
Business Continuity Planning and Disaster Recovery: The Differences

author
8 min read
Nov 26, 2024

Financial institutions (FIs) face challenges every day, and sometimes, those challenges are major disruptions, from natural disasters such as hurricanes to external events such as vendor data breaches. Given these scenarios and the various risks they pose, FIs must have business continuity plans and disaster recovery plans in place. 

But what’s the difference between business continuity and disaster recovery plans? How can FIs build effective business continuity plans and disaster recovery plans? How can business continuity management software help ensure your FI doesn’t miss any gaps when implementing these plans? 

Let’s discuss those answers and more. 


What Is a Business Continuity Plan?

A business continuity plan (BCP) addresses what a financial institution (FI) must do to continue delivering essential products and services. A BCP identifies critical functions and the minimum service levels that need to be met. 

BCPs are broad strategies that focus on ensuring organizations can continue operating despite disruptions, including cyberattacks, natural disasters, data breaches, and other crises. The BCP umbrella covers every facet of the organization, including the people, processes, technology, and physical infrastructure, and by default, nearly every area of risk. 

Related: Key Risk Indicators for Banks, Credit Unions and Other Financial Institutions 

How to Build a BCP 

There are a few recommended steps when building a BCP:  

  • Conduct a business impact analysis (BIA). A BIA analyzes critical systems, business functions, and services and the elements that support them to determine how a business interruption might impact them. 
  • Perform a risk assessment. A risk assessment is a multi-step process that includes establishing the context of the risk, risk identification, risk analysis, risk treatment, monitoring and review, and communication. A model risk assessment from a Knowledge-as-a-Service (KaaS) solution like Nrisk can be helpful when creating a new risk assessment from scratch.  
  • Develop the BCP. Create a detailed plan outlining how to respond to disruptions. Designate team members' roles and responsibilities, including recovery strategies for people, processes, and technology. 
  • Test and exercise the plan. Regularly test, update, and improve your BCP based on new insights and changing business environments.  
  • Implement a communication strategy. Establish clear communication plans for employees, clients, stakeholders, and regulators. The communication plan may vary depending on the type of disruption.

Related: Business Continuity Planning (BCP) Q&A for Financial Institutions 

What’s the difference between BCP and business continuity management? 

The phrase "business continuity management," or BCM, has become more widely used since the Federal Financial Institutions Examination Council (FFIEC) released its updated Business Continuity Management booklet on how FIs and enterprises should address areas "critical to the continuity of the business," including technology, business operations, and testing. The overarching message is that business continuity is more than planning the recovery of operations after an event; it is also the maintenance of systems and controls for better business resiliency. Thus, what was once called business continuity planning is now often referred to as business continuity management.

Related: Business Resiliency: Your Guide to Business Continuity Management 

What Is a Disaster Recovery Plan? 

A DR plan explains how an FI can regain critical systems and resume normal operations following an unforeseen event. It includes detailed procedures for addressing problems, protecting and preserving sensitive and vital data, and getting systems back online. Having a DR plan is critical to responding to incidents quickly and minimizing an FI’s financial, operational, and reputational damage. 

How to build a DR plan

When building a disaster recovery plan: 

  • Identify critical assets. Inventory the essential information technology (IT) systems and physical infrastructure that support your operations. This includes hardware, such as devices and computers; software, including banking applications for employees and customers; cloud applications, which are critical applications hosted on the cloud; and network and internet access and connections.  
  • Categorize systems. Once essential technology and systems are identified, organize them into categories from most important to least important using labels such as mission-critical, essential, necessary, and non-essential. For example, wires and ACH payment processing systems are mission-critical for most financial institutions, whereas an employee intranet may be non-essential. 
  • Perform a business impact analysis (BIA). A BIA assesses the financial impacts of potential disruptions. This analysis should identify costs related to lost revenue, equipment replacement, additional employee overtime, and overall profit losses.  

A disaster recovery plan should also include the following key metrics, all of which are usually included in the BIA document: 

  • Recovery point objectives (RPOs). An RPO determines the point in time at which data must be recovered from backup storage so normal operations can resume. It's basically how much data your institution can afford to lose. For instance, if an RPO is one hour, backups should be made at least once per hour. 
  • Recovery time objectives (RTOs). An RTO is the time goal for restoring systems, applications, and business functions after an outage. This includes systems like the core and remote deposit. 
  • Maximum allowable downtime (MAD). The longest period a system can be down. 
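The three metrics above are only useful if they are checked against what backups and recovery targets actually look like. The following is an added example, not code from the original article: it takes constructed per-system objectives (using the article's tier labels) and a constructed backup log, flags systems whose backup gaps exceed the RPO, and flags plans whose RTO target is longer than the MAD, which means the plan as written can never meet its own downtime limit.

```python
"""Check constructed backup records against RPO, RTO and MAD (added example)."""
from datetime import datetime, timedelta

# Constructed recovery objectives per system, all values in minutes.
OBJECTIVES = {
    "wire_processing":   {"tier": "mission-critical", "rpo": 15,   "rto": 60,   "mad": 120},
    "core_banking":      {"tier": "mission-critical", "rpo": 60,   "rto": 240,  "mad": 240},
    "employee_intranet": {"tier": "non-essential",    "rpo": 1440, "rto": 2880, "mad": 1440},
}

# Constructed backup completion timestamps (UTC) as a backup tool might log them.
BACKUP_LOG = {
    "wire_processing":   ["2024-11-26T08:00:00", "2024-11-26T08:14:00", "2024-11-26T08:29:00"],
    "core_banking":      ["2024-11-26T06:00:00", "2024-11-26T07:30:00"],
    "employee_intranet": ["2024-11-25T02:00:00"],
}


def rpo_violations(objectives, log, as_of):
    """Return {system: worst gap in minutes} for systems whose backup gaps exceed the RPO.

    The gap between consecutive backups and the gap from the latest backup to
    `as_of` both count, because either one is data the institution would lose.
    """
    worst = {}
    for system, stamps in log.items():
        times = sorted(datetime.fromisoformat(s) for s in stamps) + [as_of]
        max_gap = max(b - a for a, b in zip(times, times[1:])) / timedelta(minutes=1)
        if max_gap > objectives[system]["rpo"]:
            worst[system] = max_gap
    return worst


def rto_exceeds_mad(objectives):
    """Return systems whose RTO target is longer than the MAD, i.e. an unachievable plan."""
    return sorted(s for s, o in objectives.items() if o["rto"] > o["mad"])


if __name__ == "__main__":
    now = datetime.fromisoformat("2024-11-26T08:40:00")  # constructed check time
    print("RPO violations:", rpo_violations(OBJECTIVES, BACKUP_LOG, now))
    print("RTO > MAD:", rto_exceeds_mad(OBJECTIVES))
```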

Related: Disaster Recovery Planning for Banks & Credit Unions 

Business continuity plan vs. disaster recovery plan

While sometimes used interchangeably, a business continuity plan and disaster recovery plan have fundamental differences, which are highlighted in the table below. It’s also important to note that a disaster recovery plan is typically included in a business continuity plan, as the BCP takes a more holistic view of business operations and risk.  

[Table image: business continuity vs. disaster recovery. The table illustrates the key differences between business continuity and disaster recovery.]

Why your financial institution needs a BCP and DR

BCP and DR plans are essential to ongoing business resilience and risk management in the face of disruption. Let’s dive deeper into how these plans affect an FI: 

Regulatory guidelines and legal requirements

Given regulators’ increased concerns about operational resilience in a dynamic risk environment, having both plans is no longer just best practice but often a regulatory requirement.  

As mentioned earlier, the FFIEC Business Continuity Management booklet covers a wide range of topics related to BCM, including specifics on creating a BCP and DR plan. In 2021, the Basel Committee on Banking Supervision issued its principles for operational resilience, aiming to help banks better “withstand, adapt to and recover from severe adverse events.” 

FIs should ensure they’re following state and federal regulations and guidelines to ensure their institutions are prepared for a variety of disruptions, including those that impact both systems and broader business operations.  

Related: Laws vs. Regulations vs. Guidance: What's the Difference? 

Reputation and customer trust  

Your FI faces various risks: operational, transaction, compliance, financial, third-party, strategic, reputation, and cyber. An integrated (or enterprise) risk management (IRM) approach considers how these risks are interconnected and helps FIs anticipate disruptions, adjust, and regularly assess their processes and systems for weaknesses.

No matter the risks your institution faces post-incident, you have a legal and regulatory obligation to provide continuous service. While your DR plan is there to clean up the mess, the BCP helps your employees continue serving consumers and maintaining trust. Consider how an IRM approach can inform your BCP and DR plans to ensure your consumers and stakeholders continue to trust your institution.  

Related: Essential Risk Assessments for Financial Institutions 

Coordinated recovery  

A BCP and DR should work in tandem. For example, an institution might be able to recover its IT systems quickly with an effective DR plan. Still, without a solid BCP, key personnel may be unable to access the building or operations systems.  

A comprehensive, updated BCP that includes a DR plan is crucial to ensuring all people, processes, and technology are aligned to facilitate a successful recovery. The plan should include areas such as remote work plans, backup locations, cybersecurity information, third-party vendor BCPs, and communications plans, supplies for cleaning up after physical disasters, recovery team operations, and employee well-being initiatives.  
 
Related: Does Your BCP Have a BCP? 

When disaster strikes, do you implement BCP or DR first?  

BCP and DR fill different roles, so determining which plan to implement first depends on the disaster. Ideally, BCP and DR should come into play simultaneously, with the institution working to provide services while recovering. However, sometimes one needs to take precedence over the other. 

For example, if a disaster causes injuries or loss of life, disaster recovery will be the top priority as your institution works to ensure people's safety. Once people are taken care of, the BCP can take over. 

A cyber attack is one example of when a BCP might take precedence. Your institution's priority is stopping the attack, understanding what's happening, and servicing customers and members experiencing problems. Once the institution grasps what's happening and has found a way to stop it, it can use its DR plan to recover. 

The benefits of business continuity management software 

There are many moving parts when it comes to creating and updating your BCP and DR plan. Business continuity management software and services help navigate this process and ensure your FI can weather any future storms. 

Here are some features to look for when choosing a business continuity solution.  

  1. Customized for financial institutions. While BCM tools exist for many industries, choosing one customized for the financial industry's highly regulated environment is essential. A solution with prebuilt tools and automation can help your FI uncover gaps and risks across your organization.  
  2. Includes function-based planning. Look for a BCM solution that uses a function-based approach to planning instead of scenario-based planning. While it might feel comforting to say your FI knows what to do in case of a tornado or another incident, it’s more helpful to have a plan that addresses critical functions regardless of cause.  
  3. Exposes third-party business continuity risk. Given the impact of vendor relationships, third-party risk management, or TPRM, should be a priority for FIs. Make sure your solution helps you understand the role vendors play in business continuity and disaster recovery, so you're not exposed to unnecessary continuity risk.
  4. Enables emergency communication. Communication is vital in the face of a disruption. Look for a continuity management solution that facilitates two-way communication with staff via voice, text, and email during tabletop exercises and emergencies.  
  5. Promotes exam readiness. When examiners arrive, it’s important to show that your plan is regularly reviewed and tested and that any weaknesses are quickly addressed. Ensure your solution offers comprehensive reporting and dashboards with measurable timeframes and results to prepare you for incidents and examiners. 

Related: 8 Features to Look for in a Business Continuity Solution 

When it comes to business continuity and disaster recovery, it’s not enough to know about the differences. Without proper implementation and the right solution, your FI risks not being ready for the assortment of disasters and disruptions facing the modern financial institution.  

If you haven’t already, reevaluate your institution’s BCP and DR plan to see if there are any gaps. By conducting thorough business impact analyses, performing risk assessments, and regularly testing these plans, your FI can significantly mitigate the potential financial, operational, and reputational damages that can arise from unexpected events. 

Need help navigating business continuity management? Learn how business continuity management software can help your FI in the Business Continuity Management Buyer’s Guide. 
