Last Reviewed: January, 2015
The Threat Analysis risk assessment step is critical and has significant bearing on whether business continuity planning efforts will be successful. During the Threat Analysis step, business processes and the BIA assumptions are evaluated using various threat scenarios. This will result in a range of outcomes that may require changes to the BCP. The use of a Threat Spreadsheet will help track the threats identified and status of mitigation actions needed. (Sample Spreadsheet)
Credit Unions should develop realistic threat scenarios that may potentially disrupt business processes and their ability to meet stakeholders’ expectations (members, business partners, and others). Threats can take many forms, including malicious activity, natural and technical disasters, and pandemic incidents. Where possible, credit unions should analyze a threat by using non-specific, all-risk planning that focuses on the impact of the threat instead of the nature of the threat. For example, the effects of certain threat scenarios can include business disruptions that affect only specific personnel, work areas, systems, facilities (i.e., buildings), or geographic areas.
Additionally, the magnitude of the business disruption should consider a wide variety of threat scenarios based upon practical experiences and potential circumstances and events. If the threat scenarios are not sufficiently comprehensive, the resulting BCP may be too basic and omit reasonable steps that are needed for a timely recovery after a disruption.
Threat scenarios should consider the severity of the disaster, based upon the impact and the probability of business disruptions resulting from the identified threats. Threats may range from those with a high probability of occurrence and low impact to the credit union, such as brief power interruptions, to those with a low probability of occurrence and high impact to the credit union, such as hurricanes or terrorist attacks. The most difficult threats to address are those that have a high impact on the credit union but a low probability of occurrence. However, through the use of non-specific, all-risk planning, the BCP may be more flexible and adaptable to all types of disruptions.
When assessing the probability of a disruption, Credit Unions and service providers should consider the geographic location of all facilities, their susceptibility to threats (e.g., location in a flood plain), and the proximity to critical infrastructures (e.g., power sources, nuclear power plants, airports, major highways, railroads). Worst-case scenarios, such as destruction of the facilities and loss of life, should be considered. As part of this process, external factors should also be closely monitored to determine the probability of occurrence. External factors can be monitored through constant communication with community and government officials and regulatory authorities.
At this point in the business continuity planning process, the credit union should perform a “gap analysis.” In this context, a “gap analysis” is a methodical comparison of what types of policies and procedures the credit union (or business line) should implement to recover, resume, and maintain normal business operations, versus what the existing BCP provides. The difference between the two highlights additional risk exposure that management should address when developing the BCP.
While a business continuity plan (BCP) should be focused on restoring the credit union’s ability to do business, regardless of the nature of the disruption, different types of disruptions may require a variety of responses in order to resume operations.
Many types of disasters affect not only the credit union but also the surrounding community. The human element can be unpredictable in a crisis situation, and it should not be overlooked when developing a BCP since employees and their families could be affected as significantly as, or more significantly than, the credit union. Therefore, management should consider various internal and external threats and determine the impact they may have on the entire credit union, including employees.
While the type and severity of internal and external threats may be different for each credit union, this section discusses four primary categories of threats that should be considered when developing the BCP. These threats include malicious activity, natural disasters, technical disasters, and pandemics.
Fraud, Theft, or Blackmail
Since fraud, theft, or blackmail may be perpetrated more easily by insiders, implementation of employee awareness programs and computer security policies is essential. These threats can cause the loss, corruption, or unavailability of information, resulting in a disruption of service to customers. Restricting access to information that may be altered or misappropriated reduces exposure. The credit union may be held liable for release of sensitive or confidential information pertaining to its customers; therefore, appropriate procedures to safeguard information are warranted.
Most credit unions have never had a strike but there is always a potential for disgruntled employees to call for a strike. Management must be prepared to ensure that the credit union is able to continue operations in this situation.
Personnel should know how to handle intruders, bomb threats, and other disturbances.
