If disaster struck your community right now, would your institution be ready? While no one wants to see the circumstances that would cause an institution to have to activate its business continuity and disaster recovery plan, the last time you would want to find out that yours is inadequate or hopelessly outdated is in an actual emergency.
For larger disasters, a financial institution’s ability to withstand the calamity and recover its ability to conduct operations quickly can be crucial to the larger community’s efforts to get back on its feet and to ensure continued confidence in the banking system. But just having a disaster recovery plan on the shelf isn’t enough.
In a recent episode of Risk Watch, we reviewed three key characteristics we’ve observed of a strong business continuity and disaster recovery program. They were: 1) testing, 2) customization, and 3) formalized system of notification. We’d like to analyze that first characteristic—testing—a little deeper.
BUSINESS IMPACT ANALYSIS
Testing begins with a business impact analysis. This kind of analysis focuses on how disasters would affect your departments, overall business operations, membership or customer base, reputation, revenue, and so forth. It is important to know the unique circumstances that determine how much a disaster would affect your institution.
The main goal of the business impact analysis is to determine the basic recovery requirements of critical department activities. Critical activities may be defined as primary business functions that must continue in order to support various departments within your organization.
For the BIA, you will need to identify:
- Critical business activities that occur in your department.
- What the impact to your department would be in the event of a disruption of each activity.
- How long your department could survive without performing this activity.
For that last one, you’d assign a recovery time objective (RTO) to each function. The RTO is the time from when a crisis/disaster is declared to the time by which the critical business function must be fully operational in order to avoid serious financial loss or other meaningful risks.
After preparing the BIA, it is vital to periodically subject your business continuity plan to tabletop testing, where key members of each department come together and talk through potential disaster scenarios and how the institution would respond. This process of “role playing” through a disaster allows your financial institution to see how well your personnel, systems, and variables perform on a hypothetical level so that any needed changes can be made well before any actual disasters strike. This testing should accomplish four goals:
- Determine the feasibility of contingency plans and procedures.
- Identify areas in the plan that may require modification.
- Provide training opportunities for BCP committee team members and financial institution employees.
- Evaluate the impact of the disaster on critical functions identified in the business impact analysis (BIA) and whether there is a “domino” effect related to those functions. You may find that departments depend on one another to complete crucial functions; these dependencies are frequently identified during tabletop exercises when incorporating the BIA.
During your tabletop testing, you would want to include scenarios that are likely to happen in your area. You may also wish to use one or more different scenarios over the course of several tests to help ensure that your BCP is well-rounded and appropriate for many kinds of potential disasters. It’s important to include natural disasters—earthquakes, hurricanes, floods, fires, etc.—as well as man-made disasters, like riots, viruses, and data breaches.
Because tabletop exercises and business impact analyses involve so many departments, many institutions ask for third-party assistance in orchestrating the effort leading up to it, conducting the exercise itself (including the selection of scenarios), and preparing the summary report and accompanying recommendations.
By thoroughly analyzing the impact of disasters on your institution and thoroughly testing your disaster recovery/business continuity plan, you’ll be well on your way to being ready when disaster strikes.
For more information on AffirmX’s business continuity and disaster recovery plan services, including its tabletop exercises assistance, please visit AffirmX.com/disaster.