
One of the keys to success in any enterprise-wide initiative is consistent support by the Board and Senior Management. In order to support and emphasize the importance of business continuity planning within financial institutions, a new set of guidelines was published by the Federal Financial Institutions Examination Council (FFIEC) in March of this year. These guidelines are far more stringent than prior guidance in defining all aspects of business continuity programs within financial institutions.
These guidelines place particular emphasis on both the process and scope of Business Continuity Testing, recommending that the Board of Directors and Senior Management establish a testing policy to include evaluation by a qualified independent party. It only makes sense that testing should be given this emphasis, because the Testing Program is the only true measure of the effectiveness of the institution’s continuity capability.
Testing is an area that has traditionally been a kind of stepchild to the more “glamorous” aspects of business continuity capability development such as Business Impact Analysis (BIA), Risk Assessment, Strategy Implementation, and Plan Documentation. The planning software industry has concentrated on these “development project” aspects, and a wide choice of tools is available for them. For Testing, which is the majority occupation of the BCM department for the life of the organization after the initial strategy implementation and plan documentation, the tool choices are considerably more limited, and they do not generally handle well the process development aspects that are crucial to meeting these new FFIEC requirements. The FFIEC has quite properly identified continuity testing as the linchpin of any business continuity capability within the financial institution.
These new guidelines are significant. For the first time, there is a requirement to audit not just the existence of an annual BC Test but also the processes and results of an integrated and ongoing Test Program that includes both the external and internal dependencies of critical business functions. In the past, the BC Plan was often regarded as a development project with one-off project funding. This reflects an associated failure by management to truly understand that the continuous and increasing complexity of testing, as well as the appropriate updating of plans and strategies, would require the establishment of a permanent business function with ongoing funding. It is this established Test Program that will constitute the bulk of the effort and funding for business continuity within the organization, and it must continue for the life of the organization. We have long since moved on from the standard disaster recovery test: restoring application systems (singly or in related groups or all of the internal data center) using backup tapes retrieved from offsite and laid down at a contracted external hot site. Just how far can be seen from a few of the specifics of this newest FFIEC guidance:
Fundamental to meeting these requirements is a more formal approach to test planning than has usually been the case. The specification of annual overall test objectives and the detailed planning of tests to accomplish those objectives, including their funding requirements for inclusion in an annual budget, will help to define and organize the work to be performed to meet this requirement. Any planned organizational changes or technology changes could also be taken into account in this planning and budgeting process. Development and implementation of a detailed individual test planning process, including the participants and their roles, and the definition of required meetings (pre- and post-test), timeframes, attendees and roles will create a repeatable process to drive the planning, performance and debriefing review for all tests. The application of this repeatable process to all tests will create familiarity and predictability over time, and will help to cement this planning process as the baseline of the ongoing test program within the institution.
The current weakness in the financial sector may make it more difficult to allocate the resources and funding required to create and maintain this ongoing Test Program in the near-term, but compliance with the business continuity testing guidelines in this FFIEC booklet is not optional. “Reviewing a financial institution’s business continuity planning process, which includes an assessment of the BCP, is an established part of examinations performed by the FFIEC member agencies.”
Kathleen Lucey is President of the USA Chapter of the Business Continuity Association. She has more than 25 years of experience as an external consultant in business continuity and information security and in technical and managerial roles in information systems and security. Lucey has presented at industry-leading conferences in North America and Europe and has contributed articles to several publications.