Financial institutions, more than any other industry group, spend considerable resources on business continuity planning – and for good reason. Banks are a critical element of our economy’s infrastructure and, as a result, an ever-growing body of regulations imposes significant penalties on those who don’t comply. For many organizations, compliance, and its associated “satisfactory rating”, continues to be an elusive goal.
Based on our work with a diverse group of financial institutions, we have developed a common list of problems faced by many financial services organizations.
As the above problems surface, they often impact one another. This article outlines each challenge in greater detail and offers high-level, proven solutions that can be considered by business continuity and risk management professionals in financial services organizations.
Quality and Viability
Many larger banks have 500+ plans. With so many plans to manage, it’s difficult to determine which business units are prepared and which could use additional help to prepare better. It’s true that real world events are the best measure of readiness, followed by exercises and simulations. However, a number of financial services organizations have developed a continuous process to assist with their measurement of program readiness by forming Quality Assurance teams. These experienced business continuity professionals develop measurement standards, interact with planners and plan owners, review processes and documentation and participate in exercises. Most importantly, they develop quantitative measures designed to gauge business continuity readiness, and communicate results to executive management.
Quality Assurance can be a cumbersome, time-consuming process; leveraging planning tools and relying on data management strategies are therefore keys to success. The automated gathering of business continuity program information is important because it allows Quality Assurance personnel to focus on their most important task – coaching planners to improve their plans and strategies.
Regulators, internal audit, risk management, business executives, plan owners, planners, business partners, and employees are all stakeholders in a business continuity program. Each of these stakeholder groups has differing requirements. Daily, requirements are communicated to business continuity teams, and if managed incorrectly, these requirements will be applied in a disorganized manner, often adding unneeded complexity to the program. Even worse, these requirements can act as a distraction, paralyzing the business continuity team. As a result, annual program objectives are missed.
This is a difficult problem to address. To mitigate the risk of conflicting requirements reaching all members of the business continuity team, and to minimize distraction, a “gatekeeper” role should be considered. This is a person who owns the role of evaluating recommendations and requirements. The gatekeeper can be a means of providing clarity, so that approved measures are introduced efficiently into the business continuity program.
Related to the gatekeeper role, business continuity teams can define a process to capture recommendations and requirements, which amounts to a repository that manages these recommendations and requirements in a prioritized manner.
“Business Continuity Educated” employees are very rare, unless they have just experienced a business interruption or participated directly in a well-planned exercise. As a result of this problem, employee training and awareness is often cited as an area for improvement during bank examinations and internal audit reviews. Below are a few methods to increase internal business continuity awareness.
The barriers between business continuity and IT disaster recovery teams can be high. Without coordination, even the most advanced business continuity and IT disaster recovery programs will have trouble performing effectively. Below are a couple of ideas on how to break down these barriers.
Shrinking Budgets - Shrinking Recovery Objectives
Shrinking budgets and shrinking recovery objectives are not mutually exclusive; they are happening to many financial services organizations simultaneously. Below are ideas that address one or both of these challenges.
Participate in Change
Change in banks is constant. Reacting to change – as opposed to being proactive with change – can result in business continuity strategies that are more expensive than necessary because recoverability is designed and implemented after the fact. Additionally, a reactive approach to change leaves recoverability gaps, since new processes and technologies are introduced into the business while viable recovery strategies catch up weeks later.
Work with your organization’s Project Management Office (PMO) and other change managers to play an advisory role in meeting the organization’s business continuity standards before projects “go live”. There is a time investment for the business continuity team, but this investment is much less when compared to working on plans and strategies after the project is operational.
As business continuity programs grow, the amount of information increases exponentially. Repositories multiply (even with robust software solutions), data doesn’t flow as easily between systems as it once did, and complexities grow with multiple people working on the same data at the same time.
Do not delay and allow more information to back up. It’s important to take a step back to inventory your data within all tools, repositories and hard-copy formats. Once inventoried, consolidation is the key to developing an efficient data management system. If providing one system for all data is not possible, you can consider linking systems and reports so that they feed each other. The last component is to allow processes to be altered to meet your data management process, but not to complicate or compromise the integrity of the processes. If implemented correctly, having your data under control can have a major impact on program quality and efficiency.
The financial services industry will always have a unique set of challenges. Continuity programs continue to mature, but expectations are rising as well. The past ten years have seen rapid change, from technology-centric disaster recovery programs to today’s enterprise-wide business continuity management efforts. More change should be expected. Can you say your program is characterized as:
If so, it’s highly likely your executive management team and regulators will find great value, comfort and confidence in your ability to deliver continuity and availability now and into the future.