Copyright 2010 Ongoing Operations
Plan. Prepare. Protect.
Meeting FFIEC Requirements: Enterprise-Wide Testing of Your Business Continuity Plan
April 25, 2012
Robin Remines, CBCP, AMBCI Certified Business Continuity Professional
The OGO Difference
• Focus on making business continuity planning
an organization wide initiative and process
• Holistic - People, Processes AND Technologies
• Financial Impact Analysis (FIA) as well as
Business Impact Analysis (BIA)
• Award winning BCP software platform
• Leader in building private/public partnerships
• Certified Professional Staff
Key Outcomes
• Understand FFIEC Requirements regarding Business
Continuity Program / Business Impact Analysis (BIA)
and the relationship to Testing
• Financial Impact Analysis (FIA)
• Using the results to develop a stronger Business
Continuity Program and to provide Continuity of Service
to our Members NO MATTER WHAT HAPPENS!
Meeting FFIEC Requirements: Enterprise-Wide Testing of Your Business Continuity Plan
Goal of Business Continuity Plan
• People safety first!
• Minimize financial losses to the institution
– BIA to identify business processes with potential for greatest
impact (including Risk and Financial Impact Analysis)
• Continue member service with minimal interruption
• Be a community resource (CIKRP)
• Mitigate negative effects of disruption on Operations
– Solutions include redundancy, failover, resiliency, procedural
documentation and manual alternative procedures
– Prioritize implementation of solutions
FFIEC Testing Guidelines
• Roles and responsibilities should be specifically defined
• The BIA and risk assessment should serve as the
foundation of the testing program
• Enterprise-wide testing should be conducted at least
annually
• Testing should be viewed as a continuously evolving
cycle
• Mitigation strategies should sustain the business until
permanent operations are reestablished
• The testing program should be reviewed by an
independent party
• Test results are compared against the BCP to identify
any gaps
We all have a role!
• Business line management - the testing of business operations;
• IT management - testing recovery of the institution's
information technology systems, infrastructure, and
telecommunications;
• Crisis management - testing the institution's event
management processes
• Facilities management - testing the operational readiness of
the institution's physical plant and equipment, environmental
controls, and physical security
• The 3rd party/audit - responsibility for evaluating the overall
quality of the testing program and the test results.
Business Impact Analysis
• Assess and prioritize business functions and processes
• Identify potential impact of business disruptions on the business
functions and processes
– Severity of impact
– Member Impact
– Member Confidence
– Increased Fraud
• Identify legal and regulatory requirements of the business
functions and processes
• Estimate RTOs and RPOs
BIA Outcomes
• Establishes solid foundation for your planning process
• Meet regulatory and audit requirements
• Senior Management Support
• Top ranked Risk items with plans to protect, assign,
accept or eliminate the threat
• Creation of an IT recovery plan that uses the outcome
of the BIA to establish a priority for recovery
Risk Assessment
• Evaluate BIA assumptions using various
threat scenarios
• Analyze threats based on likelihood and potential
impact to institution, members and financial market
• Prioritize potential business disruptions based on
severity which is determined by impact on operations
and probability of occurrence
• Perform “gap analysis” that compares existing BCP to
policies and procedures to be implemented based on
prioritized disruptions and resulting impact
Risk Management (Mitigation)
• Based on comprehensive BIA and Risk
Assessment
• Documented
• Reviewed and approved by Board
and Senior Management annually
• Disseminated to employees
• Properly managed when outsourced to 3rd party
• Specific about what conditions should prompt
implementation of the plan and the process for
invoking it
Risk Management (cont.)
• Immediate steps that should be taken during a
disruption
• Flexible for unanticipated scenarios and changing
internal conditions
• Focused on impact of various threats that could
potentially disrupt operations
• Developed based on valid assumptions and
interdependencies
Testing/Exercising
• Develop Exercise Scenarios which incorporate BIA and
Risk Assessment
• Include C-level and Department level staff
• Gain buy-in through role-playing and inclusion
• Consider tabletop vs. walkthrough
– http://ithandbook.ffiec.gov/it-booklets/business-continuity-planning/risk-monitoring-and-testing/principles-of-the-business-continuity-testing-program/testing-policy.aspx
• Complete at least annual tests of the BCP (more than
the annual IT/DR exercise)
Exercise your plan
• Critical processes and locations
– Is the plan to work from home or alternate site? Perform
processes from the alternate location
– What processes are included
– How are communications handled?
• Successful exercise?
– Issues identified and revisions assigned for additional planning
– Everything was smooth and no opportunities were identified
Testing – Creating the Lifecycle
• Senior Management and BOD evaluate program and
test results
• 3rd party assessment of program and test results
• Revise BCP and testing program based on
operational changes, audit and examination
recommendations, and test results
Financial Impact Analysis (FIA)
FIA Tool
• Potential financial impact
• Uses the 5300 Report provided to NCUA
• Coming soon! www.ongoingoperations.com
• Easily customized to fit your credit union’s business
strategies and operating practices
What does the FIA measure?
• Delinquency Risk
• Daily Transaction Risk
• Fee Income Risk
• Check & ACH Risk
• Daily Loan Risk
• Reputational Risk
Fee Income Risk
Summary – BCP Testing – FFIEC Guidelines
• Spend resources (time, people, $$$) on performing an in-depth
Business Impact Analysis (BIA) and Risk Assessment
– Without this, there is no foundation from which to measure
your testing
• Create a testing plan/cycle – using various scopes/objectives,
create a yearly calendar to test at various levels
– Enterprise-wide testing should be conducted at least annually
– DR (IT) tests at least annually
– Departmental – annually AND when any significant process
change occurs
• Mitigation strategies should sustain the business until
permanent operations are reestablished
• You may not always have the “right” mitigation
strategy – document your decision making process
• Should consider 3rd party “stand in” availability (such
as card processing, ATMs, etc)
• Always have an independent reviewer – look at it as a
chance to improve your plan, not grade it
• Update your plan IMMEDIATELY after testing to close
gaps identified by the exercise
Robin Remines, CBCP, AMBCI
Certified Business Continuity Professional
www.ongoingoperations.com