The locations of critical operation centers should not be publicized, and the facilities should be inconspicuous. A disgruntled employee may try to sabotage facilities, equipment, or files. Therefore, personnel policies should require the immediate removal from the premises of any employee reasonably considered a threat and the immediate revocation of that employee’s computer and facility access privileges. Locked doors, motion detectors, guards, and other controls that restrict physical access are important preventive measures.
Strike (Sponsor/SEG)/Civil Disturbance
A strike by a group of individuals affiliated with a credit union has the potential for disruption both physically and financially. Credit union staff may be reluctant to cross a picket line to enter the facility if the credit union is located on or near a sponsor or SEG facility. Management must be prepared to ensure that the credit union is able to continue operations in this situation.
From the financial perspective, a strike could result in a demand for cash as well as a potential for increased loan delinquency, as members may not be paid while on strike. In this case, the credit union should have a plan to address the situation.
Vandalism and Looting
Vandalism and looting represent a threat because individuals often seek financial gain by exploiting security weaknesses exposed during an emergency or disaster situation. In the event of an area-wide disaster, the credit union’s security staff may be unable to reach the damaged facility and it may be difficult to obtain services from outside security personnel without prior notification. Therefore, management should address these potential threats before a disaster occurs by implementing alternate security measures to protect both the credit union’s physical and logical assets.
The risk of terrorism is real and adequate business continuity planning is critical for credit unions in the event a terrorist attack occurs. Some forms of terrorism (e.g. chemical or biological contamination) may leave facilities intact but inaccessible for extended periods of time. The earlier an attack is detected, the better the opportunity for successful treatment and recovery. Active monitoring of federal and state emergency warning systems, such as those of FEMA and the Centers for Disease Control (CDC), should be considered.
Terrorism is not new, but the likelihood of disruption and destruction continues to increase. The loss of life, total destruction of facilities and equipment, and emotional and psychological trauma to employees can be devastating. Collateral damage can result in the loss of communications, power, and access to a geographic area not directly affected by the attack.
Terrorist attacks can range from bombings of facilities to cyber-attacks on the communication, power, or financial infrastructures. The goal of cyber-terrorism is to disrupt the functioning of information and communications systems. Unconventional attacks could also include the use of chemical, biological, or nuclear material. Bio-terrorists may employ bacterial or viral agents with effects that are delayed, making prevention, response, and recovery problematic. While the probability of a full-scale nuclear attack is remote, it is necessary to address the readiness to deal with attacks on nuclear power plants and industries using nuclear materials and for attacks initiated by means of “dirty” nuclear devices, which are weapons combining traditional explosives with radioactive materials.
A fire can result in loss of life, equipment, and data. Data center personnel must know what to do in the event of a fire to minimize these risks. Instructions and evacuation plans should be posted in prominent locations, should include the designation of an outside meeting place so personnel can be accounted for in an emergency, and should provide guidelines for securing or removing media, if time permits. Fire drills should be periodically conducted to ensure that personnel understand their responsibilities. Fire alarm boxes and emergency power switches should be clearly visible and unobstructed. All primary and back-up facilities should be equipped with heat or smoke detectors. Ideally, these detectors should be located in the ceiling, in exhaust ducts, and under raised flooring. Detectors situated near air conditioning or intake ducts that hinder the buildup of smoke may not trigger the alarm. The emergency power shutdown should deactivate the air conditioning system. Walls, doors, partitions, and floors should be fire-resistant.
Also, the building and equipment should be grounded correctly to protect against electrical hazards.
Lightning can cause building fires, so lightning rods should be installed as appropriate. Local fire inspections can help in preparation and training. Given government regulations to control ozone depletion, current fire suppression systems utilize clean agents and include Inergen, FM-200, FE-13, and carbon dioxide.
Additionally, dry pipe sprinkler systems are being used that activate upon detection of a fire and fill the pipe with water only when required. Consequently, the risk of water damage from burst pipes may be minimized. These systems should be the staged type, where the action triggered by a fire detector permits time for operator intervention before it shuts down the power or releases fire suppressants.
