Ncontracts’ Business Continuity Planning Resources for Banks and Credit Unions
You need a business continuity plan BEFORE you need a plan – one that outlines the steps to help your organization recover quickly and get back to work serving your community, and also helps you avoid compounding the initial incident with unforeseen costs and confusion.
When you are building your business continuity plan (BCP) for your bank or credit union, the resources on this page will act as valuable reference points. We want to help you plan for the events everyone hopes will never happen, so if they do, you can return to ‘business as usual’ as quickly as possible.
Some will recall the days without the many tools and resources now available to develop and maintain disaster recovery and business continuity plans. Few software applications were available for building and maintaining contingency plans, and those in existence were very expensive, affordable only for Fortune 100 companies. In addition to the limited availability of contingency planning software, the internet was not nearly as mature as it is today. Information to help with building your business continuity program was limited at best.
The Vast Amount of Data for Business Continuity
Fast forward to today and one can argue that we’re now at the opposite end of this spectrum, where there’s too much information available. Software applications to maintain our contingency planning efforts are plentiful. We can research anything and everything related to BCP, from natural risks such as earthquakes and tornados all the way to disaster recovery planning strategies such as co-location facilities and real-time data replication solutions. The list of information sources is virtually endless.
But this creates a whole new challenge. With all these choices and information, how does one improve their bank’s, credit union’s or organization’s business continuity program without being overwhelmed by the process?
Apply the following ideas and bring contingency planning programs into the 21st century while empowering your team to impact the risk outlook in a meaningful manner.
Business Continuity Planning at 30,000 Feet
First, pause. Take a deep breath and pause. Spend some time to take a thirty-thousand-foot view of the current state of your business continuity plan and overall program. Ask a few questions: What is good about it? What isn’t working? What needs to change? Keep this process simple by drawing a T on a sheet of paper and putting “like” in one column and “dislike” in the other. Don’t worry about resolving the items in the dislike column for now. Just list them out. For instance, the plan may have a lot of positives, but the team finds making updates cumbersome and inefficient. So, place “plan information” in the ‘like’ column and “plan maintenance process” in the ‘dislike’ column.
After you’ve completed the list of likes and dislikes, review it by starting with the column of things you like about your business continuity planning efforts. These are the things that are going well. Be proud of this! It’s easy to focus only on what is wrong rather than appreciating the things done well.
Now, look at the items in the dislike column. While there are likely numerous items listed, in most cases they can be classified into one or both of the following:
Doesn’t have buy-in. Nearly every plan has some lack of buy-in. Although continuity planning is a regulatory requirement in the financial services industry, it doesn’t always receive the attention from executive management and department personnel that it deserves. It is not unusual for business continuity planning to get buried under a plethora of high-priority strategic initiatives. In addition, department personnel are stretched thin, unable to spend the time to review and update business continuity plans. Often it is a combination of the two.
No automation. Again, not unusual. For instance, plans may be stored in Word and Excel documents along with all documentation related to tests and actual incidents. It’s very hard to maintain and distribute information and keep it all organized in one location. In addition, keeping current versions of the plan in the hands of everyone who needs them can be just as challenging. The simple act of contacting people and documenting their responses is a daunting task.
So how do we address each? Let’s start with buy-in since it’s most important.
Getting Buy-in for the Business Continuity Plan
First, provide the executive leadership with the risk of loss if plans are not kept current or recovery strategies are not in place. The business impact analysis (BIA) should reveal real data as it relates to loss of operations. Second, consider leveraging external or internal auditors. Ask them to reference areas that need improvement, so management realizes they must act to resolve a finding. In extreme cases, asking the regulatory examiner is not out of the question. As a last resort, a tactful reminder to the executive member about their responsibility to safeguard the financial institution, as required by regulatory oversight, may be required. Usually it won’t get to this point, as executives and the Board of Directors are aware of their responsibilities.
There are numerous software applications now available to help you organize and manage your business continuity program. The challenge is how to choose. Here are a few items you’ll want to consider as you select solutions.
Ease of use is absolutely vital. Remember the concern about department personnel participation? If the application is extremely hard to use and understand, there is no way the necessary team members will want to use software to update their business continuity plans. When evaluating solutions, prioritizing ease of use will go a long way towards maximizing adoption rates among staff.
Covers all the bases. Make sure the application can maintain business impact analyses, risk assessments, the BCP plan AND testing information. Each of these is a requirement under the FFIEC. Best-of-breed applications will not only include business impact analysis but will also incorporate this information into your plan documents, saving you a great deal of time. Automated documentation of test results will be a huge time saver as well.
