Business Impact Analysis Template For Banks

Because of their highly regulated nature, critical role in the economy, and attractiveness to cybercriminals, banks should be especially rigorous in performing BIAs, which provide significant protective benefits. This post lays out the steps banks should follow to create templates to help them conduct quality BIAs.

Related on MHA Consulting: FFIEC: An Introduction to BCM’s Gold Standard

Lessons learned from past disruptions to the financial industry have resulted in stringent business continuity (BC) requirements for the banking system. Today, banks must comply with the BC regulatory standards set forth by the FFIEC, the Federal Financial Institutions Examination Council. The importance of these demanding and comprehensive regulations has been underscored more recently by the relentless rise in the frequency of cyberattacks, of which financial institutions are a prime target.

As the FFIEC guidelines recognize, the best way for banks to ensure they can successfully weather disruptions is for them to develop sound business continuity (BC) programs and thorough recovery plans. The FFIEC also understands that quality recovery plans start with a good BIA or business impact analysis, an assessment that helps the organization understand what its most mission-critical business processes are.  This is a prerequisite to knowing what processes needs to be recovered first to minimize the impact of a disruption.

The purpose of the BIA is the same for every industry, but because of FFIEC requirements, completing one is more stringent for banks. The tough requirements have given the bank BIA a heft and substance that most other types of organizations don’t approach until they do their recovery plans. (Banker’s hours might be easy but bankers’ BIAs are tough.)

As a result, doing BIAs at a bank requires more time and resources than at other types of organizations, both on the part of the BC office and from the BIA participants (the people from the business departments who supply the needed information).

Are you interested in creating a Business Impact Analysis template for a bank? If so, you’ve come to the right place.

Creating a BIA Template for a Bank 

Here are the steps to create a BIA template for a bank. Steps marked with an asterisk (*) are FFIEC-required. Links are to MHA posts that explain the concept in detail.

1. *Identify the potential impact of a business disruption resulting from uncontrolled, nonspecific events. Consider the impact over time without regard to what type of disruption caused it. 

2. Identify the legal and regulatory requirements for business functions and processes critical to business operations.

3. *Determine maximum allowable downtime. For each critical process, estimate the maximum time the process could be down before the organization suffers a material or critical impact (customer, financial, reputational, etc.).

4. For each critical process and its associated applications, calculate recovery time objective (RTO) and recovery point objective (RPO). These calculations should be equal to or less than your estimated maximum allowable downtime.

5. *Perform a risk assessment. Consider possible disruptive events that could affect your critical processes and understand the risks associated with those events. For example, if you lose access to your building, what would the dollar and non-dollar impacts be on, say, the accounts payable process?

6. Identify critical dependencies between systems/applications, processes, and departments. This step is particularly important as it relates to specialized equipment.

7. *Determine how those business processes will function without critical technology.

8. For critical systems, determine single points of failure and their significance. Consider human availability and third-party vendors in addition to technology. 

9. Identify critical outsource relationships and your service level agreement responsibilities for each. 

10. *For each critical process, identify critical operational or security controls that are required to be implemented prior to recovery. For instance, the addition of cameras for security or door access control systems for safety. 

11. *Identify the minimum number of staff members and the minimum amount of space that would be required at a recovery site. 

12. *Identify special forms or supplies that would be needed at the recovery site. 

13. *Identify equipment needed at the recovery site to communicate with customers and employees. 

14. *Identify which of your processes affect critical cash management and liquidity. 

After the BIA 

To wrap up, let’s fast forward to what a bank should do after its BIA is complete. This is not a complete answer, but there are two steps I want to mention that often go ignored (which is unfortunate because they are very valuable):

1. Share the data with IT. After the BIA is complete and the data aggregated, all the findings on the relative criticality of the technology systems—and when they need to be recovered—should be provided to the IT people. Include the name of the application, the RTO, and the RPO. IT should do a gap analysis looking at the daylight that exists, in any, between the BIA’s requirements and their capabilities—then both teams should work on bringing the two into alignment.
2. Take the data to the business units. The data should also be shared with the business units so they can use it to create their business continuity plans.

Meeting Requirements and Improving Resilience 

The rigorous FFIEC guidelines banks must adhere to extend to BIAs, which they must complete to a very high level as detailed above. The steps provided lay out how to create a template to assist in identifying the bank’s most critically time sensitive business processes and applications.

Implementing a detailed BIA not only aligns with regulatory requirements but also fortifies the bank against cyber threats and operational interruptions. A well-crafted BIA essential for aligning the needs of the business departments with the capabilities of IT, ultimately enhancing the bank’s overall resilience.