Business Continuity: A History

Meeting FFIEC Requirements –
Conducting your Business
Impact Analysis
January 29th 2013
Don Stewart, MBCP, MBCI, CCP
Senior Business Continuity Professional
Test
Copyright 2010 Ongoing Operations
Plan.
Prepare.
Protect.
About Ongoing Operations
• Leading provider of business continuity services to
credit unions nationwide
• CUNA Strategic Services provides credit unions with
access to quality products, services and technologies
through 3rd party providers such as Ongoing
Operations
• OGO facilities
– Phoenix, Arizona
– Longmont, Colorado
– Hagerstown, Maryland
– Thousand Oaks, California
The OGO Difference
• Focus on making business continuity planning
an organization wide initiative and process
• Holistic - People, Processes AND Technologies
• Financial Impact Analysis (FIA) as well as
Threat and Business Impact Analysis (BIA)
• Award winning BCP software platform
• Certified Professional Staff
Key Outcomes
• Discuss FFIEC Requirements regarding Business
Continuity Plan / Business Impact Analysis (BIA)
• Financial Impact Analysis (FIA)
component, Enterprise Threat
Assessment, Business Impact Analysis
• Using the results to develop a stronger Business
Continuity Program and to provide Continuity of Service
to our Members NO MATTER WHAT HAPPENS!
FFIEC Requirements related
to Business Continuity Plan /
Business Impact Analysis
Goal of Business Continuity Plan
• Minimize financial losses to the institution
– BIA to identify business processes with potential for greatest
impact (including Threat and Financial Impact Analysis)
• Continue member service with minimal interruption
– Focus on “Continuity of Member Service”
• Mitigate negative effects of disruption on Operations
– Solutions include redundancy, failover, resiliency, procedural
documentation and manual alternative procedures
– Prioritize implementation of solutions
Board & Senior Management
Responsibilities
• Oversee the BCP Process
• Establish policy for managing risks
• Personnel and financial allocation
• Annual review of the program
• Support employee training and awareness
• Ensure regular enterprise-wide testing of the BCP
• Review BCP testing program and test results
• Support continual updates to keep program
Objectives to include in plan
• Include recovery, resumption and maintenance of the
business – not just technology
• Enterprise-wide BCP and prioritization of business
objectives and critical operations essential for recovery
• Integration of role in financial markets
• Regular updates based on changes in business
processes, audit recommendations and lessons learned
• Cyclical process-oriented approach including BIA,
Threat Assessment, Risk Management, Vendor
Management, and the Exercise life-cycle
The BIA
• Assess and prioritize business functions and processes
• Identify potential impact of business disruptions on
the business functions and processes
• Identify legal and regulatory requirements of the
business functions and processes
• Estimate maximum allowable outages and acceptable
level of losses associated with functions and processes
• Estimate RTOs and RPOs
The Threat Assessment
• Evaluate BIA assumptions using various
threat scenarios
• Analyze threats based on impact to
institution, members and financial market
• Prioritize potential business disruptions based on
severity which is determined by impact on operations
and probability of occurrence
• Perform “gap analysis” that compares existing BCP to
policies and procedures to be implemented based on
prioritized disruptions and resulting impact
Threat/Risk Management
• Based on comprehensive BIA, Threat,
and Risk Assessment tools
• Documented with audit trail
• Reviewed and approved by Board
and Senior Management annually
• Disseminated to employees
• Properly managed when outsourced to 3rd party
• Specific regarding what conditions should prompt
implementation of the plan and the process for
invoking it
Event Management
• Immediate steps should be taken during a disruption
• Flexible for unanticipated scenarios and changing
internal conditions (all hazards approach)
• Focused on impact of various threats that could
potentially disrupt operations (specific event docs)
• Developed based on valid assumptions and
interdependencies
• Effective in minimizing disruptions and financial loss
through implementation of mitigation strategies
Exercising the program
• Incorporate BIA and Threat Assessment into BCP and
Exercise Program life-cycle
• Develop enterprise-wide exercise program
• Assign roles and responsibilities for exercise program
• Complete at least annual exercise of the BCP (this is
much more than the annual IT/DR exercise)
Exercise life-cycle
• Senior Management and BOD evaluate program and
exercise results
• 3rd party audit/assessment of exercise results
• Revise BCP and exercise program based on operational
changes, audit and examination recommendations, and
test results
Integrate Policies & Standards into
the BC Planning Process
• Security Standards
• Project Management
• Change Control Policies
• Data Synchronization/backup Procedures
• Crisis Management
• Incident Response
• Employee Training
• Notification Standards
• Insurance
• Government and Community
Financial Impact Analysis
FIA Tool
• Potential financial impact
• Uses your 5300 Report and NCUA statistics on what the
impact of actual events has been
• Available to use at www.ongoingoperations.com
• Executive team MAO!
What does the FIA measure?
• Delinquency Risk
• Daily Transaction Risk
• Fee Income Risk
• Check & ACH Risk
• Daily Loan Risk
• Reputational Risk
Delinquency Risk
Daily Transaction Risk
Fee Income Risk
Check & ACH Risk
Daily Loan Risk
Reputational Risk
Using the BIA results to
develop a stronger BCP
BIA Outcomes
• Core to your planning process
• Meet regulatory and audit requirements
• Senior Management Support
• Top ranked Threat items with plans to protect, assign,
accept or eliminate the threat
• Creation of an IT recovery plan that uses the outcome
of the BIA to establish a priority for recovery – must
include an annual life-cycle of testing/exercising for all
critical systems and connectivity
Exercise your plan
• Critical processes and locations
– Is the plan to work from home or alternate site? Perform
processes from the alternate location
– What processes are included
– Who is involved in the exercise
• Successful exercise?
– Issues occurred and revisions assigned for additional exercise
– Everything was smooth and all goals were achieved
Strategy
• Integrate DR and BCP into daily operations
• Separate the roles of DR Administrator and BCP
Administrator
Don Stewart, MBCP, MBCI, CCP
Senior Business Continuity Professional
www.ongoingoperations.com