Meeting FFIEC Requirements: Enterprise-Wide Testing of Your Business Continuity Plan
April 25, 2012
Robin Remines, CBCP, AMBCI, Certified Business Continuity Professional

The OGO Difference
- Focus on making business continuity planning an organization-wide initiative and process
- Holistic: people, processes AND technologies
- Financial Impact Analysis (FIA) as well as Business Impact Analysis (BIA)
- Award-winning BCP software platform
- Leader in building private/public partnerships
- Certified professional staff
Plan. Prepare. Protect.

Key Outcomes
- Understand FFIEC requirements regarding the Business Continuity Program / Business Impact Analysis (BIA) and their relationship to testing
- Financial Impact Analysis (FIA)
- Using the results to develop a stronger Business Continuity Program and to provide continuity of service to our members NO MATTER WHAT HAPPENS!
Goal of Business Continuity Plan
- People safety first!
- Minimize financial losses to the institution
  - BIA to identify business processes with the potential for greatest impact (including Risk and Financial Impact Analysis)
- Continue member service with minimal interruption
- Be a community resource (CIKRP)
- Mitigate negative effects of disruption on operations
  - Solutions include redundancy, failover, resiliency, procedural documentation and manual alternative procedures
  - Prioritize implementation of solutions

FFIEC Testing Guidelines
- Roles and responsibilities should be specifically defined
- The BIA and risk assessment should serve as the foundation of the testing program
- Enterprise-wide testing should be conducted at least annually
- Testing should be viewed as a continuously evolving cycle
- Mitigation strategies should sustain the business until permanent operations are reestablished
- The testing program should be reviewed by an independent party
- Test results are compared against the BCP to identify any gaps

We all have a role!
- Business line management: testing of business operations
- IT management: testing recovery of the institution's information technology systems, infrastructure, and telecommunications
- Crisis management: testing the institution's event management processes
- Facilities management: testing the operational readiness of the institution's physical plant and equipment, environmental controls, and physical security
- The 3rd party/audit: responsibility for evaluating the overall quality of the testing program and the test results

Business Impact Analysis
- Assess and prioritize business functions and processes
- Identify the potential impact of business disruptions on the business functions and processes
  - Severity of impact
  - Member impact
  - Member confidence
  - Increased fraud
- Identify legal and regulatory requirements of the business functions and processes
- Estimate RTOs and RPOs

BIA Outcomes
- Establishes a solid foundation for your planning process
- Meets regulatory and audit requirements
- Senior management support
- Top-ranked risk items with plans to protect, assign, accept or eliminate the threat
- Creation of an IT recovery plan that uses the outcome of the BIA to establish a priority for recovery

Risk Assessment
- Evaluate BIA assumptions using various threat scenarios
- Analyze threats based on likelihood and potential impact to the institution, members and the financial market
- Prioritize potential business disruptions based on severity, which is determined by impact on operations and probability of occurrence
- Perform a gap analysis that compares the existing BCP to the policies and procedures to be implemented based on prioritized disruptions and resulting impact

Risk Management (Mitigation)
- Based on a comprehensive BIA and Risk Assessment
- Documented
- Reviewed and approved by the Board and Senior Management annually
- Disseminated to employees
- Properly managed when outsourced to a 3rd party
- Specific regarding what conditions should prompt implementation of the plan and the process for invoking it

Risk Management (cont.)
- Immediate steps that should be taken during a disruption
- Flexible for unanticipated scenarios and changing internal conditions
- Focused on the impact of various threats that could potentially disrupt operations
- Developed based on valid assumptions and interdependencies

Testing/Exercising
- Develop exercise scenarios which incorporate the BIA and Risk Assessment
- Include C-level and department-level staff
- Gain buy-in through role-playing and inclusion
- Consider tabletop vs. walkthrough: http://ithandbook.ffiec.gov/it-booklets/business-continuityplanning/risk-monitoring-and-testing/principles-of-thebusiness-continuity-testing-program/testing-policy.aspx
- Complete at least annual tests of the BCP (more than the annual IT/DR exercise)

Exercise your plan
- Critical processes and locations
  - Is the plan to work from home or from an alternate site?
  - Perform processes from the alternate location
  - What processes are included?
  - How are communications handled?
- Successful exercise?
  - Issues identified and revisions assigned for additional planning
  - Everything was smooth and no opportunities identified

Testing: Creating the Lifecycle
- Senior Management and BOD evaluate the program and test results
- 3rd party assessment of the program and test results
- Revise the BCP and testing program based on operational changes, audit and examination recommendations, and test results
Financial Impact Analysis (FIA)
FIA Tool
- Potential financial impact
- Uses the 5300 Report provided to NCUA
- Coming soon! www.ongoingoperations.com
- Easily customized to fit your credit union's business strategies and operating practices

What does the FIA measure?
- Delinquency Risk
- Daily Transaction Risk
- Fee Income Risk
- Check & ACH Risk
- Daily Loan Risk
- Reputational Risk
Fee Income Risk
Summary: BCP Testing FFIEC Guidelines
- Spend resources (time, people, $$$) on performing an in-depth Business Impact Analysis (BIA) and Risk Assessment
  - Without this, there is no foundation from which to measure your testing
- Create a testing plan/cycle
  - Using various scopes/objectives, create a yearly calendar to test at various levels
  - Enterprise-wide testing should be conducted at least annually
  - DR (IT) tests at least annually
  - Departmental tests annually AND when any significant process change occurs

Summary: BCP Testing FFIEC Guidelines (cont.)
- Mitigation strategies should sustain the business until permanent operations are reestablished
  - You may not always have the right mitigation strategy; document your decision-making process
  - Should consider 3rd party stand-in availability (such as card processing, ATMs, etc.)
- Always have an independent reviewer; look at it as a chance to improve your plan, not grade it
- Update your plan IMMEDIATELY after testing to close gaps identified by the exercise

Robin Remines, CBCP, AMBCI
Certified Business Continuity Professional
rremines@ongoingoperations.com
www.ongoingoperations.com