What is Business Continuity Planning?
In its simplest form, business continuity planning (sometimes referred to as business continuity management) is how you prepare for resilience of systems, business processes, and overall operations during adverse circumstances. Business continuity planning is a multi-faceted process, most often including these elements:
- Business Impact Analysis
- Risk Assessment
- Risk Management
- Training, Exercises, and Testing
- Monitoring, Updates, and Reporting
This article will briefly describe what to expect for each part of the process. As the financial institution industry is highly regulated and considered relatively mature when it comes to business continuity planning, this article uses bank and credit union regulatory references to back-up these recommended best practices.
An early stage in business continuity planning is the development of a business impact analysis (BIA). According to the FFIEC Information Technology Examination Handbook, Business Continuity Management Booklet:
"A BIA is the process of identifying the potential impact of disruptive events to an entity's functions and processes. A BIA allows management to identify and analyze gaps in critical processes that would prevent the entity from meeting its business requirements." (Page 9)
An effective BIA offers many benefits, including the ability to determine:
- What business processes exist at your organization
- The criticality of each business process, as it pertains to achieving your organization's operational and strategic priorities
- What resources each process requires to function at full capacity
- And the impact to your organization, should the process become unavailable
With this information, you can better identify interdependencies, develop appropriate recovery plans, and make informed decisions. For specific steps you can follow when performing a BIA, see our article on Simplifying Business Impact Analysis for BCP.
The next important element to help your organization reach its business continuity goals is to conduct a BCP Risk Assessment.
According to the FFIEC's booklet, a BCP risk assessment is:
"The process of identifying risks to operations, organizational assets, individuals, and other organizations." (Page 12)
The purpose of the BCP risk assessment is to evaluate the likelihood and potential impact of reasonably foreseeable internal and external threats which could result in a business disruption, including, but not limited to:
- Natural events
- Technical events
- Malicious activity
- International events
- Low likelihood and high impact events
The information gained from your BIA and risk assessment processes should enable you to develop appropriate recovery plans. This same information should help you identify preparedness controls, so you're not only recovering from interruptions, but ensuring resilience of operations.
Risk management is driven by the BIA and risk assessment and is the part of the management process where the business continuity plans are developed and documented.
Per the FFIEC guidance:
"The BCP documents the practices and procedures for continuing business operations during a disruption [and] includes specific elements, such as incident response, disaster recovery, and crisis management." (Page 26)
This is the part of the process where you answer the question, "If a business disruption occurs, how will we continue operations?" The answer should be found in three areas of your business continuity plan:
- Preparedness Controls: These controls can help you manage risk before, during, and after a business disruption. Preventative controls keep issues from becoming full-on disasters. Detective controls can identify any ongoing events. Corrective controls provide information for responding to and resolving any event.
- Emergency Checklists: An example of a corrective control would be emergency checklists. Based on your risk assessment, specific checklists can be developed for addressing common business interruption scenarios. These event specific checklists should guide personnel through appropriately managing a disruptive event, whenever it occurs.
- Recovery Objectives: Based on your BIA, you should identify the steps needed to restore the organization's systems, business processes, and operations and identify the maximum amount of time the organization can tolerate without each system and process (MTD). Each objective should have a corresponding recovery time objective (RTO), which can help you estimate how much time it will take to recover. Learn more about RTO and MTD in our blog: What is the difference between RPO, RTO, and MTD?
Development of plans for business continuity is key to managing and mitigating the risks facing your organization.
According to the FFIEC booklet, training should be provided to appropriate personnel over things like significant business continuity concepts, goals, and objectives; current and future risks; new programs and technologies; and organizational changes.
As part of ongoing training, a comprehensive exercise and testing program should be implemented to validate business continuity assumptions. The following objectives should be achieved through an exercise and testing program:
- Build confidence the BCP will achieve business requirements
- Demonstrate services can be restored within expected timeframes
- Validate critical business processes can be restored from alternate operating locations
- Familiarize staff with restoration expectations and ensure key personnel are trained on restoration procedures
- Ensure the exercise and test plans are suitable for the organization's business continuity plan
- Recognize gaps and deficiencies to adjust the BCP accordingly
A business continuity plan will only be an effective risk management tool if (1) personnel are trained to use it correctly and (2) assumptions made in the plan are validated through testing.
Monitoring, Updates, and Reporting
As changes in risks, technology, and processes are identified through ongoing monitoring, the business continuity plan should be reviewed and updated to reflect the current environment. Areas to be considered in regular updates include:
- Operational, security, and alternate-facility requirements
- Technical procedures and vital records
- Hardware, software, and other equipment
- Contact information for team members and third parties
Reports should be delivered to senior management and the board of directors over the status of the plan regularly (e.g., monthly, quarterly, as major events occur, etc.). Reports should include the BIA, risk assessment, business continuity risk management plans, exercise and test results, and identified issues.
Once you define and develop your business continuity plan, visit our article to learn about 3 Ways to Ensure Your Business Continuity Plan is Ready.
To take your BCP to the next level, check out Tandem Business Continuity Planning. Using the Tandem framework, you can ensure your business continuity planning process is thorough with our features and templates for BIA, preparedness controls, exercises and testing, emergency checklists, and presentation-ready reports.
With Tandem's easy-to-use online framework, you can ensure your BCP will allow you to effectively manage operations in the event of a business disruption.