Conducting a Business Impact Analysis (BIA) is the first step in building your Business Continuity Program. The BIA report describes potential risks and the projected financial impact to the Credit Union when a business disruption or disaster occurs. Equally important, though, it also outlines processes and functions within each department and functional areas and ranks them according to criticality, which helps to determine the needs/requirements to sustain business during the disruption. Each identified process and function has a stated Recovery Time Objective (RTO) – the period of time within which systems, applications or functions must be recovered after a disruption, and a stated Recovery Point Objective (RPO) – the maximum amount of data loss an organization can sustain during an event. The RTO and RPO can be determined by conducting a Risk Assessment.
After you’ve determined the RTO and RPO for the identified processes, it’s time to determine the actuals (RTA/RPA). The actuals can only be exposed by disaster and business disruption rehearsals. There is always a recovery gap between the actuals (RTA/RPA) and objectives introduced by various manual and automated steps to restore the process. It’s necessary to review those gaps and find ways to minimize them as much as possible. In some cases, you may even be able to eliminate them.
With so many processes, where do you start? Start by identifying the processes with common supporting systems. Email, for example, is one of the most critical communication tools, and many business processes are dependent upon it – especially during a disaster. If your Credit Union currently runs an in-house email server, try utilizing Hosted Exchange instead, all business processes with email as a supporting system would benefit by having a faster RTO and higher RPO. It would be one less system for IT to recover during an event, and would eliminate any recovery gap that exists with your current plan. Because of the high availability of a hosted solution, it would also reduce the impact it would cause to your members and the Credit Union by allowing you to communicate more effectively.
Another common system often identified in Credit Union business processes is the core system. Recovery times with most cores are generally within the “less than 4 hours” range, if not immediate because of instant failover to a replicated backup core. A review of critical processes for a client once revealed an RTO of “less than 12 hours” for their core. The 12 hour RTO was predominately due to travel time and restoration of their core from a tape backup. That’s an incredibly long RTO for a core based on today’s expectations of availability. Since replication wasn’t an option, by maintaining a “stand-by” core and loading the most recent database from an offline disk-to-disk backup stored locally at their DR site, they were able to reduce the RTO by 50% with an RTA between 3 to 4 hours. That one adjustment to their recovery procedure allowed their other identified business processes to meet, and in some cases, exceed their stated RTO.
Identifying and closing the gaps for your business processes will ensure a smoother recovery and business continuity for everyone. At OGO, our Professional Services Team works with hundreds of Credit Unions to identify and fill gaps in Credit Union technology