The Risk Assessment helps us identify and plan for likely scenarios that pose the greatest threat to the most crucial business activities. Armed with the information gathered during the BIA, we are able to establish our recovery time and recovery point objectives (RTO/RPO).
Managing the crisis
Crisis or incident management is the process that enables the response team to acknowledge a crisis, activate the business continuity plan, and manage the emergency procedures. Crisis management includes the ability to recover from a significant disruptive event through leadership and communication. Not every incident warrants a crisis management response. Management should consider the impact of the event on the organization’s reputation and the safety of personnel. For example, management may declare and invoke crisis response procedures during a natural disaster (e.g. hurricane), a cyber attack (e.g. ransomware), or another high-profile event.
The crisis management section of the plan should address coordination with regulatory agencies, local and state government offices, law enforcement, and emergency first responders. Scenarios should detail disruptions and not be confined to a specific event or geographic area. In a crisis scenario, designated personnel should be authorized to make informed decisions in a timely manner. Key personnel may include:
- Senior management (event leadership)
- Facilities management (safety and physical security)
- Human resources (personnel issues and travel/lodging)
- Public relations (crisis communications)
- Accounting (funds disbursement, equipment acquisition, unanticipated expenses)
- Legal/compliance (legal and regulatory)
- IT (information security, operations)
For a financial institution, the plan should detail processes to address potential cash and liquidity needs during disruptive events. For example, during a natural disaster like a hurricane, power and communications systems such as ATMs, POS hardware, or debit/credit card systems may fail, requiring cash to fulfill customer and business needs. Arrangements to help meet liquidity needs may include: emergency borrowing access, alternate cash deliveries, procedures to secure, deliver, and distribute funds, temporary purchase approval guidelines, expense reimbursement options, and higher limit credit or separate checking accounts for those authorized to sign checks in emergency scenarios.
Carefully walking through the stages of a recovery effort or combing through notes or case studies from prior disaster events can help your team identify those steps and procedures often forgotten until the incident occurs.
Documenting the business continuity program
We’ve now reached the stage where we document our policies, procedures, and plans so that the information can be disseminated throughout the organization (awareness and training) and so that the content of the business continuity plan can be tested for accuracy, relevance, and completion. Both training and testing will be covered in future articles. For now, our focus is on designing and documenting the plan.
When designing the Business Continuity Plan, we want to address the safety of personnel (staff and guests), the security of data, and the protection of assets. To accomplish this, the plan should include emergency response procedures, steps for managing the crisis or event, and the recovery of facilities and IT.
Blending these components into a cohesive plan with the proper “flow” requires a level of business writing skill and input from the training and education departments. The most effective plans are those designed with formatting and language similar to other staff training documentation. Embedding business continuity awareness principles into the culture of the organization is instrumental to strengthening operational resilience.
The table of contents for a sample credit union Business Continuity Plan might look like this: