FOUNDATION OF THE PLAN WAS A RISK ANALYSIS. Basic Flaw: focus on threat probability instead of potential impact


3 FOUNDATION OF THE PLAN WAS A RISK ANALYSIS. Basic Flaw: focus on threat probability instead of potential impact

5 NOBODY KNEW ANYTHING
How do you create a plan?
How do you do a Risk Analysis?
How much processing redundancy do you need?
How much would it cost?
"It doesn't seem like a huge job. Do it in your spare time."
How can you get the departments to participate?
NOBODY WAS TAKING THIS SERIOUSLY!

7 HOW IT IMPROVED OVER THE YEARS...
Disaster Recovery in the 70's was strictly an IT issue, and it was most often the Operations Manager's responsibility.
In the 80's & 90's, responsibility gradually rose to a higher level in the organization, like CIO, VP, or CFO.
After Y2K, executives started realizing it wasn't Disaster Recovery, it was Business Continuity, and building an effective plan involved the whole organization.
At about the same time, examiners were realizing that for it to get done right it needed senior executive accountability.

8 45 YEARS LATER... From the FFIEC IT Handbook...
Action Summary
A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes:
Establishing policy by determining how the institution will manage and control identified risks;
Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP;
Ensuring that the BCP is independently reviewed and approved at least annually;
Ensuring employees are trained and aware of their roles in the implementation of the BCP;
Ensuring the BCP is regularly tested on an enterprise-wide basis;
Reviewing the BCP testing program and test results on a regular basis; and
Ensuring the BCP is continually updated to reflect the current operating environment.

9 WHO'S GOING TO MAKE THIS WORK? The BCP Coordinator?

10 WHO'S GOING TO MAKE THIS WORK? The Department Heads?

11 YEAH, RIGHT!

12 BUSINESS CONTINUITY PLANNING: THE PARTS
[Diagram labels: BCP; Plan Maintenance; Risk Management; Incident Management; Emergency Response; Business Impact Analysis; Event Scheduling]

13 TANGIBLE IMPACT TO THE BANK
Impact Categories: Financial, Operational, Customer Service, Fraud, Legal Exposure
[Chart: axes IMPACT and TIME; marker: Interruption occurs]

14 WHAT ARE THESE?
RTO - Recovery Time Objective
RPO - Recovery Point Objective
[Timeline diagram labels: Normal Operations; Recovery Process; Normal Operations; Backups Run; Crisis; Recovery Time Objective; Test Recovered Application(s); Lost Data and Backlog Recovered]

15 BUSINESS PROCESS FOCUS
[Six charts, each with axes IMPACT and TIME; panel titles: Pricing, ACH, Training, Check Processing, Journal Entries, New Accounts]
Most Vital Processes
Supporting Resources: Systems, Information, Facilities, Staff
Vital Systems, Vital Information, Vital Facilities, Vital Staff

16 You Have To Work Together! Departments; Information Technology

17 How about a collaborative Web Tool?

18 THE BOARD AND SENIOR EXECUTIVES: WHAT DO THEY NEED?
1. A quick and easy update on the status of the plan
2. High visibility task reporting
3. A logical, intuitive Incident Management piece
4. Summary level information regarding Impact Analysis, Threat Assessment and Remediations
5. Crisis Management Notification System

19 WHAT DOES THE BCP COORDINATOR NEED?
1. Easy implementation and Maintenance
2. Notification of overdue tasks and expired documents
3. Easy communication to responsible parties through e-mails and text messages
4. High visibility of overdue tasks and documents
5. Direct links to regulators (OCC and FFIEC) and cyber security intelligence

20 WHAT DO DEPARTMENT HEADS NEED?
1. Quick and easy access to their information
2. An effective task management tool with seamless integration to their Outlook calendars
3. A system of Alerts for changes in Event Scheduling, Document Expiration and plan changes
4. A seamless integration to MS Office for easy document upload and download