A financial institution's business continuity planning process should reflect the following objectives:
The business continuity planning process involves the recovery, resumption, and maintenance of the entire business, not just the technology component. While the restoration of IT systems and electronic data is important, recovery of these systems and data will not always be enough to restore business operations.
Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery. This enterprise-wide framework should consider how every critical process, business unit, department, and system will respond to disruptions and which recovery solutions should be implemented. This framework should include a plan for short-term and long-term recovery operations. Without an enterprise-wide BCP that considers all critical elements of the entire business, an institution may not be able to resume customer service at an acceptable level. Management should also prioritize business objectives and critical operations that are essential for survival of the institution since the restoration of all business units may not be feasible because of cost, logistics, and other unforeseen circumstances.
Business continuity planning includes the integration of the institution's role in financial markets. Financial industry participants that perform clearing and settlement activities for critical financial markets (core firms) and organizations that process a significant share of transactions in critical financial markets (significant firms) are required to follow interagency guidelines (refer to the "Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System," issued by the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Securities and Exchange Commission), which are designed to ensure the continued functioning of settlement and clearing activities that support critical financial markets. Critical markets include, but may not be limited to, the markets for federal funds; foreign exchange; commercial paper; and government, corporate, and mortgage-backed securities. Based on these guidelines, key financial industry participants are expected to identify activities that support these critical markets, continually maintain their ability to recover and resume critical operations in a timely manner, and routinely use or test recovery and resumption arrangements. Since these organizations participate in one or more critical financial markets and their failure to perform critical activities by the end of the business day could present systemic risk to financial systems, their role in financial markets should be addressed as part of the business continuity planning process.
Financial institutions that do not directly participate in critical financial markets, but support critical financial market activities for regional or national financial sectors, are also expected to establish business continuity planning processes commensurate with their importance in the financial industry. Similarly, smaller, less complex institutions are expected to fulfill their responsibilities by developing an appropriate business continuity planning process that incorporates comprehensive recovery guidelines based on the institution's size and risk profile.
The business continuity planning process should include regular updates to the BCP. The BCP should be updated based on changes in business processes, audit recommendations, and lessons learned from testing. Changes in business processes include technological advancements that allow faster and more efficient processing, thereby reducing acceptable business process recovery periods. In response to competitive and customer demands, many financial institutions are moving toward shorter recovery periods and designing technology recovery solutions into business processes. These technological advances underscore the importance of maintaining a current, enterprise-wide BCP.
Additional industry practices that are commonly used to maintain a current BCP include:
The FFIEC agencies encourage financial institutions to adopt a cyclical, process-oriented approach to business continuity planning. This process-oriented approach will be discussed in the first part of the booklet, with additional information included in the appendices. The four steps in this process include:
While this approach is reflected as four steps, the business continuity planning process actually represents a continuous cycle that should evolve over time based on changes in potential threats, business operations, audit recommendations, and test results. In addition, this process should include each critical business function and the technology that supports it. (Refer to the "Interagency Guidelines Establishing Information Security Standards," Board of Governors of the Federal Reserve System, 12 CFR part 208, Appendix D-2, and 12 CFR part 225, Appendix F; Federal Deposit Insurance Corporation, 12 CFR part 364, Appendix B; National Credit Union Administration, 12 CFR part 748, Appendix A & B; Office of the Comptroller of the Currency, 12 CFR part 30, Appendix B; Office of Thrift Supervision, 12 CFR part 570, Appendix B, for additional information.) As such, other policies, standards, and processes should also be integrated into the overall business continuity planning process.