Continuity at the Core: Documenting Your Response Plan

0

If you’ve been reading along in this series, you will recall that in the first article, we introduced the stages of the Business Continuity Management (BCM) program life cycle and identified the benefits of following the time-tested steps in the program development process. Cutting corners may get you to the finish line more quickly, but the outcome will be an incomplete program and ineffective strategy, putting your organization at risk during an outage that will likely result in a costly recovery effort and more operational downtime than is necessary.

History has shown that the market acknowledges disasters will occur. Hurricanes, wildfires, and global pandemics are going to happen. What the market finds unacceptable are the ill-prepared financial institutions with unreliable member services. Fortunately, demonstrating your level of preparedness may be as simple as having a well-developed, documented, and test-validated Business Continuity Plan.

In part two of this series, we focused on the Business Impact Analysis (BIA) and Risk/Threat Assessment. In part three of this series, we discussed continuity and recovery strategies that enable us to continue serving our members during a disruptive event through the use of redundant components or alternate/workaround processes, and to respond in a prompt and effective manner to bring operations back to normal in an acceptable timeline.

In this article, we asked four key questions that are instrumental in our strategy to manage risk and develop our response plan. For a review, these questions are:

  1. What are our “critical” business functions?
  2. What is our exposure to “serious incidents or disasters”?
  3. What can be done to prevent or mitigate the risk?
  4. What is our plan to respond and recover?

The Risk Assessment helps us identify and plan for likely scenarios that pose the greatest threat to the most crucial business activities. Armed with the information gathered during the BIA, we are able to establish our recovery time and recovery point objectives (RTO/RPO).

Managing the crisis

Crisis or incident management is the process that enables the response team to acknowledge a crisis, activate the business continuity plan, and manage the emergency procedures. Crisis management includes the ability to recover from a significant disruptive event through leadership and communication. Not every incident warrants a crisis management response. Management should consider the impact of the event on the organization’s reputation and safety of personnel. For example, management may declare and invoke crisis response procedures during a natural disaster (e.g. hurricane), a cyber attack (e.g. ransomware), or other high-profile event.

The crisis management section of the plan should address coordination with regulatory agencies, local and state government offices, law enforcement, and emergency first responders. Scenarios should detail disruptions and not be confined to a specific event or geographic area. In a crisis scenario, designated personnel should be authorized to make informed decisions in a timely manner. Key personnel may include:

  • Senior management (event leadership)
  • Facilities management (safety and physical security)
  • Human resources (personnel issues and travel/lodging)
  • Public relations (crisis communications)
  • Accounting (funds disbursement, equipment acquisition, unanticipated expenses)
  • Legal/compliance (legal and regulatory)
  • IT (information security, operations)

As a financial institution, the plan should detail processes to address potential cash and liquidity needs during disruptive events. For example, during a natural disaster like a hurricane, power and communications system may fail such as ATMs, POS hardware, or debit/credit card systems, requiring cash to fulfill customer and business needs. Arrangements to help meet liquidity needs may include: emergency borrowing access, alternate cash deliveries, procedures to secure, deliver, and distribute funds, temporary purchase approval guidelines, expense reimbursement options, and higher limit credit or separate checking accounts for those authorized to sign checks in emergency scenarios.

Carefully walking through the stages of a recovery effort or combing through notes or case studies from prior disaster events can help your team identify those steps and procedures often forgotten until the incident occurs.

Documenting the business continuity program

We’ve now reached the stage where we document our policies, procedures, and plans so that the information can be disseminated throughout the organization (awareness and training) and that the content of the business continuity plan can be tested for accuracy, relevance, and completion. Both training and testing will be covered in future articles. For now, our focus is on designing and documenting the plan.

When designing the Business Continuity Plan, we want to address the safety of personnel (staff and guests), the security of data, and the protection of assets. To accomplish this, the plan should include emergency response procedures, steps for managing the crisis or event, and the recovery of facilities and IT.

Blending these components into a cohesive plan with the proper “flow” requires a level of business writing skills and input from the training and education departments. The most effective plans are those designed with formatting and language similar to other staff training documentation. Embedding business continuity awareness principles into the culture of the organization is instrumental to strengthening operational resilience.

