Business Continuity Planning: Beyond Compliance



Similar documents
Why Crisis Response and Business Continuity Plans Fail

Why Should Companies Take a Closer Look at Business Continuity Planning?

Business Continuity Planning Instructions

Building a strong business continuity plan

Disaster Recovery and Business Continuity What Every Executive Needs to Know

External Supplier Control Requirements BCM

Best Practices in Disaster Recovery Planning and Testing

Business Continuity Planning (800)

Pandemic Planning. Presented by: Ron Wagner, IT Examiner with FDIC & Dana Lavey, Supervision Analyst with NCUA

QUICK FACTS. Replicating Canada-based Database Support at a New Facility in the U.S. TEKSYSTEMS GLOBAL SERVICES CUSTOMER SUCCESS STORIES

Business Continuity Planning and Disaster Recovery Planning

Meeting FFIEC Requirements: Enterprise-Wide Testing of Your. Business Continuity Plan

Business Continuity Management Software

FIREWALL CLEANUP WHITE PAPER

Three Attributes of Every Successful Merchant Services Program

Federal Financial Institutions Examination Council FFIEC. Business Continuity Planning BCP MARCH 2003 MARCH 2008 IT EXAMINATION

EMA Service Catalog Assessment Service

Top 10 Disaster Recovery Pitfalls

WHATEVER IT TAKES. Success Story Implementing a New EMR at Port Huron Hospital in Only 12 Months!

2015 CEO & Board University Taking Your Business Continuity Plan To The Next Level. Tracy L. Hall, MBCP

FREE REPORT: Answers To The Top 5 Questions Business Owners Have About Cloud Computing

Taming Big Data in the Credit Union

Disaster Preparedness & Response

Desktop Scenario Self Assessment Exercise Page 1

Is Recruitment Process Outsourcing Right for Your Organization?

Assessment of natural hazards, man made hazards, technical and societal related risks and associated impact.

Keys to Narrowing Business Continuity Planning Gaps: Training, Testing & Audits

The 9 Ugliest Mistakes Made with Data Backup and How to Avoid Them

GUIDEBOOK MAXIMIZING SUCCESS DELIVERING MICROSOFT DYNAMICS

a guide to the cloud Understanding the cloud and recreation management understanding the cloud and recreation management a guide to the cloud 683_14

The Eight Dimensions of Customer Experience for Financial Services

Effective Enterprise Performance Management

WHY BUSINESS CONTINUITY PLANS FAIL

BUSINESS CONTINUITY PLANNING

Business Continuity and Disaster Recovery Planning

PAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA

D2-02_01 Disaster Recovery in the modern EPU

Business Continuity Planning Principles and Best Practices Tom Hinkel and Zach Duke

Disaster Recovery Policy

Best Practices for Developing a Strong Talent Pipeline

Federal Financial Institutions Examination Council FFIEC BCP. Business Continuity Planning MARCH 2003 IT EXAMINATION H ANDBOOK

Disaster Recovery. Continuity in an Uncertain World

THE BUSINESS CASE FOR BUSINESS CONTINUITY MANAGEMENT SOFTWARE

WHAT ARE THE BENEFITS OF OUTSOURCING NETWORK SECURITY?

DESIGNING A BUSINESS CONTINUITY TRAINING PROGRAM TO MAXIMIZE VALUE & MINIMIZE COST

Business Continuity Training and Testing: Narrowing the Gaps

Onboarding training program provides quantified results that add to recruiting firm s bottom line.

15 Principles of Project Management Success

ERP Software and Your Business

Federal Financial Institutions Examination Council FFIEC BCP. Business Continuity Planning FEBRUARY 2015 IT EXAMINATION H ANDBOOK

Building a Disaster Recovery Program By: Stieven Weidner, Senior Manager

Disaster Recovery Strategies

True Stories of Customer Service ROI: The real-world benefits of Zendesk

Overview of how to test a. Business Continuity Plan

Automated Efficiency For Every Fast Moving Business

Is the Cloud Right for Your Business? 5 Reasons to Conquer the Cloud

Brokering. through. the. Bust. By Chris Ryan. 24 January/February

Case Study. SNW Asset Management. (866)

Managing business risk

South West Lincolnshire NHS Clinical Commissioning Group Business Continuity Policy

BUSINESS CONTINUITY PLANNING GUIDELINES

EMERGENCY PREPAREDNESS PLAN Business Continuity Plan

Interagency Statement on Pandemic Planning

TO AN EFFECTIVE BUSINESS CONTINUITY PLAN

Business Resiliency Business Continuity Management - January 14, 2014

Could a Managed Services Agreement Save Your Company Tens of Thousands of Dollars Each Year?

