Posted by: David Schneier
Audit, bcp, BIA, business continuity plan, business impact analysis, exam, examiners, FFIEC, GLBA, regulatory, Regulatory Compliance, risk, risk assessment
One of the first things I had to work on this week (and thus one of the first things to work on in the new year) was finalizing a report from last year. The report covered the results of a Business Continuity Plan desktop test and the client needed some clarifications around the results.
I’ve been working on BCPs since the late ’90s, cutting my teeth on a plan for the technology business unit I worked in at Citigroup, and I have continued working with clients on their plans in a variety of business verticals in the years since. Whether the client is a multi-billion dollar enterprise or a single-branch bank, there remain commonalities that defy the entity’s complexity. On one hand it’s difficult to compare the plan I worked on at Citigroup to one I recently reviewed at a banking client with a single physical location (everything was quite literally under one roof), but on the other hand, the key elements were exactly the same.
Ask questions about who is responsible for activating the plan, who has copies and where they are located, and you’ll get similar replies (mostly shoulder shrugs, lots of “um’s” and finger tapping). Select a sampling of employees and ask them what they’d do in the event of a business disruption and you’ll get a wide range of answers that are typically intelligent and sensible but have nothing to do with what’s documented in the plan. Review the plan and conduct a logical walk-through to determine whether someone without intimate knowledge of the various sections could rely on it to help navigate a disruption, and you’re likely going to have a list of questions longer than your own arm. Of course, one of my favorite measures of a plan’s effectiveness is to gauge its overall size and complexity relative to the entity it’s supporting. The single-branch banking client had a binder filled with a plan that was nearly twice the size of the one I worked on at Citigroup. Despite the fact that the Citigroup entity clearly dwarfed the small banking client, you couldn’t tell from the plan. I’m not suggesting there’s a size rule to apply, but typically the thicker the plan, the less effective it becomes after a certain point.
However, the reason we’re talking business continuity to kick off the new year isn’t so I can rant but rather to illuminate an important aspect of a BCP (and perhaps of any of your regulatory activities as well). Your business environment is dynamic; it’s ever-changing, with new considerations, concerns and risks emerging almost daily. Employees come and go, business needs change to keep pace with the economy, and your physical and logical infrastructure changes to accommodate both. It’s just about impossible that any plan you developed last year remains relevant this year. That is why the FFIEC guidance hammers home the point about conducting frequent risk assessments and periodic reviews of your key compliance activities. You simply cannot rely upon any documented procedure that hasn’t been reviewed recently and assessed for accuracy and relevance.
In terms of a BCP, you need to conduct an annual business impact analysis to determine whether each critical area of the institution is properly factored into the plan, whether the area’s needs have changed since the last update, and whether the current set of procedures adequately supports those needs. You need to update your contact lists, inventories and escalation plans. You need to reissue the updated plan and make sure that all stakeholders are aware of its changes and have ready access to the new version. Perhaps the most important recurring activity is to conduct a basic test of the BCP to ensure that it will work and that your staff knows how and when to rely on it.
As for the client for whom the report was issued, they’re in good shape. The test revealed some common issues (e.g. critical stakeholders’ answers were often extemporaneous and did not come from the plan itself; many in the room did not think to bring a copy of the BCP), but by and large they did well. They did well because the plan had been updated earlier in 2010 and reflected what they knew had to be done in the event of a disruption. Although they didn’t rely upon the actual document, they didn’t need to, because they were the ones who had contributed to its content and were able to react rather than read. Unfortunately they’re part of the minority, because typically the plans I review are detached from reality to the point where they’re almost fictional and almost completely useless as written.
Like all compliance requirements, there’s real value to be derived from addressing them properly, and you shouldn’t need an examiner, an auditor or a blogger to point that out. It’s the first week of the first month of a new year; is there a better time to plan reviews of your key procedures and activities?