Continuity at the Core: a Risk-Based Approach to Planning


In the previous article, we began our look inside the Business Continuity Management (BCM) program at a core data processor and CUSO by identifying six stages in the BCM development life cycle process. In this article, we will focus on the first stage, the Business Impact Analysis (BIA) and Risk/Threat Assessment, and the value it offers when performed within the boundaries defined by the business goals and objectives.

Understanding the process

If the desired outcome of a Business Continuity Management program is to ensure that the organization’s critical business functions (activities) will either continue to operate despite serious incidents or disasters that might otherwise interrupt them, or will be recovered to an predefined minimal operational state within an acceptable period of time, then there are four questions we must answer:

  1. What are our “critical” business functions?
  2. What is our exposure to “serious incidents or disasters”?
  3. What can be done to prevent or mitigate the risk?
  4. What is our plan to respond and recover?

First, we will use the Business Impact Analysis to identify and prioritize business functions and the technology that supports them. Next, we will perform a Risk/Threat Assessment to measure our exposure, uncover areas to mitigate risk with the implementation of cost-effective controls, and create a list of likely scenarios to plan for.

As a CUSO and core data processor, it’s important to approach these questions both from the customer’s perspective (credit union) and from a service provider’s perspective (delivery of products and services including the ability to support them). This is required in order to balance risk with the cost of prevention, mitigation, and contingency solutions. If impact is measured solely from a revenue standpoint as a CUSO, not factoring in the impact to the credit union and its ability to serve the member base, we risk violating the trust inherent to the cooperative relationship.

The FFIEC identifies five steps to the BIA process as:

  1. Assessment and prioritization of all business functions and processes, including their independencies (internal and external) and the supporting technology, as part of a workflow analysis.
  2. Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the business functions and processes over time.
  3. Identification of the legal and regulatory requirements for the business functions and processes.
  4. Estimation of maximum tolerable downtime (MTD) as well as acceptable level of losses associated with the business functions and processes.
  5. Estimation of recovery time objectives (RTO), recovery point objectives (RPO), and recovery of the critical path.

The critical path refers to those processes and functions that must be in place on time to avoid delays in implementing the full business continuity and disaster recovery plan. The more critical the path infrastructure you have in place in advance of a disruption, the more likely your organization will be able to recovery in a timely manner. With tolerance for downtime continually shrinking, strategies that include fully quipped hot-sites or redundant data centers, whether physical or cloud-based, are becoming the norm. This includes not only redundant systems and infrastructure, but also monitored and tested backup connectivity to client credit unions as well as third-party EFT vendor networks.

Assigning level of importance

Once all business functions (activities) have been identified, often through a survey and interview process with all business units, they are categorized based on impact to the organization in the event of a disruption. An example method for categorizing is as follows:

  • Non-essential (acceptable downtime of 30 days or more)
  • Normal (acceptable downtime up to seven days)
  • Important (acceptable downtime up to 72 hours)
  • Urgent (acceptable downtime up to 24 hours)
  • Critical (acceptable downtime up to 8 hours)

With the prioritized business function list in hand, an evaluation can be performed to see if existing controls in place are sufficient to recover and restore the listed functions within the acceptable amount of time. Any gaps and shortcomings should be addressed to see where improvements can be made. Consider how quickly equipment can be replaced in the event of a hardware failure. If your warranty states, “next business day” and your RTO is identified as “up to 8 hours,” that business function (and any other process that depends on it) is at risk.

We can then assess the exposure to risk from disruptive threats, whether natural (e.g. fires, floods, severe weather, pandemics…), man-made (e.g. sabotage, fraud, theft), or technical (e.g. power, communications, or software failures).

Al threats should be measured based on probability (inherent and residual) as well as impact to the organization (over time). The threat assessment process will identify the likely scenarios that should be included in the business continuity plan.

Looking forward

The Business Impact Analysis and Threat/Risk Assessment are the first steps in building an effective Business Continuity Management Program. With the information gathered from this step, we can now evaluate existing continuity and recovery strategies in place and identify gaps and weaknesses that must be addressed. This will be the topic of the next article in this series.

If you have any questions about building a Business Continuity Management program at your organization, I can be reached at my contact information below.

*A framework for this process is provided by the FFIEC in the recently revised Business Continuity Management IT Examination Handbook.


Your email address will not be published. Required fields are marked *