Don Stewart, MBCP, MBCI, CCP

Disaster Recovery Planning

Process Intelligence: An Exciting New Frontier for Business Intelligence

Business Continuity Plan

Business Continuity (Policy & Procedure)

PAPER-6 PART-3 OF 5 CA A.RAFEQ, FCA

Building and Maintaining a Business Continuity Program

Managed Service Providers for Mid-Sized Companies:

MHA Consulting. Business Continuity Management 101

Transcription:

Business Continuity Planning: January 3, 2011 8985 Balboa Ave. San Diego, CA 92123-1507 (888) SYMITAR 2011 Jack Henry & Associates, Inc. All Rights reserved

Spurred by new regulations, credit unions have sharpened their focus on business continuity planning and have discovered benefits that reach far beyond satisfying the examiners. Dwight D. Eisenhower said, I have always found that plans are useless, but planning is indispensable. Although he was referring to battle, not business, Eisenhower s observation applies perfectly to business continuity planning (BCP). The traditional approach to BCP has focused on the creation of a plan rather than on the knowledge and experience gained from the planning process. The results of this narrow focus are, in Eisenhower s words, useless: documents that are hidden away in dusty ring binders or forgotten in network file folders. We had a continuity plan for some time, but it sat on the shelf. It hadn t been updated, and it wasn t comprehensive, says Brandon Edwards, Physical Security and Safety Manager at Florida-based Grow Financial Credit Union. We realized we needed to put a process in place that delivered information that was current, easy to access, and valuable to our organizational needs on an ongoing basis, not just when we might need it to recover from a disaster. That realization led to the credit union s decision to partner with a BCP expert to revitalize its planning process. In doing so, Grow Financial and other credit unions highlighted in this paper have obtained benefits from BCP that extend far beyond compliance. Ultimately, they have discovered that true continuity planning is indispensable to operate most effectively in the modern financial marketplace. Elevating the Importance of BCP Without a continuity plan in place, a credit union has no predetermined strategy for identifying essential and critical processes and determining how to restore them, how to prioritize post-disaster efforts, or even how to set the media message around service outages. Continuity planning is not a theoretical exercise. In a cross-industry survey of companies with at least $10 million in revenue, 29 percent of respondents reported having invoked their BCP. 1 When the NCUA updated its guidselines for BCP in 2008, it further elevated the importance of the issue to credit unions nationwide. 2 However, forward-looking credit unions view compliance with FFIEC regulations as merely a starting point to effective continuity planning. Our previous continuity plan met the NCUA requirements, but we didn t feel that just meeting regulations was enough. We wanted a plan and planning process that would effectively guide us through disruptions, provide testing opportunities, and be proactive, says Cathy Smoyer, Chief Risk Officer at Mountain America Credit Union in Salt Lake City. That led Mountain America to revamp its planning process and choose Centurion as its new BCP consulting partner. Today s environment has made BCP more important than ever. The potential consequences of not having a planning process in place are too great for credit unions to risk. 1 2010 AT&T Business Continuity Study: U.S. National Results, October 2010. 2 2 NCUA Letter to Credit Unions on the FFIEC Release of Updated Business Continuity Planning Business Continuity Planning: Examination Handbook, April 2008.

