Information Technology Risk Management

Business Continuity: How Exactly Did We Get Here?

The Difference Between Regulation and Reality

Yesterday afternoon I heard from a friend of mine who is responsible for the Business Continuity Program at her financial services organization. After all the greetings and grievings that come with old friends, the discussion turned to whether she is on the right path with Business Continuity Planning for her organization. Before I go any further, I must tell you that this is a depository institution, and with all the focus on BCP we have heard about from the regulatory agencies in the last number of years, this should not be a topic that has not been addressed in significant depth at this institution. Well, there is always a difference between what should be happening and what is happening! So, here's the million-dollar scenario I was presented with: "We have a well-documented BCP. The organization has never had any issues with this plan; mind you, we have never had to activate this plan since it was developed. I have just taken ownership of this function at the organization. Recently we had an audit and they noticed a number of findings with this plan."

Sadly speaking, I knew what was coming next. Here were the findings from the audit they recently went through.

The organization has not conducted any meaningful Business Impact Analysis (BIA) before developing the Business Continuity Plan for the organization.
The focus of the plan is primarily on system recovery. Overall business continuity, including facilities restoration, people relocation and process realignment, is not addressed in the plan.
The testing of the plan was limited to table-top exercises.
Pandemic planning has not been addressed in this plan.
The board of this institution has not been briefed on the state of their Business Continuity Planning in the last two years.

I am not convinced, but it sounded like this friend of mine didn't have any doubts about the marching orders she will be following for months to come. I will share with you what I told her in the next issue of this blog. What got me thinking, and what I am eager to hear from the community about, is: 'So, how did we get here?' Based on my experience in the industry, they are not alone in going through this. Many institutions I regularly speak with have had one or more of the issues listed above (and sometimes other issues). Is it a lack of understanding of the BCP process on these institutions' part, or is it simply a matter of lack of resources and overall complacency on management's part?

Stay tuned to learn more about what I told my friend.


