In a nutshell, allow us to serve our members with minimal disruptions. The environment we work in and the market we participate in are in a state of continuous change. New products and services are being deployed, new technologies are evolving, and we are now connected to more vendors, partners, and service providers than ever before. Our level of control over a potentially disruptive event depends on the circumstances at the moment and our ability to manage the crisis. In this 24/7 world, our corporate reputations are on the line every day. This is the drive behind the business continuity professional.
Where are we at?
The Continuity at the Core series began by defining the concepts, goals, and objectives of the BCM program and the value it can deliver if the proper steps of the program lifecycle are followed. The BIA and Threat/Risk Assessment helped us identify and prioritize those scenarios that have the greatest capacity to disrupt our most critical business functions.
The output of the BIA provides us with the appropriate recovery time and recovery point objectives (RTO/RPO) as well as Maximum Allowable Downtime (MAD) goals that all response and recovery efforts should seek to achieve. Selecting cost-effective continuity and recovery strategies helps provide the controls we need to best manage the risk and prepare us for a prompt and effective response should an incident occur.
We concluded our last entry in the series with the documented plan, which provides stakeholders with the strategies, process, and procedures for making informed decisions and conducting a response and recovery effort that minimizes impact to the organization and the members it serves. The documented plan is the playbook, the training content to ensure that all response team players are on the same page and have the same goals.
“We can invest in the best technology, write a comprehensive continuity and recovery plan, and check all of the compliance boxes, but if effective response and recovery is not a normal part of the day-to-day activities, your business disruptions will catch you by surprise, last longer than they should, and increase the level of frustration for you, your staff, and your members.”
The awareness and training program
That brings us to the next step in our journey, the Awareness and Training Program. Up until this point, participation in designing and implementing the BCM program has been limited to a select group with specific skills and knowledge, for their input and discussion related to technology and business operations. During the awareness and training stage, information about the program must be disseminated to all staff across the organization, providing at least a baseline level of awareness, with detailed instructions and training provided for those with documented roles and responsibilities within the plan. As in a cyber or incident response scenario, the weakest link is the uninformed human (staff).
To use a sports metaphor: “What is the value of having a well-designed and thought-out playbook if the players on offense and defense have not seen it or practiced the plays as a team?” I’m sure you would agree: little to no value, and it may even lead to a false sense of readiness.
Safety first
The first priority in every BCM program is the safety of personnel. At a minimum, all staff (and guests in the building) should be aware of the associated risks at the business and how they are expected to respond in an emergency or crisis. What are the appropriate procedures to follow in an evacuation or safe-shelter scenario? Where do they assemble and who should they report to? What are the procedures and safety precautions to follow when there is a power outage or a security incident at the branch office?
These are just a few examples that are covered in the Emergency Response section of the BCP. Emergency procedures should be visible (evacuation routes, etc.), communicated frequently, and practiced regularly (both planned and unplanned).
Followed by operations and information
Other scenarios are more operational. What are the manual workaround procedures to follow during a data communication outage? What is the process when the corporate phone system is unavailable? Regular awareness training is required to ensure that all personnel are equipped to make calm, prompt decisions and actions during emergency situations. Staff who are caught off guard and unprepared are more likely to demonstrate fear and panic, both to peers and members they are serving. Not the level of confidence you want demonstrated.
For those with specific roles and responsibilities identified in the BCP, additional training and cross-training are needed to ensure that they are able to carry out the required procedures in a timely and effective manner. For leaders identified as key decision-makers (i.e., Incident Manager) during a response and recovery effort, relevant and complete information must be made available early in the process, including questions to be considered in advance.
Technology recovery teams must have the appropriate skills, knowledge, and access to relevant tools to restore critical systems and networks. Roles without alternate staff listed should be addressed quickly, either by training another internal person or seeking an outsourced provider.
Personnel with the role of crisis communications (aka public relations) must have the capacity and aptitude to keep key stakeholders up to date with the recovery effort, including the public, while considering legal and reputational risk associated with statements made on behalf of the organization. Statements communicated hastily, whether facts or assumptions, are very difficult to retract. Poor timing and frequency of communications can negate a successful recovery effort through bad publicity.
“Awareness precedes action, understanding precipitates action.”
As you can see, attempting a response and recovery effort without an effective awareness and training program may be an even greater risk than the incident itself. So where does one begin? How does one create an effective awareness and training program, or if they have one, how do they know it is sufficient? That process starts with a needs assessment to identify the current state of the program and gaps in skill sets that need to be addressed. This may be a great opportunity to reach out and engage with a Business Continuity Professional consultant who can help you design the roadmap, so that you better understand where you are today and have a plan to get to the desired target state.
Successful awareness and training programs often will follow a similar format to existing training programs and are aligned with overall corporate goals and objectives. The key to embedding continuity and resilience into the culture of the organization is to incorporate the principles, concepts, goals, and objectives into the everyday language, conversations, and meetings across the organization. Training content should be designed with the target audience in mind, whether for the frontline staff, IT, HR, Management, Board of Directors, etc. Educational and training resources are available, including online learning, webinars, conferences, user groups, and certifications.
Tools to help you measure the effectiveness of your awareness and training program include testing and exercising, which happen to be the focus of the next article in this series. Scenario-based walkthrough exercises and simulation drills can help improve overall readiness and provide opportunities to practice until proficient. The frequency of awareness and training activities should depend on the size and complexity of the organization.
Success factors for maintaining an effective program include: