Ten Steps to An Effective Business Continuity Plan
The objectives of a BCP are to minimize financial loss to the institution, continue to serve customers and financial market participants, and mitigate the negative effects disruptions can have on an institution's strategic plans, reputation, operations, liquidity, credit quality, market position, and ability to remain in compliance with applicable laws and regulations. Changing business processes (internally to the institution and externally among interdependent financial services companies) and new threat scenarios require financial institutions to maintain updated and viable BCPs.
New business practices, changes in technology, and increased terrorism concerns have focused even greater attention on the need for effective business continuity planning and have altered the benchmarks of an effective plan. For example, an effective BCP should take into account the potential for wide-area disasters that impact an entire region and for the resulting loss or inaccessibility of staff.
The threat of pandemics, in particular an outbreak of influenza caused by the bird flu virus, is causing many financial institutions to update their BCPs. Citibank's action plan, outlined in a July 2006 presentation by Greg Gist, senior policy advisor in Citibank's Office of Business Continuity, includes a pandemic preparedness plan, headed by a Pandemic Preparedness Task Force consisting of senior staff from each region. The plan, which includes triggers and actions based on World Health Organization Pandemic Phases, provides all employees with pandemic preparedness communications and kits, modifies existing business continuity plans (e.g., to reflect the high absenteeism rates associated with pandemics), and integrates pandemic awareness into financial and risk planning.
Citibank's plan also includes assumptions about the effect on customers, such as increased delinquencies, increased requests for additional credit, and an increase in Internet banking volume.
Key to any BCP is an impact analysis that differentiates between critical and non-critical functions. A function may be considered critical if the implications for stakeholders or the damage to the organization would be regarded as unacceptable. Perceptions of what level of disruption is acceptable may be tempered by the cost of establishing and maintaining the appropriate business or technical recovery solutions. A function may also be considered critical if dictated by law. The impact analysis then yields the recovery requirements for each critical function: the timeframe in which the function must be resumed after the disruption (its recovery time objective), the business requirements for recovering the function, and the technical requirements for recovering it.
A BCP should consider and address interdependencies, both market-based and geographic, among financial system participants as well as infrastructure service providers. In most cases, recovery time objectives are much shorter than they were even a few years ago; for some institutions they are now measured in hours, in minutes, or even in fractions of a minute.
BCP requirements within a firm can vary from application to application. In financial services, applications deemed critical require a highly available and redundant architecture to meet increasingly demanding service level agreements. The more critical the application, the greater the need for continuous availability. For example, in the case of a fixed income trading system, it is imperative that trading can resume within seconds of a systems interruption. Rapid resumption of trading limits the loss of business, and the cost of downtime extends beyond the lost trades to the firm's reputation in the market.
Ten Steps to An Effective Business Continuity Plan
Step 1 – Define strategy objectives by performing needs analyses and create a framework for strategy implementation
Step 2 – Determine the business value of the organization's applications and define recovery objectives through data risk and recovery time profiles
Step 3 – Match technologies for safeguarding data, including backup, disaster recovery, vaulting, snapshot and replication, based upon business value
Step 4 – Define infrastructure and personnel plans, including organizational and communications processes
Step 5 – Implement technologies and educate critical personnel as to which business processes are impacted
Step 6 – Test the documented plan continuously and under different circumstances
Step 7 – Measure and validate test results relative to the plan's overall objectives
Step 8 – Implement required enhancements that have been prioritized as a result of continuous testing and evaluation
Step 9 – Continuously review and enhance the business continuity plan to reflect organizational changes, fluctuating business conditions and the addition of new technologies
Step 10 – Finally, remember to repeat the entire process continuously.
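The following is an added worked example, not code from the article or from any institution it mentions, showing how Steps 2, 3 and 7 fit together in practice: an impact analysis classifies each business function as critical or not, recovery time and recovery point objectives (RTO and RPO) are recorded for it, the cheapest data-protection technology from Step 3 that can still meet those objectives is selected, and a recovery test is then scored against the objectives. The business functions, dollar figures, loss threshold, technology tiers and their delivered RTO/RPO values are all constructed assumptions for illustration.

```python
"""Recovery-objective profiling for a BCP: an added worked example, not code
from the article.  It models Steps 2, 3 and 7 above: decide which functions
are critical from an impact analysis, derive recovery objectives, match a
data-protection technology to each profile, and validate a recovery test
against the objectives.  Every function, dollar figure, threshold and
technology tier below is a constructed assumption for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class BusinessFunction:
    name: str
    rto: timedelta                  # recovery time objective: longest tolerable outage
    rpo: timedelta                  # recovery point objective: most data loss tolerable
    hourly_loss_usd: float          # estimated financial loss per hour of outage
    legally_mandated: bool = False  # recovery required by law or regulation


# Assumed threshold: a loss rate at or above this is treated as unacceptable.
UNACCEPTABLE_LOSS_PER_HOUR_USD = 100_000.0

# Assumed protection tiers, cheapest first: (technology, RPO it delivers, RTO it delivers).
PROTECTION_TIERS = [
    ("nightly backup with off-site vaulting", timedelta(hours=24), timedelta(hours=72)),
    ("periodic snapshots replicated off-site", timedelta(hours=4), timedelta(hours=24)),
    ("asynchronous replication to a warm standby", timedelta(minutes=5), timedelta(minutes=15)),
    ("synchronous replication, active-active failover", timedelta(0), timedelta(seconds=15)),
]


def is_critical(fn: BusinessFunction) -> bool:
    """Critical when the loss rate is unacceptable or when law dictates recovery."""
    return fn.legally_mandated or fn.hourly_loss_usd >= UNACCEPTABLE_LOSS_PER_HOUR_USD


def select_technology(fn: BusinessFunction) -> str:
    """Return the cheapest tier whose delivered RPO and RTO are within the objectives."""
    for technology, tier_rpo, tier_rto in PROTECTION_TIERS:
        if tier_rpo <= fn.rpo and tier_rto <= fn.rto:
            return technology
    raise ValueError(f"{fn.name}: no tier meets RPO {fn.rpo} / RTO {fn.rto}")


def build_plan(functions):
    """Steps 2 and 3: criticality plus the matched technology for every function."""
    return {fn.name: {"critical": is_critical(fn), "technology": select_technology(fn)}
            for fn in functions}


@dataclass(frozen=True)
class RecoveryTest:
    outage_start: datetime           # moment service was lost
    service_restored: datetime       # moment the function was usable again
    newest_data_recovered: datetime  # timestamp of the latest record present after recovery


def evaluate_test(fn: BusinessFunction, test: RecoveryTest) -> dict:
    """Step 7: compare achieved RTO/RPO with the objectives; durations in seconds."""
    achieved_rto = test.service_restored - test.outage_start
    # Data written after the newest recovered record is lost; zero if nothing was lost.
    achieved_rpo = max(timedelta(0), test.outage_start - test.newest_data_recovered)
    return {
        "achieved_rto_s": achieved_rto.total_seconds(),
        "achieved_rpo_s": achieved_rpo.total_seconds(),
        "rto_met": achieved_rto <= fn.rto,
        "rpo_met": achieved_rpo <= fn.rpo,
    }


# Constructed sample portfolio (figures are illustrative, not any institution's).
SAMPLE_FUNCTIONS = {fn.name: fn for fn in [
    BusinessFunction("fixed income trading", timedelta(seconds=30), timedelta(0), 500_000.0),
    BusinessFunction("online banking", timedelta(minutes=15), timedelta(minutes=5), 120_000.0),
    BusinessFunction("regulatory reporting", timedelta(hours=24), timedelta(hours=4), 5_000.0, True),
    BusinessFunction("marketing analytics", timedelta(hours=72), timedelta(hours=24), 500.0),
]}

# Constructed test outcomes: one within objectives, one that overruns its RTO.
SAMPLE_TESTS = {
    "online banking": RecoveryTest(datetime(2024, 1, 1, 9, 0), datetime(2024, 1, 1, 9, 12),
                                   datetime(2024, 1, 1, 8, 58)),
    "fixed income trading": RecoveryTest(datetime(2024, 1, 1, 9, 0, 0), datetime(2024, 1, 1, 9, 0, 45),
                                         datetime(2024, 1, 1, 9, 0, 0)),
}


def run_sample_tests():
    """Evaluate every constructed test against its function's objectives."""
    return {name: evaluate_test(SAMPLE_FUNCTIONS[name], test) for name, test in SAMPLE_TESTS.items()}


if __name__ == "__main__":
    for name, entry in build_plan(SAMPLE_FUNCTIONS.values()).items():
        print(f"{name:22} critical={entry['critical']!s:5} -> {entry['technology']}")
    for name, result in run_sample_tests().items():
        print(f"{name:22} RTO met={result['rto_met']} RPO met={result['rpo_met']} "
              f"(achieved {result['achieved_rto_s']:.0f}s / {result['achieved_rpo_s']:.0f}s)")
```

Two design points carry over to a real plan. First, the tier list is walked from cheapest to most expensive and the first tier that satisfies both objectives wins, which is how the cost of a recovery solution feeds back into what the business accepts as its objective; a function with a sub-minute RTO and zero RPO forces the most expensive tier or an explicit exception. Second, the test scoring measures RPO from the newest record actually present after recovery, not from the backup schedule, so a replication lag or a failed final snapshot shows up as an unmet objective rather than being hidden by the design's nominal figure. In the constructed data the trading test restores service in 45 seconds against a 30-second objective, which is exactly the kind of finding Step 8 is meant to turn into a prioritized enhancement.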