2015 CEO & Board University Taking Your Business Continuity Plan To The Next Level. Tracy L. Hall, MBCP
2015 CEO & Board University
Taking Your Business Continuity Plan To The Next Level
Tracy L. Hall, MBCP
Member of PKF North America, an association of legally independent firms
2015 Wolf & Company, P.C.

Meet Our Presenter
Tracy Hall, MBCP
IT Assurance Manager, Wolf & Company, P.C.
Direct: 413-726-6884
thall@wolfandco.com

Agenda: Taking your Business Continuity Program to the Next Level
- Statistics and recent disaster events
- FFIEC guidelines / latest updates
- Appendix J: Strengthening the Resilience of Outsourced Technology Services
- Other considerations / lessons learned

Not So Fun Facts
A 2012 survey showed that the top 4 causes of downtime that year were:
- Hardware failure: 55%
- Human error: 22%
- Software failure: 18%
- Natural disasters: 4%

Don't Let The Door Hit You
- 40% of businesses severely compromised by a disaster go out of business within 6 months
- 90% of businesses that are down for 7 days do not reopen

Cost of Not Being Prepared
Of businesses that experience a major loss of data without a plan:
- 51% close within 2 years
- 43% never reopen
- 6% survive long-term

Increased Scrutiny
It is no longer sufficient to point to the "Large Book" on the shelf.

Recent Events
Changes in preparedness and scrutiny by regulators and examiners began after 9/11 and Katrina and continue to increase with each incident:
- Hurricanes Irene and Sandy
- Winter 2011 blizzard
- The East Coast earthquake
- Tornadoes and thunderstorms
- Boston bombing

FFIEC Guidelines: 2008 Revision
- Board and Senior Management Responsibilities
  - Executive overview of the BCP process
  - Board of Directors responsibility
- Business Continuity Planning Process
  - Enterprise-wide approach to planning
- Business Impact Analysis
  - Define critical functions
  - Impact to the business if those functions were interrupted
  - Resources required to support those functions
  - Critical timeframes to recover
- Risk Assessment
  - What threats could possibly impact your operations?
  - Where are your vulnerabilities?
- Risk Management
  - Implementing controls
  - Developing a sound BCP
  - Implementing a reliable recovery strategy
- Risk Monitoring
  - Testing
  - Maintenance
- Other Policies, Standards, and Processes
  - Vendor management
  - Pandemic planning

FFIEC Guidelines: 2015 Update
February 2015: Appendix J: Strengthening the Resilience of Outsourced Technology Services
- Result of increasing dependency on outsourced technology providers for critical systems and infrastructure
- Four specific areas

FFIEC Guidelines: 2015 Update. Third-Party Providers
- More and more processes are outsourced; you must consider vendor response and recovery plans
- Ask for detailed SLAs
- Widespread regional events have identified issues with suppliers
- Contingent business interruption loss: a loss that a business suffers as a result of damage to other property that prevents one of the suppliers from providing goods and/or services to the business, or that prevents the business's customers from accepting goods and/or services from the business

FFIEC Guidelines: 2015 Update. Area One
Third-Party Management addresses a financial institution management's responsibility to control the business continuity risks associated with its TSPs and their subcontractors.

FFIEC Guidelines: 2015 Update. How To Prepare: Third-Party Management
- Validate that third-party resilience considerations are part of your vendor management program, including due diligence, contract negotiations and ongoing monitoring
- Evaluate the use of subcontractors by your TSPs
- Ensure TSPs are reviewing their subcontractors' business continuity plans

FFIEC Guidelines: 2015 Update. Area Two
Third-Party Capacity addresses the potential impact of a significant disruption on a third-party servicer's ability to restore services to multiple clients.

FFIEC Guidelines: 2015 Update. How To Prepare: Third-Party Capacity
- Ensure that your TSPs have adequate planning and testing strategies to support multiple clients in a regional event
- Identify a comprehensive set of alternative resources to provide services in the event your TSPs are unable to recover from a wide-scale disruption

FFIEC Guidelines: 2015 Update. Area Three
Testing with Third-Party Technology Service Providers addresses the importance of validating business continuity plans with TSPs, considerations for a robust third-party testing program, and including third-party providers in the client's testing.

FFIEC Guidelines: 2015 Update. How To Prepare: Testing with Third-Party Technology Service Providers
- Participate in BCP testing with TSPs whenever possible
- If not possible, review TSPs' test results, remediation plans and status reports on their completion
- Identify any gaps following testing
- Draft a plan to ensure all gaps are addressed

FFIEC Guidelines: 2015 Update. Area Four
Cyber Resilience covers aspects of BCP unique to disruptions caused by cyber events.

FFIEC Guidelines: 2015 Update. How To Prepare: Cyber Resilience
- Ensure that cyber threats are addressed in the BCP risk assessment
- Validate that TSPs have an up-to-date incident response plan
- Ensure the plan is periodically tested
- Research and identify third-party forensic investigators that may be required following a cyber incident

Other Considerations / Lessons Learned: Executive Oversight
- FFIEC guidelines require annual sign-off on the BCP by the Board of Directors
  - Ensuring a sufficient plan is in place
  - Allocating responsibility for the plan
- The plan must be reviewed and updated at least annually
- Employee awareness
- Testing
- Supporting any actual recovery effort

Other Considerations / Lessons Learned: Enterprise-Wide Approach to Planning
- BCP is no longer an IT-driven initiative
- FFIEC guidelines call for a business-driven recovery plan

Other Considerations / Lessons Learned: Scenarios
- Examiners are looking for responses to a wider range of possible scenarios
- Considering multiple scenarios while still focusing on the worst case
- How do we avoid the vicious "What If" cycle?
- How do you determine the worst case?

Other Considerations / Lessons Learned: Business Impact Analysis (BIA)
- Is this business driven?
- Identifying MAD, RTOs and RPOs for critical processes and systems
  - Helps determine the recovery strategy
  - Do they coincide?
- Prioritizing processes and resource requirements into more condensed, well-defined RTOs

MAD = Maximum Allowable Downtime
RTO = Recovery Time Objective
RPO = Recovery Point Objective

Other Considerations / Lessons Learned: Recovery Reality
- How realistic is your recovery strategy?
- Have you tested that your recovery strategy supports the business-critical RTOs and RPOs?
- Is your DR site equipped with the appropriate requirements?
- How often is this reviewed? Are changes to the business incorporated?
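The BIA slide asks whether MAD, RTO and RPO "coincide", and the Recovery Reality slide asks whether the tested strategy actually supports them. The following is an added example, not part of the presentation, of how a BCP owner can turn those questions into a repeatable check over an inventory of critical systems. Three consistency rules are applied per system: the RTO the plan commits to must fit inside the MAD the business can tolerate; the worst-case data loss (one backup interval) must not exceed the RPO; and the most recent tested restore must have completed within the RTO, with a never-tested strategy flagged outright. Systems are then ordered for recovery by MAD, then RTO. The system names and all figures are constructed sample values, not data from any real institution.

```python
"""Consistency check of BIA targets (MAD, RTO, RPO) against tested recovery capability.

Added example for illustration; all systems and figures below are constructed.
"""
from dataclasses import dataclass
from datetime import timedelta
from typing import Dict, List, Optional


@dataclass
class CriticalSystem:
    name: str
    mad: timedelta                         # Maximum Allowable Downtime the business can tolerate
    rto: timedelta                         # Recovery Time Objective the plan commits to
    rpo: timedelta                         # Recovery Point Objective: tolerable data loss
    backup_interval: timedelta             # how often a recoverable copy is actually taken
    tested_recovery: Optional[timedelta]   # duration of the last full restore test; None if never run


def evaluate(system: CriticalSystem) -> List[str]:
    """Return findings for one system; an empty list means the targets are mutually
    consistent and the tested recovery supports them."""
    findings: List[str] = []
    # An RTO longer than the MAD means the plan accepts an outage the business cannot.
    if system.rto > system.mad:
        findings.append(f"RTO {system.rto} exceeds MAD {system.mad}")
    # Worst-case data loss is one full backup interval, so it must not exceed the RPO.
    if system.backup_interval > system.rpo:
        findings.append(f"backup interval {system.backup_interval} exceeds RPO {system.rpo}")
    # An untested strategy is an assumption, not a demonstrated capability.
    if system.tested_recovery is None:
        findings.append("recovery strategy has never been tested")
    elif system.tested_recovery > system.rto:
        findings.append(f"tested recovery time {system.tested_recovery} exceeds RTO {system.rto}")
    return findings


def evaluate_all(systems: List[CriticalSystem]) -> Dict[str, List[str]]:
    return {s.name: evaluate(s) for s in systems}


def systems_with_gaps(results: Dict[str, List[str]]) -> List[str]:
    """Names of systems with at least one finding, for the remediation plan."""
    return sorted(name for name, findings in results.items() if findings)


def recovery_order(systems: List[CriticalSystem]) -> List[str]:
    """Recovery sequence: shortest MAD first, ties broken by RTO."""
    return [s.name for s in sorted(systems, key=lambda s: (s.mad, s.rto))]


# Constructed sample inventory (hypothetical systems and values).
SAMPLE_SYSTEMS = [
    CriticalSystem("core banking", mad=timedelta(hours=8), rto=timedelta(hours=4),
                   rpo=timedelta(minutes=15), backup_interval=timedelta(minutes=15),
                   tested_recovery=timedelta(hours=3)),
    CriticalSystem("online banking", mad=timedelta(hours=4), rto=timedelta(hours=8),
                   rpo=timedelta(hours=1), backup_interval=timedelta(hours=24),
                   tested_recovery=timedelta(hours=6)),
    CriticalSystem("wire transfer", mad=timedelta(hours=2), rto=timedelta(hours=1),
                   rpo=timedelta(minutes=5), backup_interval=timedelta(minutes=5),
                   tested_recovery=None),
]

if __name__ == "__main__":
    for name, findings in evaluate_all(SAMPLE_SYSTEMS).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
    print("recovery order:", recovery_order(SAMPLE_SYSTEMS))
```

Run against the sample inventory, "core banking" passes, "online banking" fails twice (its RTO is twice its MAD and it is backed up daily against a one-hour RPO), and "wire transfer" is flagged only because its strategy has never been exercised. Re-running the check whenever the BIA, backup schedule or test results change is one concrete way to keep the plan's targets and the organization's real capability aligned.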

Other Considerations / Lessons Learned: Granularity
- More detailed action plans at the department level, especially focusing on the initial phase of incident response

Other Considerations / Lessons Learned: Communications Plans
- Identify methods of communicating to employees, clients, etc. throughout the incident, not just at the onset
- Develop a procedure for communicating prior to incidents that have warning
- Ensure the plan adequately identifies who is responsible for what, including internal and external communications

Other Considerations / Lessons Learned: Alternate Site Selection
- Geographic diversity
- Accessibility
- Vulnerabilities

Other Considerations / Lessons Learned: Testing
- Requirement for more dynamic testing
- Different types of exercises
- More frequent tests that are smaller in scope can make testing more manageable
- Incorporating the user community

Other Considerations / Lessons Learned: Awareness & Training
- How often are employees made aware of plan details?
- Do employees understand their role in the BCP?

Other Considerations / Lessons Learned: Incorporating BCP into Everyday Business
Considering how changes to the business affect your BCP is essential to ensuring your BCP stays current and sufficient:
- Personnel changes (growth)
- System/application changes; consider redundancy in the budget
- Vendor/provider changes
- Other technology changes
- New and updated policies and procedures
- Audit feedback

Conclusion

Thank You! Questions?
Tracy Hall, MBCP
IT Assurance Manager, Wolf & Company, P.C.
Direct: 413-726-6884
thall@wolfandco.com