
Business Continuity Plan Services

The threat of disaster and catastrophic business impact has never been more apparent than in the past decade. The FFIEC has established specific requirements for all financial institutions (and affiliated technology service providers) to establish and maintain effective business continuity, pandemic response, and IT disaster recovery programs. A technology solution on its own is no longer sufficient for an institution's resiliency stance and its capability to recover operations, nor is it the only element required for regulatory compliance and effective recovery and continuity capability. The complexity of business and resiliency planning, combined with a lack of internal resources for development and maintenance, creates deep challenges for an institution's ability to develop, train, maintain, integrate, and execute a viable and compliant business continuity program. HEIT's Business Continuity Group is uniquely positioned to help your institution address these needs.


Business Continuity Plan

This module consists of a full BCP risk assessment (IT, Facility, Operations, BCP Preparedness), Business Function Impact Analysis, strategic development and disaster prevention, detection, response policies, and procedures replete with full business continuity considerations, resources, and management. The BCP program focuses on the continuity of the business operations during an interruption whereas DR deals with the recovery of IT infrastructure resources, connectivity and network operations and is therefore a separate module for operations (development and execution).

Note: The BCP solution provides a compliant and viable operational business continuity methodology, development process, and policy and procedure standards. It also incorporates many of the required policy tenets for IT DR and pandemic considerations; however, it does not fully incorporate all regulatory-required strategic, development, procedural, and execution aspects, because those modules require different risk, BIA, development, and execution methodologies than the BCP.

The tenets of HEIT’s BCP Program exceed the minimum regulatory requirements for Disaster Recovery and Business Continuity by leveraging FFIEC regulatory mandates, NIST guidance, and BCP/DR industry best practices into a cohesive and unified solution. The development cycle is focused on providing a knowledge base and process to all participants, ensuring the program does not just become another bookshelf paper relic in a year’s time. Our approach guides our clients through the requirements and methodology, assisting with the customized development of a truly viable, compliant, and maintainable program. Each phase of the BCP Program engagement is identified and broken into components to detail how they apply to federal requirements, industry best practices, and your institution’s objectives.


  • Phase I – Engagement Initiation and Management Phase
  • Phase II – Risk Identification, Management, and Functional Requirements
  • Phase III – Client Risk Evaluation and Control
  • Phase IV – BCP Strategy Development
  • Phase V – Emergency Response and Operations
  • Phase VI – BCP Development and Implementation
  • Phase VII – Awareness and Training
  • Phase VIII – Plan Maintenance

IT Disaster Recovery Plan (IT DR)

This module focuses primarily on the recovery capability of the technology infrastructure of the institution. DR is about the recovery of physical assets and infrastructure and BCP is about the continuity of the business during an interruption. Technical operations are unique as they have very tight Recovery Time Objectives (RTO) and therefore require a separate initiative for inclusion into the overall BCP. This module consists of an IT function and resource risk assessment, IT function business impact analysis, inventory effort, strategy development, and disaster recovery policies and procedures (process mapping and scripting). HEIT will require access to your IT staff and any affiliated technology service provider to ensure complete recovery requirements and technical details are included in the IT DR Plan.


Pandemic Preparedness Program

The threat of a pandemic looms constantly over the human condition. Devastating effects with immense impact have been recorded for over two centuries. As shown in the graph below, pandemics are a recurring theme in the evolution of the species. Unlike natural disasters, technical disasters, malicious acts, or terrorist events, the impact of a pandemic is much more difficult to determine because of the anticipated difference in scale and duration. Traditional disasters and disruptions normally have limited durations, whereas pandemics generally occur in multiple waves, each lasting two to three months. Additionally, typical disasters are restricted to a geographical area, but a pandemic is a fluid event that can cross borders, oceans, and continents at the speed of jet aircraft with little or no resistance. Pandemic outbreaks may occur simultaneously throughout the country, making the reallocation of human and material resources more difficult than in other disaster or emergency situations.

