Hurricanes Harvey and Irma, which struck different locations on the U.S. coastline in August and September, were a tragic reminder that we live in an uncertain world, and natural disasters can cause widespread devastation. The individuals who have been directly affected will always be the first concern, but it’s equally important that businesses and government agencies be able to rebound quickly after a widespread disaster because their ability to function effectively is vital to the recovery of the communities they serve.
Every bank needs a business continuity management plan that the senior executive team and board of directors can activate in the event of a disaster like Harvey or Irma. The plan should be reviewed and tested annually, and updated as needed, suggests Christopher Wilkinson, a principal in Crowe Horwath’s Technology Risk Consulting Group who oversees business continuity planning and penetration assessments for the firm’s cybersecurity team. A common mistake that many organizations make is to see business continuity planning as purely an IT issue, when in fact it is much broader than that. “It’s important to make sure that you focus, first and foremost, on business continuity as a business issue and not just as an IT issue,” he says. In an interview with Bank Director Editor in Chief Jack Milligan, Wilkinson talks about the basic elements of a sound business continuity management program.
BD: What are the primary elements of a good plan?
Wilkinson: When you take a look at business continuity management (BCM) programs, there are four key components. The first component starts with a business impact analysis (BIA). Organizations used to look at business continuity as an IT problem when in fact it really is a business issue. IT is a big component of restoring business operations, but business continuity as a whole is not just an IT problem. A lot of organizations have made the shift to say, “When an event happens, I don’t necessarily want to restore [just] my payroll application. I want to make sure that the process of paying my individuals is restored in full.” And the BIA builds the requirements for each one of the organization’s critical business processes.
One of the biggest components, or variables, that is set during the business impact analysis is the recovery time objective, or RTO. This tells an organization how long a specific business process like HR or payroll can be placed on the back burner before it significantly impacts the organization.
You can look at the impact from a variety of different perspectives. The obvious one would be the financial impact to the organization, but there are others, like the ability to attract new customers or the impact on servicing existing customers. There are a variety of factors that you want to measure the impact of for each business process to determine the overall impact on the organization.
The second important variable in BCM is the recovery point objective, or RPO. This one is a little bit more difficult, but what this variable tells us is, if I had to go to a snapshot of data in the past for some of the systems associated with a business process, how far back could I go? Depending on how dynamic the data is, are we talking minutes, hours or days?
Disaster recovery is an IT issue, and basically what it tells the organization is, “How do I strategically prepare my critical applications to meet the RTO and RPO expectations from the process owners?”
For example, when you talk about RTO: do I have a system designed in such a way, with data backups and system redundancy, that I have the ability to recover that system within the required recovery time objective that the business has given me? So in essence, it’s giving you a service-level agreement, or an SLA, for each and every one of your applications. It tells the IT department, “Here’s how long I can go without this system. Now it’s your job to make sure that system is positioned strategically to meet expectations.”
The third component of a BCM program is the business continuity plan. This is, once again, a business issue. When we document business continuity plans for organizations, one of the things that we’re doing is making sure that certain processes can still be performed in the event of a disaster. If it’s payroll, for example, what can I prepare beforehand to ensure that I can pay employees given the absence of either the systems, the people, or the resources and facilities that are available?
The fourth component of BCM is testing. Are we doing our tabletop testing? Are we getting the right people in a room and walking through disaster scenarios on an annual basis? Are we testing the business side and the business continuity plan? Are we testing the disaster recovery plan, and the ability for IT to recover both the systems and the data that support the business function?
BD: What mistakes do companies, including banks, typically make in their business continuity planning?
Wilkinson: That is a great question. I think one of the more common mistakes that I mentioned earlier is looking at business continuity as an IT issue, instead of as a business issue.
If we’re dealing with payroll and HR as an example, I very likely could recover the payroll application. But there may be other dependencies within the payroll process that aren’t up and running and that aren’t IT-related.
So it’s important to make sure that you focus, first and foremost, on business continuity as a business issue and not just as an IT issue.
Another mistake is that some of the smaller banks under $10 billion in assets haven’t done a business continuity risk assessment, where you’re prioritizing your threats based upon the company profile. That could be geographic location, which is probably one of the largest factors for banks. As you can imagine, if I’m a bank in the Florida Keys, I’ll have much different concerns with regards to the types of events or threats that may impact me than a bank in the Midwest.
So I need to make sure that I take a look at those threats, and then take a look at the controls that are in place from a business continuity perspective. Look at the most effective controls that are required for each one of those types of events, and then put those in place, and make sure that they’re effective.
BD: Do banks have any special issues when it comes to business continuity?
Wilkinson: Banks are probably a little less challenging than other kinds of organizations. If you think about manufacturing and distribution, you have to worry about supply chain management. The Japanese tsunami in 2011 was a great example of that; it disrupted the supply chain for folks in many industries. It became quite a challenge to be able to find some of the parts and raw materials that companies needed, especially if they were coming from Japan.
Probably the most challenging aspect within the banking world is the number of branches they have and their geographic distribution. Banks need to review their facilities and understand where the critical business processes lie within each one of those facilities, and then strategically design a business continuity plan for each one of those facilities, based upon their geographic footprint. That is probably the most challenging thing that bankers face that other industries may not.
BD: Are there other risks that banks need to worry about from a business continuity standpoint that don’t necessarily relate directly to some kind of natural disaster?
Wilkinson: There absolutely are. And that’s why, when we talk about more mature organizations and their business continuity management program, what we’re starting to see is the convergence of the business continuity management program and the crisis management plan.
Having a crisis management playbook and a communication strategy for things like an active shooter scenario are starting to converge with business continuity management. The primary area where we see overlap is the management structure that’s going to be leading that organization through one of those events. They are very different situations if you think about a tornado versus an active shooter. But the overall management structure, and who’s leading the organization and making key decisions and putting out public communication—that’s where the primary overlap is for those two different kinds of events. In the past, we’ve looked at them as two different programs. More mature organizations are starting to converge those two into one larger program that speaks to business resiliency.
BD: Any last points you want to make before we close this out?
Wilkinson: Today we are a very mobile workforce. How am I to use that mobility strategically to assist my business continuity program?
One of the ways that organizations can take advantage of this mobility is if they have a laptop refresh program. Let’s assume that a certain number of bank employees carry laptops, and those laptops get refreshed on an annual, biannual or every-three-year basis. If you’re not leasing those laptops and you own them, it’s a good opportunity to take those laptops, put them in a secure location and leverage them in case something does happen. It’s a lot easier to pull out 15- or 20-year-old laptops that already have a lot of the software and systems I need loaded on them than it is for me to create new systems from scratch.
Number two, when we see banks or organizations connecting their business continuity programs: in the unfortunate case where there is an event, communication is key. There are a lot of different systems out there that allow me to communicate with my employees and my customers. Pricing varies between the different products that are available, but the ability to send text messages—especially because typically that’s one of the last things that ultimately will go down from an infrastructure perspective, in terms of the amount of data that’s used across networks—is changing the way that we as practitioners implement our plans.