Financial institutions, more than any other industry group, spend considerable resources on business continuity planning – and for good reason. Banks are a critical element of our economy’s infrastructure, and as a result, an ever-growing body of regulations imposes significant penalties on those who don’t comply. For many organizations, compliance, and its associated “satisfactory rating”, continues to be an elusive goal.
Based on our work with a diverse group of financial institutions, we have developed a common list of problems faced by many financial services organizations.
- Quality and Viability: Many business continuity managers have little comfort in how their plans would perform if implemented during a business interruption. Are they detailed enough? Are they practical? Are they up-to-date?
- Stakeholder Diversity: Multiple regulators with differing expectations and business managers with competing priorities lead to additional work and (often) unfulfilled expectations.
- Employee Awareness: In spite of so much work, the average employee knows very little about their role in the business continuity effort.
- IT Transparency: Information Technology disaster recovery is reliable, but only under a few pre-planned scenarios. Past experience indicates the assumptions are often impractical.
- Shrinking Budgets / Shrinking Recovery Objectives: Without fail, you will regularly be asked to plan for lower (and lower) recovery objectives with a smaller budget.
- Participate in Change: The financial services business and its associated technologies are constantly changing (and changing more frequently when compared to many other industries). Reorganizations, acquisitions, new applications, quality and risk management initiatives, new federal and state regulatory requirements and above all, new people, result in continuous business continuity program maintenance.
- Data Management: It’s one thing to recover data, but managing business continuity data (requirements, alternate location detail, plans, test results and assessment findings) becomes difficult as programs grow in scale. Organizations that can’t manage this large amount of information introduce inefficiencies in their planning processes.
As the above problems surface, they often impact one another. This article outlines each challenge in greater detail and offers high-level, proven solutions that can be considered by business continuity and risk management professionals in financial services organizations.
Quality and Viability
Many larger banks have 500+ plans. With so many plans to manage, it’s difficult to determine which business units are prepared and which could use additional help to prepare better. It’s true that real world events are the best measure of readiness, followed by exercises and simulations. However, a number of financial services organizations have developed a continuous process to assist with their measurement of program readiness by forming Quality Assurance teams. These experienced business continuity professionals develop measurement standards, interact with planners and plan owners, review processes and documentation and participate in exercises. Most importantly, they develop quantitative measures designed to gauge business continuity readiness, and communicate results to executive management.
Quality Assurance can be a cumbersome, time-consuming process, so leveraging planning tools and relying on data management strategies are keys to success. Automated gathering of business continuity program information is important because it allows Quality Assurance personnel to focus on their most important task – coaching planners to improve their plans and strategies.
Stakeholder Diversity
Regulators, internal audit, risk management, business executives, plan owners, planners, business partners, and employees are all stakeholders in a business continuity program. Each of these stakeholder groups has differing requirements. Daily, requirements are communicated to business continuity teams, and if managed incorrectly, these requirements will be applied in a disorganized manner, often adding unneeded complexity to the program. Even worse, these requirements can act as a distraction, paralyzing the business continuity team. As a result, annual program objectives are missed.
This is a difficult problem to address. To mitigate the risk of conflicting requirements reaching all members of the business continuity team, and to minimize distraction, a “gatekeeper” role should be considered. This is a person who owns the role of evaluating recommendations and requirements. The gatekeeper provides clarity, so that only approved measures are introduced into the business continuity program, and introduced efficiently.
Related to the gatekeeper role, business continuity teams can define a process to capture recommendations and requirements, which amounts to a repository that manages these recommendations and requirements in a prioritized manner.
Employee Awareness
“Business Continuity Educated” employees are very rare, unless they have just experienced a business interruption or participated directly in a well-planned exercise. As a result of this problem, employee training and awareness is often cited as an area for improvement during bank examinations and internal audit reviews. Below are a few methods to increase internal business continuity awareness.
- Give them something physical: Wallet cards are a great way to give employees a physical item that continuously reminds them of key business continuity information. Typically wallet cards contain information such as key numbers and tools to use in the case of emergency. Most employees will keep wallet cards with them throughout the day, enabling them to participate effectively in crisis communications and initial response activities. Other great ideas include magnets, desk mats or even emergency bags with key supplies.
