Sure, Tornados, Hurricanes and other Natural Disasters are Threats. But what are the most likely threats to your Credit Union? When was the last time you performed a Credit Union Threat Assessment?
As part of CURecover, OGO does Threat Assessments for our clients. The outcome of a Threat Assessment is the identification of the greatest threats to the Credit Union, based on the collective responses of the survey respondents. In performing these assessments, these are the top 10 threats typically ranked highest for Credit Unions.
- Network Failure – Branch Connectivity (WAN/LAN)
- Internet Access
- Local Weather causing office closure (Snow, Tornado, Hurricane, Flood, etc.)
- Blackouts (wide area)
- Power Outage specific to facility
- 3rd party offline
- Equipment – Single Point of Failure
- Virus Attacks
The Business Continuity Plan Sponsors and leadership team should discuss the top ranked items on the Threat Assessment, identify opportunities to reduce the likelihood or impact should that event occur, and activate an action plan. Your auditor will be looking to see that the Threat Assessment was done AND that an action plan is in place.
Keep in mind that there are 5 ways of dealing with a Threat. Only 4 of those are allowed to be used:
- Eliminate – change policy and procedure to eliminate the threat; don’t engage in a specific activity or technology because the threats are greater than the benefits.
- Protect – apply mitigation steps (hardware, training, etc.) to reduce the likelihood or the impact. This is avoidance by using an approach that reduces the probability of a threat becoming a reality (generator, door locks, security systems and procedures).
- Assign – outsource all or part of the threat (insurance, hosting, partnerships, etc.). This, however, does not transfer responsibility and liability.
- Accept – some threats are acceptable (low probability and low severity/impact); some cannot be dealt with right now due to cost or time factors. Document and review later.
- Ignore – distinctly different from acceptance and, obviously, this is NOT allowed. This is an active decision to not properly analyze the threat, identify the potential impact, and place it in one or more of the above categories.
Protect what you can afford to, Assign what you cannot afford to protect AND cannot afford to lose. Accept that some threats will be dealt with later. Document those decisions.