As discussed in the May issue of The NCUA Report, business continuity planning is essential for all credit unions. No matter the size, every credit union is responsible for ensuring members have access to money and services. Being prepared for a possible interruption before it occurs is critical to your credit union’s ability to recover.
It Starts with a Business Impact Analysis
A critical element of business continuity planning is the business impact analysis, a systematic process to identify and evaluate how unexpected events may affect your credit union’s critical business operations. The analysis predicts the consequences of such events and allows you to outline and develop recovery strategies for each scenario. This helps management make informed decisions on where to invest credit union resources.
According to the Federal Financial Institutions Examination Council, a business impact analysis must include the following five steps:
- Assessment and prioritization of all business functions and processes—including their interdependencies—as part of a workflow analysis;
- Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution’s business functions and processes;
- Identification of the legal and regulatory requirements for the institution’s business functions and processes;
- Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution’s business functions and processes; and
- Estimation of recovery time objectives, recovery point objectives and recovery of the critical path.
Before continuing, we need to clarify three important concepts. A recovery time objective is the point in time a function or process is inoperable or the amount of time the organization can run without a function, process or service before incurring significant losses. A recovery point objective is the time it takes an incident to disrupt a business function or process. For example, how much data, in the case of information systems, or dollars, in the case of operating revenue, can a credit union afford to lose during the disruption?
Finally, the term critical path refers to those processes and functions that must be in place on time to avoid delays in implementing the full business continuity or disaster recovery plan. The more critical path infrastructure you have in place in advance of a disruption, the more likely your credit union will be able to recover in a timely manner.
The business impact analysis can be a laborious process, and many may be tempted to skip through steps. However, it’s important to think of the business-impact-analysis exercise as a prescription for a serious illness—you must follow the prescription in full for the medicine to work.
Test to Make Sure Your Analysis and Objectives Are Realistic
Now that your business impact analysis is complete and you have established your recovery time and point objectives, the next phase is to test your continuity or recovery plan.
The goal of testing the business continuity plan is to determine if the plan will meet your recovery time objectives and recovery point objectives with your existing critical path infrastructure.
If any of your credit union’s business processes fail the test, either the recovery time objectives or recovery point objectives must increase, or additional financial investments in systems’ infrastructure are needed to ensure your credit union is able to meet its recovery timelines and objectives.
Following these tests, the business continuity plan should be updated to account for these new recovery objectives and changes in your credit union’s infrastructure.
Keep the Board of Directors Informed
As the governing body of a credit union, the board of directors needs to know the recovery objectives, timelines and processes for the credit union if it experiences a disruption in its normal operations. Management should brief the board at least once a year on the business-continuity test results and any recommendations for improvements to the recovery process or critical systems.
Effective planning and testing are essential to ensuring that your credit union and its systems are able to come back online after a disruption or disaster. It all starts with the business impact analysis. However, this analysis must be tested continuously to ensure your credit union’s recovery procedures, estimates and objectives are realistic and commensurate with your credit union’s systems and complexity.
For more information on effective business continuity planning, the FFIEC’s Business Continuity Planning booklet, which is part of the FFIEC’s IT Handbook, is available at https://ithandbook.ffiec.gov/it-booklets/business-continuity-management.aspx.