Business Continuity Planning Essentials
By Romir Bosu
Business Impact Analysis (BIA) is an important first step in developing an effective business continuity plan. The March 2003 Business Continuity Planning Guidelines published by the Federal Financial Institutions Examination Council (FFIEC) defines BIA as follows:
• Identification of the potential impact of uncontrolled, non-specific events on the institution’s business processes and its customers;
• Consideration of all departments and business functions, not just data processing; and
• Estimation of maximum allowable downtime and acceptable levels of data, operations and financial losses.
As with most FFIEC guideline documents, the definition is broad and without specific instruction on how to meet these requirements. The BIA is such an important step in the development of an effective business continuity plan that it is imperative banks know and understand what is necessary to make it useful.
Our firm has reviewed the disaster and business continuity plans of numerous institutions. Most have documented some sort of BIA, but few meet the standard set by the new FFIEC Guidelines.
AN EFFECTIVE ANALYSIS
The goal of the BIA is to place as much objectivity as possible into the process of selecting what business processes or functions are most important for the institution to recover in the event of a disaster. In the past, most disaster recovery plans focused only on recovering the technology that the institution uses. The BIA should first identify all business functions for each department.
Once the functions are identified, the impact of each function’s loss needs to be assessed. Each function should be measured against several categories. Examples would be financial impact to the institution, impact on customers, impact on the institution’s ability to remain in compliance with regulations and impact on other business functions or departments.
Each of these areas should also be evaluated against the length of the loss. Examples would be function lost for 24 hours or less, 24 to 48 hours, 48 hours to one week and greater than one week.
DETERMINE RECOVERY PERIODS
Once you have rated each business function on each of these criteria, the institution must then determine the required recovery period for each function. Using formulas to objectively define the recovery period based on the value of the business function to the institution provides the most practical method of prioritizing business functions across the institution’s departments. It is best to match the required recovery periods to the same time-of-loss criteria evaluated earlier.
Finally, based on the priority, detailed information should be gathered and defined, including essential personnel, technologies, facilities, communications systems, vital records and data. From this point a specific business continuity plan can be developed for each of the institution’s highest priority business functions. If the BIA is improperly developed, specific business continuity plans may not be developed for critical functions and the institution may waste resources developing plans for functions that do not need to be recovered.
Following a specific methodology for BIA development that objectively sets the institution down the path toward creating effective continuity plans will assure successful continuity of the business through any disaster, large or small.
Romir Bosu is president of Compushare Inc., an NJBankers Sponsoring Member and provider of information technology, consulting and implementation solutions for community financial institutions nationwide, including more than 50 banks in New Jersey. He can be reached via e-mail at firstname.lastname@example.org.