Last Reviewed: September, 2014
BUSINESS IMPACT ANALYSIS (BIA)
DEFINING THE BUSINESS CONTINUITY STRATEGY
INTERNAL AND EXTERNAL COMPONENTS
Business Continuity Planning Process
The business continuity planning (BCP) process involves the recovery, resumption, and maintenance of the entire business, not just the technology. While the restoration of IT systems and electronic data is important, recovery of these systems and data will not always be sufficient to restore business operations.
Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and operations essential for recovery. This enterprise-wide framework should consider how every critical process, business unit, department, and system will respond to disruptions and which recovery solutions should be implemented. This framework should include a plan for short-term and long-term recovery operations. Without an enterprise-wide BCP that considers all critical elements of the entire business, a credit union may not be able to resume customer service at an acceptable level. Management should also prioritize business objectives and the operations essential for survival of the credit union since the restoration of all business units may not be feasible due to cost, logistics, and other unforeseen circumstances.
Business continuity planning includes the integration of the credit union’s role in financial markets. Credit unions (generally corporate credit unions) that perform clearing and settlement activities for critical financial markets (core firms) and organizations that process a significant share of transactions in critical financial markets (significant firms) are required to follow inter-agency guidelines, designed to ensure the continued functioning of settlement and clearing activities for critical markets. Critical markets include, but may not be limited to, the markets for federal funds; foreign exchange; commercial paper; and government, corporate, and mortgage-backed securities. Based on these guidelines, key financial industry participants are expected to identify activities that support these critical markets, continually maintain their ability to recover and resume critical operations in a timely manner, and routinely use or test recovery and resumption arrangements. Since these organizations participate in one or more critical financial markets and their failure to perform critical activities at the end of a business day could present serious risk to financial systems, their role in financial markets should be addressed as part of the BCP process.
Credit unions that do not directly participate in critical financial markets, but support other critical financial market activities for regional or national financial sectors, are also expected to establish business continuity planning processes commensurate with their importance in the financial industry. Similarly, smaller, less complex credit unions are expected to fulfill their responsibilities by developing a business continuity planning process that incorporates comprehensive recovery guidelines based on the credit union’s size and risk profile.
The business continuity planning process should include regular reviews and updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing. Changes in business processes include technological advancements that allow faster and more efficient processing, thereby reducing acceptable business process recovery periods. In response to competitive and customer demands, many credit unions are moving toward shorter recovery periods and designing technology recovery solutions into business processes. These technological advances underscore the importance of maintaining a current, enterprise-wide BCP.
Additional industry practices that are commonly used to maintain a current BCP include:
- Integrating business continuity planning into every business decision;
- Incorporating BCP maintenance responsibilities in applicable employee job descriptions and personnel evaluations;
- Assigning the responsibility for periodic review of the BCP to a planning coordinator, department, group, or committee; and
- Performing regular audits and annual, or more frequent, tests of the BCP.
While this approach is reflected as four steps, the business continuity planning process actually represents a continuous cycle that should evolve over time based on changes in potential threats, business operations, audit recommendations, and test results. In addition, this process should include each critical business function and the technology that supports it. As such, other policies, standards, and processes should also be integrated into the overall business continuity planning process.
BUSINESS IMPACT ANALYSIS (BIA)
The credit union’s first step in the business continuity process is the development of a BIA. The amount of time and resources needed to complete the BIA will depend on the size and complexity of the credit union. The BIA should include a work flow analysis that involves an assessment and prioritization of those business functions and processes that must be recovered. The work flow analysis should be a dynamic process that identifies the inter-dependencies between critical operations, departments, personnel, and services. The identification of these inter-dependencies, as part of the BIA, should assist management in determining the priority of business functions and processes and the overall effect on recovery timelines.
Once business functions and processes have been assessed and prioritized, the BIA should identify the potential impact of uncontrolled, non-specific events on these business functions and processes. Non-specific events should be identified so that management can concentrate on the impact of various disruptions instead of specific threats that may never affect operations. At the same time, management should never ignore potential risks that are evident in the credit union’s particular area. For example, credit unions may be located in flood-prone areas, near fault lines, or in areas subject to extremely severe weather (e.g., tornadoes or hurricanes).
In addition to identifying the impact of non-specific events on business functions and processes, the BIA should also consider the impact of legal and regulatory requirements. For example, management should assess the impact of compromised customer data, which can result in regulatory concerns and a loss of public confidence. By identifying the potential impact of this issue, management may have a better idea of the business functions and processes that could potentially be affected. Management should consider the regulatory requirement regarding notification to the credit union’s primary federal regulator when facilities are relocated. The BIA should also estimate the maximum allowable downtime for critical business functions and processes and the acceptable level of losses (data, operations, financial, reputation, and market share) associated with this estimated downtime. As part of this analysis, management should decide how long its systems can operate before the loss becomes too great and how much data the credit union can afford to lose and still survive. The results of this step will assist credit union management in establishing Recovery Time Objectives (RTOs), Recovery Point Objectives (RPOs), and recovery of the critical path, which represents those business processes or systems that must receive the highest priority during recovery. These recovery objectives should be considered simultaneously to determine more accurately the total downtime a credit union could suffer due to a disaster. In addition, these recovery objectives require management to determine which essential personnel, technologies, facilities, communications systems, vital records, and data must be recovered and what processing sequence should be followed so that activities that fall directly on the critical path receive the highest priority.
One of the advantages of analyzing allowable downtime and recovery objectives is the potential support it may provide for the funding needs of a specific recovery solution based on the losses identified and the importance of certain business functions and processes.
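The paragraphs above ask for three things that are easy to get wrong when the BIA is kept only as interview notes: a recovery sequence that respects inter-dependencies, the critical path for a given business function, and a check that the RTO assigned to a process is actually achievable given the RTOs of what it depends on. The following is an added worked example, not part of the FFIEC handbook or of any credit union's plan; the process names, RTO/RPO values and dependency links are constructed sample data used only to show the logic.

```python
"""Dependency-aware recovery sequencing from BIA data (added example, constructed data)."""
from dataclasses import dataclass, field


@dataclass
class Process:
    name: str
    rto_hours: float                # maximum allowable downtime (Recovery Time Objective)
    rpo_hours: float                # maximum acceptable data loss window (Recovery Point Objective)
    depends_on: list = field(default_factory=list)  # processes that must be recovered first


def recovery_sequence(processes):
    """Order processes so every dependency is recovered before its dependents.

    Among processes whose dependencies are already recovered, the one with the
    tightest RTO goes first (Kahn's topological sort with an RTO-ordered ready list).
    """
    by_name = {p.name: p for p in processes}
    indegree = {p.name: 0 for p in processes}
    dependents = {p.name: [] for p in processes}
    for p in processes:
        for d in p.depends_on:
            if d not in by_name:
                raise ValueError(f"{p.name} depends on unknown process {d!r}")
            indegree[p.name] += 1
            dependents[d].append(p.name)

    ready = [n for n, deg in indegree.items() if deg == 0]
    order = []
    while ready:
        ready.sort(key=lambda n: (by_name[n].rto_hours, n))
        current = ready.pop(0)
        order.append(current)
        for dep in dependents[current]:
            indegree[dep] -= 1
            if indegree[dep] == 0:
                ready.append(dep)

    if len(order) != len(processes):
        stuck = sorted(n for n, deg in indegree.items() if deg > 0)
        raise ValueError(f"circular dependencies among: {stuck}")
    return order


def critical_path(processes, target):
    """Return the target and everything it transitively depends on, in recovery order.

    This is the set that must receive the highest recovery priority for `target`
    to come back within its RTO.
    """
    by_name = {p.name: p for p in processes}
    needed, stack = set(), [target]
    while stack:
        n = stack.pop()
        if n in needed:
            continue
        needed.add(n)
        stack.extend(by_name[n].depends_on)
    return [n for n in recovery_sequence(processes) if n in needed]


def rto_conflicts(processes):
    """Flag dependencies whose RTO is longer than that of the process relying on them.

    Returns (process, dependency, dependency_rto, process_rto) tuples: the process
    cannot meet its RTO if something it needs is allowed to stay down longer.
    """
    by_name = {p.name: p for p in processes}
    return [
        (p.name, d, by_name[d].rto_hours, p.rto_hours)
        for p in processes
        for d in p.depends_on
        if by_name[d].rto_hours > p.rto_hours
    ]


# Constructed sample BIA inventory (not real data).
SAMPLE_BIA = [
    Process("data_center_power", rto_hours=1, rpo_hours=0),
    Process("network", rto_hours=2, rpo_hours=0, depends_on=["data_center_power"]),
    Process("core_banking", rto_hours=4, rpo_hours=1, depends_on=["network", "data_center_power"]),
    Process("wire_transfers", rto_hours=2, rpo_hours=0.5, depends_on=["core_banking"]),
    Process("atm_network", rto_hours=6, rpo_hours=1, depends_on=["core_banking", "network"]),
    Process("online_banking", rto_hours=8, rpo_hours=1, depends_on=["core_banking", "network"]),
    Process("email", rto_hours=24, rpo_hours=4, depends_on=["network"]),
    Process("marketing_site", rto_hours=72, rpo_hours=24, depends_on=["network"]),
]

if __name__ == "__main__":
    print("Recovery sequence:", recovery_sequence(SAMPLE_BIA))
    print("Critical path for online_banking:", critical_path(SAMPLE_BIA, "online_banking"))
    for proc, dep, dep_rto, proc_rto in rto_conflicts(SAMPLE_BIA):
        print(f"RTO conflict: {proc} ({proc_rto}h) depends on {dep} ({dep_rto}h)")
```

In the sample data, wire_transfers is given a 2-hour RTO while core_banking, which it depends on, is allowed 4 hours; `rto_conflicts` surfaces exactly that inconsistency, which is the kind of finding the BIA should feed back into the prioritization before the BCP is written. The sequencing function also rejects circular dependencies, which usually indicate an interview error in the inventory rather than a real loop.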
Personnel responsible for the BIA should consider developing uniform interview and inventory questions that can be used on an enterprise-wide basis. Uniformity can improve the consistency of responses and help personnel involved in the BIA phase compare and evaluate business process requirements. This phase may initially prioritize business processes based on their importance to the credit union’s achievement of strategic goals and the maintenance of safe and sound practices. However, this prioritization should be revisited once the business processes are modeled against various threat scenarios so that a comprehensive BCP can be developed.
When determining a credit union’s critical needs, all functions, processes, and personnel should be analyzed. In documenting the mission critical functions performed, each department should consider the following questions:
- What critical inter-dependencies exist between internal systems, applications, business processes, and departments?
- What specialized equipment is required and how is it used?
- How would the department function if the mainframe, network and/or Internet access were not available?
- What single points of failure exist and how significant are those risks?
- What are the critical outsourced relationships and dependencies?
- What are the required responsibilities of the credit union and the third-party service provider as defined by the service level agreement?
- What critical operational or security controls require implementation prior to recovery?
- What is the minimum number of staff and amount of space that would be required at a recovery site?
- What special forms or supplies would be needed at a recovery site?
- What equipment would be needed at a recovery site to communicate with employees, vendors, and customers?
- What is the potential impact if common recovery sites serve multiple credit unions?
- Have employees received cross training, and has the department defined back-up functions/roles that employees should perform if key personnel are not available?
- Are the personal needs of employees adequately considered?
- What are the critical cash management/liquidity issues?
Once the BIA is complete, it should be evaluated during the risk assessment process and incorporated into, and tested as part of, the BCP. The BIA should be reviewed by the board and senior management periodically and updated to reflect significant changes in business operations, audit recommendations, and lessons learned during the testing process. In addition, a copy of the BIA should be maintained at an offsite location so it is easily accessible when needed.
The risk assessment step is critical and has significant bearing on whether business continuity planning efforts will be successful. During the risk assessment step, business processes and the BIA assumptions are evaluated using various threat scenarios. This will result in a range of outcomes that may require changes to the BCP.
Credit unions should develop realistic threat scenarios that may potentially disrupt business processes and their ability to meet clients’ expectations (internal, business partners, or customers). Threats can take many forms, including malicious activity, natural and technical disasters, and pandemic incidents. Where possible, credit unions should analyze a threat by using non-specific, all-risk planning that focuses on the impact of the threat instead of the nature of the threat. For example, the effects of certain threat scenarios can include business disruptions that affect only specific personnel, work areas, systems, facilities (i.e., buildings), or geographic areas.
Additionally, the magnitude of the business disruption should consider a wide variety of threat scenarios based upon practical experiences and potential circumstances and events. If the threat scenarios are not comprehensive, the resulting BCP may be too basic and omit reasonable steps that are needed for a timely recovery after a disruption.
Threat scenarios should consider the severity of the disaster, which is based upon the impact and the probability of business disruptions resulting from identified threats. Threats may range from those with a high probability of occurrence and low impact to the credit union, such as brief power interruptions, to those with a low probability of occurrence and high impact to the credit union, such as hurricanes or terrorist attacks. The most difficult threats to address are those that have a high impact on the credit union but a low probability of occurrence. However, through the use of non-specific, all-risk planning, the BCP may be more flexible and adaptable to all types of disruptions.
When assessing the probability of a disruption, credit unions and service providers should consider the geographic location of all facilities, their susceptibility to threats (e.g., location in a flood plain), and the proximity to critical infrastructures (e.g., power sources, nuclear power plants, airports, major highways, railroads). Worst-case scenarios, such as destruction of the facilities and loss of life, should be considered. As part of this process, external factors should also be closely monitored to determine the probability of occurrence. External factors can be monitored through constant communication with community and government officials and regulatory authorities. For example, credit unions should monitor alerts issued by such organizations as the Department of Homeland Security and the World Health Organization, which provide information regarding terrorist activity and environmental risks, respectively.
After analyzing the impact, probability, and the resulting severity of identified threats, the credit union can prioritize business processes and estimate how they could be disrupted under various threat scenarios. The resulting probability of occurrence may be based on a rating system of high, medium, and low.
At this point in the business continuity planning process, the credit union should perform a “gap analysis.” In this context, a “gap analysis” is a methodical comparison of what types of policies and procedures the credit union (or business line) should implement to recover, resume, and maintain normal business operations, versus what the existing BCP provides. The difference between the two highlights additional risk exposure that management should address when developing the BCP.
The BIA and risk assessment represent the foundation of the BCP. The BCP should be written on an enterprise-wide basis, reviewed and approved by the board and senior management at least annually, and disseminated to credit union employees for timely implementation. All credit unions should develop a BCP that documents business continuity strategies and procedures to recover, resume, and maintain all critical business functions and processes.
Some credit unions may choose to develop their BCP internally, while others may choose to outsource the development and maintenance of their BCP. While outsourcing BCP development may be a viable option, the board and management are ultimately responsible for implementing and maintaining a comprehensive BCP. Therefore, the credit union should understand the business impact of potential threats, have the ability to implement mitigating controls, and ensure that the BCP can be properly executed by credit union personnel and validated through comprehensive testing. When outsourcing BCP development, management should ensure that the chosen service provider has the expertise required to analyze the credit union’s business needs.
The service provider should also be able to design executable strategies that are relevant to the credit union’s risk environment, create education and training programs necessary to achieve successful deployment of the BCP, and integrate necessary changes so that the BCP is properly updated.
A well-written BCP should describe the various types of events that could prompt the formal declaration of a disaster and the process for invoking the BCP. It should also describe the responsibilities and procedures to be followed by each continuity team, have current contact lists of critical personnel, address communication processes for internal and external stakeholders, identify relocation strategies to alternate facilities, and include procedures for approving unanticipated expenses.
The BCP should specifically describe the immediate steps to be taken during a disruption in order to maintain the safety of personnel and minimize the damage incurred by the credit union. The BCP should include procedures to execute the plan’s priorities for critical versus non-critical functions, services, and processes. Specific procedures to follow for recovery of each critical business function should be developed so that employees understand their role in the recovery process and can implement the BCP in a timely manner.
The BIA and risk assessment should be integrated into the written BCP by incorporating identified changes in internal and external conditions and by focusing on the impact of various threats that could potentially disrupt operations, rather than on specific events that may never occur. Examples of the potential impact of various threats include the following:
- Critical personnel are unavailable and they cannot be contacted;
- Critical buildings, facilities, or geographic regions are not accessible;
- Equipment (hardware) has malfunctioned or is destroyed;
- Software and data are not accessible or are corrupted;
- Third-party services are not available;
- Utilities are not available (power, telecommunications, etc.);
- Liquidity needs cannot be met; and
- Vital records are not available.
When developing the BCP, credit unions should carefully consider the assumptions on which the BCP is based. Credit unions should not assume a disaster will be limited to a single facility or a small geographic area. Additionally, credit unions should not assume they will be able to gain access to facilities or that critical personnel (including senior management) will be available immediately after the disruption. Public transportation systems such as airlines, railroads, and subways also may not be operating, and telecommunication systems may be overburdened and unavailable.
DEFINING THE BUSINESS CONTINUITY STRATEGY
The business continuity strategy represents a critical aspect of the BCP and is derived from the information collected during the business impact analysis (BIA) process. The following components should be considered when defining the business continuity strategy and developing the BCP:
- Technology issues;
- Electronic payment systems;
- Liquidity concerns;
- Financial disbursement;
- Manual operations; and
- Other considerations.
When developing the continuity strategy, consideration should be given to both short-term and long-term goals and objectives. Short-term goals and objectives may include:
- Critical personnel, facilities, computer systems, operations, and equipment;
- Priorities for processing, recovery, and mitigation;
- Maximum downtime before recovery of operations; and
- Minimum resources required for recovery.
Long-term goals and objectives may include:
- Management’s enterprise-wide strategic plan;
- Coordination of personnel and activities;
- Budgetary considerations; and
- Supervision of third-party resources.
INTERNAL AND EXTERNAL COMPONENTS
A BCP consists of many components that are both internal and external to a credit union. An effective BCP coordinates across its many components, identifies potential process or system dependencies, and mitigates the risks from inter-dependencies. The activation of a continuity plan and restoration of business in the event of an emergency depends on the successful interaction of these various components. The overall strength and effectiveness of a BCP can be decreased by its weakest component. Internal components that should be addressed in the BCP to ensure adequate recovery of business operations may include inter-dependencies between various departments, business functions, and personnel within the credit union. These inter-dependencies can also include single points of failure with internal telecommunications and computer systems. External components that can negatively affect the timely recovery of business operations and that should be addressed in the BCP may include inter-dependencies with telecommunications providers, service providers, customers, business partners, and suppliers.
Management should develop comprehensive mitigation strategies to resolve potential problems that may result from internal and external inter-dependencies. Mitigation strategies will depend upon the results of the BIA and risk assessment, but should always ensure that processing priorities can be adequately implemented and that business operations can be resumed in a timely manner. The following represent examples of appropriate mitigation strategies:
- Strengthening the physical facility using dependable construction materials;
- Establishing redundant vendor support;
- Establishing media protection safeguards and comprehensive data back-up procedures;
- Implementing redundant or alternative power sources, communication links, data back-up technologies, and data recovery methods;
- Increasing inventories of critical equipment;
- Installing fire detection and suppression systems; and
- Purchasing and maintaining adequate reserves of food, water, batteries, and medical supplies.
Once the BCP is complete, the viability of the plan must be assessed as part of the risk monitoring and testing step, which involves the development, execution, evaluation, and assessment of a testing program. The testing program is then used to update the BCP based on issues identified as part of the testing process.
Excerpted and adapted from the FFIEC Business Continuity Planning IT Examination Handbook, March 2008