Expect the Unexpected: The Keys to Business Continuity Planning for Financial Institutions

From raging wildfires to hurricanes to a worldwide pandemic, there is no shortage of reminders to the financial services industry of the importance of maintaining a business continuity plan (BCP).

Most institutions follow the FFIEC’s recommended BCP process, which includes a business impact analysis (BIA), risk assessment, risk management and risk monitoring/testing. A tested, effective BCP ensures your organization is ready for the unexpected.

Looking for additional insight into business continuity planning? Check out our white paper, Your Institution’s Guide to IT Governance.

What is a Business Continuity Plan?

A BCP document includes critical information an institution needs to operate during an unplanned situation, helping to minimize financial loss and ensure continued service to customers or members. Effective business continuity planning provides a strategy for financial institutions to maintain and recover business operations and processes when they experience an unexpected disruption, such as a natural disaster, technology outage or terrorism.

According to the FFIEC, a BCP helps mitigate the adverse effects of disruption on an institution’s strategic plans, reputation, operations, liquidity and compliance. A BCP should be specific to your institution and give employees operational instructions for working through a disruptive event. As such, your BCP should define what constitutes an event, who fills each role and what their specific responsibilities are, and how the institution responds once an event is declared.

Even though your response should be defined, it’s impossible to know if the predetermined response will be completely effective. That’s why your plan should be flexible, and your institution should have defined leadership roles that are authorized to deviate from the plan if needed.

Business Continuity Plan vs. Disaster Recovery Plan

Since financial institutions are a key part of U.S. infrastructure and economy, it is critical that business operations remain resilient, effects of disruptive events are minimized, and data remains accessible and secure. That’s where both business continuity planning and disaster recovery come into play, though important distinctions exist between the two.

Business continuity relates to ensuring an institution’s operations continue functioning with minimal downtime during an unexpected event, whereas disaster recovery involves restoring access to data or IT infrastructure after a disaster. Disaster recovery is a component of an institution’s larger BCP. A disaster recovery plan (DRP) within the overall BCP helps institutions plan for protecting and accessing customer or member data in the event of a disaster or unexpected event. Both are critical to avoiding any negative reputational, financial or operational consequences.

A DRP varies with the severity of the incident and the particular business processes or technology being restored. As a result, a DRP comprises individual processes and procedures that provide a temporary way of operating until normal operations resume, along with guidance on how and in what order normal operations are expected to be restored. Because disaster events vary widely, the procedures in a DRP may be general and apply to the entire institution, or specific and apply to individual branches, lines of business or departments.

Why Should Institutions Have an Up-to-Date Plan for Business Continuity?

The financial sector has prioritized digital channels, which makes the management of data fundamental from both a customer experience and a compliance perspective. Financial institutions of every size must plan for efficient, rapid disaster recovery to meet compliance requirements, minimize downtime and—most importantly—meet the expectations of customers or members during and after a disaster or disruptive event. A business continuity plan bolsters institutional resilience and ensures the institution can keep operating through a system outage caused by a disaster or cyberattack.

Business Continuity Plan Examples: How to Develop a BCP

While physical loss or disruption caused by pandemics and natural disasters is the most visible risk, business continuity is equally threatened by data loss, data breach or data corruption. Unlike regional disasters, these threats can affect any location at any time.

To protect your institution from the impact of data being lost, breached or corrupted, include the following elements in your BCP:

  • Risk Impact Analysis: The RIA assesses the probabilities and consequences of risk events if they occur. The results of the RIA are used to prioritize risks by establishing a criticality ranking. This helps determine what events or risks are more probable and require consideration.
  • Business Impact Analysis: A modern BCP must account for the critical role of data in today’s banking environment, beginning with your BIA, which assesses and prioritizes all business functions and processes. A BIA is a systematic process to determine and evaluate the potential effects of an interruption to your institution’s critical business operations because of a disaster, accident or emergency. This analysis is critical in establishing the priority of restoration for services and systems. The BIA process also helps senior leadership evaluate disruptive events’ potential operational, financial and reputational effects.
  • Data Flow Diagram: This diagram visually represents your data and shows how information flows throughout your institution or within a specific line of business. This includes the origination of the data, intake of the data, data processing or manipulation, how various business units and internal systems interact with the data, how the data is shared with third parties and the final disposition of the data. The diagram is vital to your BCP and should be revised every few years or when introducing new business processes or lines of business.

Data flow diagrams help you understand how data moves through and resides within your institution, making it easier to identify risks and interdependencies in the business processes that depend on that data. They can also jump-start process-mapping efforts and reveal areas where redundancy is unnecessary or automation is possible.

In addition to these three components, your BCP should have a data classification policy that identifies and classifies all data by sensitivity and criticality. At a minimum, your institution must know what data it has, which data is critical, where it is stored, how it is protected and how it can be recovered. Your BCP should also reference your network segmentation policy, which limits who can reach which systems and restricts an attacker’s ability to move between network zones. Finally, your BCP should reference your data backup policy, which should eliminate any unnecessary connections into or out of your backup storage site; isolating backups this way is especially crucial in a ransomware attack, when backups that remain reachable from the production network are likely to be encrypted along with everything else. Because a backup only counts if it can be restored, restoration of critical systems from backup belongs in your BCP testing schedule.

