
Business Continuity Planning and the FFIEC

In 2004, the Federal Financial Institutions Examination Council (FFIEC) issued revised guidance for examiners and financial institutions on business continuity planning (BCP). In the BCP booklet, the FFIEC advises that comprehensive planning should be conducted using the following, sequential structure:

1. Business impact analysis
2. Risk assessment
3. Risk management
4. Risk monitoring

Business Impact Analysis

The first step in the process is to conduct a business impact analysis (BIA). It is a management-level assessment of financial and operational impacts that would result from a prolonged disruption of business operations and is usually conducted via a survey to senior management and key constituents.

In addition to financial and operational impacts, a sound BIA survey should identify extraordinary expenses that could be incurred from a disaster, the organization’s current state of preparedness, any single points of failure, technology requirements for recovery, special recovery resources needed, and the organization’s critical information systems. The results of the BIA are used to develop recovery requirements for computer processing, telecommunications, and business units.

Risk Assessment

The next step is to conduct a risk assessment, which involves identifying specific risks a credit union may face. When conducting a risk assessment, it is important to remember to focus on the impact of possible threats rather than the nature of the threat. For example, a severe winter storm may not necessarily cause physical damage to your facilities, but it could disrupt the power, making it impossible to conduct most business processes.

A risk assessment produces a risk matrix that plots the likelihood or probability that an event will occur against the severity of the resulting disruption. Using the results of a risk assessment, organizations can try to mitigate as many risks as possible, avoiding certain business disruptions altogether. For the risks that cannot be mitigated, the organization will need to build continuity plans.

Risk Management

The FFIEC defines the risk management phase as “the development of a written, enterprise-wide BCP.” The contents of a plan vary widely from one organization to another. But, at a minimum, a plan should contain the following:

- Documented procedures and resources necessary to recover critical business functions
- A prioritization of recovery for processes and operations
- Information about who can declare a disaster and under what circumstances
- Contact lists of critical personnel (including employees and vendors)
- An inventory of critical equipment, office supplies, computer equipment, software, and documents
- Specifications for an alternate site (if necessary)
- Descriptions of the responsibilities and procedures to be followed by each continuity team

Risk Monitoring

The final sequential step outlined in the FFIEC guidance is risk monitoring, which includes testing, review, and updating. Testing helps financial institutions adjust recovery time objectives by providing realistic, tested estimates of the time needed to complete tasks. A thorough testing program also makes sure that the plan does not overlook resources needed for recovery, or depend on resources that are already committed elsewhere in the recovery process.

The FFIEC guidance outlines four types of tests a financial institution may perform:

- Walk-through: Consists of key planning participants discussing how to handle a crisis
- Tabletop Drill: Consists of a scenario with a specific event for which recovery personnel have to run the continuity plan
- Functional Test: Involves actually completing some of the recovery tasks and may include sending personnel to alternate sites
- Full-scale Test: Involves testing all aspects of a continuity plan

Additional Considerations

The FFIEC guidance also provides other suggestions for BCP. It outlines five specific areas of responsibility for senior management and boards of directors with regard to BCP. Among the things auditors will review are whether a financial institution's leadership is allocating sufficient resources and personnel to the planning process and whether senior management is ensuring that the BCP is kept up to date.

The booklet also recommends that plans be developed on an enterprise-wide basis, not just for IT. The plans should take into account people, technology, and facilities. In fact, the FFIEC advises that “an automatic red flag should go up in examinations that reveal BCP to be the sole responsibility of a systems administrator.”

Finally, the guidance calls for examiners to determine if credit unions have appropriate strategies that include “alternatives for interdependent components and stakeholders, including utilities, telecommunications, third-party technology providers, key suppliers or business partners, and customers and members.”

The complete booklet is located at www.ffiec.gov/ffiecinfobase/booklets/bcp/buscontinuityplan.pdf and contains over 60 questions that auditors will be asking of financial institutions. Credit unions that don't want to fail their next safety audit would be wise to review the booklet and plan accordingly.

This is a summary of a more in-depth white paper by Strohl Systems entitled “Business Continuity Planning and the New FFIEC Guidance.” For more details, contact Kevin Miller at 800-634-2016 or kmiller@strohlsystems.com, or visit www.planetstrohl.com.
