Risk management represents the third step in the business continuity planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be:
The BIA and risk assessment represent the foundation of the BCP. The BCP should be written on an enterprise-wide basis, reviewed and approved by the board and senior management at least annually, and disseminated to financial institution employees for timely implementation. Refer to Appendix G: "Business Continuity Plan Components" for additional information. All financial institutions should develop a BCP that documents business continuity strategies and procedures to recover, resume, and maintain all critical business functions and processes.
Some financial institutions may choose to develop their BCP internally, while others may choose to outsource the development and maintenance of their BCP. While outsourcing BCP development may be a viable option, the board and management are ultimately responsible for implementing and maintaining a comprehensive BCP. Therefore, financial institution management should understand the business impact of potential threats, have the ability to implement mitigating controls, and ensure that the BCP can be properly executed by financial institution personnel and validated through comprehensive testing. When outsourcing BCP development, management should ensure that the chosen service provider has the expertise required to analyze the financial institution's business needs. The service provider should also be able to design executable strategies that are relevant to the financial institution's risk environment, create education and training programs necessary to achieve successful deployment of the BCP, and integrate necessary changes so that the BCP is properly updated.
A well-written BCP should describe the various types of events that could prompt the formal declaration of a disaster and the process for invoking the BCP. It should also describe the responsibilities and procedures to be followed by each continuity team, have current contact lists of critical personnel, address communication processes for internal and external stakeholders, identify relocation strategies to alternate facilities, and include procedures for approving unanticipated expenses.
The BCP should specifically describe the immediate steps to be taken during a disruption in order to maintain the safety of personnel and minimize the damage incurred by the institution. The BCP should include procedures to execute the plan's priorities for critical versus non-critical functions, services, and processes. Specific procedures to follow for recovery of each critical business function should be developed so that employees understand their role in the recovery process and can implement the BCP in a timely manner.
The BIA and risk assessment should be integrated into the written BCP by incorporating identified changes in internal and external conditions, and the BCP should be built around the impact of various threats that could potentially disrupt operations rather than around specific events that may never occur. Examples of the potential impact of various threats include the following: