The Do’s and Don’ts of Business Continuity Planning for Financial Institutions
Business continuity planning for financial institutions is an extensive, ever-changing process that has many pitfalls for the unprepared. Often, organizations will build business continuity plans that lie dormant until an interruption. For others, the planning process becomes too granular. They focus on all of the potential issues they could experience and spend too little time fleshing out the scenarios they are most likely to face. This guide will give helpful advice and insight into common mistakes to avoid to help you create an effective business continuity plan for your organization.
Business Continuity Planning for Financial Institutions (Don’ts)
Don’t: Assume Your “Big Book” Is Going To Cut IT
You likely have some experience with the proverbial business continuity binder. It’s about 300 pages and sits on a shelf, gathering dust. Much of the information is likely out of date or duplicated, and it only gets picked up when an auditor comes by.
However, your business continuity plan needs to be treated like a small child – change it when it needs changing, and never leave it alone for very long. Given that your customers can find other providers, along with the increasing number of cybersecurity breaches, any downtime can translate to a serious impact on your bottom line.
Don’t: Leave Business Continuity Planning Solely to the IT Department
10-15 years ago, businesses primarily focused on disaster recovery and IT departments took care of system recovery planning. This led to IT departments with amazing IT recovery plans, but no sound model for getting the larger business back up and running.
Your business objectives, not the technology, need to guide how your business continuity plan takes shape. This is why your BCP should start with a business impact analysis (BIA). The BIA is meant to determine:
- Your critical business functions,
- The impact to your business if those functions are interrupted,
- The resources needed to support those functions, and
- The necessary timeframe for recovery.
With this information, it immediately becomes evident what:
- Business objectives the BCP should be protecting and
- Risk parameters the institution can work within before significant losses.
Now the business can give the IT department specific requirements and collaborate to determine how those needs are met.
Don’t: Confine Your Plans to Regional Disasters
There have been devastating natural disasters in recent years. This includes:
- Fires in the West,
- Flooding in the Midwest, and
- Hurricanes making landfall in the Southeast.
It’s easy to imagine why business continuity and disaster recovery plans are made to create contingencies for the “next big thing”. However, data tells a different story about threats businesses face.
Statistically, the causes of most business disruptions are location specific, not regional events. Most downtime is caused by equipment or software failure, human error, or cyberattack. It is important that your organization is planning for many different types of business interruptions in order to stay available to your customers.
Through each of these potential interruptions, what does the worst case scenario look like? Likely, it will be a situation that severely impacts your ability to service customers, while your customers expect you to be running normally. If everyone in a regional area is being impacted by an outage, your customers will likely be understanding while you’re trying to recover. If you are the only organization down, they might not be as sympathetic, and losses to your reputation (and revenue) could be significant.
Business Continuity Planning for Financial Institutions (Do’s)
Do: Keep Communication Open
During an outage, communication is imperative. You must keep everyone in the company apprised of the situation throughout. The most important thing is to plan for communication before something happens. The last thing your organization needs is several people disseminating different or inaccurate information, or giving their own potentially incorrect or emotional version of what is happening, to clients and the media.
Best practice is to assign one person responsible for internal communication, and one person responsible for external communication (the media, suppliers, and customers). This communication needs to be ongoing within the plan, as it is critical to have continuous information during an outage. With this documented in your incident response plan, you’ll know that messaging to your clients and employees will be reliable and accurate. Be sure your staff understand that if they aren’t responsible for external communication, they should be not be interacting with the media or clients on the topic of the outage.
This communication should also reach into disaster planning. Open up a dialogue with the fire and police departments about specifics in your plan. They likely have some insight that can help you create a more efficient process.
Do: Vet Your Technology Service Providers
Technology service providers (TSP) are third parties that provide and support the technology your organization uses. Due to the growing importance of technology, especially outsourced technology that supports functions within your company, you need to understand how each TSP fits into your BCP.
General guidelines include ensuring that you are asking providers for their business continuity plans, how they:
- Are testing them,
- Encompass their subcontractors, and
- Plan to service the many customers that rely on them in the face of a disruption.
Also, you should check their Service Level Agreements and understand what the business continuity plans for their organization look like before partnering. Make sure your providers take business continuity planning as seriously as you do, because if they go down, you’ll be dependent on their plan to recover your services.
The importance of testing a business continuity plan cannot be overstated. Having good documentation used to be enough for peace of mind that all things have been considered for recovery, but it is more important to see if what you have documented will actually work. It is vital that you’re not just doing the same test year after year, but that you’re testing your plan on different scenarios, with different levels of severity. Instead of testing the whole system at once annually, it is often more manageable on your team and resources to do smaller tests more frequently.
Testing has the added bonus of giving not only the plan itself some practice, but the people. Employees need to understand their role in the business continuity plan. Testing is a great way to prepare them. When your systems are down every moment is a loss of revenue and reputation. As a result, an employee who is trying to learn what their role is in the middle of your outage can mean wasting valuable time.