Revisiting Your Plan for the Unexpected (article)
In times of crisis, financial institutions are depended on to ensure assets are safe and easily accessible. Since 9/11, business continuity has become a key business function for private companies and public institutions – perhaps most critically in the financial sector. Best practices have been challenged to keep pace with rapidly changing business landscapes. Less than 10 years ago, “easily accessible” related primarily to brick-and-mortar banking; today we are talking about open banking and third-party developers.
In a feature article nearly two years ago, our risk and advisory professionals discussed key issues for consideration by financial institutions when planning for incident response and rapid recovery. Essentially, your primary objective is to identify your risks and create an actionable plan. Your strategy should account for people, places, procedures and communications, and it should be adaptable to multiple situations.
Government regulation of the financial industry is in place to create uniform national standards and actionable recovery strategies that are routinely tested for ongoing awareness and improvement. No doubt you have an established business continuity plan in place. In the wake of a year replete with epic natural disasters and ever-evolving cyber risks, we have to ask – has your institution recently reviewed and tested your plan?
Just last year Nationwide warned of a widening gap between disaster risks and business preparedness. Their study looked at small business, which of course suggests a separate concern for financial institutions, i.e., preparedness of loan portfolio companies. The point is well taken, however, that preparedness once meant constructing a plan but now requires continual analysis to manage rapidly changing risk profiles.
Perhaps no industry has experienced greater recent change in business processes and supporting systems than banking and financial services. Projects enacting major change may now be implemented in quarters versus years and decades. In this dynamic environment, a lack of regularly scheduled plan review and testing may be indistinguishable from no plan at all, leaving your institution open to loss of revenue and customer confidence, even potential legal action.
Some say that no disaster should be considered unexpected these days, so we will call them unplanned events. Have we made the case for revisiting your approach to manage and recover from the unplanned? If so, here are some basics you will want to include in your ongoing review and plan.
Business Continuity Planning – General Concerns
In the event of a disaster, it’s important to recover and maintain your data and have cash on hand so you can continue serving your customers. You may not be able to prevent a disaster from occurring, but you can be prepared to rebound when the air clears. Developing a business continuity plan entails preparing for anything that could disrupt your business operations and planning for the continuation of operations. You may consider identifying backups for essential operations, personnel, sensitive records, data processes and communication channels. When developing a business continuity plan, make sure it addresses the following:
- Employee concerns. In the wake of a disaster, you won’t be the only one trying to recover. Your employees will most likely have their own concerns about the safety of their families and personal property. In order for your employees to make a positive contribution to your recovery efforts, they will need some freedom to address their own issues.
- Customer accommodations. If you are forced to temporarily close, you should have strategies in place for your customers to be able to access their funds, where feasible, and a communication plan set up to inform customers of the situation.
- Alternate work locations. Your plan should address employee relocation in case a disaster leaves your facilities unusable. By establishing alternate locations (disaster recovery sites) in advance, operations can be moved to secondary locations or other branches with fewer interruptions. During the planning process, it is important to consider how a change in work location will affect employees. Things like work hours or transportation concerns may need to be addressed.
- Prioritize data and processes. What processes are essential to your operation and what data is needed for them to run effectively? Creating a hierarchy of processes in the planning stage will help focus your recovery efforts on restoring the most essential components needed to resume operations. Once you have established your critical processes, determine what resources they require so alternate plans can be made to ensure they are available.
- Electronic vaulting. With the increasing number of financial transactions that take place online, protecting your electronic data is extremely important. Even if your physical location temporarily shuts down, your online services may be able to hold customers over until you are able to reopen. Electronic vaulting, or off-site data protection, backs up critical data and sends it to a different geographic location for storage. These backups can be used in the event that a disaster destroys the equipment that houses your critical data.
- Define employee responsibilities. After a disaster is no time to train employees on disaster response. A successful recovery effort requires trained individuals who are ready to take action. Establish the responsibilities of key employees long before disaster strikes so they’ll be ready if a situation arises.
You may never know what natural disaster could affect the physical location of your institution or that of a third party providing service to you. In 2017 Hurricane Harvey damaged several banks and financial institution facilities, with vaults and ATMs underwater for weeks. Start by ensuring your plan addresses these basic steps:
- Identify key assets (these may have changed or expanded); define the business impact of loss of each asset.
- Determine how long you can go without access to this resource.
- Establish a communications plan and assign roles and responsibilities.
- Establish your disaster recovery site by implementing the systems or capabilities required to continue operations.
- Define the appropriate mechanism for access to your data and applications.
- Test your plans and train your employees on their roles and responsibilities.
- Back up computer systems and customer data.
- Encourage customers to establish online banking relationships in case your physical location is unavailable.
The post-hurricane Houston market suggests another reason to be sure your systems are documented and your plan is actionable. M&A activity paused only briefly as the storm’s impact was assessed, then accelerated quickly, a testament to confidence in the city’s bustling economy. Proper documentation of business systems is always an advantage in M&A activity.
While the circumstances involved in bank failures are complex, having a solid plan in case of financial crisis is important. Stress testing focusing on critical risks like credit risk, market risk and liquidity risk can be used to evaluate your institution’s risk of having insufficient capital during tough times so that you can plan accordingly. It’s important to consider crowd and customer management as part of your risk management strategy to ensure the safety of both your patrons and your staff.
A well-established response plan is essential to restoring operations after a disaster, but plans have a short shelf-life. Regular plan review and testing will ensure you are prepared in the face of unplanned disruptions.
For additional information about business continuity, risk and related issues, contact Chris Roach at (713) 871-1118 or firstname.lastname@example.org.