A stable banking system is crucial to our economy. Lessons learned from past disruptions to the financial industry—including hurricanes Katrina and Rita, and the events of September 11—have resulted in increasingly stringent business continuity (BC) requirements for the banking system. Today, banks must comply with the BC regulatory standards as set forth by the Federal Financial Institutions Examination Council (FFIEC). And although the requirements seem heavy-handed, there is a method to the madness. Banks that have thorough and carefully thought-out recovery plans will be able to continue operations through a disruption of any kind—and that benefits us all.
The best recovery plans spring from one important activity: the Business Impact Analysis (BIA). It’s important for every organization, in every industry, to start business continuity planning at this stage, because, as we’ve said before, a BIA lays the foundation for defining recovery strategies and developing plans. This information-gathering stage is the only way for any business—not just banks—to truly understand the risks to its processes and what they depend on, and to get an accurate estimate of the recovery timeframes that will be required. There’s no better way to understand what needs to be recovered and in what order.
Because of the criticality of the function banks perform and their impact on customers and the liquidity of the financial industry overall, banks are required to complete this step, according to FFIEC guidelines.
Although the purpose of the BIA is the same for every industry—to assess the criticality of business functions and processes, including their interdependencies—the requirements for completing it are different (and more thorough) for banks. In my view, by adding those additional requirements the FFIEC has extended the BIA’s reach beyond simple identification of critical practices. In fact, many of the steps that are required for a bank BIA are typically done as part of the normal recovery planning process in other industries.
As a result, bank BIAs will require additional time and resources compared to the typical BIA process—on the part of both the business continuity management office and the BIA participants.
If you’re looking to create a Business Impact Analysis template for a bank, see below for the required steps.
The Business Impact Analysis For Banks
An important note about the FFIEC guidelines: Where the guidelines say “should” it’s wise to consider it “must.” A final determination of compliance can be somewhat subjective, which is why most experienced BC managers tend to err on the side of caution. Ideally, BC managers and auditors should be partners in addressing compliance issues, so that the process yields the best results.
FFIEC guidelines require you to do the following for a Business Impact Analysis (an asterisk indicates that the step is required for banks as part of the BIA):
- *Identify the potential impact of a business disruption resulting from uncontrolled, nonspecific events. Assess the impact over time, without looking at what type of disruption caused it.
- Identify the legal and regulatory requirements for business functions and processes critical to business operations.
- *Determine maximum allowable downtime. For each critical process, estimate the maximum time that process could be down before the organization suffers a material or critical impact (customer, financial, reputation, etc.).
- For each critical process and its associated applications, calculate recovery time objective (RTO) and recovery point objective (RPO). These calculations should be equal to or less than your estimated maximum allowable downtime.
- *Perform a risk assessment. Consider possible disruptive events that could affect your critical processes and understand the risks associated with those events. For example, if you lose access to your building, what would the dollar and non-dollar impacts be on, say, the accounts payable process?
- Identify critical dependencies between systems/applications, processes, and departments. This step is particularly important as it relates to specialized equipment.
- *Determine how those business processes will function without critical technology.
- For critical systems, determine single points of failure and their significance. Consider human availability and third-party vendors in addition to technology.
- Identify critical outsource relationships and your service level agreement responsibilities for each.
- *For each critical process, identify critical operational or security controls that are required to be implemented prior to recovery. Examples include the addition of cameras for security or door access control systems for safety.
- *Identify the minimum number of staff members and the minimum amount of space that would be required at a recovery site.
- *Identify special forms or supplies that would be needed at the recovery site.
- *Identify equipment needed at the recovery site to communicate with customers and employees.
- *Identify which of your processes affect critical cash management and liquidity.
Need a Business Impact Analysis template for banks?
Our BIA On-Demand (BIAOD) tool provides more than just a template; it includes everything you need to conduct a complete Business Impact Analysis for your bank. It’s part of our business continuity software suite BCMMetrics™, which helps facilitate compliance across your business continuity program. BIA On-Demand walks you through a full evaluation of your business processes, including dollar and non-dollar impact as well as recovery time objectives. In the end, it automatically calculates the level of criticality of each unit you’ve chosen to evaluate and produces a detailed report of the results. BIAOD makes it easy to ask the right questions, giving you the exact results you need to create strong recovery strategies and plans. It is aligned with a number of industry standards, including FFIEC, and operates securely within the cloud.