disaster preparedness critical elements of centurion ...€¦ · step 4 –conduct a business...

Disaster Preparedness

Critical Elements of Centurion Business

Continuity Planning

Tom Williams

Centurion Business Continuity Strategy Manager

• This webinar, Critical Elements of Centurion

Business Continuity Planning, is the second

webinar of a two part series.

• The first webinar in this series was entitled:

Discover Next-Generation Data Redundancy

Services with Centurion Hosted High Availability

• To view the recording of Webinar 1 please email

Cathy Ohara at [email protected] to

request the link to the webinar replay.

Disaster Preparedness Webinar Series

mailto:[email protected]

Agenda

• Identifying the Disaster Risk Mitigation Profile for

your bank

• The FFIEC Guidelines on Business Continuity

Planning

• Centurion’s Ten steps to Business Continuity

Planning

• Centurion Disaster Recovery Suite of Services

• Q&A

How would you answer the followingquestions regarding your bank’s BCP?

Is it an “Enterprise Wide” plan or just an I/T Plan?

Will the plan meet the examination criteria?

Is the plan tested and maintained on a regular basis?

How effective is our BCP?

The most important question;

Will our plan get us through a serious Disaster Event?

Top 5 Reasons why banks do not have an effective BCP?

2. The myth that there is a plan in place that will work.

5. We are to busy with other projects that are of a higher priority.

1. Let’s just do enough to satisfy the auditors and examiners.

3. It costs too much money.

4. The disaster will never strike.

LOW

RISK

HIGH

RISK

Identify your Bank’s Disaster Risk Mitigation Profile?

BSA/

AML

No Business

Continuity

Program

Intern

al

Fraud

Business

Continuity

Program

MODERATE

RISK

Each organization should continually

strive to move toward the Low Risk area

The FFIEC Guidelines on Business Continuity

Business Impact

Analysis

• Disaster Impacts• Prioritization• Recovery Windows• Recovery Strategies• Resource Requirements

Risk Assessment

• Threats• Frequency• Duration• Forewarning

Develop Business

Continuity Plan

• Enterprise Wide BCP• Emergency Plan• Crisis Management Plans• IT & Business Unit Plans

Test / Maintenance

Program

• Plan Updates• Recovery Center

Testing• Tabletop Exercises• Mock Drills

8

5. Conduct A Risk Assessment

4. Conduct A Business Impact Analysis

3. Review Current Business Continuity Plan

2. Develop BCP Development Team

1. Obtain Management Support

Centurion’s Ten Steps to Business Continuity Planning

Centurion’s Ten Steps to Business Continuity Planning 10. Obtain Board and

Regulatory Approval

9. Initiate Plan Maintenance Process

8. Test Recovery Plan

7. Document the Business Continuity Plan

6. Determine Recovery Strategies

Step 1 – Obtain Management Support

• Familiarize yourself and management with the FFIEC Business Continuity Guidelines

• Conduct research to determine plan deficiencies• Compare your plan to different plans • Talk with other FI’s about their BCP approach• Read articles to educate management on Best

Practices for BCP in the financial sector • Go to BCP / DR conferences for education• Have your plan reviewed by BCP experts• Conduct a mock disaster drill with your senior team


Risk Measurement - The Risk of a Disaster Occurring and not having an Effective Plan vs. the Cost of having an Effective BCP Plan

Risk Cost


Medium

Low

Cost of Recovery

Level of Commitment

High

Enterprise Wide BCP

IT Plan/Hot Site Only

No preparations

Enterprise Wide BCP tested and maintained at all levels

Disaster Level of Readiness Vs Cost of Recovery

Step 2 – Develop BCP

Development Team

• Select an Executive Owner

• Select a BCP Manager / BCP Coordinator

• Select a participant from each business unit

• Include BCP responsibility in job description

Step 2 – Develop BCP Development Team

• Establish a project plan for plan completion

– Plan development tasks / responsibilities / timelines / success factors / critical decision points

– Departmental interviews / management reporting

– Escalation process and status meeting dates

• Determine the following:

– Plan development methodology (Internal or Outsourced)