The table of contents for a sample credit union Business Continuity Plan might look like this:

  • Introduction (policy statements)
    • Scope and objectives
    • Awareness and training
    • Testing plan
    • Audit plan
    • Succession plan
  • Corporate Environment (overview)
    • Locations (sites)
    • Critical business functions
    • Core-processing (online or inhouse)
    • Critical outsourced vendors
      • Check processing, payments, ATM/ACH, cash management, etc.
      • Contact center, bookkeeping, payroll, benefits, etc.
  • Recovery at a Glance (high-level)
    • Impact due to loss of Main Office
    • Impact due to loss of data center
    • Impact due to loss of Branch
    • Impact due to loss of critical vendor service
    • Alternate recovery options
    • Hot/warm/cold/mobile sites
      • Reciprocal agreement
    • Additional workaround strategies
  • Recovery Timeline
    • Stages of a typical recovery
    • Criteria for declaring a disaster
  • Crisis Management Plan
    • Crisis Management Team
      • Roles and responsibilities
    • Emergency Response Plan and Procedures
      • Scenarios
    • Evacuation (fire/gas leak, explosion, etc.)
    • Shelter-in-place (severe weather)
    • Hurricane
    • Earthquake
    • Flood/water damage
    • Power outage
    • Pandemic/mass absenteeism
    • Cybersecurity incident
    • Etc.
  • Crisis Communications
    • Methods for communicating with key stakeholders
    • Prepared scripts and templates
  • Disaster Recovery Plan (Facilities and IT)
    • Loss of site
    • Loss of data/voice communications
    • Loss of network/infrastructure
    • Loss of system/server
    • Loss of PC/workstation
    • Etc.
  • Appendices
    • Emergency contact information
      • Staff and families, Board of Directors, etc.
      • Vendors, emergency responders
      • Call trees
    • Network diagrams
      • Recovery procedures
    • Vital records
      • Off-site storage
      • Etc.

The scope and level of detail included in the documented plan should align with the size and complexity of the organization, its operations, and relationships with external vendors. Select staff from all business units should contribute to the development of the plan and implementation (whether internally or outsourced). The completed plan and supporting documentation should be stored so that it is readily accessible by personnel during adverse, disruptive events.

Tools for creating and maintaining the plan range from a standard Microsoft Word or compatible document to a relational database application maintained by multiple contributors. The finished plan should be easy to read and digest, not intimidating to those with specific roles and responsibilities during a recovery effort. The plan itself will not restore your business operations during a disaster or disruptive event, but the people assign to execute the plan. Keep that in mind when designing the plan.

How to know when your business continuity plan is complete?

For anyone who has been responsible for maintaining the business continuity plan, you know that this is a trick question. From some perspectives, the plan is never quite finished. It’s a living and dynamic document that reflects your operations today but must be continuously updated as the environment changes around us, whether inside our facilities, our external networks, or the threat landscape at large.

Before we close this article, here is a checklist that is often used to help you know when your plan is ready for the next step in the process, one that is likely to pass the auditor’s and examiner’s scrutiny:

  • Is the plan based on a comprehensive BIA and risk/threat assessment?
  • Does the plan specify which immediate steps should be taken during a disruption and what considerations should prompt invoking the plan?
  • Does the plan provide key information that enables effective decision-making based on the changing circumstances of the disaster or service disruption?
  • Does the plan establish a timeline for restoring critical systems compatible with established RTO/RPO?
  • Does the plan provide pre-event planning and preparation guidance?
  • Does the plan identify multiple alternate methods of communications with internal and external stakeholders (including members) during a crisis?
  • Does the plan include up-to-date emergency contact information for key external and internal stakeholders?
  • Does the plan include the restoration process of key servers and systems (Email, imaging, file/print, etc.)?
  • Does the plan address the preservation and ability to restore vital records?
  • Is the plan appropriate for the size and complexity of the organization?

In the next article in this series, we will look at disseminating the documented plan and preparing your staff to execute the procedures it contains through an effective awareness and training program.

If you have any questions about building a business continuity management program at your organization, I can be reached at my contact information below.

Author


  • Vice President, Business Continuity, CU*Answers

Your email address will not be published. Required fields are marked *