Business Continuity Plan Development
Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be:
- Based on a comprehensive BIA and risk assessment;
- Documented in a written program;
- Reviewed and approved by the board and senior management at least annually;
- Disseminated to financial institution employees;
- Properly managed when the maintenance and development of the BCP is outsourced to a third party;
- Specific regarding what conditions should prompt implementation of the plan and the process for invoking the BCP;
- Specific regarding what immediate steps should be taken during a disruption;
- Flexible to respond to unanticipated threat scenarios and changing internal conditions;
- Focused on the impact of various threats that could potentially disrupt operations rather than on specific events;
- Developed based on valid assumptions and an analysis of interdependencies; and
- Effective in minimizing service disruptions and financial loss through the implementation of mitigation strategies.
The BIA and risk assessment represent the foundation of the BCP. The BCP should be written on an enterprise-wide basis, reviewed and approved by the board and senior management at least annually, and disseminated to financial institution employees for timely implementation. Refer to Appendix G: "Business Continuity Plan Components" for additional information. All financial institutions should develop a BCP that documents business continuity strategies and procedures to recover, resume, and maintain all critical business functions and processes.
Some financial institutions may choose to develop their BCP internally, while others may choose to outsource the development and maintenance of their BCP. While outsourcing BCP development may be a viable option, the board and management are ultimately responsible for implementing and maintaining a comprehensive BCP. Therefore, financial institution management should understand the business impact of potential threats, have the ability to implement mitigating controls, and ensure that the BCP can be properly executed by financial institution personnel and validated through comprehensive testing. When outsourcing BCP development, management should ensure that the chosen service provider has the expertise required to analyze the financial institution's business needs. The service provider should also be able to design executable strategies that are relevant to the financial institution's risk environment, create education and training programs necessary to achieve successful deployment of the BCP, and integrate necessary changes so that the BCP is properly updated.
A well-written BCP should describe the various types of events that could prompt the formal declaration of a disaster and the process for invoking the BCP. It should also describe the responsibilities and procedures to be followed by each continuity team, have current contact lists of critical personnel, address communication processes for internal and external stakeholders, identify relocation strategies to alternate facilities, and include procedures for approving unanticipated expenses.
The BCP should specifically describe the immediate steps to be taken during a disruption in order to maintain the safety of personnel and minimize the damage incurred by the institution. The BCP should include procedures to execute the plan's priorities for critical versus non-critical functions, services, and processes. Specific procedures to follow for recovery of each critical business function should be developed so that employees understand their role in the recovery process and can implement the BCP in a timely manner.
The BIA and risk assessment should be integrated into the written BCP by incorporating identified changes in internal and external conditions and by focusing on the impact of various threats that could potentially disrupt operations rather than on specific events that may never occur. Examples of the potential impact of various threats include the following:
- Critical personnel are unavailable and they cannot be contacted;
- Critical buildings, facilities, or geographic regions are not accessible;
- Equipment (hardware) has malfunctioned or is destroyed;
- Software and data are not accessible or are corrupted;
- Third-party services are not available;
- Utilities are not available (power, telecommunications, etc.);
- Liquidity needs cannot be met; and
- Vital records are not available.