In the aftermath of hurricanes Katrina and Rita in 2005, businesses and financial institutions are now reassessing their business continuity plans. Business continuity planning is the process whereby financial institutions ensure the maintenance or recovery of operations, including services to customers, when confronted with adverse events such as natural disasters, technological failures, human error, or terrorism1. This article is the first of a two-part series on the topic of business continuity planning. Part I outlines the essential elements of the planning process. Part II will focus on best practices and lessons learned and will appear in the Third Quarter 2006 issue of SRC Insights.
Business continuity planning was formalized to obviate Y2K issues and further strengthened to counter any act of terrorism in the post-9/11 era. In fact, initial business continuity planning regulatory requirements helped financial institutions to circumvent even greater disruptions during the 2005 hurricane season, when hurricanes Katrina and Rita devastated the Gulf and disabled the infrastructure of the entire region. Consequently, the focus on effective business continuity planning has been renewed. Business continuity planning is of particularly great importance within the financial services industry, as the functions of financial institutions are critical to both the national and global economies, and the results of any disruption to business operations must be minimal in order to preserve public assurance in the U.S. financial system.
The March 2003 Federal Financial Institutions Examination Council’s (FFIEC) Information Technology Examination Handbook includes a separate section on business continuity planning. During the planning process, financial institutions should utilize an enterprisewide process that addresses all critical business functions and includes plans to handle all types of disruptions. In addition, a financial institution’s business continuity plan (BCP) should correspond with its role in the support of critical markets, such as foreign exchange; federal funds; commercial paper; and government, corporate, and mortgage-backed securities. Lessons learned from 9/11 reinforce that a business continuity plan should not be limited to the recovery of data, but also should include people, technology, and the structures which house such resources.
The FFIEC guidance stresses that the responsibility of business continuity planning lies with senior management and the board of directors, who are ultimately accountable for identifying, assessing, prioritizing, managing, and controlling risk. More specifically, the board of directors and senior management are responsible for the following:
Furthermore, financial institutions are encouraged to adhere to a process-driven methodology, which includes the following four components:
1. Business Impact Analysis
2. Risk Assessment
3. Risk Management
4. Risk Monitoring
The foundation of a strong business continuity planning process is the completion of a business impact analysis (BIA) and a risk assessment. The effectiveness of a BCP must be validated through testing, and the results must be subject to an independent audit, as well as a review by the board of directors. The BCP must be updated periodically to accurately reflect changes related to functions, systems, personnel, and service providers. The BCP must be approved annually by the board of directors.
Business Impact Analysis
The BIA should reflect the complexity and volume of the institution’s activities and is considered the first step in developing a BCP. During this phase of development, the potential impact of nonspecific, uncontrolled events or risks is identified, and the estimated downtime is calculated along with the cost of that downtime. Furthermore, recovery priorities should be established, and the necessary resources, technology, systems, pertinent records, and data should be identified properly. Moreover, the effect of legal and regulatory requirements should be addressed during the BIA phase of development.
The risk assessment is vital to the business continuity planning process, and efforts should be made to ensure that threat scenarios are not unreasonably limited, which could undermine the overall adequacy of the BCP. Assumptions formed during the BIA phase must be stress tested according to various scenarios. The results will further determine which business processes will produce intended results and which processes will require additional development and resources. Threats should be realistic; emphasis should be placed on the overall impact to the institution and the likelihood of occurrence instead of the nature of the threat.
A gap analysis, which measures the necessary requirements to maintain or recover operations in comparison to what the current BCP provides, should be performed. Any noted deficiencies represent risk and therefore should be addressed by management and the board of directors in the development of the BCP. The risk assessment should also include all of the financial institution’s or service provider's locations and facilities. Worst-case scenarios, such as destruction of the facilities and loss of life, should also be addressed during the risk assessment phase of development.
A written BCP should be prepared following the completion of the BIA and the risk assessment, wherein plans and methodology to maintain, resume, and recover critical and noncritical business processes, functions, and services should be documented. Interdependencies and related risk should be carefully identified, and processes for eliminating identified risks should be detailed accordingly. The BCP should outline and specify some of the events that might lead to an activated BCP phase. Appointed personnel, procedures, and responsibilities should be identified and documented clearly, for the purpose of timely execution.
All banking organizations and other financial market participants are encouraged to consider the implementation of the sound practices highlighted in “The Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System,”2 written in response to 9/11. This paper describes practices which are designed to improve the resiliency of the clearing and settlement infrastructure and to facilitate the sound operation of the financial system in the event of a wide scale disruption.
Risk monitoring helps to ensure that a BCP is reliable. Risk monitoring includes annual testing, ongoing updates, and independent reviews. Based upon the importance of the specific business operation and the overall operating environment, management may opt to conduct recovery testing more frequently within specific operational areas, but overall testing should be completed at least annually. Strategies should be developed based on recovery needs and not based on an assumption of decreased demand for services. Evaluations of interdependencies, service providers, and recovery of backup data should be assessed properly to determine overall reliability and accuracy. Throughout the monitoring and testing phase, security measures should be taken to ensure that secure copies of the backup media remain available in the event of a problem during the testing phase.
FFIEC guidelines detail specific types of testing, including:
In order to ensure that the objectives of business continuity planning are met, as established by the board of directors, audit or an independent party should assess the efficiency and effectiveness of the process in its entirety and identify and report any weaknesses or recommendations to the board accordingly.
The importance of business continuity planning cannot be understated. The role of financial institutions is critical to the national and global economies, and in a time of misfortune or crisis, financial institutions help to provide a sound infrastructure and sustain consumer confidence. No one can predict with certainty the events of tomorrow; however, an effective, comprehensive, continuously updated, and tested business continuity plan can help to ensure an effective response and to facilitate the stabilization of local, regional, and global economies when the unexpected occurs.
The views expressed in this article are those of the author and are not necessarily those of this Reserve Bank or the Federal Reserve System.