Best practices for Business Continuity

This blog was authored by my colleague Sundeep Bablani, IT and Cybersecurity Manager, Financial Institutions.

Depending on the organization, business continuity is often treated as a checklist task rather than as part of a strategic initiative. Business Continuity Planning (BCP) requires a collaborative effort across the entire organization, and therefore the attention of key executives from every division, to develop.

Planning begins with a Business Impact Analysis (BIA). The BIA requires each business unit to identify the critical systems and functions that would need to be prioritized in a disaster. The business units then develop the processes, procedures and staffing needed to continue operating while the Information Technology (IT) department restores those critical systems. The result gives IT a road map for committing the technology resources, staffing and critical vendor support required to ensure the institution is adequately prepared.

The first priority in developing a good BIA is to identify the critical functions and the resources needed to perform them. This includes applications as well as internally developed checklists, manuals, policies, internet connections, spreadsheets, backup personnel, workstations, printers, space assignments and, where applicable, third-party dependencies. After the resources are identified, the next step is to set the Recovery Point Objective (RPO) and Recovery Time Objective (RTO) for each. The RPO is the maximum amount of data loss, expressed as a span of time, that the institution is willing to accept in a disaster: if the RPO is one hour, a restorable copy of the data must exist from no more than one hour before the disruption, which is what drives the frequency of the institution's backups. The RTO is the maximum time the business units can wait for critical systems to be restored and fully functional before the business is negatively impacted. The greater the RTO, the more time the technology team has to recover the applications; the business units, meanwhile, are challenged to find alternate ways to provide services or to develop manual processes for daily operations. A system's achievable RTO also includes the time to restore everything it depends on, so the RTO of a customer-facing application cannot realistically be shorter than that of the databases and infrastructure beneath it.
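As an added illustration (not part of the original post, and not CLA's or the author's code), the script below turns a small BIA worksheet into two checks that practitioners usually want to run on the numbers: whether the backup cadence can actually meet each system's RPO, and whether each system's RTO is achievable once the restore times of its dependencies are counted. The worksheet schema, the system names and every duration are constructed assumptions chosen to show one failure of each kind.

```python
"""BIA worksheet checks for RPO and RTO (constructed example, not from the original post)."""
from dataclasses import dataclass, field
from datetime import timedelta
from typing import Dict, List


@dataclass
class BiaEntry:
    """One row of a Business Impact Analysis worksheet (hypothetical schema)."""
    name: str
    rpo: timedelta              # maximum tolerable data loss, as a span of time
    rto: timedelta              # maximum tolerable time until the function is restored
    backup_interval: timedelta  # how often a restorable copy is actually taken
    restore_time: timedelta     # hands-on time to restore this system once its dependencies are up
    depends_on: List[str] = field(default_factory=list)


# Constructed sample worksheet; names and durations are illustrative only.
WORKSHEET: Dict[str, BiaEntry] = {e.name: e for e in [
    BiaEntry("storage-array", rpo=timedelta(hours=1), rto=timedelta(hours=4),
             backup_interval=timedelta(minutes=15), restore_time=timedelta(hours=2)),
    BiaEntry("active-directory", rpo=timedelta(hours=4), rto=timedelta(hours=2),
             backup_interval=timedelta(hours=1), restore_time=timedelta(hours=1)),
    BiaEntry("core-db", rpo=timedelta(hours=1), rto=timedelta(hours=6),
             backup_interval=timedelta(hours=24), restore_time=timedelta(hours=3),
             depends_on=["storage-array", "active-directory"]),
    BiaEntry("core-banking", rpo=timedelta(hours=1), rto=timedelta(hours=8),
             backup_interval=timedelta(minutes=30), restore_time=timedelta(hours=1),
             depends_on=["core-db"]),
    BiaEntry("online-banking", rpo=timedelta(hours=1), rto=timedelta(hours=4),
             backup_interval=timedelta(minutes=30), restore_time=timedelta(minutes=30),
             depends_on=["core-banking"]),
]}


def rpo_violations(sheet: Dict[str, BiaEntry]) -> List[str]:
    """Systems whose backup cadence cannot meet the stated RPO.

    The worst case loses everything written since the last copy, so the gap
    between copies must not exceed the RPO.
    """
    return sorted(n for n, e in sheet.items() if e.backup_interval > e.rpo)


def projected_rto(sheet: Dict[str, BiaEntry], name: str, _stack=()) -> timedelta:
    """Earliest possible restore time for `name`, counting its dependency chain.

    Assumes independent dependencies are restored in parallel, so the cost is
    the longest dependency path plus this system's own restore time.
    Raises ValueError if the worksheet contains a dependency cycle.
    """
    if name in _stack:
        raise ValueError(f"dependency cycle through {name}")
    entry = sheet[name]
    deps = [projected_rto(sheet, d, _stack + (name,)) for d in entry.depends_on]
    return entry.restore_time + (max(deps) if deps else timedelta(0))


def rto_violations(sheet: Dict[str, BiaEntry]) -> List[str]:
    """Systems whose realistic restore time, dependencies included, exceeds their RTO."""
    return sorted(n for n in sheet if projected_rto(sheet, n) > sheet[n].rto)


if __name__ == "__main__":
    for n in WORKSHEET:
        print(f"{n:18s} projected RTO {projected_rto(WORKSHEET, n)}  stated RTO {WORKSHEET[n].rto}")
    print("RPO not met by backup schedule:", rpo_violations(WORKSHEET))
    print("RTO not achievable given dependencies:", rto_violations(WORKSHEET))
```

In the sample data, core-db is backed up daily against a one-hour RPO, and online-banking has a four-hour RTO even though the chain beneath it (storage, then the database, then core banking) takes six hours to bring back before its own half-hour restore starts. Both are the kind of gap a BIA review is meant to surface before a disaster does; the dependency check is also why the business units' manual workarounds matter for the systems at the top of the chain.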

A comprehensive BCP requires a well thought out communication strategy for all levels within the institution. The development of a call tree is another critical component of a successful plan. This would not only include employees but also critical vendors and regulators. Furthermore, a communication plan would also need to be developed for customers or members. This can be performed in a multitude of ways including using existing resources such as websites, mass text messages, social media etc. Roles and responsibilities have to be outlined within the plan to identify who would be performing these various functions.

Overall, a BCP is only as good as the time and effort put into identifying threats and testing the plan. The challenge is to determine which threats are truly realistic. Financial institutions are subject to regulatory requirements that provide guidance on significant threats and cybersecurity considerations. However, the threat environment has continued to change over the last few years, and so has the need to enhance the BCP on a regular basis. It is therefore essential to train all personnel through live and tabletop exercises, test the plan against a variety of scenarios, and use the lessons learned to further tailor the plan to the institution's environment.

CLA has assisted financial institutions not only with developing a plan but also with reviewing their existing plan and providing value-added guidance on best practices based on our industry experience and knowledge of regulatory requirements. See here for additional information.


Brittany has more than twelve years of experience specializing in audit and accounting services for financial institutions. In addition to planning, managing and performing financial statement audits for institutions ranging from $10 million to $50 billion in total assets, she has performed engagements designed to test the adequacy of loan documentation and reserves and adherence to internal control policies, as well as outsourced internal audit and consulting engagements for various compliance requirements.
