Ten Steps to An Effective Business Continuity Plan

A Business Continuity Plan (BCP) is the process whereby financial institutions ensure the maintenance or recovery of operations, including services to customers, when confronted with adverse events such as natural disasters, technological failures, human error, or terrorism.

The objectives of a BCP are to minimize financial loss to the institution, continue to serve customers and financial market participants, and mitigate the negative effects disruptions can have on an institution’s strategic plans, reputation, operations, liquidity, credit quality, market position, and ability to remain in compliance with applicable laws and regulations. Changing business processes (internally to the institution and externally among interdependent financial services companies) and new threat scenarios require financial institutions to maintain updated and viable BCPs.

New business practices, changes in technology, and increased terrorism concerns have focused even greater attention on the need for effective business continuity planning and have altered the benchmarks of an effective plan. For example, an effective BCP should take into account the potential for wide-area disasters that impact an entire region and for the resulting loss or inaccessibility of staff.

The threat of pandemics, in particular an outbreak of influenza caused by the bird flu virus, is causing many financial institutions to update their BCPs. Citibank’s action plan, outlined in a July 2006 presentation by Greg Gist, senior policy advisor in Citibank’s Office Of Business Continuity, includes a pandemic preparedness plan, headed by a Pandemic Preparedness Task Force consisting of senior staff from each region. The plan, which includes triggers and actions based on World Health Organization Pandemic Phases, provides all employees with pandemic preparedness communications and kits, modifies existing business continuity plans (e.g., to reflect high absenteeism rates associated with pandemics), and integrates pandemic awareness in financial and risk planning.

Citibank’s plan also includes assumptions about the effect on customers, such as increased delinquencies, increased requests for additional credit, and an increase in Internet banking volume.

Key to any BCP is an impact analysis differentiating between critical and non-critical functions. A function may be considered critical if the implications for stakeholders or damage to the organization are regarded as unacceptable. Perceptions of the acceptability of disruption may be modified by the cost of establishing and maintaining appropriate business or technical recovery solutions. A function may also be considered critical if dictated by law. Next, the impact analysis results in the recovery requirements for each critical function. Recovery requirements consist of the timeframe in which the critical function must be resumed after the disaster, the business requirements for recovery of the critical function, and/or the technical requirements for recovery of the critical function.

A BCP should consider and address interdependencies, both market-based and geographic, among financial system participants as well as infrastructure service providers. In most cases, recovery time objectives are much shorter than they were even a few years ago, and for some institutions recovery time objectives are now measured in hours, minutes, or even sub-minute intervals.

BCP requirements within a firm can vary from application to application. In financial services, applications deemed critical require a highly available and redundant architecture to meet ever more demanding service level agreements. The more critical the application is, the greater the need for continuous availability. For example, in the case of a fixed income trading system, it is imperative that trading can resume within seconds following a systems interruption. Rapid resumption of trading mitigates loss of business and preserves business reputation. The cost of downtime includes not only the lost trades but also the damage to the firm's reputation in the financial services market.

Ten Steps to An Effective Business Continuity Plan

Step 1 – Define strategy objectives by performing needs analyses and create a framework for strategy implementation

Step 2 – Determine the business value of the organization’s applications and define recovery objectives through data risk and recovery time profiles

Step 3 – Match technologies for safeguarding data, including backup, disaster recovery, vaulting, snapshot and replication, based upon business value

Step 4 – Define infrastructure and personnel plans, including organizational and communications processes

Step 5 – Implement technologies and educate critical personnel as to which business processes are impacted

Step 6 – Test the documented plan continuously and under different circumstances

Step 7 – Measure and validate test results relative to the plan’s overall objectives

Step 8 – Implement required enhancements that have been prioritized as a result of continuous testing and evaluation

Step 9 – Continuously review and enhance the business continuity plan to reflect organizational changes, fluctuating business conditions and the addition of new technologies

Step 10 – Finally, remember to repeat the entire process continuously.

About the Author

Andrew Miller

Contributing Writer, ISMG

Andrew Miller is a freelance writer specializing in financial services and information technology. He holds an MBA from Columbia University and a Master's in computer science from Rensselaer Polytechnic Institute. He has held jobs at CMP Media, MetLife, and Gartner.