Members expect always-available, real-time service. A few years ago, several hours of downtime might have been acceptable; however, that window has considerably shortened today. With the push to putting more real-time capabilities at members fingertips, maintaining system and service availability and restoring disrupted services quickly are essential. Financial institution failures have heightened members concerns over any disruption. Minor interruptions that might have been tolerated in the past are now seen as a sign that an institution is in trouble. Something as innocuous as a closed drive through or an out-of-service ATM in today s economy could cause members to fear that their credit union has failed or been taken over. Downtime can damage a credit union s reputation in the community. When we did an enterprise risk management assessment, we identified business disruption as a risk that was similar to a privacy breach in terms of damage to our reputation, said Chris Jacobs, Director of Compliance at San Antonio Federal Credit Union. That led us to recognize that our continuity and contingency planning process wasn t as robust as we needed it to be. The need for proactive crisis communication is essential in a 24/7, social networking world. Post-disruption crisis communication is a key component of BCP. Determining who is responsible for delivering the message and the parameters around how communications are framed is important to minimize the risk of public relations disasters and to keep the public confidence level as high as possible. Regulatory pressure has increased. Any grace period for the 2008-issued BCP requirements is over. Examiners today are looking for enhanced business impact analyses, better testing, and detailed multiyear planning. Regulations specify that credit unions need to consider not just physical disasters and facilities-related disruptions, but events that impact staffing levels, such as pandemics, and have plans in place to deal with those crises. 3 Additionally, in today s climate, failure to have BCP in place in the presence of other financial problems may be a factor considered in a regulatory takeover. BCP Benefits A proactive, ongoing BCP process addresses each of these areas of risk and delivers benefits that extend throughout a credit union s entire operations. Process improvement. The business impact analysis component of BCP should be a detailed review of each business process and employee job, breaking those down into a detailed list of sub-processes and dependencies. This analysis can identify cross-training opportunities, redundancies, and operational inefficiencies. There are definitely benefits to not just having a plan, but going through the planning process, says Edwards. The impact analysis gets to the heart of your operations. For organizations interested in continuous improvement, it s the chance to document your processes, including what you do, with whom, and why, and then find ways to make them better. 3 FFIEC, Interagency Statement on Pandemic Planning, 2008. 3 Business Continuity Planning:

When we revamped our continuity planning process, we found that many operational areas didn t have their processes defined or documented. They didn t know what functions were priorities to restart in the event of a disaster. It really made people throughout our departments stop and think, says Jacobs. Ultimately, we created a plan that s easy to find, follow, and test, which lets us see where we have gaps that need to be addressed. Documentation of clearly defined roles, responsibilities and process ownership. Through the planning process, credit union employees better understand not just the how, but the why of their roles and responsibilities. Each department knows what it needs to do in the event of a disaster and each individual in that department shares that knowledge. Staff in each department also takes ownership of their portion of the continuity plan, which makes ongoing maintenance and testing a team exercise. People may know the set of tasks that they perform, but they may not always be aware of their interdependencies how they connect to other departments, who they rely on, and who relies on them. Therefore, the continuity planning process helps remove people from their silo, Edwards says. Centralization of information. Effective BCP is supported by a software solution that provides distributed access to centralized information related to essential technology, vendors, and business processes. The level of process detail that can be easily captured and updated in BCP software makes the solution a valuable resource to use in training and employee on-boarding. Additionally, part of the reason traditional continuity plans sit gathering dust in binders is that they are quickly outdated, yet difficult to change. Centralized BCP software ensures that any changes to the plan are easily propagated throughout the system without requiring multiple hard copies to be manually updated. In revamping our plan, we liked the idea that by having unlimited user access to the platform, one person wouldn t have to handle all the updates. Instead, we could get many administrators trained, have multi-user access to the system, and give authority and responsibility for business continuity to each unit within the organization, Jacobs says. Apple Federal Credit Union in Fairfax, Virginia, worked with Centurion to put a BCP process in place to respond to NCUA recommendations, but soon discovered the far-reaching benefits of electronic, centralized plan information. If there is a disaster and we need to implement our plan, it s accessible. We have it backed up on different drives for redundancy. We have fobs that can be carried by key individuals, rather than having to worry about hauling a 50-pound manual with them. It s completely electronic, and changes made in one place update every place that plan is maintained so everyone is on the same page, says John Harwell, Apple FCU s Associate Vice President of Risk Management. We re also able to keep all our vendor information up to date with the Centurion tool, Harwell says. By maintaining vendor names, contact information, and a description of services provided, contracts, and service level agreements, this information is readily available in a disaster and can make a significant difference to the speed of recovery. 4 Business Continuity Planning:

