Meeting FFIEC Requirements – Conducting your Business Impact Analysis
January 29th 2013
Don Stewart, MBCP, MBCI, CCP, Senior Business Continuity Professional
About Ongoing Operations
• Leading provider of business continuity services to credit unions nationwide
• CUNA Strategic Services provides credit unions with access to quality products, services and technologies through 3rd party providers such as Ongoing Operations
• OGO facilities: Phoenix, Arizona; Longmont, Colorado; Hagerstown, Maryland; Thousand Oaks, California
Plan. Prepare. Protect. Test.
The OGO Difference
• Focus on making business continuity planning an organization-wide initiative and process
• Holistic: people, processes AND technologies
• Financial Impact Analysis (FIA) as well as Threat Assessment and Business Impact Analysis (BIA)
• Award-winning BCP software platform
• Certified professional staff
Key Outcomes
• Discuss FFIEC requirements regarding the Business Continuity Plan / Business Impact Analysis (BIA)
• Financial Impact Analysis (FIA) component, Enterprise Threat Assessment, Business Impact Analysis
• Using the results to develop a stronger Business Continuity Program and to provide continuity of service to our members NO MATTER WHAT HAPPENS!
FFIEC Requirements related to Business Continuity Plan / Business Impact Analysis
Goal of Business Continuity Plan
• Minimize financial losses to the institution: BIA to identify business processes with potential for greatest impact (including Threat and Financial Impact Analysis)
• Continue member service with minimal interruption: focus on "Continuity of Member Service"
• Mitigate negative effects of disruption on operations: solutions include redundancy, failover, resiliency, procedural documentation and manual alternative procedures
• Prioritize implementation of solutions
Board & Senior Management Responsibilities
• Oversee the BCP process
• Establish policy for managing risks
• Personnel and financial allocation
• Annual review of the program
• Support employee training and awareness
• Ensure regular enterprise-wide testing of the BCP
• Review the BCP testing program and test results
• Support continual updates to the program
Objectives to include in plan
• Include recovery, resumption and maintenance of the business, not just technology
• Enterprise-wide BCP and prioritization of business objectives and critical operations essential for recovery
• Integration of role in financial markets
• Regular updates based on changes in business processes, audit recommendations and lessons learned
• Cyclical, process-oriented approach including BIA, Threat Assessment, Risk Management, Vendor Management and the exercise life-cycle
The BIA
• Assess and prioritize business functions and processes
• Identify the potential impact of business disruptions on the business functions and processes
• Identify legal and regulatory requirements of the business functions and processes
• Estimate maximum allowable outages (MAO) and the acceptable level of losses associated with functions and processes
• Estimate RTOs (Recovery Time Objectives) and RPOs (Recovery Point Objectives)
The Threat Assessment
• Evaluate BIA assumptions using various threat scenarios
• Analyze threats based on impact to the institution, members and the financial market
• Prioritize potential business disruptions based on severity, which is determined by impact on operations and probability of occurrence
• Perform a "gap analysis" that compares the existing BCP to the policies and procedures to be implemented based on the prioritized disruptions and resulting impact
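The two slides above describe one procedure: rank processes by impact in the BIA, rank disruptions by impact and probability in the threat assessment, then run a gap analysis against the current plan. The following is an added worked example, not code from the presentation or from Ongoing Operations' FIA tool. The process inventory, threat scenarios, hours and dollar figures are constructed sample data, and the criticality heuristic (dollars at risk per hour of tolerance, weighted 1.5x when a legal or regulatory duty is attached) is an assumption for illustration rather than an FFIEC formula. Severity is computed as probability times impact, as the slide defines it.

```python
"""Added example: a BIA / threat-assessment worksheet (not part of Ongoing
Operations' presentation or FIA tool). Process and threat figures below are
constructed sample data; the scoring heuristics are assumptions, not FFIEC
formulas."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    name: str
    mao_hours: float               # Maximum Allowable Outage set by the business
    rto_hours: float               # Recovery Time Objective the plan commits to
    rpo_hours: float               # Recovery Point Objective (tolerable data loss)
    daily_loss_usd: float          # financial loss per day of outage (FIA estimate)
    legal_reg: bool                # legal/regulatory obligation attached
    current_recovery_hours: float  # what today's DR capability actually delivers
    backup_interval_hours: float   # how often the data is currently backed up


@dataclass(frozen=True)
class Threat:
    name: str
    probability: float   # annual likelihood of occurrence, 0..1
    impact: int          # severity to institution/members/market, 1 (low) .. 5
    affected: tuple      # names of the processes the scenario disrupts


# Constructed sample inventory; hours and dollars are illustrative only.
PROCESSES = (
    Process("Core transaction processing", 4, 2, 0.25, 50_000, True, 8, 1),
    Process("Loan origination", 48, 24, 24, 20_000, False, 24, 24),
    Process("Member call center", 8, 12, 4, 5_000, False, 12, 4),
)

THREATS = (
    Threat("Core system outage", 0.30, 5, ("Core transaction processing",)),
    Threat("Regional power loss", 0.10, 4,
           ("Core transaction processing", "Member call center")),
    Threat("Pandemic staffing loss", 0.05, 3,
           ("Member call center", "Loan origination")),
    Threat("ACH processor (vendor) failure", 0.20, 4,
           ("Core transaction processing",)),
)


def criticality(p: Process) -> float:
    """Assumed heuristic: dollars at risk per hour of tolerance, with a
    1.5x weight when a legal or regulatory duty rides on the process."""
    weight = 1.5 if p.legal_reg else 1.0
    return p.daily_loss_usd * weight / p.mao_hours


def rank_processes(processes=PROCESSES) -> list:
    """Most critical first: the BIA's 'greatest potential impact' ordering."""
    return sorted(processes, key=criticality, reverse=True)


def gap_analysis(processes=PROCESSES) -> list:
    """Compare what the plan needs against what it currently delivers.
    Returns (process, finding, actual, required) tuples in inventory order."""
    gaps = []
    for p in processes:
        if p.rto_hours > p.mao_hours:
            gaps.append((p.name, "RTO exceeds MAO", p.rto_hours, p.mao_hours))
        if p.current_recovery_hours > p.rto_hours:
            gaps.append((p.name, "current recovery slower than RTO",
                         p.current_recovery_hours, p.rto_hours))
        if p.backup_interval_hours > p.rpo_hours:
            gaps.append((p.name, "backup interval exceeds RPO",
                         p.backup_interval_hours, p.rpo_hours))
    return gaps


def rank_threats(threats=THREATS, processes=PROCESSES) -> list:
    """Severity = probability x impact, as the slide defines it. Each entry
    also carries the combined daily loss of the processes the scenario hits,
    used as the tie-breaker. Unknown process names are rejected so a typo in
    a scenario cannot silently drop a dependency from the assessment."""
    by_name = {p.name: p for p in processes}
    ranked = []
    for t in threats:
        unknown = [n for n in t.affected if n not in by_name]
        if unknown:
            raise ValueError(f"{t.name}: unknown process(es) {unknown}")
        exposure = sum(by_name[n].daily_loss_usd for n in t.affected)
        ranked.append((t.name, round(t.probability * t.impact, 3), exposure))
    ranked.sort(key=lambda r: (r[1], r[2]), reverse=True)
    return ranked


if __name__ == "__main__":
    for p in rank_processes():
        print(f"{criticality(p):>10.0f}  {p.name}")
    for g in gap_analysis():
        print("GAP:", *g)
    for name, severity, exposure in rank_threats():
        print(f"{severity:.2f}  ${exposure:>8,.0f}/day  {name}")
```

The three gaps the sample data produces are the ones an examiner looks for: a plan whose RTO is longer than the MAO the business set (the plan promises too little), a DR capability slower than the RTO (the plan promises what it cannot deliver), and a backup interval longer than the RPO (more data will be lost than the business accepted). Each is a concrete item for the remediation list and for the next exercise.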
Threat/Risk Management
The BCP should be:
• Based on comprehensive BIA, Threat and Risk Assessment tools
• Documented with an audit trail
• Reviewed and approved by Board and Senior Management annually
• Disseminated to employees
• Properly managed when outsourced to a 3rd party
• Specific regarding what conditions should prompt implementation of the plan and the process for invoking it
Event Management
• Immediate steps should be taken during a disruption
• Flexible for unanticipated scenarios and changing internal conditions (all-hazards approach)
• Focused on the impact of the various threats that could potentially disrupt operations (specific event documents)
• Developed based on valid assumptions and interdependencies
• Effective in minimizing disruptions and financial loss through implementation of mitigation strategies
Exercising the program
• Incorporate the BIA and Threat Assessment into the BCP and exercise program life-cycle
• Develop an enterprise-wide exercise program
• Assign roles and responsibilities for the exercise program
• Complete at least an annual exercise of the BCP (this is much more than the annual IT/DR exercise)
Exercise life-cycle
• Senior Management and the Board of Directors evaluate the program and exercise results
• 3rd party audit/assessment of exercise results
• Revise the BCP and exercise program based on operational changes, audit and examination recommendations, and test results
Integrate Policies & Standards into the BC Planning Process
• Security Standards
• Project Management
• Change Control Policies
• Data Synchronization/Backup Procedures
• Crisis Management
• Incident Response
• Employee Training
• Notification Standards
• Insurance
• Government and Community
FIA Tool
• Potential financial impact
• Uses your 5300 Report and NCUA statistics on what the impact of actual events has been
• Available to use at www.ongoingoperations.com
• Executive team MAO!
What does the FIA measure?
• Delinquency Risk
• Daily Transaction Risk
• Fee Income Risk
• Check & ACH Risk
• Daily Loan Risk
• Reputational Risk
FIA charts (one slide each): Delinquency Risk; Fee Income Risk; Check & ACH Risk; Daily Loan Risk; Reputational Risk
BIA Outcomes
• Core to your planning process
• Meet regulatory and audit requirements
• Senior Management support
• Top-ranked threat items with plans to protect against, assign, accept or eliminate each threat
• Creation of an IT recovery plan that uses the outcome of the BIA to establish a priority for recovery; it must include an annual life-cycle of testing/exercising for all critical systems and connectivity
Exercise your plan
• Critical processes and locations: is the plan to work from home or from an alternate site?
• Perform processes from the alternate location
• What processes are included
• Who is involved in the exercise
• Was the exercise successful? Either issues occurred and revisions were assigned for an additional exercise, or everything was smooth and all goals were achieved
Strategy
• Integrate DR and BCP into daily operations
• Separate the roles of DR Administrator and BCP Administrator
Don Stewart, MBCP, MBCI, CCP, Senior Business Continuity Professional, www.ongoingoperations.com