On November 1, 2005, the White House issued the National Strategy to discuss the threat and potential impact of a pandemic influenza event. It also identified the roles and responsibilities of the federal government, the private sector, and others. The National Strategy states that the "private sector should play an integral role in preparedness before a pandemic begins, and should be part of the national response." Financial institutions and their service providers supply essential financial services and, as such, should consider their preparedness and response strategy for a potential pandemic. The main components of the National Strategy address:

  • Preparedness and Communication: Activities that should be undertaken before a pandemic to ensure preparedness and the communication of roles and responsibilities to all levels of government, segments of society, and individuals.
  • Surveillance and Detection: Domestic and international systems that provide continuous “situational awareness” to ensure the earliest possible warning to protect the population.
  • Response and Containment: Actions to limit the spread of the outbreak and to mitigate the health, social, and economic impacts of a pandemic.

HEIT has developed a program that addresses all aspects of the regulatory requirement and the best practices set forth by the FFIEC, the Centers for Disease Control, the World Health Organization, and numerous other industry experts. Our methodology leverages existing BCP/DR elements and incorporates the human aspect (strategy, training, resiliency, response, and operational continuity) with regard to pandemic impact and enterprise resiliency and response.


IT Functional Testing

HEIT IT professionals, together with the Risk Management Group subject matter experts, can assist with the development and annual execution of the required operational and IT functional failover BCP test requirements. HEIT professionals will assist in the development, success factors, execution, risk identification, and reporting of the institution’s formalized IT Disaster Recovery Program according to FFIEC regulatory mandates. The testing scenarios will include impacts to staffing, technology, and facilities.


BCP Recurring Confidence Program (RCP)

To ensure effectiveness, compliance, and continued viability, the RCP includes regularly scheduled evaluations, re-assessments, maintenance, and exercises. Updates to the plan are implemented through a formalized process including semi-annual attended BCP Committee Meetings, change control procedures, preparedness, and consulting efforts. As a result, the RCP option aids in maintenance, training, testing, exercising, and compliance of the selected solution(s) and ensures that the institution is effectively prepared and fully capable to successfully respond to any compliance exam, outage, or disaster event.

The recurring program continues the relationship between HEIT’s BCP subject matter experts and the institution for 3 or 5 years, thus establishing repeating phases that include the following attributes:

  • Annual compliance and risk assessments
  • Annual readiness/preparedness evaluation
  • Employee training materials and leadership
  • Annual BIA reviews and updates
  • Consulting and support
  • Annual Table Top Exercises replete with reporting and recommendations documentation
  • Regular compliance updates and modifications to the plan per FFIEC requirement changes and new best practices
  • Scheduled document maintenance and reviews


What Will Your BCP Review Include?

Operating disruptions can occur with or without warning, and the results may be predictable or unknown. Because financial institutions play a crucial role in the United States economy, it is important their business operations are resilient and the effects of disruptions in service are minimized in order to maintain public trust and confidence in our financial system. Effective business continuity planning establishes the basis for financial institutions to maintain and recover business processes when operations have been disrupted unexpectedly.

HEIT will review the adequacy of the institution’s Business Continuity Plan in accordance with the FFIEC mandates and the following objectives:

  • Determine examination scope and objectives for reviewing the business continuity planning program.
  • Determine the existence of an appropriate enterprise-wide business continuity plan.
  • Determine the quality of BCP oversight and support provided by the board of directors and senior management.
  • Determine if an adequate business impact analysis (BIA) and risk assessment have been completed.
  • Determine if appropriate risk management over the business continuity process is in place.
  • Determine whether the BCP(s) include(s) appropriate testing to ensure the business process(es) will be maintained, resumed, and/or recovered as intended.
  • Determine if the information technology environment has a properly documented BCP that complements the enterprise-wide and other departmental BCPs.
  • Determine whether the BCP(s) include(s) appropriate hardware backup and recovery.
  • Determine whether the business continuity process includes appropriate data and application software backup and recovery.
  • Determine whether the BCP(s) include(s) appropriate preparation to ensure the data center recovery processes will work as intended.
  • Determine that the BCP(s) include(s) appropriate security procedures.
  • Determine whether the BCP(s) address(es) critical outsourced activities.

© 2002-2010 HEIT, Inc.