Business continuity (or resiliency) planning is the process of designing strategies and procedures to ensure that critical functions remain available during a disruption, which could range from a natural disaster or the permanent loss of a building to a computer intrusion or even a power outage.
When a credit union discusses business continuity, the first question should be "what is our goal?" The primary goal should be to resume normal operations in a reasonable timeframe, continue to provide member services and appropriately manage liquidity risk. For example, during Hurricane Katrina, access to cash became critically important for affected credit unions and their members.
Business continuity planning should encompass a broad range of scenarios and consider the effects on a credit union's facilities, people and technology. Here, we focus on the technology aspects of business continuity planning.
Building a strong business continuity plan can be challenging for credit unions. However, credit unions don't need to reinvent the wheel: a number of resources are available to help develop the processes and procedures needed to manage a disruption successfully from a technology perspective.
A good starting point is the Federal Financial Institutions Examination Council's Business Continuity Planning booklet, which provides detailed information on effective business continuity planning. It is available at http://go.usa.gov/cujGC.
In this booklet, the FFIEC identifies four main steps to developing a business continuity plan:
- Business impact analysis
- Risk assessment
- Risk management
- Monitoring and testing
Yet, when it comes to reconstituting a credit union's technology after a disruption, a well-developed continuity plan can only be created if management understands the credit union's inherent technology-risk profile. A credit union that reaches the advanced stage of cybersecurity maturity will be far better positioned to handle a disruption.
We recommend credit unions use a business impact analysis and a cybersecurity assessment to better understand their technology continuity risks.
Business Impact Analysis
A critical element of business continuity is the business impact analysis, a systematic process to identify and evaluate how unexpected events may affect a credit union's critical business operations. The analysis predicts the consequences of such events and allows the team to outline and develop recovery strategies for each scenario. This helps a credit union's management make informed decisions on where to invest credit union resources.
We will discuss this in more detail in a future article. Until then, you can find more information on carrying out a business impact analysis from the Department of Homeland Security at http://go.usa.gov/cujhk.
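The paragraph above describes the business impact analysis as a systematic process: map each critical member-facing function to the technology it depends on, model a disruption, see which functions are impaired, and use that to decide recovery order and where to invest. The following is an added illustration of that process in code; it is not from the article, the FFIEC booklet, or the DHS material. The functions, systems, dependency links, recovery time objectives (RTOs, a standard BIA metric the article does not mention) and restoration estimates are all constructed for the example and do not describe any real credit union.

```python
"""Toy business impact analysis (BIA) walkthrough. Added example, not NCUA or
FFIEC code. All names, dependencies, RTOs and estimates below are assumptions
made up for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BusinessFunction:
    name: str
    rto_hours: int      # assumed recovery time objective: tolerable outage before real harm
    systems: tuple      # technology the function directly needs


# Constructed inventory of member-facing functions. Cash access gets the
# tightest RTO, echoing the Katrina experience described in the article.
FUNCTIONS = (
    BusinessFunction("cash withdrawals (ATM/teller)", 4, ("atm_network", "teller_platform")),
    BusinessFunction("online and mobile banking", 8, ("online_banking",)),
    BusinessFunction("loan origination", 72, ("loan_system",)),
    BusinessFunction("member call center", 24, ("phone_system", "core_banking")),
)

# Constructed technology dependency map: system -> systems it requires.
SYSTEM_DEPS = {
    "core_banking": ("core_db", "primary_datacenter"),
    "core_db": ("primary_datacenter",),
    "online_banking": ("core_banking", "web_tier"),
    "web_tier": ("primary_datacenter",),
    "atm_network": ("core_banking", "atm_switch"),
    "atm_switch": ("primary_datacenter", "wan_link"),
    "teller_platform": ("core_banking", "branch_lan"),
    "loan_system": ("loan_db",),
    "loan_db": ("primary_datacenter",),
    "phone_system": ("voip_provider",),
    "primary_datacenter": (), "wan_link": (), "branch_lan": (), "voip_provider": (),
}


def transitive_deps(system, deps):
    """Every system `system` needs, directly or indirectly, including itself."""
    seen, stack = set(), [system]
    while stack:
        s = stack.pop()
        if s in seen:
            continue
        seen.add(s)
        stack.extend(deps.get(s, ()))
    return seen


def function_footprint(func, deps):
    """Union of the transitive dependencies of everything the function uses."""
    footprint = set()
    for s in func.systems:
        footprint |= transitive_deps(s, deps)
    return footprint


def analyze(disrupted, functions=FUNCTIONS, deps=SYSTEM_DEPS):
    """Model a scenario in which the `disrupted` systems are lost.

    Returns (impacted, recovery_order):
      impacted        list of (function name, RTO hours, root causes hit), tightest RTO first
      recovery_order  disrupted systems ordered by the tightest RTO they block
    """
    disrupted = set(disrupted)
    impacted = []
    for f in functions:
        hit = function_footprint(f, deps) & disrupted
        if hit:
            impacted.append((f.name, f.rto_hours, sorted(hit)))
    impacted.sort(key=lambda entry: entry[1])

    priority = {}
    for _name, rto, roots in impacted:
        for r in roots:
            priority[r] = min(priority.get(r, rto), rto)
    recovery_order = sorted(priority, key=lambda r: (priority[r], r))
    return impacted, recovery_order


def rto_gaps(impacted, restore_estimates):
    """Functions whose RTO cannot be met given estimated hours to restore each root cause.

    These gaps are where management should direct resources (redundant links,
    alternate vendors, faster restore procedures)."""
    gaps = []
    for name, rto, roots in impacted:
        estimate = max(restore_estimates.get(r, 0) for r in roots)
        if estimate > rto:
            gaps.append((name, rto, estimate))
    return gaps


if __name__ == "__main__":
    # Constructed scenario: regional outage takes the WAN link and the VoIP provider.
    impacted, order = analyze({"wan_link", "voip_provider"})
    for name, rto, roots in impacted:
        print(f"{name}: RTO {rto}h, blocked by {roots}")
    print("recover first:", order)
    print("RTO gaps:", rto_gaps(impacted, {"wan_link": 12, "voip_provider": 6}))
```

Run with a scenario such as the loss of `primary_datacenter` (the "permanent loss of a building" case) and every function is impacted with a single root cause, which is the argument for an alternate site; run it with the WAN-link scenario and the gap report shows that a 12-hour link restoration cannot satisfy a 4-hour RTO on cash access, so a second circuit or an offline ATM fallback is where the investment belongs.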
Cybersecurity Assessment Tool
The FFIEC developed the Cybersecurity Assessment Tool to help financial institutions identify their risks and understand how prepared they are for a cybersecurity incident: theft, damage or disruption of the information and services they hold or provide to their members. Some of the key ideas the tool conveys are:
- Understanding the institution's cybersecurity maturity level.
- Forging partnerships to improve the credit union's cyber threat intelligence. One partner could be the Financial Services Information Sharing and Analysis Center (FS-ISAC). More FS-ISAC resources can be found at https://www.fsisac.com.
- Identifying and monitoring the risks within the credit union's critical infrastructure. For example, set up search-engine alerts that notify you whenever a critical infrastructure vendor is mentioned in the news.
- Achieving resiliency commensurate with the credit union's risk profile. One way to improve resiliency is to build partnerships with other institutions that have reached higher levels of cyber preparedness, understand how they achieved it and implement similar practices at your credit union.
You can find more information about the FFIEC's Cybersecurity Assessment Tool at www.ffiec.gov/cyberassessmenttool.htm.
Writing the Plan
Writing a business continuity plan can be filled with obstacles that later affect an institution's ability to resume normal operations. Incorporating the following practices makes for a stronger and more resilient plan:
- Include business unit owners in writing the plan, rather than assigning the task to one person. This allows for a broader understanding of potential risks and promotes buy-in of the final product.
- Require each business unit owner to certify the section of the plan that covers his or her division.
- Integrate the plan into the credit union's enterprise risk-management program.
- Adopt a "triad model" consisting of at least three individuals who understand business continuity concepts and the continuity processes within the credit union. These staff members improve the quality of the final product by contributing multiple viewpoints and diverse experiences to the plan's development. The absence of a triad model correlates with decreased business resiliency.
There are many important elements for credit unions to consider when creating a new business continuity plan or evaluating an existing one. It is critical that the board of directors establishes a strong, detailed continuity plan before an incident actually occurs. The plan should incorporate ongoing training to ensure everyone is aware of his or her role during an event, and it should require periodic testing.
We have discussed some highlights of business continuity planning, business impact analysis, and the Cybersecurity Assessment Tool. Having a well-thought-out plan that considers a wide variety of threats and responsive actions will help stack the deck in a credit union's favor if it finds itself operating under adverse conditions.