Welcome to the first in a series of articles designed to give you an inside look at the Business Continuity Management (BCM) program at a core data processor and CUSO for a network approaching 300 credit unions with more than 2.5 million members. As Vice President and Manager of Business Continuity Services, my job involves working closely with each business unit across the organization to implement the appropriate strategies, maintain the documented policies and procedures, and coordinate the activities designed to manage the risk of business disruptions that could impact our ability to serve our credit unions, and ultimately their members. Whether the threat involves a weather-related scenario, failure of technology, or cyber-attack, it is critical that trained staff and test-validated plans are in place to ensure a prompt and effective response.
Approaches for creating business continuity
Today’s credit union members demand a wide range of financial services available from multiple devices with 24/7 access. State and federal regulators insist that those services function from within a secure and reliable environment to protect member information. Accomplishing this within budgeted resources requires a comprehensive structured approach with clear goals and objectives. Perhaps the single, largest factor for the progress in our business continuity program has been an approach with a cooperative mindset, where all parties involved participate in the planning process from partner CUSOs to vendors and especially the credit unions themselves.
With shrinking tolerance for downtime, the focus of business continuity seeks to minimize the impact of disruptive events through the implementation of controls and development of alternate or workaround methods for performing critical business functions where controls are not available or cost-effective. A significant portion of this involves strategic planning and an investment in technology to limit single points of failure, address potential bottlenecks, and provide the ability to scale to meet the fluctuating capacity demands regarding network bandwidth, number of users and transactions, and the exploding data storage requirements.
The BCM life cycle and benefits
Before this can occur, several steps must be performed as part of the BCM program life cycle*. This involves a: (1) Business Impact Analysis and Threat Assessment to identify a prioritized list of scenarios to plan for and to understand the potential impact to business operations, should those scenarios occur. Armed with this information, (2) Continuity and Recovery Strategies can be evaluated and implemented based on a cost/benefit analysis. The processes and procedures surrounding the strategies are included in the documented (3) Business Continuity Plan and disseminated to staff and response team as part of an (4) Awareness and Training campaign.
To validate the accuracy and completeness of the plan, as well as the ability of the response team, regular (5) Recovery Exercises and Testing are performed. Weaknesses and modifications identified during testing are corrected and procedures updated as part of the (6) Plan Maintenance process. We will address each of these steps in more detail, both at the core data processor and at the credit union, in future articles within this series.
As stated above, this is a life cycle approach that is repeated regularly with the goal of continuous improvement. The benefit and value to the organization of a finely tuned BCM program include:
- Enhanced ability to anticipate and plan for disruptive events
- Aid in limiting the loss of assets, revenue, and members through reliable service and effective communications
- Helps to satisfy legal or regulatory compliance requirements
- Mitigate the negative effects of disruptions to business operations
- Minimize confusion and enables effective decisions during a crisis
- Facilitate a timely recovery of critical business functions
- Maintain the public image and reputation of the organization
- Ensure the survival of the organization
Don’t stop looking for ways to improve
My goal in sharing details about our BCM program and what we’ve learned over the years developing it is to encourage you to review your program, whether you’re a CUSO, a credit union, or a vendor who serves the industry, and identify opportunities for improvement that strengthen the resilience of your business operations and provides a positive experience for your growing member base.
The path from the core processor to the end user has many connected points in between. Multiple relationships are required where data is shared and applications are integrated. Working together with a cooperative spirit, credit unions have a distinct competitive advantage, even in the area of business continuity.
Be sure to watch for the next article in this series where I will talk about and demonstrate the importance of conducting the Business Impact Analysis and Threat Assessment.
*A framework for this process is provided by the FFIEC in the recently revised Business Continuity Management IT Examination Handbook.