Business Continuity Planning: Key StepsLessons Learned in Wake of Disasters
Learning from past incidents, such as Superstorm Sandy, organizations should make sure their business continuity plans address all key business processes and customer-facing applications, says Dan Shannon, who oversees the consulting services division for core processor Fidelity Information Services.
See Also: OnDemand | Transforming Third Party Risk
When Superstorm Sandy hit, FIS worked with one of its banking customers to handle, among other things, call-center services, Shannon explains in an interview with Information Security Media Group [transcript below]." .
"The one thing that surprised the bank was just the magnitude of the impact, not only to the technology but to the people that worked for the bank," he says. "They just were not able to get into the call center, and the ones that were able to get in really needed to focus on recovering their families."
When building disaster-recovery plans, Shannon says organizations also need to review their back-office processes that touch customers.
For all organizations, having a comprehensive plan with a technology or business process partner is critical, he says. "You really need to focus on all the touchpoints your customers have with your organization," Shannon says. "All those potential touchpoints need to be covered in the disaster-recovery scenario."
During this interview, Shannon discusses:
- Why distributed-denial-of-service attack response plans should follow the same steps outlined in broader business continuity plans;
- How poor business continuity planning can adversely impact an organization's brand; and
- Why interdepartmental collaboration is critical when it comes to addressing cross-department business processes.
At FIS, Shannon serves as a senior vice president, leading the company's consulting services division. Before taking on this role, he was managing director of the European division of Metavante Technologies Ltd. Earlier, Shannon led Metavante's consulting and professional services group.
TRACY KITTEN: What can you tell us about recovery efforts during Hurricane Sandy, which struck last year?
DAN SHANNON: It's really interesting. When Superstorm Sandy was coming, one of the things we did at FIS is we proactively looked at where this storm was coming and who and what our customer base was in that area. Specifically for our core banking customers, we collectively went out and did a calling campaign two days before the storm and reminded them of the different types of capabilities we had in the event that they needed assistance. We told them about the disaster-recovery capabilities that we had, but also shared with them the call-center strategy that we had and that, if they needed help, we'd be able to, because we were their technology provider, fairly rapidly assist them in any concerns that they had.
In the New York and New Jersey area, we had a number of customers that used us for different types of call-center services. We provided some additional planning for those customers.
One of the more interesting situations was we had a very large bank that was headquartered in New York and New Jersey that was close to $20 billion in assets with nearly 100 offices. While we did have a call-center contract with that bank, we also are the provider of their integrated core banking and all of their channel solutions. Once the storm hit, they lost power at over half of their branches, and nearly 20 percent of their branches were in actual evacuation zones.
They called us to ask, "How can you help us better serve our customers? But as important, they asked, "How can you help us deal with the large number of our employees that are in their call centers that now have been impacted by this storm? They can't go to work. They need to focus on their families and their recovery. What can we do to work together?"
We went through the different types of services we could provide and within 24 hours we brought them online, leveraging our call centers in Little Rock, Ark., and Tampa-St. Pete [Fla.] to provide additional call-center capabilities. ... As the days went on, we took over one of their key call-center shifts. We staffed the call center from 3 to 8 p.m. and took over that shift for a number of weeks so that they could really manage the impact that it had to both their clients and to their employees. We did a quick, smooth transition. It drove the bank to really rethink how they handle disaster recovery and what different business processes, along with technology, they should look at.
Then, from a technology perspective, the first step was to invoke the capabilities of the bank operations team, our information security team and our enterprise risk management office, and their chief risk officer walked through a plan to make sure that all customer data was protected and all security protocols were in place. Then we tested the call center across their environment to make sure that we were able to route calls both to us and back to the bank. Within 24 hours, the plan was approved by the executive management team of the bank. We began receiving the calls, when routed directly to us, and then we rerouted calls based on the way we had set up the call priority. Then we would route them back to the bank and then jointly worked a call-center plan and kept that in place for a number of weeks after the disaster.
KITTEN: From a banking perspective, what lessons were learned?
SHANNON: While many financial institutions really focus on looking at their hardware environment, their software environment and their outsourcing environment, from a technology perspective, they really also need to look at what their business processes are and the customer-facing applications in business processes that can be impacted in a disaster like this. The one thing that surprised the bank was just the magnitude of impact, not only to the technology but really to the people who worked for the bank. They just were not able to get into the call center, and the ones that were really needed to focus on recovering their families as well. It was a lesson learned to really look at all the back-office processes that are touching customers.
Insights for Other Industries
KITTEN: What could other industries learn from some of the disaster-recovery initiatives that financial institutions have put into place?
SHANNON: Obviously, the importance of a comprehensive plan with a technology or a business process partner is critical. You also really need to focus on all the touchpoints your customers have with your organization. All those potential touchpoints really need to be covered in any disaster-recovery scenario. Your brand is your most important asset and you really need the continuity of the touchpoints with your customers and the quality of the interaction with those customers.
DDoS and Other Concerns
KITTEN: Beyond natural disasters, what other types of business-continuity concerns and challenges, such as distributed-denial-of-service attacks, should organizations be addressing in their disaster-recovery plans?
SHANNON: One of the things that we focus very heavily on at FIS is we have an enterprise risk management office and an information security office, and we work very closely with them and our financial institutions to lay out all the different types of scenarios that are occurring in the financial services world today and to have plans in place in case they're either attacked or that they have plans in place for recovery from any information security or risk management event. In fact, just last month alone we had 12 different seminars and webinars with our clients talking specifically on the different categories, tactics and strategies that the bank can invoke. We partner with them to help recover in any type of activity like that.
KITTEN: How does FIS view and approach DDoS, when it comes to disaster recovery?
SHANNON: We have a very large and sophisticated enterprise risk management office as well as chief information office that work directly within our organization. We coordinate all our products and services with that team. Then, we use that team to be the primary interface to our clients, to help partner with them to look at all the risks in their environment. We take it very seriously, and it's a very important component today of financial services.
Role of Third Parties
KITTEN: How would you say third parties such as FIS are ensuring that information is secure and that data that's outsourced for the purpose of business continuity and disaster recovery is encrypted?
SHANNON: I think it's important for financial institutions to really partner on their business continuity plans, to understand what the capabilities are of your partner, what are the capabilities of the organization, and constantly assess their core competencies and capabilities as well as their partner's, because it's important to do that as a partnership to ensure the highest level of security and continuity possible.