Booklet: Business Continuity Planning
Section: Risk Management
Subsection: Business Continuity Plan Development
Action Summary

The BIA and risk assessment represent the foundation of the BCP. The BCP should be written on an enterprise-wide basis, reviewed and approved by the board and senior management at least annually, and disseminated to financial institution employees for timely implementation. All financial institutions should develop a BCP that documents business continuity strategies and procedures to recover, resume, and maintain all critical business functions and processes.
Some financial institutions may choose to develop their BCP internally, while others may choose to outsource the development and maintenance of their BCP. While outsourcing BCP development may be a viable option, the board and management are ultimately responsible for implementing and maintaining a comprehensive BCP. Therefore, financial institution management should understand the business impact of potential threats, have the ability to implement mitigating controls, and ensure that the BCP can be properly executed by financial institution personnel and validated through comprehensive testing. When outsourcing BCP development, management should ensure that the chosen service provider has the expertise required to analyze the financial institution’s business needs. The service provider should also be able to design executable strategies that are relevant to the financial institution’s risk environment, create education and training programs necessary to achieve successful deployment of the BCP, and integrate necessary changes so that the BCP is properly updated.
A well-written BCP should describe the various types of events that could prompt the formal declaration of a disaster and the process for invoking the BCP. It should also describe the responsibilities and procedures to be followed by each continuity team, have current contact lists of critical personnel, address communication processes for internal and external stakeholders, identify relocation strategies to alternate facilities, and include procedures for approving unanticipated expenses.
The BCP should specifically describe the immediate steps to be taken during a disruption in order to maintain the safety of personnel and minimize the damage incurred by the institution. The BCP should include procedures to execute the plan’s priorities for critical versus non-critical functions, services, and processes. Specific procedures to follow for recovery of each critical business function should be developed so that employees understand their role in the recovery process and can implement the BCP in a timely manner.
The BIA and risk assessment should be integrated into the written BCP by incorporating identified changes in internal and external conditions and by focusing on the impact of the various threats that could disrupt operations, rather than on specific events that may never occur. Examples of the potential impact of various threats include the following:
- Critical personnel are unavailable and they cannot be contacted;
- Critical buildings, facilities, or geographic regions are not accessible;
- Equipment (hardware) has malfunctioned or is destroyed;
- Software and data are not accessible or are corrupted;
- Third-party services are not available;
- Utilities are not available (power, telecommunications, etc.);
- Liquidity needs cannot be met; and
- Vital records are not available.
Assumptions
When developing the BCP, financial institutions should carefully consider the assumptions on which the BCP is based. Institutions should not assume a disaster will be limited to a single facility or a small geographic area. Additionally, institutions should not assume they will be able to gain access to facilities or that critical personnel (including senior management) will be available immediately after the disruption. Public transportation systems such as airlines, railroads, and subways also may not be operating, and telecommunication systems may be overburdened and unavailable.
Internal and External Components
A BCP consists of many components that are both internal and external to a financial institution. An effective BCP coordinates across its many components, identifies potential process or system dependencies, and mitigates the risks from interdependencies. The activation of a continuity plan and restoration of business in the event of an emergency depends on the successful interaction of these various components. The overall strength and effectiveness of a BCP can be decreased by its weakest component. Internal components that should be addressed in the BCP to ensure adequate recovery of business operations may include interdependencies between various departments, business functions, and personnel within the institution. These interdependencies can also include single points of failure with internal telecommunications and computer systems. External components that can negatively affect the timely recovery of business operations and that should be addressed in the BCP may include interdependencies with telecommunications providers, service providers, customers, business partners, and suppliers.
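The dependency mapping described above, and the assumption in the preceding section that a disaster may not be confined to a single facility, can be checked mechanically once the BIA output is written down as a dependency map. The following Python script is an added illustration and is not part of the handbook text: the business functions, criticality tiers, components and dependency edges are constructed sample data standing in for what an institution's own BIA and risk assessment would produce, and the map is assumed to be acyclic. Each function or component lists its requirement groups; a group with more than one entry represents redundant alternatives (for example two telecommunications providers). The script reports which single component's loss takes down a tier-1 function, and evaluates a multi-component regional outage scenario.

```python
"""Single-point-of-failure analysis over a BCP dependency map.

Added illustration, not taken from the FFIEC handbook. All names and
edges below are constructed sample data; the map is assumed acyclic.
"""
from typing import Dict, List, Set

# Each key lists its requirement groups. Every group must have at least one
# working member for the key to be available, so an inner list with several
# entries models redundancy (any one alternative suffices).
DEPENDENCIES: Dict[str, List[List[str]]] = {
    # business functions (constructed)
    "wire_transfers":    [["core_banking"], ["swift_gateway"], ["ops_staff", "ops_staff_remote"]],
    "online_banking":    [["core_banking"], ["web_tier"], ["isp_a", "isp_b"]],
    "branch_teller":     [["core_banking"], ["branch_wan"]],
    "marketing_reports": [["data_warehouse"]],
    # internal components (constructed)
    "core_banking":      [["dc_a", "dc_b"]],            # two data centers
    "web_tier":          [["dc_a"]],                    # only in dc_a
    "data_warehouse":    [["dc_a"]],
    "branch_wan":        [["telco_x"]],
    "swift_gateway":     [["telco_x", "telco_y"]],
    "dc_a":              [["power_grid_region1"]],
    "dc_b":              [["power_grid_region1"]],      # hidden shared dependency
    # external components and leaf nodes (constructed)
    "isp_a":             [["telco_x"]],
    "isp_b":             [["telco_y"]],
    "telco_x": [], "telco_y": [], "power_grid_region1": [],
    "ops_staff": [], "ops_staff_remote": [],
}

# BIA criticality tier per business function (1 = most critical), constructed.
CRITICALITY: Dict[str, int] = {
    "wire_transfers": 1, "online_banking": 1, "branch_teller": 2, "marketing_reports": 3,
}


def available(node: str, failed: Set[str], deps: Dict[str, List[List[str]]],
              memo: Dict[str, bool]) -> bool:
    """True if `node` still works when every component in `failed` is lost.

    `memo` caches results for one failure scenario; pass a fresh dict per scenario.
    """
    if node in memo:
        return memo[node]
    if node in failed:
        ok = False
    else:
        # Leaf nodes have no groups, so all([]) makes them available.
        ok = all(any(available(alt, failed, deps, memo) for alt in group)
                 for group in deps.get(node, []))
    memo[node] = ok
    return ok


def impact(failed: Set[str], deps: Dict[str, List[List[str]]],
           functions: Set[str]) -> Set[str]:
    """Business functions in `functions` that become unavailable for this scenario."""
    memo: Dict[str, bool] = {}
    return {f for f in functions if not available(f, failed, deps, memo)}


def single_points_of_failure(deps: Dict[str, List[List[str]]],
                             criticality: Dict[str, int],
                             max_tier: int = 1) -> Dict[str, Set[str]]:
    """Map each component whose sole loss disables a function of tier <= max_tier
    to the set of functions it takes down. Functions themselves are not candidates."""
    critical = {f for f, tier in criticality.items() if tier <= max_tier}
    components = [n for n in deps if n not in criticality]
    result: Dict[str, Set[str]] = {}
    for comp in components:
        hit = impact({comp}, deps, critical)
        if hit:
            result[comp] = hit
    return result


if __name__ == "__main__":
    print("Single points of failure for tier-1 functions:")
    for comp, hit in sorted(single_points_of_failure(DEPENDENCIES, CRITICALITY).items()):
        print(f"  {comp:22s} -> {sorted(hit)}")
    # Regional scenario: both data centers and the primary telco lost together,
    # the kind of multi-facility outage the plan's assumptions should not exclude.
    regional = {"dc_a", "dc_b", "telco_x"}
    print("Regional outage", sorted(regional), "disables",
          sorted(impact(regional, DEPENDENCIES, set(CRITICALITY))))
```

On this sample map the shared power grid shows up as a single point of failure even though core banking has two data centers, which is the kind of hidden interdependency the paragraph above asks the plan to surface; raising `max_tier` extends the report to lower-priority functions, and any failure set can be passed to `impact` to evaluate a scenario from the risk assessment.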
Mitigation Strategies
Management should develop comprehensive mitigation strategies to resolve potential problems that may result from internal and external interdependencies. Mitigation strategies will depend upon the results of the BIA and risk assessment, but should always ensure that processing priorities can be adequately implemented and that business operations can be resumed in a timely manner. The following represent examples of appropriate mitigation strategies:
- Strengthening the physical facility using dependable construction materials;
- Establishing redundant vendor support;
- Establishing media protection safeguards and comprehensive data back-up procedures;
- Implementing redundant or alternative power sources, communication links, data back-up technologies, and data recovery methods;
- Increasing inventories of critical equipment;
- Installing fire detection and suppression systems; and
- Purchasing and maintaining adequate reserves of food, water, batteries, and medical supplies.
Once the BCP is complete, the viability of the plan must be assessed as part of the risk monitoring and testing step, which involves the development, execution, evaluation, and assessment of a testing program. The testing program is then used to update the BCP based on issues identified as part of the testing process.