- Get the word out online: In addition to the requisite informational website, new tools allow online training to be developed once and delivered to thousands of employees on demand. This training can be built with your content, your pictures, and your logo, meeting your specific training objectives. These tools can also provide the ability to develop an awareness “quiz” as a method of measuring awareness or compliance. Common tools used for this type of development include Adobe Presenter (formerly Breeze), Captivate and Articulate.
- Involve them during drills and inspections: Fire drill evacuations are a great time to provide employees with additional information on disaster preparedness, emergency response and business continuity. Taking advantage of their free time as they mill about the parking lot will provide you with an audience already thinking about emergency response and business continuity.
IT Transparency
The barriers between business continuity and IT disaster recovery teams can be high. Without coordination, even the most advanced business continuity and IT disaster recovery programs will have trouble performing effectively. Below are a couple of ideas on how to break down these barriers.
- Establish an official business-side liaison that understands IT: By introducing a role that understands both business and IT objectives, both groups will be able to relate and work together to meet and enable objectives, requirements and recovery strategies. In addition, having “one of their own” working with IT will further break down any cultural barriers that may exist.
- Execute activities together: Conducting activities together, such as a joint business/IT test, is a great way to test coordination, and showcase business and technology capabilities.
- Invite internal audit: Internal audit can provide a fresh perspective and should not be seen as a threatening organization. They can provide oversight to ensure that objectives and requirements between IT and the business align.
Shrinking Budgets – Shrinking Recovery Objectives
Shrinking budgets and shrinking recovery objectives are not mutually exclusive; they are happening to many financial services organizations simultaneously. Below are ideas that address one or both of these challenges.
- Create program activity awareness: Business continuity management is often misunderstood by executive managers, who view it as a technology, a project or, even worse, a plan on a shelf. Business continuity managers therefore need to focus on obtaining buy-in for their team’s annual objectives. They should seek approval for a policy document outlining the organization’s business continuity lifecycle and detailing key activities, and the roles and responsibilities necessary to effectively execute these activities. With tight budgets, the business may have to assume a number of key business continuity related tasks, which should be clearly communicated and understood by all responsible groups.
- Communicate the value: Decreasing budgets are often a symptom of poor internal communications and “internal sales”. The answer to a shrinking budget should focus on communicating the level of protection afforded by the continuity group. A common metric for showing an increase in protection levels is a comparison of overall annualized loss expectancy (ALE) figures. ALE is easy to calculate for your organization by using the following formula: single loss expectancy (the amount of money that would be lost for a single failure) multiplied by the annualized rate of occurrence (i.e., once every 25 years equals a 1/25 ARO). This level of analysis will quantify continuity planning’s contribution to risk reduction in a way executive management can support.
- Utilize risk management to prioritize functions: Partnering with other risk management entities to prioritize business functions will help validate lower recovery objectives. In addition, a quantitative risk factor scoring common to all risk management groups will result in an efficient and less subjective list of priorities.
Participate in Change
Change in banks is constant. Reacting to change – as opposed to being proactive with change – can result in business continuity strategies that are more expensive than necessary, because recoverability is designed and implemented after the fact. Additionally, a reactive approach to change leaves recoverability gaps, since new processes and technologies are introduced into the business while viable recovery strategies catch up weeks later.
Work with your organization’s Project Management Office (PMO) and other change managers to play an advisory role in meeting the organization’s business continuity standards before projects “go live”. There is a time investment for the business continuity team, but this investment is much less when compared to working on plans and strategies after the project is operational.
Data Management
As business continuity programs grow, the amount of information increases exponentially. Repositories multiply (even with robust software solutions), data doesn’t flow as easily between systems as it once did, and complexities grow with multiple people working on the same data at the same time.
Do not delay, allowing more information to back up. It’s important to take a step back to inventory your data within all tools, repositories and hard-copy formats. Once inventoried, consolidation is the key to developing an efficient data management system. If providing one system for all data is not possible, you can consider linking systems and reports so that they feed each other. The last component is to allow business processes to be adjusted to fit your data management process, without complicating those processes or compromising their integrity. If implemented correctly, having your data under control can have a major impact on program quality and efficiency.
The financial services industry will always have a unique set of challenges. Continuity programs continue to mature, but expectations are rising as well. The past ten years have seen rapid change, from technology-centric disaster recovery programs to today’s enterprise-wide business continuity management efforts. More change should be expected. Can you say your program is characterized as:
- Collaborative; and
If so, it’s highly likely your executive management team and regulators will find great value, comfort and confidence in your ability to deliver continuity and availability now and in the future.