Compliance Insight with David Schneier

Business Continuity Part 2: Too Many Plans Contain 'Blind Spots'

My recent post on Business Continuity Planning and its role in supporting institutions affected by the recent Midwest flooding generated more than its fair share of dialogue with my peers.

So much of what's required by regulation often presents itself as a documentation exercise and rarely transcends the theoretical domain into practical use. So, when it happens, when an institution needs to depend upon one of these documents to manage through the very situation it was intended to address, it's of great interest to the practitioner community.

One of the more interesting facts to emerge from my clients affected by the flooding is how many of them avoided any direct impact to their business operations. The worst of it was for one institution that needed to evacuate part of its back-office operations, but didn't directly rely upon their plan. They made decisions based upon office space available at different branches and redeployed as necessary until the threat subsided.

What was a bit surprising is that when I asked a few of my clients if they had at least reviewed their plans "just in case"... none had. Furthermore, when I asked if they intended to factor in the flood conditions into future business impact analysis and risk assessment activities in support of their BCP, they were mostly unsure. Based on my experience with BCP, I'm not surprised.

I've often encountered businesses that have BCP's that fall short of addressing all likely risk factors. I'm often amazed by how short-sighted some of these plans can be. Here are some examples:

One client based in the Northeast determined that threat of an ice/snow storm to be low, despite several incidents in the past decade in which winter storms caused road closures and loss of utilities for multiple days. This was particularly shocking because based on their industry and regulatory requirements, if they couldn't transact business for more than one day, they'd lose their license and effectively be out of business. Management accepted the assessment and elected to save money and not fund a DR site plan.
Another client had the threat of a tornado assessed as low, despite having had multiple related events in the past 12 months (warnings, not actual hits). Their BCP did not address this threat and left them exposed. I asked what would happen if they lost their core system mid-day due to a tornado striking their primary site, and they said they'd restore at their backup site. I asked how they would factor in all the transactions conducted since the start of business that day, and I was met with blank stares.
One client had virtually no consideration included in their assessment or plan for the risk of brush-fire, despite having been forced to address that very threat on multiple occasions in recent years.

Why do these "blind spots" exist? Because smaller institutions (and some large ones as well) develop their plans by simply filling in templates. They don't possess the broader exposure or experience in understanding the various points that need to be considered. However, once an event occurs and the plan needs to be relied upon, its deficiencies are brought to light in a heartbeat. I've often heard phrases such as "we never considered the possibility" or "we never encountered it before and didn't' think we ever would".

For the institutions I talked to about the recent flooding, this was a first-time occurrence. There was nothing historically to make them believe they needed to factor such conditions into their BCP. However, a properly developed, deployed and tested BCP addresses all likely scenarios.

I wonder how many financial institutions based throughout the United States would fare under similar conditions. I wonder how many are planning to review their strategy, as well.

About the Author

David Schneier

David Schneier

Director of Professional Services

David Schneier is Director of Professional Services for Icons Inc., an information security consultancy focused on helping financial institutions meet regulatory compliance with respect to GLBA 501(b) and NCUA Part 748 A and B. He has over 20 years' experience in Information Technology, including application development, infrastructure management, software quality assurance and IT audit and compliance.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.