
Protecting, Maintaining & Evolving:
21st Century Business Continuity for Financial Institutions

By Pat McAnally, Laurie Bailey, Deborah Taylor, Chris Jansen, Len Boyer, & Joe Riley


Business continuity planning within the financial industry has been around as long as the discipline itself. Banks and brokers recognized early the importance of ensuring and protecting their essential information, which was most often in paper form. Today we are in new and unusual circumstances, where technology has made us both powerful and vulnerable and we can't take anything for granted. Things that were givens even a year ago are not so certain anymore. Today's business continuity plans need to extend beyond the data center and into security and protection, the business functions, and islands of automation. Recent federal regulations make business continuity a mandated essential for financial institutions.

Mitigating damage
Failure in the first phase of an incident undermines a company's ability to carry out its established recovery strategies. Where possible, you must manage an incident before it becomes a crisis. Safeguarding employees and material assets is smarter risk management, and that means thinking the unthinkable. For example, incident management plans should cover situations where:
• Buildings are permanently inaccessible or even destroyed
• Staff are scattered, lost, or otherwise unavailable
• Suppliers experience prolonged downtime
• Utilities are disrupted over a wide area or extended period
• Business value chain processing is disrupted

Considerations:
Do you have an incident management plan that outlines information flow and action options? How about an incident management team? Do you have more than one way to contact your employees outside of work? Have they been briefed on emergency procedures, and have they practiced those procedures? Do the procedures designate a command center and/or a place for evacuated personnel to reconvene? Have you made provisions for alternate site operations, whether a vaulting solution for failover resumption or a hotsite for short-term business operations? Where and how will your people go back to work? Have your legal and finance departments been informed of their responsibilities?

The changing marketplace
As you come to terms with the new realities of risk management, burgeoning technology continues to reshape the marketplace, single-handedly creating new trends and raising the bar on user expectations. Let's take a look at the most important trends within the industry.

Increased government scrutiny
The most recent wave of government regulations and legislation affecting the financial industry is a classic chicken-and-egg case. There is no clear-cut way to determine which came first: the regulations that address and control industry trends, or the trends themselves. However, no one remembers a time when government wasn't a significant force within the industry, and everyone knows its reach and influence will continue to expand. In fact, just imagine what legislation and guidelines will evolve from the recent wave of terrorist activity within our borders.

FFIEC's risk management of outsourced technology services
Effective November 2000, the Federal Financial Institutions Examination Council's (FFIEC's) guidance on risk management of outsourced technology services focuses on coordinating the identification, measurement, monitoring, and control of the risks associated with outsourcing technology services within the financial industry.

The guidance covers four elements of the risk management process: the risk assessment function, selection of service providers, contract review, and monitoring of services. Moreover, it specifically cites contingency plans, including the availability of alternative service providers and the costs and resources required to switch to them, as one area that should be assessed.

Outsourcing risk assessment should include:
• Strategic goals, objectives, and business needs of the financial institution
• Ability to evaluate and oversee outsourcing relationships
• Importance and criticality of the services to the financial institution
• Defined requirements for the outsourced activity
• Necessary controls and reporting processes
• Contractual obligations and requirements for the service provider
• Contingency plans, including availability of alternative service providers, costs, and resources required to switch service providers
• Ongoing assessment of outsourcing arrangements to evaluate consistency with strategic objectives and service provider performance
• Regulatory requirements and guidance for the business lines affected and technologies used

Mergers and acquisitions
Before a consolidated organization can even begin to realize the benefits of a merger, it must examine and reconcile an infrastructure that starts with disparate and usually incompatible IT procedures, products, and systems. Recovery processes, personnel, and institutions must quickly readdress their business continuity plans at every step of the consolidation process to reconcile competing expectations, vendors, timeframes, and maintenance habits. It can also present a golden opportunity, however, to reevaluate the total business continuity activity and make it more comprehensive, cohesive, and congruent.

E-business and mobile access
The World Wide Web has dramatically changed the cost and capabilities of marketing, distributing, and delivering financial products and services and enabled new types of products and services to be developed.

Meanwhile, web site continuity strategies are evolving along with the technology itself, making analysis, planning, and testing more complex. There are many recovery issues to consider, including prevention of lost real-time transactional data, version and backup control, and policies for notification and redirection. And when an organization is in crisis mode, as many were in response to September 11, it is unfortunately more susceptible to malicious attacks such as worms and denial of service, because staff and attention are diverted to the emergency. In addition, web solutions tend to be less secure and robust than mature back-office systems, which makes testing both more important and more difficult, since the discipline is relatively new and has little operating history to draw on.

If mobile telephone or PDA channels are planned or in use, the business continuity plan must be re-evaluated to accommodate this new touch point. Is the delivery channel critical to the company's operations? Is there room for downtime? Is there potential for loss of data? Is new network security or data encryption required? Can the plan be adequately tested?

Building a plan
What would you do if you were faced with a business interruption today? Tomorrow? Next week? If you don't have an answer, now is the time to start formulating a plan. We recommend that you take the discipline you have built into your business operations and current IT infrastructure and apply it to the unexpected. Successful plans start with a strategy that considers what downtime means to your human resources, business operations, and bottom line, and how all of that affects your stakeholders. Planning ensures a higher level of asset protection, ensures that the optimal solution is implemented immediately when an incident occurs, and maintains seamless continuity between current conditions, stakeholder expectations, and regulatory requirements.

To develop a financial business continuity plan, we recommend the following process:
1. Predetermine incident management responsibility and authority
2. Assess both information and physical security
3. Define both intangible and tangible assets, such as human resources, intellectual property, real estate, and equipment
4. Define all products and services
5. Define all delivery channels and touch points
6. Determine overall recovery requirements (safety and security needs, as well as thresholds for time, money, and so on)
7. Determine all legal and regulatory compliance issues
8. Determine various levels of asset protection and the limits and expectations for each
9. Prioritize products and services and the limits and expectations for each
10. Prioritize delivery channels and touch points and the limits and expectations for each
11. Determine the resources and strategies you need to provide the highest levels of asset protection and achieve your requirements in light of your priorities
12. Develop recovery strategies for assets, business areas, and processes based on priority
13. Define recovery roles, responsibilities, and actions
14. Draft a preliminary business continuity plan
15. Validate the plan through testing
16. Train recovery personnel on the plan using documentation

The financial institutions of the United States have begun a long process of reflecting and rebuilding. However your company was affected by the events of September 11th, you are no doubt concerned about preventing, or at least preparing for, what may happen in the future. Incident management planning, combined with traditional recovery planning and with strategies that anticipate and address rising industry trends, is the future of business continuity planning for the financial industry. Put simply, today's business continuity plans need to extend beyond the data center and into security and protection, the business functions, and islands of automation.


About the Authors
This article is an excerpt of a white paper entitled, "Protecting, Maintaining and Evolving: 21st Century Business Continuity for Financial Institutions". The article is based on the collective experience of SunGard Planning Solutions and was written with the assistance of Pat McAnally, Laurie Bailey, Deborah Taylor, Chris Jansen, Len Boyer, and Joe Riley. For further information on the issues, please visit the SunGard Planning Solutions Knowledge Net website to view the complete white paper. www.sungard.drexperts.com

Copyright ©2008 DISASTER RESOURCE GUIDE P.O. Box 15243, Santa Ana, CA 92735 714/558-8940
Fax 714/558-8901