Does Your BCP Have a BCP? And other disaster recovery concerns

If there has ever been a year for contingency plans, 2020 is it. Many financial institutions have activated their business continuity plans (BCP) due to the COVID-19 pandemic. Now as hurricanes, wildfires, and other natural disasters disrupt business further, FIs are finding themselves activating a second BCP on top of the one already in place.

How can an FI be sure its business continuity management (BCM) keeps pace with these changing conditions?

It requires taking a second look at the plan to ensure the procedures in place for supporting critical functions still apply.

What do you need to look at? Areas include:

Remote work plans. Many staffers are still working from home, making electric and Internet service indispensable. Does the FI have a plan in case essential staff loses service? Perhaps it’s a backup location, hotel, or MiFi device. Is this connection secure enough to conduct business? Is the staff comfortable with the solution? Are human resources and IT prepared to deal with these questions?

Back-up locations. Your FI may have a back-up location in its BCP, but is that location still feasible in the pandemic environment? Does it have adequate space, ventilation, and supplies?

Cybersecurity. Cyber crooks love exploiting confusion and uncertainty. Is the staff well-trained in how you will communicate with them if current methods temporarily stop working? Do they know how to spot a phishing scam? If the staff is working from a new remote location, is the connection secure? Does the staff know to check? Make sure you’ve analyzed your cybersecurity maturity.

Third-party vendors. Have your critical third-party vendors updated their BCPs? If so, have you reviewed them to make sure they still align with your own BCPs? It’s basic vendor management. The same holds true for government crisis plans, including response times. If your plan hinges on someone else’s plan, make sure you know what that plan is.

Communications. Are your plans for communicating with consumers, employees, regulators, and others updated?

Supplies. Supplies can be hard to locate right now, and it’s often even worse after a disaster. Make sure you have adequate supplies such as plywood, cleaning supplies, and PPE.

Recovery team. Your plan likely includes a point person if an office is damaged or destroyed. Is that person still able to fill that role? If they or a loved one are a member of a vulnerable population, the employee might not be comfortable performing that role anymore. Make sure everyone can still perform their assigned roles and name backups who can.

Employee well-being. It’s been a tough year for everyone, and throwing another crisis on top of the pandemic is overwhelming. Chances are your FI has plans in place to function with less staff in the case of illness or having to take care of loved ones. Employees incurring other trauma, such as damage or loss of a home, trying to find shelter while maintaining social distance, or just feeling overwhelmed that yet another thing has gone wrong may not be able to perform as usual. Does your plan cover widespread absences due to two major disruptions at once?

If your FI hasn’t recently reviewed its BCP to understand how it may have to adapt in light of the ongoing pandemic, now is the time to re-examine it.

Also, be mindful of the difference between business continuity planning and disaster recovery.

A BCP has a wide scope, looking at the enterprise as a whole. It allows a business to make advanced plans to address what needs to be done to ensure resiliency so that it can continue to deliver key products and services. It includes a business impact analysis (BIA) to analyze critical systems, business functions, and services and the elements that support them to determine how a business interruption might impact them. It identifies critical functions and the minimum service levels that need to be met.

A disaster recovery (DR) plan allows a business to plan what needs to be done immediately after a disaster to recover from an event. It includes detailed procedures for addressing problems and getting systems like data backup back online.

It should address elements from the BIA:

• Recovery point objectives (RPOs). An RPO determines the point in time in which data must be recovered from backup storage so normal operations can resume. It's basically how much data your institution can afford to lose. For instance, if an RPO is one hour, backups should be made at least once per hour.
• Recovery time objectives (RTOs). An RTO is the time goal for restoring systems, applications, and business functions after an outage. This includes systems like the core and remote deposit.
• Maximum allowable downtime (MAD). The longest period of time a system can be down.

A disaster recovery plan is one element of a business continuity plan. The BCP is concerned with the whole enterprise. The DR plan is focused on specific steps to recover from an incident.

When Disaster Strikes Do You Implement BCP or DR First?

BCP and DR fill different roles and determining which plan to put into place first depends on the disaster. Ideally, BCP and DR should come into play simultaneously, with the institution working to provide services while recovering, but sometimes one needs to take precedent over the other.

For example, if a disaster is causing injuries or loss of life, disaster recovery will be the top priority as your institution works to ensure people are safe. Once people are taken care of, then BCP can take over.

A cyber attack is one example of when a BCP might take precedence. Your institution's first priority is to stop the attack, understand what's happening, and start servicing members and customers who are experiencing problems. Once the institution has a grasp on what's happening and has found a way to stop it, it can use its DR plan to recover.

Don’t be caught off guard. Make sure your BCP has a BCP—and that both plans include disaster recovery.

Michael Berman is the founder and CEO of Ncontracts, a leading provider of risk management solutions. His extensive background in legal and regulatory matters has afforded him unique insights into solving operational risk management challenges and drives Ncontracts’ mission to efficiently and effectively manage operational risk.