Integration opportunities. Vendor and risk management have exploded as responsibilities for financial institutions, so utilize software applications that support these requirements. Since business continuity planning requires risk assessments and typically references critical vendors, it makes sense to have a solution that integrates continuity planning with vendor and risk management software.
To conclude, taking a step back to review the current business continuity program is always a good idea. Doing so will most likely reveal opportunities to make improvements on a regular basis, bringing your business continuity plan into the 21st century and keeping it there.
We’ve opened up our business continuity planning content library at no cost to you. Below you’ll discover 4+ hours of video, plus whitepapers and checklists, all speaking to various aspects of business continuity. At Ncontracts, we know business continuity can easily get moved to the bottom of the priority list, but we hope you’ll find some nuggets within these resources that make planning, testing and executing your BCP plan easier and equip you with the knowledge you need.
There is no specific regulation addressing business continuity planning (BCP) or disaster recovery planning (DRP). It is the responsibility of the financial institutions (FI) to have a plan for disasters based on the guidance provided from various agencies.
A review of guidance published across the various regulatory entities finds that all bodies refer to the FFIEC IT Handbook and the section addressing business continuity (“Business Continuity Planning” booklet). All published guidance at some point also refers to the basic elements of a BCP/DRP to include:
- Business Impact Analysis
- Risk Assessment
- Risk Management
- Risk Monitoring and Testing
We have linked to the relevant guidance.
OCC BCP Guidance
OCC BULLETIN 2015-9 – Description: Strengthening the Resilience of Outsourced Technology Services, New Appendix for Business Continuity Planning Booklet
OCC BULLETIN 2012-28 – Description: Supervisory Guidance on Natural Disasters and Other Emergency Conditions
This OCC published guidance replaced and rescinded all previous guidance (2008 and prior) on the topic of responding to natural disasters.
NCUA BCP Guidance
LETTER NO.: 09-CU-13 – SUBJ: Hurricane Preparedness and Pandemic Planning
Published in 2009, this Letter to Credit Unions from the NCUA instructed Credit Unions to update their Business Continuity and Disaster Recovery Plans to include content related to Hurricanes and the Pandemic Flu.
LETTER NO.: 01-CU-21 – SUBJ: Disaster Recovery and Business Resumption Contingency Plans
Published in 2001, this letter from the NCUA outlined the elements of a BCP/DRP.
LETTER NO.: 08-CU-07 – SUBJ: FFIEC Release of Updated Business Continuity Planning Examination Handbook
Published in 2008, this letter from the NCUA announced an update to help examiners, credit unions, and technology service providers identify business continuity risks, evaluate controls, and implement risk management practices for effective business continuity planning. NOTE: The guidance is an update to the original “Business Continuity Planning Booklet,” which was issued in March 2003.
Letter to Corporate Credit Unions
2004-05 – SUBJ: Business Continuity Planning and Business Critical Processes
Published in 2009, this letter from the OCCU (Office of Corporate Credit Unions) provided an explanation of the basic elements of a BCP/DRP.
FDIC BCP Guidance
FIL-9-2015 – Business Continuity Planning Booklet Appendix J Update to FFIEC IT Examination Handbook Series
Published in 2015, this letter provided notice to all FDIC-regulated entities about the FFIEC-issued appendix to the BCP booklet of the FFIEC handbook. The appendix was entitled “Strengthening the Resilience of Outsourced Technology Services.”
The Federal Financial Institutions Examination Council (FFIEC) has issued an appendix to the Business Continuity Planning (BCP) booklet of the FFIEC Information Technology Examination Handbook entitled “Strengthening the Resilience of Outsourced Technology Services.” The booklet is part of the IT Examination Handbook series and provides guidance to assist examiners in evaluating the risk management processes of financial institutions and service providers to ensure the availability of critical financial services.
FIL-40-2003 – SUBJ: New Guidance for Examiners and Financial Institutions on Business Continuity Planning and Supervision of Technology Service Providers
On May 20, 2003, the Federal Financial Institutions Examination Council (FFIEC) issued revised guidance for examiners and financial institutions to use in evaluating risk-management processes to ensure the availability of critical financial services. This guidance – The Business Continuity Planning Booklet – is the second in a series of updates to the 1996 FFIEC Information Systems Examination Handbook.
The FDIC published a work program questionnaire addressing the various examination questions an FDIC Examiner may use when addressing Business Continuity and Disaster Recovery.