Seven Steps to Boost BCP to Ensure Regulatory Compliance
- Published on October 19, 2007
However, new business practices, change in technology, the severity of the 2004 and 2005 hurricane seasons, and increased terrorism concerns have focused even greater attention on the need for effective business continuity planning and have altered the benchmarks of an effective plan.
As an information technology bank examiner working for the State of Illinois/Illinois Department of Financial and Professional Regulation (IDFPR), Division of Banking, and as a business continuity and disaster recovery professional, this is where I step in.
My goal is to reduce risk exposure for the state-chartered banks, enhance business continuity management capabilities, and enforce regulatory guidelines. Some banks have elected to adopt suggested best practices from industry-independent and industry-specific entities such as the Disaster Recovery Institute International (DRII) and Business Continuity Management (BCM). As such, the task of pinpointing best-practice consistencies across the majority of these groups is quite daunting.
In examining and evaluating BCPs over the last 13 years, I have worked with financial institutions ranging from retailers and wholesalers to trust companies and service bureaus. In each of these situations, no matter how experienced and systematic they may have been, the planners often overlooked certain items, some of which may be crucial. The literature on building an effective plan would fill bookshelves. In an effort to save storage space, I have condensed some of these overlooked items into the following seven bullet points:
1. Business Impact Analysis (BIA)
FFIEC considers the BIA the first step in developing a BCP. Most banks have initiated the necessary steps to safeguard their institution's assets by developing a BCP. However, quite a few include a BIA in the development effort. The BIA phase identifies the potential impact of uncontrolled, non-specific events on the institution's business processes. The BIA phase should also determine what and how much is at risk by identifying critical business functions and prioritizing them. It should estimate the maximum allowable downtime for critical business processes, recovery point objectives and backlogged transactions, and the costs associated with downtime. The BIA also considers the impact of legal and regulatory requirements, such as the privacy and availability of customer data and the required notifications to the institution's primary federal and state regulator and to customers when facilities are relocated.
A BIA should be performed at the beginning of disaster recovery and continuity planning to identify the areas that would suffer the greatest financial or operational consequences in the event of a disaster or disruption. There are different approaches to performing a BIA. One popular approach is the questionnaire approach: the BIA team develops a detailed questionnaire and contacts the relevant business line managers for information, which is then gathered, tabulated, and analyzed. Other approaches include interviewing groups of key users, and bringing the relevant information technology (IT) and key staff together in a room to reach a conclusion about the potential business impact of various levels of disruption. The information should be gathered and documented in a clear and understandable format, which is then presented to management.
The BIA is a very important step in BCP development and a prerequisite for developing an effective BCP. Business continuity planners and IT examiners can help management build a stronger focus on the BIA and identify critical business functions, threats, and the specific loss criteria that must be applied.
2. BCP Organization Chart
Often, an organization's disaster and business recovery plan requires a structure of approval and a chain of command with specific roles and responsibilities. A pre-defined management succession list, with job descriptions, should also be available to ensure continuity of management, so that at no time will recovery operations be without appropriate authority and management. In a number of situations I've found that those structures were not developed and were missing from the BCP document. Financial institutions are responsible for fulfilling specific federal- and state-mandated requirements in order to comply with resiliency best-practice requirements. One technique for achieving this is to develop current institutional, organizational, and business continuity charts, plus a succession order, to ensure effective management during both normal and recovery operations. The organizational charts should contain:
- Bank’s organizational chart
- Network topology and telecommunication diagrams
- Bank’s security chart
- Bank’s BCP team chart
- Bank’s succession plan and matrix
- Key staff members’ job description
3. Back-up Media and Privacy Considerations
The federal banking agencies jointly issued guidelines establishing standards for safeguarding customer information, which became effective July 1, 2001. The guidelines implemented section 501 of the Gramm-Leach-Bliley Act (GLBA), which requires the agencies to establish standards for financial institutions relating to administrative, technical, and physical safeguards for customer records and information. GLBA requires each financial institution to implement effective measures to protect customer information.
Encryption of electronic customer information, whether in transit or on storage media on networks or systems, is one area that regulated institutions should consider. With or without a legal requirement, banks should still safeguard their sensitive information while it is in transit or in a storage facility. Failure to protect consumers' personal data means a loss of consumer confidence and may result in reputation risk. Management should be aware of the implications of reputation risk. The risk stems from errors, delays, or omissions in IT that become public knowledge or directly affect business partners, customers, and consumers, resulting in a loss of confidential information and potential customer withdrawals of funds.
During the summer we noticed that the numbers kept rising for consumers who were notified that their personal information had been exposed when storage media went missing from an employee's home or were lost by the carrier. These headlines came from across the U.S., and all of the stories were published this summer. Many disaster plans fixate only on the backup and rotation strategy, while ignoring the need for encryption and password protection of the sensitive data.
Typically, data leaves the door every night on backup media and equipment that are unencrypted, untracked, unsecured, and not password protected. In the age of the global economy, it is essential for business continuity planners to manage, control, and encrypt their data safely while it is in transit. Disaster recovery planners should take a good, hard look at their back-up strategies before they make the news and become a victim of reputation risk.
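The "untracked" part of that nightly hand-off is the easiest to fix. As an added illustration (not from the original article or any regulator's guidance), the following custody log fingerprints each encrypted backup image as it leaves the site, flags media that have been out longer than the rotation window, and detects a cartridge that comes back altered or substituted. It assumes the backup software has already encrypted the image; media IDs, courier names and dates are constructed sample values.

```python
import hashlib
from datetime import datetime, timedelta

# Assumption: the backup image handed to this log has ALREADY been encrypted
# by the backup software; the log only fingerprints the ciphertext so that a
# substituted or altered cartridge is caught when it comes back on site.

def fingerprint(image: bytes) -> str:
    """SHA-256 of the encrypted backup image as it left the building."""
    return hashlib.sha256(image).hexdigest()


class CustodyLog:
    """Tracks which media are off site, who carried them, and whether they came back intact."""

    def __init__(self, max_days_out: int = 7):
        self.max_days_out = max_days_out
        self.records = {}  # media_id -> record

    def check_out(self, media_id: str, image: bytes, courier: str, date: str) -> None:
        """Record a cartridge leaving the site; date is ISO (YYYY-MM-DD)."""
        self.records[media_id] = {
            "fingerprint": fingerprint(image),
            "courier": courier,
            "out": datetime.fromisoformat(date),
            "returned": None,
            "status": "in transit",
        }

    def check_in(self, media_id: str, image: bytes, date: str) -> str:
        """Record the return and compare the image against the stored fingerprint."""
        rec = self.records[media_id]
        rec["returned"] = datetime.fromisoformat(date)
        rec["status"] = "ok" if fingerprint(image) == rec["fingerprint"] else "altered"
        return rec["status"]

    def overdue(self, today: str) -> list:
        """Media still out longer than the rotation window: the 'gone missing' case."""
        now = datetime.fromisoformat(today)
        limit = timedelta(days=self.max_days_out)
        return sorted(m for m, r in self.records.items()
                      if r["returned"] is None and now - r["out"] > limit)

# Constructed sample: two cartridges leave with the nightly rotation.
if __name__ == "__main__":
    log = CustodyLog(max_days_out=7)
    log.check_out("TAPE-001", b"<encrypted image A>", "courier-x", "2007-06-01")
    log.check_out("TAPE-002", b"<encrypted image B>", "courier-x", "2007-06-01")
    print(log.check_in("TAPE-001", b"<encrypted image A>", "2007-06-04"))  # ok
    print(log.overdue("2007-06-12"))  # ['TAPE-002']
```

The overdue list is what an auditor would ask for when a carrier reports a lost shipment; the altered status is the check to run before a returned cartridge is ever reused.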
4. BCP Revision Tracking
Generally, a BCP is revised following a test and is also updated in concert with changes in the business activities it supports. At least annually, senior management, the planning team or coordinator, team members, internal audit, and the board of directors should review the plan. The business continuity planning coordinator and/or planning committee should be given the responsibility for regularly updating the BCP after plan tests and after significant changes to the operations and
As part of that review process, the team or coordinator should contact business unit managers throughout the financial institution at regular intervals to assess the nature and scope of any changes to the institution's business, structure, systems, software, hardware, personnel, or facilities. The agencies expect BCP updates to be documented to show that the plan is kept current and reflects the institution as it currently exists.
Finally, when determining what should be tracked, the business continuity planner should consider all three of the items in Figure 1 (below) important or very important.
The matrix above provides an adequate audit trail of plan revisions, maintenance, and the approval dates of the required participants. The process of summarizing the BCP revisions provides an objective overview. The secret of good tracking summaries is the care with which they are structured. From the top summary down to the individual revision items, the reader can move confidently and accurately without needing other sources to reach a conclusion; the BCP planner has already done that work.
5. Plan Distribution and Destruction
Financial institutions should ensure the revised BCP is distributed throughout the organization. Extra care should be exercised when the plan is distributed to all concerned parties. The BCP document contains sensitive information about the financial institution, and it should be adequately safeguarded. Furthermore, policies should minimize the distribution of sensitive information, including printouts that contain BCP information.
Exposure of the information contained in the BCP document could be catastrophic. The institution needs to be aware of this and take additional steps when disposing of sensitive information contained in business continuity plan records.
In particular, business continuity electronic records pose more difficult problems because even after deletion, residual data is commonly left behind. Financial institutions need appropriate disposal procedures for both electronic and paper-based media. As part of an institution’s information security program, appropriate measures should be taken to dispose of old or outdated business continuity documents.
The most common way of accomplishing this is through shredding. The guidelines require designating a single individual, department, or function to be responsible for disposal; this facilitates accountability and promotes compliance with disposal policies. Many institutions shred paper-based media on site, and others use collection and disposal services to ensure the media are rendered unreadable and unlikely to be reconstructed. Institutions that contract with third parties should use care in selecting vendors to ensure adequate employee background checks, controls, and experience. Contracts with third-party disposal firms should address acceptable disposal procedures. Periodically, security staff, audit, and data owners should review destruction procedures and distribution lists to ensure they remain appropriate and current. The disposal of business continuity information and related outdated material should meet the requirements of the GLBA 501(b) guidelines.
I only want to add a key consideration in distributing the BCP manual. There is no need to provide the full plan manual to every department head in the organization. Only the segment of the plan document with the appropriate recovery information should be available to a particular department or business line. Finally, the master copy of the BCP manual should stay with the head BCP planner for safekeeping and be available to all BCP coordinators for quick access and reference.
Management should confirm that personnel are adequately trained in their specific responsibilities under the plan(s), and that adequate processes are in place to ensure the plan(s) are distributed to the right people and are not accessible to unauthorized users. Management should consider developing a plan distribution checklist. The checklist should help banks identify who has the plan, what plan version was provided, and any other pertinent information.
6. Employees' and Humanitarian Concerns
The human concerns of business continuity are emerging as key components of an effective BCP. Plans and preparations must take human behavior into account to be effective. Ignoring human factors while focusing on technology, business needs, and data reduces the effectiveness of business continuity and recovery. When addressing humanitarian concerns, business continuity professionals should know the right questions to ask and what the answers mean. For example:
- Why should I understand human factors?
- What is to be addressed?
- What provisions have been made for those who have special needs?
- How will staff with special needs get to the recovery site?
- Who is responsible for collected data?
- Do we need temporary help to cover an unexpected staff shortage?
- How are contractors, visitors and temporary staff to be handled?
- When was the last time we tested this aspect of the plan? What was the result of the testing?
Consequently, the answers to the above questions would be formulated during the BIA process and ultimately shed some light on items such as panic situations and irrational actions, response (or lack of response) to a disaster or event, impacts on all aspects of life safety, queuing arrangements, and the interface with egress systems.
Additionally, Ready Business (www.ready.gov), an outreach program of the U.S. Department of Homeland Security, has helpful guidelines on the following topics:
- How to involve co-workers in emergency planning
- How to practice the plan with co-workers
- Guidelines to promote family and individual preparedness
- How to write a crisis communication plan to use during and after a disaster
Today, human continuity is an integral component of the BCP, and it should include resources on how to prepare employees during and after a disaster. People who have experienced a disaster may have special recovery needs. Echoing these points will no doubt be essential for an effective BCP.
7. Telecommunication and Network Diagram
The plan should document the financial institution's telecommunication networks. Today, telecommunication networks are the key to business processes in both large and small institutions; therefore, the procedures to ensure continuous telecommunication capabilities should be given a high priority. Telecommunication capabilities to consider include telephone voice circuits, wide area networks (connections to a distributed data center), local area networks (work group PC connections), and third-party electronic data interchange providers.
The critical capacity requirements should be identified in the diagram for the various thresholds of outage for each telecommunication capability, such as three hours, seven hours, or 24 hours. Uninterruptible power supplies should be sufficient to provide backup to the telecommunication equipment as well as the computer equipment.
I want to add that a key consideration in developing and completing a business continuity plan document is to ensure that, in addition to understanding the telecommunication and network infrastructure for your plan, the plan includes a telecommunication and network diagram document. Such a document is very beneficial for managing your business continuity process, and I can say that few institutions offer such documentation. My point is that having a diagram that depicts all of your financial institution's links and connections is very important for business continuity purposes.
In my work I try to use comparative examples such as, “Imagine trying to connect to your service provider data center after a line disconnection with all the maintenance procedures involved without the help of a document that explains your connection.”
Impossible to do, right?
This presents a greater risk: if part of the information needed during a contingency is missing or out of date and a disaster occurs, you will lose not only your connection but your business. It is too hard and frustrating to handle a business continuity management program without adequate documentation. In the long run, it is more costly and carries greater risk.
Finally, I recommend you review the guidelines and best practices on telecommunication and network infrastructure recovery strategies provided by FFIEC, DRII, and BCM.
Conclusion
Business continuity planning and preparedness is a critical component of every financial institution's compliance responsibilities. It is often viewed as a complex and challenging requirement.
It is important to remember that this is a fast-changing area, and new technical, threat, and regulatory developments are frequent. You should be alert to changes in regulatory requirements that may be mandated by Congress or by federal and state agencies.
Appeared in DRJ's Spring 2007 Issue