Presumably you expect that your IT guys can recover the system. What if they cant? What is at stake? It could be a media nightmare causing a run on the bank in the case of a computer virus. Are you and your staff really ready to handle such disasters? Does your business have a real capability to dig itself out of such difficulties and recover successfully? You may be relying on the existence of a paper plan which has been gathering dust since last years audit review.
In our experience, we have found that while many retail and investment banks have detailed computer back-up plans or comprehensive operational-level plans for specific business units, few have a single plan which encompasses both the crisis management team roles and the business operations. Fewer still have a full working solution that addresses the people element (human resources/public relations) adequately.
The purpose of a business continuity capability is to ensure that in the event of disruption to business there is minimal impact on profits, operations, customers and image. In order to meet these objectives, the capability must provide clear instructions as to how senior executives and staff respond to a range of disaster scenarios, diminishing in severity from worst case (major fire, severe typhoon, sabotage) to less severe situations (temporary loss of access to a building, denial of service attacks, computer virus, isolated power failure, burst water pipe).
If your bank is capable of continuing business in adverse conditions, it will thrive. If not, your competitors will thrive in your place.
Banks that have suffered badly as a result of a disaster relied on staff who didnt understand their 'plans'. Lack of communication across business units is one of the main reasons that continuity capabilities fail. At the critical point when speed is important for business resumption, time, money and resources are wasted.
The traditional approach to building a business continuity capability for any bank has been to first develop detailed plans for individual business units and, in particular, the recovery of computer systems. This process can be long and laborious. Often isolated internal teams or consultants have been engaged to write these weighty documents which are not seen until six months later. This approach seldom involves the management team who can identify the critical business functions at the outset.
It is all too often the IT director who determines which parts of the business resume operations and in what order. The detailed operational plans for the separate business units then get built. Only later are they tested and found to be inoperable. This is because IT systems that are recovered do not meet the needs of the business and the separate business units have different goals and consequently different recovery priorities and timescales. Does this sound familiar? Are you sure your staff can manage a crisis? Would the fixed income/investment banking teams, front office/back office teams, IT and HR teams understand each others roles?
It is essential that banks develop or complete a workable business continuity capability. With this in mind, it is worth noting that the solution to any disaster scenario depends, to a great extent, on people (65%) and infrastructure (30%), and not so much on the six-inch-thick detailed plan documentation (5%), which is rarely used effectively during a real crisis.
These days many banks are seeking a faster and more effective method of implementing their business continuity capability in the dynamic world of modern banking.
Leading organizations are now considering a different approach, often called FastTrack BCP. This differs from the traditional approach in that it looks at all aspects of the business placing great emphasis on the importance of the crisis management team which usually comprises senior executives who are capable of making quick decisions on important issues and coordinating the recovery actions. A cohesive team is essential in a crisis situation when there is no time for empire building.
FastTrack BCP focuses on:
- Fast delivery major deliverables produced at the outset of the project. This means less disruption to staff and a recovery capability in place quickly;
- Holistic coverage, enabling an organization to respond to major crisis;
- Securing buy-in and commitment on day one;
- An organization's most valuable asset its people; and
- A pragmatic, workable recovery capability.
Thereafter, the FastTrack BCP approach ensures proper and regular testing and rehearsals of the continuity capability - the element so often missing during traditional business continuity planning.
We have been helping banks senior executives ascertain the core business functions, document the framework, and test the strength of their capability within a matter of three to four weeks. This is fast when compared to a traditional enterprise-wide BCP project, which can take six months or more to develop. We have found that ongoing staff training and testing through structured simulation exercises in a safe environment is paramount to the success of any banks business capability. Plan maintenance is crucial.
The focus in todays business environment should be to establish a flexible continuity capability based around trained crisis management and business continuity teams. Take a look at your existing plans and seriously question whether they are capable of providing your staff with the skills and support to help your bank should you receive that dreaded 2.00a.m. phone call.
Fiona Raymond-Cox, senior manager, Global Risk Management Solutions, PricewaterhouseCoopers. E-mail: [email protected]