Following 9-11, Hurricane Katrina, Jason running around town and other events, banking regulators moved to ensure the banking system maintained its reliability following disruption. The result was to have banks create a business continuity plan ("BCP") that would include step-by-step instructions on how to keep critical business functions working and/or quickly restarted in the event of a significant event. The goal of BCP is to ensure information and processes remain available to support customers, employees, regulators and others. A robust BCP includes policies, guidelines, standards, procedures and lots and lots of testing.
Before we go too far down this road, however, let's back up to be sure we have covered business continuity in general. Specifically, business continuity describes a methodology of how a bank will maintain operations and services in the event of a disruptive event (either natural, man made or something out of a Wes Craven movie). These can include such events as power failures, hurricanes, tornados, IT system crashes and other events. In short, the underlying goal of business continuity planning is to ensure the bank has a process to help manage risks that may arise from external environmental influences.
The basic structure of any BCP is to create a detailed plan that includes information telling employees how to communicate, where to go and how to keep doing their jobs. As with any plan, each bank will have its own and details can be starkly different (depending on customer needs, branch locations, etc.). Banks must not only consider how they do business today, but talk about what role IT will play and which systems/processes must be recovered in what order. Banks must review process throughout the company and ask themselves which ones are vital, which can be down (and for how long) and where backup facilities exist to support people and systems.
Beyond the basics, a good BCP is a comprehensive plan that includes information and feedback from both IT and business units. Together, these teams work to determine which people are responsible for what, how to mitigate the problem and the process for locating and communicating with employees. Plans must also take into account the fact that, depending on the event, employees may have larger concerns than getting back to work, which can lead to resumption delays.
To begin a BCP, banks should probably start with a vulnerability or business impact assessment. This process should identify the bank's most critical system, processes and people. It should also quantify by product, service or department how much revenue could be lost in the event of a disruptive event. That will allow the bank to determine where and how best to spend its money based on a cost/benefit analysis.
Once the impact assessment is completed, the BCP should move to include other factors. These can incorporate cross-training backup employees to fill gaps as needed in the event of a crisis; practicing employee/customer communication in the event of a crisis; ensuring redundancy of systems; reaching out to emergency response groups (such as fire, police, etc.) to make sure the bank stays up to date and informed about local differences or limitations. The key to all this is pre-planning. Having relationships with vendors, local markets, public safety, etc. and employee training before you need it will save valuable hours in the event of an emergency..
Business continuity is important and every employee/manager needs to know what to do. Team members that go through simulations can not only provide assistance in identifying flaws in the program, but they are also better prepared for emergency situations. Friday the 13th is as good a day as any to have everyone review your bank's BCP. If your bank is waiting for an event to implement and test a BCP - then maybe management is making your bank unlucky?