Personnel should know how to respond to these automatic suppression systems, as well as the location and operation of power and other shut-off valves. Waterproof covers should be located near sensitive equipment in the event that the sprinklers are activated. Hand extinguishers and floor tile pullers should be placed in easily accessible and clearly marked locations. The extent of fire protection required depends on the degree of risk a credit union is willing to accept, as well as local fire codes or regulations.
Floods and Other Water Damage
A credit union located in or near a flood plain faces increased risk and should take the necessary actions to manage that level of exposure. Because water seeks the lowest level, if possible locate critical records and equipment to mitigate this risk. Raised flooring or elevating the wiring and servers several inches off the floor can prevent or limit the amount of water damage.
In addition, water damage can occur from other sources such as broken water mains, windows, or sprinkler systems. If there is a floor above the computer or equipment room, the ceiling should be sealed to prevent water damage. Water detectors should be considered as a way to provide notification of a problem.
A disaster resulting from an earthquake, hurricane, tornado, or other severe weather typically would have its probability of occurrence defined by geographic location. Given the random nature of these natural disasters, credit unions located in areas that experience these events should include appropriate scenarios in their business continuity planning process. Where early warning systems are available, management should implement procedures prior to the disaster to minimize losses.
Some disasters produce a secondary problem by polluting the air for a wide geographic area. Natural disasters such as flooding can also result in significant mold or other contamination after the water has receded. The severity of these contaminants can affect air quality at a credit union and even result in evacuation for an extended period of time.
Business continuity planning should consider the possibility of air contamination and provide for evacuation plans and the shutdown of HVAC systems to minimize the risks caused by the contamination. Additionally, consideration should be given to the length of time the affected facility could be inoperable or inaccessible.
Some credit unions have facilities close to chemical plants, railroad tracks, or major highways used to transport hazardous materials. A leak or spill can result in air contamination, chemical fires, as well as other health risks. Reasonable efforts should be made to determine the types of materials being produced or transported nearby, obtain information about the risks each may pose, and take steps to mitigate such risks.
The distributed processing environment has resulted in an increased reliance on telecommunications networks for both voice and data communications with customers, employees, electronic payment system providers, affiliates, vendors, and service providers. Credit unions lacking diversity in their telecommunications infrastructures may be susceptible to single points of failure in the event a disaster disrupts their critical systems.
Customers’ (members’) reliance on their financial institutions for account information creates a critical need for timely recovery of communications systems. Credit unions should establish alternate forms of communication in the event local phone systems become inoperable, including a plan for how customers will be advised of alternate means to contact the credit union.
In addition to restoring data communication lines with customers, restoration of communications with employees is also critical to any BCP. To make it easier for employees to contact the credit union during a disaster, management could distribute pre-established toll-free phone numbers to employees. This method of communication would enable employees to report their status using a centralized location and obtain current information about operational restoration.
Calling trees may not be useful during an area-wide disaster since employees may have evacuated to unknown locations and standard telecommunications systems may be inoperable. Therefore, use of voice landlines, text messaging via cell phones, wireless personal digital assistants, two-way radios or satellite phones, text-based pagers, corporate and public e-mail systems, and Internet-based instant messaging systems should be considered. In addition, secure connections may be established through a virtual private network (VPN) using a standard Internet connection and a laptop computer. Management should also ensure they have an adequate supply of batteries to operate any wireless devices or laptop computers.
Electronic Payment System Providers
Communications failures with electronic payment system providers may prevent the use of electronic forms of payment, such as debit and credit cards and electronic funds transfers. Therefore, cash needs become critical when customers and employees do not have access to funds electronically, and cash is in short supply during an area-wide disaster. It may be difficult to obtain additional supplies of cash and take delivery of sensitive documents when transportation and telecommunications services are limited.
As such, management should carefully analyze funding needs if they anticipate, or when they become aware of, a pending disaster to ensure that liquidity needs are met in a timely manner.
