What does a Business Continuity Program look like?

Disaster Recovery Program

If you believe that business continuity planning is a living, breathing process, then this blog is for you. If you believe it is something that you do because the regulators make you, then don’t bother reading on…

A Business Continuity Program for a Credit Union follows this outline:

Business Impact Analysis

This is core to DR/BCP planning for an organization. The BIA identifies potential threats, risks, and impacts, and outlines the criticality of business processes. The outcome of your BIA helps determine the needs and requirements to sustain the business. Ongoing Operations uses the BIA as the foundation of your program. Each department outlines its processes and ranks them based on the technologies involved, whether there are manual workarounds, member impact and confidence, and recovery needs. Based on the outcome of this analysis, departments are able to focus on the areas in which documentation, cross-training, and additional planning are needed. Single Points of Failure can be identified and plans for resolution created.

Data for the BIA is collected in a workshop with team leaders from the department that performs the business process, who provide the raw data required to build your draft analysis:

  • Can the process be performed manually?
  • Timeframe for severe impact to the Credit Union?
  • At what point will the member be impacted by the disruption?
  • At what point will the member begin to lose confidence in the Credit Union?
  • At what point will the Credit Union be at risk for increased fraud or financial loss?
  • Recovery Time Objective (RTO) – the period of time within which systems, applications or functions must be recovered after an outage.
  • Recovery Point Objective (RPO) – the maximum amount of data loss an organization can sustain during an event (0 hours means that only the transaction in progress at time of the disaster could be lost)
  • Supporting Resources such as policy, procedure, and who you contact for help
  • IT systems and connectivity required to support the process.

Processes are then ranked:

  • Critical – Services that must be online “today”
  • Vital – Services that can be restored “tomorrow”
  • Important – Services that can take “up to 3 days”
  • Non-essential – Services that can be “a week or more”

Something to keep in mind – your business is constantly changing. Updating these changes in your BIA data is important. We help focus those efforts and update your reports to ensure you are meeting FFIEC requirements.

Emergency Response Procedures

This encompasses the Human Health and Safety components of your program. You have to take care of your staff so you will have a team that can respond!

Crisis Management

This is all about leadership. It covers the decision and communication processes and tools. ACTION words belong in this part of the plan. These action steps may include collecting information, declaring the disaster, setting up a command center, supplemental damage control, and communicating to members, staff, media and board. See the verbs? Clearly defined actions help you “manage” an event, incident, or disaster. The Crisis Management plan is exercised during tabletops, walkthroughs, and planned and unplanned live events.

Incident Management Plan

This is the “all hazards” checklist for each team or department to use when responding to an event, incident, or disaster. We use 4 stages in the Incident Management Plan:

  • Stage 1 – from threat through initial response, declaration, and activation
  • Stage 2 – relocation and/or operating in “disaster mode”
  • Stage 3 – planning for an orderly return to normal operations
  • Stage 4 – transition/return to normal.

Supporting documentation and information

These are the policies, procedures, contact information, and other information needed to execute the plan at time of event when no internal IT services are available.

Tabletop Exercise

Many times we get asked the purpose of a Tabletop Exercise and why a Credit Union should conduct one. To begin, if you aren’t interested in meeting your members’ expectations in an actual crisis event, then you shouldn’t bother doing one. If, however, you believe as I do that it is often more important how you perform in the bad situations, then tabletops are essential to performing well when something bad happens.

The Tabletop Exercise is designed to exercise and practice a group’s response in a certain situation. We do these annually as a team event (for our clients) with participation from all departments and functional areas. They help create muscle memory and locate areas of improvement in planning and training. Think of these as something similar to a fire drill. You did them as a child, you continue to do them as an adult, and we’re all better prepared and familiar with what needs to be done.

Some of the key elements for an effective tabletop are:

  • Have someone create a scenario and have him/her be the facilitator/observer throughout the event
  • Have all department heads and critical personnel present and participating for the entire event
  • Take notes of key decisions, problems that arise and missing steps
  • Remember to look at your Business Continuity Plan during the event
  • Learn from the exercise by making a list of action items and plan changes. Follow up to make sure they are completed.
  • Repeat with a new scenario

In addition, the things we most regularly find that clients forget to do during an event or tabletop include:

  • Communicating status on a regular basis to the whole group
  • Making a decision
  • Communicating clearly and consistently with members
  • Following the plan (strangely, people regularly forget they have written down most of this before)

Disaster Recovery Exercise

Our Business Continuity professionals will participate in your DR Exercise as observers, note takers, or even in a more critical audit role. We bring extensive experience and knowledge in what other Credit Unions are doing, regulatory compliance, and best practices.

Change Management

Our software is hosted in SQL/SharePoint and includes extensive change management options, including automated version management, document check-out, document change approval, “alerts” when a change occurs, an audit trail, and event tracking calendars. We will help you to select the right balance of change management to meet regulatory compliance and internal policies.

Regulatory Compliance

This is an area where a partnership with Ongoing Operations shines. At last count, there were well over 130 regulatory mandates affecting Disaster Recovery and Business Continuity Programs. We maintain a high level of awareness and work hard to ensure all requirements are met without burying your team in any more information than they want/need to know. A perfect balance… it is a partnership with the goal of providing Continuity of Service to your Members no matter what happens!

Do you have concerns about how best to conduct a risk assessment? Are you concerned about how to engage your staff in your business continuity program? Do you have an NCUA or auditor exam of your Business Continuity Plan coming up? If you have these or other questions, please e-mail us at info@ongoingoperations.com.