A platform for continuous updating of information. A shift in focus from static to dynamic planning is a key differentiator between traditional continuity plans and an ongoing BCP process. In the contract with Centurion, we have a six-phase approach to keep our plan up to date. Every year the cycle starts over in phase one, which ensures we don t miss anything over time and also provides annual opportunities for process improvement, said Harwell. What we continue to learn is that we don t know what we don t know, Smoyer says. Every time we go through the planning process, and every time we test the plan, we learn more about different gaps we hadn t recognized before. Improved pre- and post-disaster communication. It takes years to build a reputation, but just one comment to ruin it. Creating, testing, and practicing a communications procedure as part of BCP is essential in today s era of instant media scrutiny. Through the planning process, we found a lot of communication gaps that we were able to address, Smoyer says. Sometimes what people believed to be the correct process wasn t actually what the process was supposed to be, so we were able to correct that through communication. Additionally, we ve had to respond to a couple of minor disruptions at branches since putting our new plan in place. Having gone through testing in the planning process where everyone knew their responsibilities, we could quickly notify people internally and communicate to members externally and head off any concerns. Choosing a Partner Despite the myriad of advantages gained through BCP, credit unions face a number of challenges in putting a comprehensive and ongoing planning process in place. First, continuity planning is complex; in fact, 57 percent of midsized companies across all industries cited complexity as a barrier to the adoption of a continuity plan. 4 For credit unions, it may not be practical to reassign employees who are busy performing their regular work to a planning team. Additionally, BCP has changed dramatically in a relatively short period of time, requiring knowledge of current regulations and requirements as well as proven best practices in plan implementation. Therefore, it is valuable for credit unions to partner with an expert in continuity planning. We did consider undertaking the process ourselves, but we didn t have the needed expertise on staff to accomplish it or the time to build a program from scratch. It is a daunting task that takes every single person in the organization, Harwell says. Additionally, credit unions may face resistance from staff members who do not fully understand the need for continuity planning. A third party can help overcome these objections. When we started the planning process, people found it difficult to understand why we were doing all these activities in addition to the work we already needed to do. Hiring Centurion was one of the smartest things we did, because without them it wouldn t have gotten done, says Harwell. 3 Marks, Howard, Practical Disaster Recovery For Midsize Companies, InformationWeek, 5 December 20, 2008. Business Continuity Planning:

Credit unions should look for five essential qualities in a BCP planning partner. 1. Specializes in financial institutions. The continuity planning process is markedly different from one industry to another; what works best for health care may not work in financial services. Few consulting firms have a singular focus on financial services, and even fewer understand the unique operating and regulatory environment of credit unions. 2. Provides a credit union-specific BCP template that can be further customized. Cross-industry BCP consultants offer generic plan templates; however, some information collected in the planning process for a manufacturing firm may have no relevance to a credit union. Additionally, NCUA s 2008 guidelines for BCP put more pressure on financial institutions to customize their plans based on their unique needs, with expanded requirements for business impact analysis, risk assessment and plan testing. We chose Centurion because they spoke the same language as we did, Edwards said. They had a template that was well-structured, that was completely relevant to us, and that our employees could easily relate to. 3. Offers an easy-to-use software tool. Given the complexity and detail of today s continuity planning, it s almost impossible to manage the process without a software tool. However, that tool must be intuitive or it will not be effective. Additionally, keeping a plan current is essential. An easy-to-learn system makes it more feasible to distribute updating tasks across departments or individual employees. The software Centurion provided is comprehensive, but not overly complex, said Jacobs. We also liked that the plan is web-based, so that if our operations room is disrupted we can still get our disaster recovery plans. 4. Has experience in disaster recovery. Disruptions do happen. Therefore, the partner a credit union chooses for BCP planning should have actual recovery experience. It was important that we partnered with someone who had been there and done that, Harwell says. When Centurion came in and ran disaster scenarios, they could show us exactly how confusing it could be to have a disaster as well as just what we d need to do to get back up and running, says Smoyer. That really helped everyone here understand the benefits of BCP. 5. Provides ongoing support. Because BCP is an ongoing process, a consultant s service shouldn t end after the initial plan is created. From implementation testing, to training, to ongoing plan refinement, the BCP provider should continue to support the credit union s continuity planning objectives. The provider should also stay abreast of regulatory changes to ensure that plans are updated to reflect them. 6 Business Continuity Planning:

Moving Forward Whether driven by regulatory necessity or by the desire for deeper operational improvement, credit unions are increasing their emphasis on business continuity planning. Credit unions have to understand that continuity needs to be part of their culture, Edwards says. It needs to be championed from the executive level and built into what people do as part of their daily work, and people need to understand the benefits to the entire organization. Making BCP an indispensable part of your operations not just an exercise that creates a static plan requires an active and ongoing planning process, the buy-in of staff across all levels, and the support of an experienced planning partner. To implement continuity planning throughout the credit union and make it part of your culture takes time, Smoyer says. Eventually, when everyone can see the ability to recover quickly from small disruptions, they can see the benefit. And when they see what happens to other financial institutions that aren t prepared, they can really recognize the importance of continuity planning. Centurion Disaster Recovery, a business unit of Jack Henry & Associates Inc., provides business continuity services to Symitar and non-symitar credit unions alike. 7 Business Continuity Planning:

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information