Business continuity planning is a critical requirement for every institution; however, it is typically the one given the least consideration. A well-developed program includes several key elements: an assessment of the risks; an analysis of the impact an event may have on the institution; development of the Plan itself; employee education; risk monitoring and testing; and periodic Plan updates. Each of these areas should be well documented so that you can fully demonstrate your efforts to examiners.
Most likely you are not starting from scratch. But even if you are, the IT Examination Handbook published by the Federal Financial Institutions Examination Council (FFIEC) is an excellent resource that walks you through the entire process. The Business Continuity Planning booklet is available on the FFIEC's website at https://ithandbook.ffiec.gov/it-booklets/business-continuity-planning.aspx. You should be familiar with its various chapters, because this is the guide your regulators will use when they review your business continuity program. Over the next few months we will provide sessions with a high-level breakdown of the various considerations and requirements of business continuity planning.
So, let's start from the top: who is responsible? As is the case with most everything related to banking, the Board of Directors is ultimately responsible. The Board must ensure the program is appropriate to the size of the institution, the risks identified, and the potential effects of an event. The Board should establish a Policy that states its intent to manage and control the risks identified in the business impact analysis and the risk assessment. It is important that the Policy is reviewed and approved by the Board annually.
In addition, the Board should select a knowledgeable employee to implement its Policy. Depending on the size of your institution, this may be a single employee, a person who serves as Chair of the Business Continuity Committee, or an entire department dedicated to continuity. Often this position is held by the Information Security Officer or the IT Department Manager. However, it is important to ensure that the program's scope extends beyond technology alone. Is the IT Department the right fit for oversight and coordination of your institution's Plan? The person selected by the Board must also be given the resources and authority needed to implement the Plan. Those resources will differ from one institution to another, with the size and complexity of the institution being a major factor.
We will cover the Plan itself in a later session, but let's continue with responsibilities. The Plan must be reviewed by an independent party. Typically this is performed during the IT audit, but does that review go beyond technology testing alone? Internal audit can review the Plan; however, consider what role internal audit plays in the Plan and whether they are truly independent of it. The expectation is that the review is completed annually. The Plan must also be approved at least annually. The words "at least" matter here, because the Plan is a living, dynamic document: if the institution has a significant change in any critical area, the Plan should be updated and re-approved by the Board at the time of the change rather than waiting for the next annual cycle.
Employee education is another critical element of the Business Continuity Plan. Everyone must be aware of the Plan and of their own responsibilities under it. Calling trees and/or notification systems must be kept up to date with the latest addresses and phone numbers for all employees. The Plan should be provided in a form that employees can actually reach during an event. Have you considered the possibility of little or no internet service? Many institutions keep their Plan on a shared drive or in a web-based software service; if that is the only copy, an outage that takes down the network also takes down the Plan. It is therefore important that critical employees have a physical copy. At a minimum, they should have a copy of the critical sections and know where the complete Plan is located. A complete copy of the Plan should be available on-site and at the back-up site. Speaking of back-up sites, do your employees know where yours is? All employees, critical and non-critical, should know where to go in the event of a disruption.
As we wrap up this first session on the BCP, we must also mention that the Board is responsible for ensuring the Plan is tested and updated on a regular basis, and at least annually. We will discuss this process in greater detail in a future session, but it is a key element of the overall program. Stay tuned as we break down the business impact analysis and the risk assessment in our next sessions.