Is your financial institution prepared to weather the storms ahead with a business impact analysis (BIA)?
We’ve all heard the phrase, “Hope for the best and prepare for the worst.” For financial institutions, preparing for the worst isn’t just good advice; it’s essential to the safety and security of the organization, its employees, its investments, and its customers.
Conducting a business impact analysis is the first step to preparing for business interruptions and disruptions by identifying how they could impact your financial institution.
A BIA, which is also referred to as a business impact assessment, evaluates and analyzes the potential effects of an interruption in business operations. An interruption can result from an internal or external disaster, accident, or emergency.
Financial institutions must be prepared for business interruptions – everything from power outages and cybersecurity incidents to natural disasters and in-person threats, such as a gunman in the branch location or nearby. A BIA proactively analyzes the risks associated with these internal and external events so that your institution can prepare ahead of time and have the information it needs to respond promptly and thoroughly.
A BIA establishes and analyzes risks that could impact an institution’s operations and functions. It then leverages the information to strengthen the FI’s larger risk management strategy. Some of the ways a BIA can be helpful include:
While BIAs and risk assessments can work together, they serve different purposes.
A risk assessment provides an understanding of threats and opportunities in a specific risk area, such as operational or credit risk, and the controls in place to mitigate their impact. It asks questions such as:
Put simply, risk assessments are tools to help FIs quantify risk and ensure their risk exposure is aligned with strategic objectives and risk tolerances.
Related: Risk Management 101: Risk Assessments for Financial Institutions
While a risk assessment analyzes a specific risk area, a BIA takes the evaluation a step further by measuring the potential outcome and how it would impact business operations and finances. It asks questions like:
Once your institution understands the impact of disruptions, it can define recovery requirements for critical functions, such as Maximum Tolerable Downtime (MTD), Recovery Time Objectives (RTOs), Recovery Point Objectives (RPOs), and impact of loss, guiding the development of business continuity and disaster recovery plans.
Related: Key Resilience and Business Continuity Indicator
While BIAs and disaster recovery (DR) plans are both tools for fostering organizational resilience, they play different roles. A DR plan is a comprehensive roadmap that outlines how a financial institution will regain critical systems which support critical functions and resume normal operations following an unforeseen incident. It answers the questions:
An FI’s disaster recovery plan should address a wide range of potentially adverse events, including security controls and protocols, procedures for restoring backlogged activity or lost transactions, and instructions to access critical information and other resources “when primary systems are unavailable,” according to the Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook. This comprehensive approach ensures that FIs are secure and prepared for any eventuality.
Within a DR plan, the BIA can identify costs linked to failures, such as loss of cash flow, replacement of equipment, salaries paid for employees to catch up on work, loss of profits, and more. Once this is established, the BIA suggests the funding that should be allocated.
A business impact analysis is not a substitute for a disaster recovery (DR) plan. Still, a BIA can serve as a vital starting point for a DR plan. For instance, critical business process owners and leadership should identify essential systems that support critical business processes. Furthermore, critical business process owners and leadership should define recovery requirements such as maximum tolerable downtime (MTD), recovery time objectives (RTOs), recovery point objectives (RPOs), and the resources and materials needed for business continuance. This process is vital for information technology professionals as they develop recovery and resiliency solutions based upon these recovery objectives.
Related: Business Continuity Planning vs. Disaster Recovery: Understanding the Difference
In 2019, the Federal Financial Institutions Examination Council (FFIEC) updated its Business Continuity Management booklet to emphasize the role of business continuity in the risk management lifecycle, not just in post-event recovery operations. The update also emphasized the importance of conducting a BIA.
BCP has a broad scope, looking at the enterprise as a whole and what it must do to maintain resilient operations. The BIA analyzes the critical systems, business functions, and services (and the elements that support them) to determine the potential impact of a business interruption.
The BIA is one of the initial steps in the BCP lifecycle once management aligns the BCM goals.
Related: Business Resiliency: Your Guide to Business Continuity Management
You may be wondering: How does BIA work, and how can I conduct a business impact analysis for my organization?
Below is a business impact analysis sample that outlines what your organization should review when conducting a business impact analysis. Leveraging best practices and guidance from the FFIEC, here are some recommended steps your financial institution can take when conducting a BIA across your organization.
Who are the “go-to” people within your organization? Who knows the critical business process best? Who can be held accountable for making important decisions on the organization’s behalf during recovery efforts? Note these individuals and ensure they are engaged immediately following an incident.
What vendors and services support your organization’s critical business processes? What would be the impact if a vendor suffered a disruption? Make sure you have updated contact information for those vendors and that you know how to reach them during a disruption.
Using a scale is helpful when rating vendor reliance. For example:
First, what makes a function critical? Your organization will need to develop this standard. For instance, many organizations define a critical business process or function as one that cannot be down for more than 24 hours without irreparable harm, or one with a Maximum Tolerable Downtime (MTD) of 24 hours or less. Most departments have 10 to 20 critical business processes. Ask each department to identify and share their critical functions or business processes so that your organization has a priority list established for what needs to be done to keep operating.
From there, you can set the balance of recovery requirement expectations based on how the function supports the organization’s critical processes. Include:
Now define the impact of loss and develop a manual workaround for each critical function or business process.
Questions to consider: What does the function do, and who/what does it support? Why is the function essential to the department/institution? What could the function’s downtime result in? Create a narrative that describes this information so others not familiar with the business process or function may understand.
Next, develop in detail any approved or tested manual workaround. Key word is MANUAL. In this day of cyber-crime, ransomware may render the system supporting the critical business process inoperable for a period of time. So, what can you do manually until the system is restored? Document this manual workaround. For example, the accounting department may have a manual workaround for paying vendors when the accounts payable system is down. If there is no manual workaround, ensure it is clearly stated in the BIA.
Each department should assign a team to handle recovery for its critical business processes. Specify the leader, alternate leader, and team members. The recovery team will need to have decision-making authority for the critical business processes they are responsible for recovering.
Identify staffing needs required to support critical operations during recovery efforts. Provide location information, the average number of staff working in that role, and the minimum number needed on the first day of recovery efforts post-incident. For example, the average number of accounting staff could be three, but one is the minimum required.
If applicable, provide the ramp-up time needed to increase the number of staff from the minimum to the number needed to recover the department’s critical processes.
Provide the resources (software, equipment, etc.) required for each department to perform its critical processes. For instance, the accounting department may need computers, access to software, printers, copiers, telephones, etc.
As you did in the previous section, provide the average number and minimum number of resources needed to operate during the recovery period. Include the ramp-up time if applicable.
List the critical workflows that come into and are sent from your department, such as requests, alerts, reports/data, and transactions.
Name the workflow and provide:
Consider the normal operations across your FI today. If there was an interruption, what time frames would have a higher impact? Some examples include payroll processing periods, tax season, and exam and audit periods.
Rate the potential severity of an outage on a scale. For example, accounting might mark the weeks in late January to mid-April as having a “high” impact because of tax season.
A department might have a backlog of work when an interruption occurs. Backlogs can occur because of high transaction or request volume, a lack of resources, and/or staffing challenges.
Encourage departments across the organization to note any backlogs, how the backlog(s) are handled, and whether there are any regulatory requirements associated with them.
Can any of your department’s critical business processes be performed by an alternate provider, such as another department (bandwidth permitting) or a third-party service provider, during a disruptive event? All workload-shifting strategies should be approved by leadership and reliable, with no additional training required during an event.
Identify critical physical and electronic documents which have the potential for loss during an incident. Examples include mortgages, collateral, auto titles or critical policies, procedures, forms, and reports. Note vital records, the media type, and the storage location.
Among the most important sections in a BIA are regulatory notification requirements, as agencies vary in how quickly they must be notified of incidents. For example, the FDIC, Federal Reserve, and OCC require a banking organization to notify its primary federal regulator of any significant computer security incident as soon as possible and no later than 36 hours after the banking organization determines that a cyber incident has occurred. Credit unions must notify the NCUA within 72 hours if they believe a cyber incident has occurred.
Note which departments are responsible for sending reports/updates to regulatory agencies. Include details like a report description, the recipient agency, reporting frequency, the penalties for reporting failures, and other important info.
If a department cannot perform its critical processes, at what point (hours or days) will it have a high impact on your financial institution?
List the type of interruption, the risk exposure (financial, operational, and regulatory risks, to name a few), the significance of the economic impact on a rating scale, and the corresponding threshold levels. For example, the financial implications for an accounting department’s critical operations would quickly escalate over three days.
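The steps above collect recovery requirements (MTD, RTO, RPO), manual workarounds, vendor reliance, and regulatory notification windows for each critical process. The following is an added example, not code from the original article or from Ncontracts, showing how a small BIA inventory can be checked for consistency and turned into a recovery priority list. The process names, the 1-to-5 vendor reliance scale, and the sample values are constructed for illustration; the 24-hour criticality threshold and the 36-hour and 72-hour notification windows are the ones cited in the text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

CRITICAL_MTD_HOURS = 24  # threshold from the text: MTD of 24 hours or less means "critical"
NOTIFY_HOURS = {"bank": 36, "credit_union": 72}  # FDIC/Fed/OCC and NCUA windows cited above


@dataclass
class Process:
    name: str
    department: str
    mtd_hours: int           # Maximum Tolerable Downtime
    rto_hours: int           # Recovery Time Objective (time to restore the function)
    rpo_hours: int           # Recovery Point Objective (tolerable data loss)
    manual_workaround: bool  # is an approved manual workaround documented?
    vendor_reliance: int     # constructed 1-5 scale, 5 = fully dependent on a vendor


def is_critical(p: Process) -> bool:
    return p.mtd_hours <= CRITICAL_MTD_HOURS


def validate(p: Process) -> list:
    """Return BIA consistency findings for one process (empty list = no issues)."""
    findings = []
    if p.rto_hours > p.mtd_hours:  # a recovery target slower than the tolerable outage is unusable
        findings.append(f"{p.name}: RTO {p.rto_hours}h exceeds MTD {p.mtd_hours}h")
    if is_critical(p) and not p.manual_workaround:
        findings.append(f"{p.name}: critical process with no documented manual workaround")
    if is_critical(p) and p.vendor_reliance >= 4:
        findings.append(f"{p.name}: critical process heavily reliant on a vendor")
    return findings


def recovery_order(processes) -> list:
    """Priority list: critical processes first, then shortest MTD, then shortest RPO."""
    ranked = sorted(processes, key=lambda p: (not is_critical(p), p.mtd_hours, p.rpo_hours))
    return [p.name for p in ranked]


def notification_deadline(determined_at: datetime, charter: str) -> datetime:
    """Latest time to notify the primary regulator after an incident is determined."""
    return determined_at + timedelta(hours=NOTIFY_HOURS[charter])


# Constructed sample inventory, not data from the article.
SAMPLE = [
    Process("Wire transfers", "Operations", 4, 2, 1, True, 3),
    Process("Accounts payable", "Accounting", 72, 48, 24, True, 2),
    Process("Core banking", "IT", 8, 12, 1, False, 5),
    Process("Loan origination", "Lending", 24, 24, 4, True, 4),
]
```

Running `recovery_order(SAMPLE)` and `validate()` over each entry surfaces the core banking system as both first in recovery priority and the entry with an RTO that cannot meet its MTD.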
Did you know? Many of these data points—and more—can be accessed in the Ncontinuity BIA questionnaire.
Conducting a BIA as a start to the development of your business continuity plan and program is a significant task. Thankfully, business continuity management software is available and valuable for helping FIs prepare for interruptions and manage risks across the organization effectively. However, while BCP solutions can be helpful, they can also be overly complicated.
That was the case for Montecito Bank & Trust in Santa Barbara, California. Once it switched from an overly complicated business continuity solution to Ncontinuity, a more flexible, scalable, and secure online banking continuity management solution, the bank benefitted from an automated process for conducting its business impact analysis and from having a playbook for crises that everyone on the team could access. Working with Ncontinuity empowered Montecito Bank to conduct BIAs and build, update, and test its business continuity plans, allowing the bank to measure and document results for assured compliance.
A BIA is essential for keeping your business safe during a disaster. Look into creating one for your company to protect it from risks involving accidents, disasters, emergencies, and more.
Does your FI have the tools to successfully navigate business interruptions? Ncontracts business continuity software, Ncontinuity, can help.