Plan, plan, plan… As with any project the first thing to do is set the plan, determine the resources and set timelines for task completion. Completing your Credit Union Business Impact Analysis is just that – a project. Without proper planning and resource allocation, it’s just a document. It should mean something to your Credit Union as it’s the backbone for your Disaster Recovery and Business Continuity Planning.
- Setting expectation – everyone involved in planning needs to understand what is expected, the deadline and be supported by Management. The Executive Team and the Board of Directors is essential for setting this accountability. In many cases, we see this as a goal that’s added to Credit Union scorecards, budgets and incorporated into annual reviews.
- BIAs are not intended to address only critical processes. Remember, Business Impact Analysis isn’t being written based on “what processes need to be completed during a disaster”. The disaster could be the loss of a department. In working with MANY CUs, we often hear the comment, I’ve listed all of my critical processes. All processes are important to your Credit Union and should be included in your planning process. Depending on the time of month, year, situation, etc, processes can certainly become more critical than the typical “day to day”.
- No list of systems provided – “core” is often noted in multiple fashions (some people call it by the vendor name, by the application or even just “core”). Having a standard list will help guide the front end users identify the systems what they are commonly known as by the Technology Team as well.
- Criticality/Severe Impact not given proper consideration – definition of what severe is to your CU should be communicated to the team compiling the business processes. Consider the cost of doing business as you define “severe impact” for your Credit Union. Ongoing Operations offers a Financial Impact Analysis for you on our website using YOUR 5300 data. Critical processes should be determined as those that MUST BE OPERATIONAL within the 24 hours of an outage. We think of many things that should be but do they have to be? Have you closed for a day before? Most of you would say yes at some point. If that’s the case, what processes could not wait until the following business day?
- Backups of data to meet Recovery Point Objectives are often misunderstood by users. Often times we see data residing on local hard drives of PCs that are not backed up regularly. The user hears that backups are done nightly but don’t understand that the backups are of the network and not individual workstations. It’s important to ensure storage and backup is communicated with the users.
- Recovery Time Objectives vs Recovery Time Actuals – results from annual Disaster Recovery Tests need to be compared and shared with Department Managers. If a department has a process with an expected uptime of 8 hours and the information on a server cannot be available for 24 hours, an alternate plan needs to be made to access the needed information.
- BCP is not a finite project – Just as your business changes, so should your BCP and DR plans. Resources are needed to review and update your plan regularly. As new processes and systems are implemented to the environment, the BIA needs to reflect the changes. Incorporate Business Continuity and Disaster Recovery into your Change Control and Project plans.
- IT does not own your BIA – This is a Credit Union initiative, not one for IT. IT assumes the need for many systems and in many cases is correct. However, with the Departments being responsible for listing their business processes and defining the criticality, there are no assumptions. Results for assumptions may be correct 80% of the time, but what about the other 20%? Inaccurate BIAs become apparent when disaster strikes – too late.
- Not taking the process seriously – Managers are busy with many daily activities and projects. They are overwhelmed with spending time on the BIA process and take the easy way out. Not taking the time to identify the impact of the department processes puts the entire company at risk.
- Not analyzing the results – BIA data can help identify gaps between the reality of recovery resources and assumptions. Are your RTO’s tested and achievable? If not, budget for them or change them.
Once the Credit Union business impact analysis is completed, IT needs to reflect and respond to the data. The Disaster Recovery and Business Continuity Plans need to answer the needs identified in the BIA. The effort put into planning is apparent when responding to an event.