Welcome to the seventh and final article in the series “Continuity at the Core.” In this series, I have attempted to share with you the time-tested structured process of designing, implementing, and maintaining an effective Business Continuity Program, with examples drawn from my experience at a credit union core processor and CUSO, serving more than 300 credit unions across the country. The principles of Business Continuity Management (BCM) span all industries for organizations small and large. The steps we address in this series are applicable at a core processor with multiple data centers as well as the financial institution with one or more branch locations.
First, let’s review the steps or stages in the BCM lifecycle that enable us to create a robust and effective program, building on previous investments and efforts, while remaining aligned with business goals and objectives.
- Business Impact Analysis and Threat Assessment – to identify a prioritized list of disruptive scenarios to plan for and to understand the potential impact to business operations, should the scenario occur.
- Continuity and Recovery Strategies – to evaluate, select, and implement controls and procedures, based on a cost/benefit analysis, that provide the desired level of protection including response capabilities for recovery within agreed upon Recovery Time and Recovery Point Objectives (RTO/RPO).
- Business Continuity Plan Development – to document the procedures and strategies required for the recovery of critical business functions and the technology that supports them, specific to predetermined (likely) scenarios.
- Awareness and Training – to provide regular and effective training for all staff, from the awareness level for emergency procedures to specific detailed instructional training for those with specific roles and responsibilities as documented in the Business Continuity Plan.
- Recovery Exercises and Testing – to validate the accuracy and completeness of documented procedures and strategies as well as for training and testing the capabilities of the response and recovery teams.
- Plan Maintenance and Improvement – to ensure the relevance of the Business Continuity Plan to current operations and changing threat landscape, as well as the readiness of response and recovery teams for the overall resilience of the organization.
If you’ve been following along in this series, you’ve seen how each step in the process provides valuable information for the next, keeping the project on track towards the goals and objectives set at the beginning. If you missed any of the prior six articles covering each step, please follow the link provided above for more information.
The initial pass through the steps of the BCM lifecycle typically requires more time and resources than subsequent iterations will. Over time, a repeatable process will naturally evolve that shortens the effort and maximizes results. Some may be tempted to jump ahead or take shortcuts, often the result of an imposed deadline or of undervaluing the importance of the program to the organization. To do so is to risk creating a false sense of security and settling for a recovery effort that takes longer than needed and is more expensive than planned.
Plan and program maintenance
The Business Continuity Plan (BCP) is a “living” document that must be updated frequently to ensure it remains relevant to business operations. Likewise, your Business Continuity Program must be tested and practiced regularly. When neglected, the plan and level of preparedness will atrophy over time. Your policy should identify when the BCP is to be reviewed and updated and by whom. An independent review is encouraged to offer a fresh perspective and insight. The plan and program should be updated at least annually or more frequently if changes occur in the areas of:
- Potential threats and risks (e.g. frequency or severity of storms, increased cyberattacks, etc.)
- Business strategies, operations, functions, or processes (both internal and external vendors)
- IT systems or network architectures (both internal and external vendors)
- Weaknesses or deficiencies based on audit recommendations or regulatory changes
- Lessons learned during recovery exercises and from the adverse effects of actual incidents, whether planned or unplanned (these include identifying any failures, determining causes, evaluating potential solutions, implementing timely corrective actions as appropriate, and recording and reviewing the corrective actions taken)
If any of the above is true, follow the steps in the BCM lifecycle to properly update the plan. Determine whether any business functions have been added (or omitted) and how critical each is to your ability to serve your members. Reevaluate the RTOs and RPOs and the capability of the strategies in place to meet them. Has the probability or impact of any threat or risk changed since the last assessment? If so, what controls should be considered to help mitigate the risk?
Areas within the Business Continuity Plan that are updated most often include operational requirements, security requirements, technical procedures, vital records, staff and vendor emergency contact information, alternate and off-site facility requirements, and hardware, software, and other equipment.
*Reference the FFIEC IT Examination Handbook on Business Continuity Management for more information.
As part of the plan maintenance process, always maintain version control of key business continuity documents and ensure the most recent versions are readily available to appropriate personnel in a timely manner. The level of detail in the plan should be commensurate with the nature and complexity of business operations and include evidence of periodic updates to the BIA, risk assessment, and policies and procedures. Documenting control measures, including storage, retention, and disposal, should be part of your overall vital records preservation program.
After updating the BCP, disseminate the changes to staff and recovery teams through the awareness and training programs, and validate and confirm the revised processes and procedures as part of ongoing testing.
Reporting progress of the BCM program to the board of directors
An accurate measurement of the progress of the BCM program over time is key to obtaining support and funding for the changes desired on the road to continuous improvement. Documented training efforts and recovery testing and exercises, presented in the form of a gap analysis report, demonstrate the results of the hard work you and your team have invested while providing the opportunity to make the case for additional investment and its expected benefits. Example reports can be found here.
The board of directors should set the expectations of the BCM program to the management team for reporting the status and progress and for the provision of credible challenges to drive continuous improvement.
On a regular basis (minimum of annually), management should report on the following to the board of directors:
- Summary of the Business Continuity Management program (status update from the previous report)
- Summary of the most current Business Impact Analysis
- Risk and Threat Assessment
- Copy of the Business Continuity Plan
- Exercise and test results (including gap analysis with issues and challenges observed, as well as action items and target dates for completion)
- Updates to strategies based on changes to personnel, roles, responsibilities, and business operations
The board should monitor business continuity and resilience activities regularly to verify that they are implemented as intended and periodically reviewed as changes dictate. The board should be updated in a timely manner and meeting minutes should reflect discussions and approvals.
The BCM lifecycle, full circle
If you have followed the steps as outlined in this series, you should now be right back where we started: full circle, back to step one of the BCM lifecycle. Only this time, you are equipped with the experience and knowledge of having walked through the process, improving as you go and learning more about your business than you knew before. You should now have a better understanding of what each business unit does, how each piece fits together, and how the process can break. We become more confident and prepared for those days when disruptive events threaten, full of ideas on how we can become even more resilient.
For review, let’s go back to the first article where we identified our goals for building and implementing a finely tuned BCM program and see how we did:
☑ Ability to anticipate and plan for disruptive events
☑ Aid in limiting the loss of assets, revenue, and members through reliable service and effective communications
☑ Help satisfy legal or regulatory compliance requirements
☑ Mitigate the negative effects of disruptions to business operations
☑ Minimize confusion and enable effective decisions during a crisis
☑ Facilitate a timely recovery of critical business functions
☑ Maintain the public image and reputation of the organization
☑ Ensure the survival of the organization
That’s a wrap!
Congratulations! We’ve checked all of our boxes and are well on our way to realizing our goals for the BCM program. Take time to celebrate each success but know that our job is far from complete. If 2020 and 2021 have taught us anything, it’s that our global business environment is changing quickly. From the pandemic and the supply chain issues that have followed to the ongoing threat of cyber-attacks and ransomware, disruptive incidents are all around us. The need for business continuity professionals is expanding. It is my hope that many of you will join us!
Thank you for your attention to each article in this series. I hope that you found them informative and that they left you with a desire to learn more. I look forward to publishing new articles in the areas of Business Continuity and Incident Response in CUSO Magazine. For more about the Business Continuity program at CU*Answers, please visit our website. There you will also find information on contacting us with any questions and comments you might have.