There’s no shortage of information about business continuity planning (BCP), but having lots of information is different from having the right information.
A BCP is only effective when it’s customized to cover the specific nuances of your institution. That includes everything from strategic goals and your risk environment to business functions and staffing. The bad news is that despite the mountains of information out there, there isn’t any template, white paper, regulatory guidance, or magazine article that’s going to be perfectly tailored to your institution.
That means your institution is going to have to put some work into creating a plan that is relevant, useful, realistically sustainable, and accessible in the event of a disaster. But where to start?
Follow these steps.
Recognize that business continuity planning can’t be limited to a single person
It’s an enterprise-wide activity that will require input from every department. In fact, involving different departments can actually save time and money, and it will result in a stronger plan. It will also cut down on work, as many departments already have existing information inventories that can be leveraged.
You can’t build a plan without knowing its components. That includes people, resources, vendors, and other third parties. It also includes your institution’s various locations, the teams who would carry out the plan, and critical documents for continuity including policies, procedures, desktop guides, and technical manuals. It’s the first opportunity to pull in other departments. Your IT department maintains an updated inventory of hardware and software and your HR department does the same for people. Ask for them.
Define key functions
Every institution has its own hierarchy and approach to dividing up departments and business lines. Start at as high a level as possible to identify high-level functions, which may include mortgage lending, consumer lending, loan servicing, account opening and deposit account servicing. Think about how your institution offers its products and services and how your processes might differ in a live event.
Divvy up responsibility
Identify who is responsible for managing and making decision for those functions on a daily basis. Now go beyond that to think about a disaster. What types of teams make sense to handle oversight in an incident? Maybe a crisis management team, recovery team and/or survey team? Who should be on those teams?
Identify critical functions
Conduct a business impact analysis to identify the most critical functions. It’s not enough to say a function is important. Quantify how long you could go without that function and the impact on your organization. This will help you prioritize recovery efforts and efficiently allocate resources.
The answers to these questions will give you the information you need to draft a BCP that addresses every function of your institution. Make sure you don’t leave anything out with Ncontracts BCP: Where to Begin?
And even though you’ve heard it before, it bears repeating. Even when you’ve finished your plan, you’re never really finished. Regularly practice and test your plan to ensure accountability. And don’t forget to periodically review and update the plan, going through the checklist each time to look for changes.
Now that you know where to start, it is time to get to work!