet and to ensure continued confidence in the banking system. But just having a disaster recovery plan on the shelf isn’t enough.
There are three key characteristics we’ve observed that constitute a strong business continuity and disaster recovery program: 1) testing, 2) customization, and 3) formalized system of notification. We’d like to analyze that first characteristic—testing—a little deeper.
BUSINESS IMPACT ANALYSIS
Testing begins with a business impact analysis (BIA). This kind of analysis focuses on how disasters would affect your departments, overall business operations, membership or customer base, reputation, revenue, and so forth. It is important to know how unique disaster circumstances would affect the different aspects of your institution.
The main goal of the business impact analysis is to determine the basic recovery requirements of critical department activities. Critical activities may be defined as primary business functions that must continue in order to support various departments within your organization.
For the BIA, you will need to identify:
- Critical business activities that occur in your department.
- What the impact to your department would be in the event of a disruption of each activity.
- How long your department could survive without performing this activity.
For that last one, you’d assign recovery time objectives (RTO) to each function. The RTO is the time from which a crisis/disaster is declared to the time that the critical business function must be fully operational in order to avoid serious financial loss or other meaningful risks.
TABLETOP TESTING
After preparing the BIA, it is vital to periodically subject your business continuity plan to tabletop testing, where key members of each department come together and talk through potential disaster scenarios and how the institution would respond. This process of “role playing” through a disaster allows your financial institution to see how well your personnel, systems, and variables perform on a hypothetical level so that any needed changes can be made well before any actual disasters strike. This testing should accomplish four goals:
- Determine the feasibility of contingency plans and procedures.
- Identify areas in the plan that may require modification.
- Provide training opportunities for BCP committee team members and financial institution employees.
- Evaluate the impact of the disaster on critical functions identified in the business impact analysis (BIA) and whether there is a “domino” affect related to those functions. You may find that departmental functions have inherent dependencies to complete crucial functions and these are frequently identified during tabletop exercises when incorporating the BIA.
During your tabletop testing, you would want to include scenarios that are likely to happen in your area. You may also wish to use one or more different scenarios over the course of several tests to help ensure that your BCP is well-rounded and appropriate for many kinds of potential disasters. It’s important to include natural disasters—earthquakes, hurricanes, floods, fires, etc.—as well as man-made disasters, like riots, viruses, and data breaches.
Because tabletop exercises and business impact analyses involve so many departments, many institutions ask for third-party assistance in orchestrating the effort leading up to it, conducting the exercise itself (including the selection of scenarios), and preparing the summary report and accompanying recommendations.
By thoroughly analyzing the impact of disasters on your institution and thoroughly testing your disaster recovery/business continuity plan, you’ll be well on your way to being prepared when disaster strikes.