What if there were a terrorist attack, à la Sept. 11, and your institution could not create and deliver account statements in an acceptable timeframe? That could be damaging to your business.
Or, say, a natural disaster disabled a key vendor that manages your internet banking system - what impact might that loss have on you and your customers?
Business Impact Analysis (BIA) is a necessary - and often overlooked - part of Business Continuity/Disaster Recovery planning. Done right, a BIA examines the consequences that could result from an interruption to core elements of the banking institution's infrastructure - both those within the institution and those controlled by third-party service providers.
According to the latest update to the FFIEC's Business Continuity Planning Booklet, a BIA must:
- Include a work flow analysis that involves an assessment and prioritization of those business functions and processes that must be recovered;
- Identify the potential impact of uncontrolled, non-specific events on these business functions and processes;
- Consider the impact of legal and regulatory requirements;
- Estimate the maximum allowable downtime for critical business functions and processes and the acceptable level of losses (data, operations, financial, reputation, and market share) associated with this estimated downtime.
According to FFIEC guidelines, once the BIA is complete, it should be evaluated during the risk assessment process, incorporated into, and tested as part of the BCP. The BIA should be reviewed by the board and senior management periodically and updated to reflect significant changes in business operations, audit recommendations, and lessons learned during the testing process. In addition, a copy of the BIA should be maintained at an offsite location so it is easily accessible when needed.
The team responsible for conducting this analysis must work with business units in prioritizing critical functions, estimating downtime and projecting resource requirements. A well-planned BIA must take into account the specific business needs for areas such as:
- Call center operations,
- Item processing,
- Loan processing,
- Back-office operations for both recovery and continuity.
When determining a financial institution's critical needs, all functions, processes, and personnel should be analyzed, and each department should answer a series of critical questions, including:
- What critical interdependencies exist between internal systems, applications, business processes, and departments?
- What specialized equipment is required and how is it used?
- How would the department function if the mainframe, network and/or Internet access were not available?
- What single points of failure exist and how significant are those risks?
- What are the critical outsourced relationships and dependencies?
Still, despite clear guidance on this issue, many institutions struggle to get the Business Impact Analysis done right. At times, Business Continuity Plans lack the depth needed to address the true impact to the business and the resources required to return to normal operations. Discovering the deficiencies in one's BIA process at the time of a disaster is too late for most organizations. Others find out about these deficiencies during their regulatory exams or external audits.
Learn from Matthew Speare, a veteran of the banking industry, how to assess your organization's Business Impact Analysis process - and how to get your BIA right.