Affiliates, Vendors, and Service Providers
The restoration of communication with affiliates, vendors, and service providers is also paramount to the timely recovery of a credit union. Alternate methods of communication and procedures for accessing, downloading, and uploading information should be pre-established with the credit union’s technology service providers, correspondents, affiliates, and third-party vendors to ensure continuity of service.
The loss of power can occur for a variety of reasons, including storms, fires, malicious acts, brownouts, and blackouts and may result in widespread failure of the power grid and inoperable power distribution centers. A power failure could result in the loss of computer systems; lighting, heating and cooling systems; and security and protection systems. Additionally, power surges can occur as power is restored, and without proper planning, can cause damage to equipment. As a means to control this risk, voltage entering the computer room should be regulated to prevent power fluctuations. In the event of power failure, use of an alternative power source, such as an uninterruptible power supply (UPS), gasoline, kerosene, natural gas, or diesel generators should be considered.
A UPS is essentially a collection of standby batteries that provide power for a short period of time. When selecting a UPS, sufficient capacity to provide ample time to shut down the system in an orderly fashion and ensure that no data is lost or corrupted should be factored into the configuration. Some UPS equipment can initiate the automated shutdown of systems without human intervention.
If processing time is more critical, a credit union may arrange for a generator to provide power for mission critical equipment during extended power outages. If a generator is used, management should maintain an ample supply of fuel on hand, such as propane, natural gas, or diesel fuel, and arrange for replenishment. Therefore, proper planning involves careful consideration of which equipment and facilities need power and which operations should be scaled back.
It is also important to ensure that alternative power supplies receive periodic maintenance and testing to maintain operability. Moreover, management should discuss with local authorities the ordinances relative to the location of generators and the storage and delivery of fuel.
Equipment and Software Failure
Equipment and software failures may result in extended processing delays and/or the inability to implement the BCP. The performance of preventive maintenance enhances system reliability and should be extended to all supporting equipment, such as temperature and humidity control systems and alarm or detecting devices.
While these types of incidents are rare, credit unions should be aware of the potential that aircraft/rail/ship incidents could have on their operations. Railroads and ships can transport large amounts of hazardous material (including nuclear waste) and if an incident occurred, the credit union facility may be closed until the situation is resolved.
Aircraft pose a threat primarily to credit unions that are on the approaches to an airport. While aircraft do not carry the quantities of material that railroads or ships do, there is still a likelihood of hazardous materials being released.
Management should be aware of the potential for these types of incidents occurring in their vicinity and prepare for such actions as may be required.
Nuclear Power Plant Incidents
While these types of incidents are rare, credit unions should be aware of the potential that a nuclear power plant incident could have on their operations. In the worst case, a nuclear power plant could release radioactive material into the atmosphere and flood the nearby areas with radiation, both very harmful to human life.
All nuclear plants are required to have an emergency notification program in place and perform periodic testing of their response program. If a credit union is close to a nuclear plant, it should be aware of the plant’s response program and how it would be notified in the event of an incident.
Management should be aware of the potential for these types of incidents occurring in their vicinity and prepare for such actions as may be required.
Transportation System Disruptions
Credit Unions should not assume regional or national transportation systems will continue to operate normally during a disruption. Air traffic or trains may be halted by natural or technical disasters, malicious activity, or accidents. In instances of area-wide disasters, delivery of essential services may be diverted for humanitarian and other emergency efforts. This can adversely affect cash distribution, fuel delivery, check clearing, and relocation of staff to back-up sites. The use of private, ground-based carriers (e.g., messenger services, trucking companies, bus companies) to ensure the continuation of these vital functions should be investigated.
Water System Disruptions
Other essential necessities, such as water, could be limited or non-existent during a disaster. HVAC systems may be dependent upon water to operate, and initial supplies of drinking water for employees may be quickly exhausted or difficult to find since new shipments may be delayed due to transportation problems. Credit unions should plan for potential disruptions in water services by determining the impact of such a disruption on business operations and maintaining adequate reserves on hand.
Excerpted and adapted from the FFIEC Business Continuity Planning IT Examination Handbook, January 2015