You may already have a written business continuity plan, but how can you make sure that it actually works? At Ongoing Operations, we’ve developed a couple of methods to ensure that plans remain foolproof in practice as well as in theory.
If you’ve ever watched The A-Team, either the original or the reboot, you may remember Hannibal, the leader of the group. While everyone played their role, Hannibal made plans to keep everybody out of trouble, even when things got dangerous. Normally, we don’t condone taking business advice from old blockbuster movies, but why not take wisdom where you can? During a helicopter chase in the reboot, Hannibal explains to his team that incomplete planning is one of the largest oversights one can make: “one step ahead of the game isn’t a plan,” he warns, “two to three steps ahead, beating an enemy’s move before it’s even made, that’s a plan.”
Hannibal is right. In our years of experience, we’ve seen a lot of faulty or short-sighted plans. Often, we see plans that cover only one scenario, such as a pandemic, or a loss of power or connectivity. It’s great to plan for such setbacks, but they cover only a small set of problems that might arise. For example, in the event that the bank must work in offline mode, you’ll want to see that you can still perform offline processing or accept applications. Or, in the event of a pandemic, you’ll take a look at your employees and how they can minimize contact with each other while maintaining effective practices. A plan that addresses only systemic problems such as connectivity, or a plan that addresses only personnel problems such as a pandemic, would be incomplete because it doesn’t address the broader resulting consequences. In essence, a continuity plan needs to address more than one root cause of business failure. Such plans may be “one step ahead of the game,” but they’re not really plans. Not yet. We advise establishing plans that cover a broad array of setbacks or disasters.
Another issue we see is a business continuity plan that doesn’t get tested after it’s been set in place. Testing a business continuity plan is paramount to the plan’s success. We suggest that after you set up your policies in your individual departments, you test them against other departments. When running tabletop exercises, you can see how all your different departments will act in a given scenario, and you can iron out any wrinkles or conflicts that arise. Interdepartmental testing will ensure that when disaster strikes, all parties will be on the same page; they’ll know their role, but they’ll also know how to work with others in their branch to keep things running smoothly.
When you test your plan across different areas of your branch, everyone will learn their individual roles and responsibilities. Additionally, you’ll be able to see any gaps or weak areas in your plan’s coverage, and you can revise your plan to suit. As Hannibal put it in The A-Team, this is how a plan comes together, and he “just loves it when a plan comes together.”
To summarize, there are two things you should do to keep your business continuity plan live. The first is to plan several steps ahead so that your plan doesn’t cover only one or two possible system failures. The second thing you should do is test your plans. We recommend testing often—quarterly, at least.
If you’re looking for more help in testing your business continuity plan, you can check out CU Recover, our solution for strong tabletop exercises and testing.