Developing a disaster recovery/business continuity plan, keeping it current and testing it at least once a year is one of the more black-and-white regulatory requirements for banks. In the wake (literally) of Hurricane Katrina and the 9/11 terrorist attacks—and in preparation for a possible avian flu outbreak of unknown proportions—regulators have made it clear that the absence of a comprehensive, tested business resumption plan is an unsafe and unsound practice.
In developing their business resumption solutions, many financial institutions have discovered that the preparation and interaction required to produce a plan can deliver other important benefits regardless of whether contingency plans are ever actually invoked. These include:
Business Impact Analyses: New Insights on Existing Functions
One of the first steps in developing a business resumption plan is to perform Business Impact Analyses (BIAs) for each of the operating units. BIAs provide a solid foundation for development of the business continuity plan.
Each department’s BIA documents existing disaster recovery capabilities (if any), business functions deemed critical by management, information flows within each unit and location and any interdependencies between them, existing business resources that support the unit including, but not limited to, electronic and paper-based information systems, hardware, software and communications.
The completed BIAs provide objective, contemporaneous information that will enable management to:
For many banks, development of the initial BIAs constitutes the first attempt to document and evaluate all areas of the bank using a common framework within a single time period for a particular purpose. Unless zero-based budgeting or similar enterprise-wide planning is, or has been, used, it’s doubtful that management has previously had access to a comprehensive, standardized database on the inner workings of the bank.
Identification of Potential Process Improvements
Prior to initiating the next phase—building the actual disaster recovery and business resumption plans—the information in the BIAs should also be reviewed to identify opportunities for improving normal operational processes before the contingent processing approach is devised.
In one institution, the BIA revealed that a software upgrade allowing automated feeds from the trust system to the general ledger had not yet been installed and daily manual entries were still being made. The timetable for implementing the automated interface was advanced—eliminating the possibility of manual error and reducing, by one, the number of manual processes to be performed in a contingent scenario.
Review of BIA information has also resulted in the identification and elimination of duplicate processing—in various combinations of manual and automated steps. By streamlining the day-to-day operation to eliminate duplication, greater efficiency is obtained in both normal and contingent operations, and it may be possible to reduce the size and cost of the backup infrastructure.
A first step in construction of the disaster recovery plan is identification of the various backup options for each process. This process may result in a rethinking of how the process is accomplished during normal operations. For example, a bank with a centralized in-house item processing capability may consider replicating it in another facility, perhaps a branch. For a smaller institution, replication may be too expensive and use of a service bureau as backup might make more sense. With the advent of relatively low cost branch capture devices, the bank may consider this approach to backup.
Often, banks conclude it makes good sense to adopt the contingent solution for day-to-day operations. Some institutions have gone to full outsourcing of item processing, transferring responsibility for primary and backup processing to the vendor. Others have decided to move to totally decentralized item capture, eliminating the central facility. Their plans assume that no disaster scenario will cause more than a small, acceptable fraction of capacity to be unusable.
Operations Documentation and Training Materials
Business resumption plans contain a variety of procedures including:
A key assumption in most business resumption plans is that personnel who normally perform functions may not be available—and this includes being unavailable to provide guidance or advice. Another employee or member of management may be required to assume responsibility, perhaps for an extended duration. And, although many plans provide for training of designated backups, it cannot be assumed that a trained person will be available under all contingent scenarios.
Therefore, all manual processes must be completely and accurately documented. The preparation of detailed procedures is ideally performed by the individuals who are normally responsible for the functions, under guidance of persons skilled in creating these materials.
The investment in procedural documentation provides other benefits. Foremost is serving as the basis for training of new and transferred employees in normal operations. When the bank becomes subject to the provisions of the Sarbanes-Oxley Act, the process of identifying internal controls over financial reporting (ICOFR) will be greatly facilitated. Similarly, written procedures provide an objective basis for internal and external auditors, as well as federal and state regulators, to evaluate internal processes and controls.
Identification of High Achievers
Development of business resumption plans requires the cooperation and assistance of virtually every unit in the bank (at least through completion of the BIA, which could, theoretically, lead to a decision not to develop contingency capabilities for a low-value unit). Even when a vendor is retained to manage the project and perform much of the work, the plans cannot be completed without input from those involved in current operations.
As with other incremental initiatives, employees and managers are expected to contribute to this process on top of performing their normal duties. And, as in other human endeavors, most will find a way to provide the required inputs and little more. There will be some employees who enthusiastically participate. They understand the importance of the effort to the bank, and share the vision of what can be achieved. These employees may have innovative ideas for improving operational efficiency. As described above, these could become the basis for both contingent and normal operations. Rather than brushing them aside, it may be possible to give them a larger role in the process.
Avoidance of Regulator-Imposed Solutions
As mentioned earlier, regulators have little tolerance for institutions which ignore or give superficial attention to business resumption planning. Most banks have made significant efforts to develop, maintain and test their plans. Those that lag behind are in jeopardy of being directed to adopt specific solutions that may be far more expensive, and sometimes less effective, than those which they could have developed on their own.
Some banks have been barred from rolling out new services such as electronic bill payment until they achieve milestones set by the regulator. Internal bank resources must often be diverted from other high-priority projects. Consultant assistance must be identified and retained quickly, and therefore generally less methodically, which often results in higher costs and a less than ideal choice of consultant.
Simply put, regulators expect banks to recognize the need for a comprehensive business resumption capability, adopt a plan to develop one, and execute the plan.
Development and testing of a business resumption plan is not easy, but the benefits can be considerable. Maintaining operations and service to customers is the paramount goal. Other paybacks can come in the form of increased efficiencies, improved processes, better documentation of operations and identification of high achievers and future leadership. By embracing the effort, acknowledging its importance and allocating sufficient resources, management can protect their institution from disaster scenarios while reaping other rewards.
Author: Jay Bowman, CISA, CISM
Jay Bowman serves as Director of Compliance Technology for Integrated Compliance Solutions, a leading provider of compliance administration services to financial institutions. Prior to joining ICS, Mr. Bowman served as the Director of Information Technology Services for an internal audit firm. Mr. Bowman served over 25 years with the Federal Reserve Banks of Philadelphia and Atlanta, where he co-authored the Fed’s Information Security Manual and held senior official positions over information technology, customer service and wholesale payments. In the run-up to Y2K, he was responsible for assisting all Third District financial institutions in testing their funds transfer and ACH systems with the Philadelphia Fed.