After the past few months of wildfires and hurricanes, many financial institutions are wondering if their business continuity plans (BCPs) are as current and comprehensive as they need to be.
When reviewing your BCP, make sure it incorporates these 10 best practices:
Organized information. A fully realized business continuity plan has many components. Consistent formatting should be used for all plans. All plans and related information should be stored in one central location.
Recovery strategies. Develop function-based plans, not scenario-based plans. These should address high-level problems like what happens if the institution loses a facility or if it loses critical staff. It’s not about how to recover from a fire vs. a hurricane. It’s about impact to functions and how to quickly bring the functions back online.
Third parties. Know which third parties your institution will rely on to help get back to business. This includes regular vendors needed to operate in a business-as-usual environment as well as vendors who may aid in recovery, such as generator providers.
People. Some institutions make the mistake of assuming a disaster is an all-hands-on-deck situation. It’s more important to have the right people who can help get business back on track. You don’t want too many people crowding an alternative location with limited space or hourly employees standing around costing money. Know who is essential to restoring functions.
Call trees. It’s old school, but call trees make people feel comfortable and can serve as a plan of last resort if operations are extremely degraded.
Resources. Picture a blank room. Employees will be in this location for a certain period of time. What do you need? Go beyond computers, software, and screens and think about water, blankets and office supplies.
Locations. What would you do if you didn’t have access to a location or facility? This is an exercise in thinking about the functions you need and the role location plays in filling them. An alternative location might be needed. It also might make sense to conserve resources and keep only a few strategic branches open.
Teams. Organize tasks and teams by function. Get granular to make plans realistic. For example, there may be five teams in the mortgage department and three major processes.
Documents. Collect all instructions, procedures, and rules in one place so that no one has to guess what to do in a disaster. You want everyone following the same script to eliminate confusion. Make sure there is redundancy from an IT perspective so data can be accessed.
Required functions. With the exception of IT, every department depends on other departments. Deposit operations probably relies on accounting, IT and maybe even lending if it takes applications. Uncover these interdependencies to understand what functions your organization needs. When setting a function's recovery time objective (RTO) and recovery point objective (RPO), take into account the RTOs and RPOs of the functions it depends on; otherwise, there may be gaps.