May 31, 2016

Plan for Incident Response and Rapid Recovery

Over the past several decades, the world’s economic and political infrastructures have been tested by environmental extremes and physical and virtual attacks. Natural disasters, civil disturbances, cybersecurity incidents, technical disruptions, facility outages and staffing shortages can paralyze a business. Financial institutions and their strategic partners, however, are expected to maintain the highest level of service delivery to their clients following a crisis situation.

Government regulation of the financial industry with respect to business continuity is in place to create uniform national standards and actionable recovery strategies that are routinely tested for ongoing awareness and improvement. Several regulations such as the Expedited Funds Availability Act of 1989, the Federal Financial Institutions Examination Council Inter-Agency Policy of 1997 and the Gramm-Leach-Bliley Act of 1999 require financial institutions to have business continuity plans. But beyond regulatory requirements, there is an implied trust in financial institutions to have measures in place to protect everyone concerned. The institutions themselves bear the responsibility for determining how to maintain the viability of operations and protect key business resources and staff.

As it is impossible to predict exactly how or when disaster will strike, focusing too narrowly on specific incidents when designing your incident response strategy could hinder your institution’s ability to respond. Regardless of the cause of the business disruption, it’s important that actions of the designated crisis management team are aligned with the recovery strategies defined in the plan.

The objective of any business continuity plan is to minimize the impact of disruptive incidents on customers, other stakeholders and employees, and your business operations. The following five components will help you create and implement a clear, holistic incident response and recovery strategy or guide your review of the plan you may already have in place. 

Loss of Facilities

Your strategy needs to include a plan for continuing operations without disruption. This might include allowing your employees to continue their work from home or identifying a temporary alternative location for your staff, such as another business location or branch, client facility or community collaborative workspace.

Loss of People

Even if your facility remains intact after an incident occurs, your staff could be divided. Personal tragedy, illness or injury can render key employees unavailable or incapable of making critical decisions necessary to get your operations back on track. Part of your overall strategy should include the cross-training of your staff so that each member is prepared to step in to perform essential functions should another employee be unavailable. Documenting your processes and procedures can ease the burden of training and provide employees with reference materials if necessary. It may also be valuable to identify a third party that could assist your team with critical functions in situations that would cause large numbers of your staff to be unavailable.

Loss of Technology

Not every incident will be physical. In 2014, JP Morgan experienced a data breach that compromised an estimated 83 million customer records. As today’s business environment increases its dependency on information technology, financial institutions need to have a plan in place to recognize when a cyber-attack is occurring, react quickly to stop the breach and recover in a way that addresses both the short- and long-term problems from unauthorized access. Identifying potential system workarounds can keep your operations functioning should you lose the use of a system during an attack. Knowing exactly how long your company can continue to deliver client service without a particular system can help you create a recovery timeline once an outage or breach is contained. 

Loss of Vendors

Your incident response strategy is only as strong as the third-party vendors on which you rely. Outsourced payroll and IT support, for example, offer both savings and efficiencies. These vendors must be prepared to step in and assist should an incident occur. Additionally, your organization should expect that a vendor’s disaster recovery plan offers protection for your institution, as clients expect that you are protected if the disaster strikes on the vendor’s end. Keep in mind that the Federal Financial Institutions Examination Council (FFIEC) holds financial institutions responsible for making sure that their third-party service providers comply with applicable regulations and that activities are conducted safely. You should ensure a third-party service provider’s business continuity plan meets the appropriate standards for your organization. 

Beyond disaster preparedness, financial institutions that manage vendor risk by anticipating and managing exposures, including those emanating from structural weakness or financial pressures, have been able to leverage this process to gain significant business benefit during the most challenging business environments. Examples are in the news daily. Through its risk assessment model, a mortgage banking organization identified a growing market risk that several of its mortgage servicers were going-concern risks due to market pressures. The company implemented a plan to protect its assets held with these servicers and minimized its loss exposure from more than one month of cash flows to less than one day. The organization was also able to put in place transition plans for transferring servicers in a timely manner. These actions saved the company millions of dollars that would have been lost had the company not been proactive.


Communications, both internal and external, are a critical aspect of incident management. Customers will want to know they can access their daily banking accounts even when your institution is in the midst of a disruptive event. Corporate customers want to ensure their payments, loans and transfers will still operate as expected. Banking partners need to know the institution is stable and will resume continuity of service. Employees need to know they are working in a safe environment and that there is a business continuity plan in place.

A decade ago, this would be achieved by press releases and internal memos. Modern communications are more instantaneous and multi-pronged. All communications should be both leveraged and monitored, including social media, emails, news media coverage, press conferences, voicemails and texts.  

Bottom Line – Identify Risks; Create an Actionable Plan

Your primary objective when designing an incident response and business continuity strategy is to identify your risks and create an actionable plan. Writing a plan that includes recovery steps for every possible scenario will most likely result in a complex document that isn’t practical when employees need to act quickly. The key to a strong response and recovery plan is not to over-complicate the context. Your strategy should account for places, people, procedures and communications, and it should be able to work in multiple situations.


For more information about Business Continuity, call or email Mark Madar, National Director, Business Continuity, CBIZ Risk & Advisory Services, (216) 525-1956.

For more information about Vendor Risk Management, call or email Remonde Brangman, National Practice Leader, Vendor Risk Management, CBIZ Risk & Advisory Services, (540) 687-0406.

