Time for a BCP Status Check
Feb. 6 through today—that’s just over a four-month span, but consider what has happened in that relative blink of an eye. Record-breaking snowfall crippled sections of New England. Multiple twisters ravaged parts of tornado alley. A U.S. hospital treated the 11th healthcare worker suffering from Ebola. The worst measles epidemic in years sparked fierce debates about vaccines. And an ISIS fringe group threatened the U.S. with a cyberattack.
What do these events have in common with each other and, more importantly, with your institution? Any one of them could cause a business disruption to your institution or its technology service providers (TSPs). Is your institution prepared for such a wide gamut of possibilities? That’s the key question the FFIEC posed on Feb. 6 when it published Appendix J of its Business Continuity Planning Booklet. In those four months, has your institution begun aligning its Business Continuity Program (BCP) with Appendix J? It’s time for a status check.
Ensure Providers’ Dedication to BCP Compliance
Despite the challenges facing the financial services industry today, one luxury many banks enjoy is the ability to focus squarely on their core business: loans, deposits and investments. Just 10 or 15 years ago, this was not necessarily the case, but the evolution of information sharing over the Internet has given rise to an increasing number of TSPs that specialize in everything from web hosting to payments processing—and provide significant benefits to financial institutions.
The beauty of outsourcing is letting someone else with a particular expertise and/or facilities handle a function that is otherwise too costly, difficult or risky for your institution to handle itself.
With its Appendix J: Strengthening the Resilience of Outsourced Technology Services, the FFIEC acknowledges the importance of outsourcing, while also aiming to ensure that financial institutions perform their due diligence in making sure their TSPs, too, follow solid BCP procedures. In other words, in many cases it’s in your best interest to cede the operation of a certain function to a TSP, with the understanding that the responsibility remains with your institution.
To that end, a vital step toward ensuring your TSP’s compliance and alleviating your concerns is partnering with a provider that is as strictly audited as you are, and takes business continuity planning just as seriously.
The Buck Stops With The Board Of Directors and Senior Management
Appendix J also is very clear about who is ultimately responsible for the institution’s BCP and the resiliency of its outsourced relationships. “The responsibility for properly overseeing outsourced relationships lies with the financial institution’s board of directors and senior management.”[i] Does this mean that the board must attend every BCP-related meeting? Certainly not, but they should have a current working knowledge of the BCP, as well as a good understanding of changing conditions, both within and outside the institution, that could affect its operations. For instance, by now, members of the board and senior management should be aware of Appendix J and its implications for their BCP, and they should be actively supporting and encouraging the BCP committee to fulfill its requirements.
Framing Your BCP With The Right Tools
Following Appendix J’s publication, the director of IT for the Office of the Comptroller of the Currency noted that “the key message is that financial institutions need to understand what particular risks may be associated with each service being outsourced, determine the level of exposure to the financial institution, and then ensure appropriate controls and monitoring processes are implemented to the same extent they would be if the operation were conducted within the institution.”[ii]
Time for a Status Check
To help your institution complete its BCP status check, we’ve broken down the BCP process into a digestible framework with six key phases. Within each, we’ve highlighted how that phase needs to be updated or adjusted to ensure your institution and its providers are addressing Appendix J’s key elements.
General BCP Framework and Updates Related to Appendix J:
- Policies and Manuals: Your board-approved BCP policy and manuals should be reviewed and updated to reflect the guidance in Appendix J. For instance, make sure that both your Vendor Management Program and your Information Security Program reflect the requirements in Appendix J, and then fully integrate them into your BCP. This includes ensuring that your Vendor Management Program calls for comprehensive due diligence of TSPs and requires contracts that allow for transparent testing of them. And your Information Security Program should clearly delineate how and when the BCP kicks in if the network is breached.
- Business Impact Analysis and Risk Assessment: Your Business Impact Analysis (BIA) should establish functional priorities, recovery time objectives and the resources required for recovery (staff, IT, vendors, equipment, etc.). To be aligned with Appendix J, make sure your BIA clearly identifies all TSPs used to support critical processes, along with a current analysis of the impact on your institution should they suffer a disruption. This analysis also should document any dependencies associated with an outsourced relationship, including applications. In addition, your risk assessment should uncover the threats and exposures to your institution.
- Recovery Strategy: To be effective, your recovery strategy should consider the following factors required for your institution to get a function back to working order.
- Personnel: who is responsible for what, and how will they be contacted;
- Remote work: what’s possible, by whom, and where;
- Vendors: which are critical, and how will they be contacted when the BCP is activated;
- Equipment: which computers and other gear or supplies are required and where are they kept;
- Documents: will needed documents be available if normal system access is unavailable.
- Plan and Program Contents: Your BCP program can be divided into two parts. First, the Actionable Information portion includes Emergency Procedures, Crisis Management, Functional Recovery Procedures, IT Disaster Recovery, Emergency Contacts and Crisis Communications, Pandemic Preparedness and other relevant forms. Secondly, the Reference Information part includes the BCP Policy, BCP Program Manual, meeting notes, Exercise Documentation and Change Control.
- Training and Testing: All personnel should be trained on your institution’s BCP, including the board of directors and senior management, and existing BCP training should be updated to reflect the spirit of Appendix J. Testing can start small (i.e., a call tree test) and should advance in complexity so that your testing documentation demonstrates to examiners the progression and maturation of your BCP.
- Plan Maintenance: Regular maintenance of your BCP program ensures that it is an accurate reflection of your current production environment. In regard to Appendix J, your BCP committee should be actively discussing the FFIEC guidance and documenting its adoption strategy during quarterly meetings.
What To Expect at Your Next Exam
It’s important to remember that an effective BCP is a living organism, one that continues to evolve and mature through each cycle. At your next exam, regulatory examiners will expect the latest iteration of your BCP to reflect at least some progress toward incorporating the key messaging in Appendix J. In other words, “a financial institution should be able to demonstrate the ability to recover critical IT systems and resume normal business operations regardless of whether the process is supported in-house or at a TSP for all types of adverse events ...”i