Assessing Risks and Threats for Your Business Continuity Plan

Conducting a risk assessment is a critical phase in the business continuity planning cycle, during which the FFIEC recommends that institutions develop scenarios of threats that could disrupt business processes and continuity.

Your institution should develop a formal threat analysis to assess how the following risk factors increase the likelihood of business disruption at each location, starting with cyber risk:

  • Cyber interconnectivity: Maintain an inventory of every external network connection at each site, including internet circuits, vendor and third-party links and remote access paths, and consider any factors that increase a particular site’s exposure to cyberattacks.
  • Regional location: Consider areas prone to different types of natural disasters, such as sites in coastal states subject to hurricanes and other storms or those where wildfires are known to occur.
  • Terrorist plots: Stay in tune with federal and local terrorism alerts, especially for sites in high-profile target areas such as New York or Washington, D.C.
  • Environmental factors: Consider nearby facilities that could pose an environmental threat, such as natural gas facilities, chemical plants or nuclear power plants.
  • Transportation accidents: Gauge the impact of severe accidents at or on nearby transportation points, such as airports, railways or interstate highways.
  • Internal atmosphere: Take into account corporate instability, such as layoffs or other significant changes, that could increase the risk of insider sabotage.
  • Health issues: Note how well your institution’s surrounding areas are prepared to handle disease epidemics or pandemics.
  • Local conditions: Determine particular risk factors of each site’s vicinity, such as high crime, new construction, civil unrest, etc.

Prevailing conditions should determine how often you repeat the formal threat analysis: every 18 to 24 months when things are stable, and every six to 12 months if any of the factors above is changing. Be sure the analysis covers your primary location, your disaster recovery sites and any internal or external sites that house critical data and backups.

Testing Your Business Continuity Plan

Testing your plan is the last phase of the BCP process and should not be overlooked, as it is integral to ensuring preparedness. In the past, many institutions conducted one large-scale BCP test at annual or semi-annual intervals. However, this approach makes it difficult to manage the testing process and discern the results. Modern planning narrows the scope of testing while increasing its frequency. Consider conducting small, function-specific tests or simulations monthly or quarterly, starting with the most critical functions.

By accumulating the results of these smaller tests over time, your institution builds a more accurate picture of the BCP’s overall effectiveness. The flexibility and resiliency that regular testing provides, coupled with a robust infrastructure, go a long way toward weathering or avoiding many issues. Your institution should also review and update its plan after each test and whenever its business, systems or threat picture changes, so that the documented response never drifts from the way the institution actually operates.

How Does Cyber Insurance Factor into Your Business Continuity Plan?

The FFIEC indicates that the primary objective of the risk management BCP phase is to identify, assess and reduce risk to “an acceptable level.” A key component of this phase is analyzing the adequacy of insurance coverage, which is especially important in today’s digital environment.

As some organizations have learned the hard way, general liability and other traditional insurance policies often do not cover cyberattacks and their resulting business disruptions or data breaches. Cyber liability insurance, or cyber insurance, is a type of insurance policy that provides businesses with coverage in the aftermath of a cyberattack, minimizing disruption and covering some costs of the incident. According to the FFIEC, “use of cyber insurance may offset financial losses resulting from cyber incidents.” And like most insurance, there are different types of cyber insurance to consider.

The Federal Trade Commission explains that first-party coverage protects your own data—including employee and customer information—and covers costs such as legal counsel, recovery of lost or stolen data, crisis management and forensic services to investigate the breach. Third-party coverage, by contrast, protects your institution from liability when a third party files claims against you, and covers payments to affected consumers as well as litigation or settlement costs.

How Does IT Governance Relate to Business Continuity Planning?

For some institutions, business continuity planning can be resource-intensive, and it can be helpful to partner with a third party. IT governance consultants collaborate with your institution’s stakeholders to develop a BCP and provide additional departmental disaster recovery planning guidance. Additionally, IT governance services can moderate and facilitate BCP tabletop exercises virtually, then provide guidance on improvements, remediate issues and cover lessons learned during the exercises.

Enhance Your Preparedness with an Effective Business Continuity Plan

Past disasters demonstrate that business disruptions can occur quickly and without much warning. Having an up-to-date BCP helps institutions prepare for unforeseen circumstances while minimizing effects to customers and members.

Learn more about IT governance’s role in planning and preparing your institution’s business continuity plan by downloading our white paper.

Steven Ward leads the Strategic Business Consulting Team for CSI Advisory Services. In his role, he sees and analyzes the alignment of IT with business strategy and security needs for financial institutions across the nation. An experienced financial services executive, Steven brings his expertise to CSI clients and regularly speaks on information security, cybersecurity, IT and IT audit and business and IT strategy topics.