– How plan information will be stored and accessed

• Word Processor or BCP Software Tool

– Plan structure

Step 3 – Review Current PlanPlan Elements In Plan Not In Plan

Evacuation Plan in place and tested regularly

Succession / Escalation Plan

Alternate Work Locations Identified for IT & Departments

Critical Processes & Functions Identified / Prioritized

Recovery Time Frames Identified at the Functional Level

Risks Identified and Prioritized

Critical Documentation Identified

Resource Requirements Identified

Emergency Phone Numbers for Internal & External support

Recovery Teams Identified

Recovery Tasks Identified for Personnel for I/T & Departments

Manual Procedures Documented for I/T & Departments

Step 4 – Conduct a Business Impact Analysis-BIA

The Business Impact

Analysis Process

1. Identify the Processes &

Functions per Business Unit 2. Determine the

impact if the process / function is

interrupted

3. Determine the Recovery Time & the

Recovery Point Objectives

4. Prioritize to determine the Mission Critical

Processes5. Determine the

Recovery Strategies for each

function

6. Determine the Resource

Requirements

7. Determine Alternate Locations to restore function

8. Document Contingency

Procedures per function

IMPACTS

Lost Revenue

Accounting Records

Fines and Penalties

Vital Account Records

Lost Financial Records

Customer Service

Work Flow

Quality

Life and Safety

Public Opinion

Social Issues

Employee Morale

Employee Stress

Step 4 – Conduct a BIA - Determining Impacts

Step 5 – Conduct a Risk Assessment

•Probability of Occurrence

–Applicability

–Geography

–History/Current Events

Severity

–Forewarning – Speed -

Duration

Mitigation

–Prevention


• Natural

– Quake

– Tsunami

– Fire

– Lightening

– Tornado

– Typhoon

– Epidemic

• Technological

• Utility Failure

• Air Crash

• Hazmat

• Contamination

• System Failure

• Proximity Crisis

• Economic

• Intentional

• Cyber Attacks

• Reputational

• Espionage

• Terror – Mumbai

• Threats

• Food Tampering

• Strike

• Riot

Step 6 – Determine Recovery Strategies based on the BIA

• Core System

• Check Imaging

• Report Retrieval

• Document Imaging

• ATM / Card Processing

• Internet Banking

• Fedline

• Voice Response

• Statement Printing

• Internal Network, i.e.

• Voice Communications

• Telephone Banking

• Call Center Operations

• Employees

• Facilities

Regulatory Expectations

Prioritizing Critical Business Functions

Source: FFIEC IT Examination Handbook, Business Continuity Planning, March 2008,

Appendix F, p. F-3

http://ithandbook.ffiec.gov/it-booklets/business-continuity-planning/appendix-f-business-impact-analysis-process.aspx

Prioritizing Critical Business Functions

• Can we recover our technology infrastructure from a disaster?

• What is our Recovery Time Objective (RTO) for our core?

• What is our RTO for our server environment?

• What is our Recovery Point Objective (RPO) for core?

• What is our RPO for our server environment?

24

Step 6 – Determine Recovery Strategies Cost Vs. Level of Commitment Technology Infrastructure

RPO=near zero, RTO <1min, Automatic

Server/Workload/Network/Data SYSPLEX

RPO=Near zero, RTO <1Hr. to 4 hours, Automatic

Server/Workload/Network/Data Automatic Site Switch

RPO=Near Zero, RTO <1Hr. to 4 hours, Manual

Disk or Tape Data Mirroring

RPO > 15 min. RTO= 4+ hours, Manual

PiT or SW Data Replication.

RPO=4+ hours, RTO=8 to 24 hours, Manual

Data Base Log Replication & Host Log Apply at Remote

RTO=Days, RPO>24 hours

Tape, HW ATOD

Point-in-Time Backup

to Tape / Disk

RPO<24 hours RTO = 8-24 hours

Electronic Tape Vaulting

Co

st

Low

er

Hig

he

r

HoursMinutes Days

Traditional Tape

Recovery

Multi-Site

Failover /

Fallback

Continuous

Availability-

Disaster Avoidance

Recovery Solutions Align recovery strategies to the Business Impact Analysis

Function

Max Allowable

Downtime

Applications &

Systems OS

Core processing Critical – Min. to hrs. SilverLake®, CIF 20/20® iOS

Item processing Critical – Min. to hrs. 4|Sight™ Wintel

Document Imaging Urgent – 24 hrs Synergy® Wintel

Online banking Urgent – 24 hrs NetTeller® N/A

Telephone banking Critical – Min. to hrs. iTalk™ Wintel

Mobile banking Urgent – 24 hrs NetTeller® N/A

Bill pay Urgent – 24 hrs iPay Solutions™ N/A

Check printing Urgent – 24 hrs SilverLake®, CIF 20/20® iOS

Credit card processor Urgent – 24 hrs jhaPassPort™ Wintel

Critical Business

FunctionsRTO Resources

Business Continuity ProgramBusiness Continuity Program

Step 4 - Draft Plans Generated

27

Emergency Management Plan (Per Facility) Crisis Management Plans Information Systems Recovery Plan Business Unit Recovery Plans

Executive Summary Plan Testing & Exercise Guide

Step 7 – Document the BCP

Step 7 – Document the BCP - Table of Contents Example

COPE: Centurion’s Online Business Continuity Expert Business Continuity Planning Tool

• Based on Best Practices of the Financial and Business Continuity industry.

• A web-based business continuity plan built on an SQL server platform utilizing a relational database.

• Built in-house by JHA software developers.

• Fosters plan ownership at the business unit level.

• Designed solely for financial institutions.

• Access plans for planning purposes, testing, maintenance, and plan execution from any web browser.

COPE – Business Unit Teams

COPE – Departments

COPE – Business Functions

Team Responsibilities

Crisis Management Teams Business Units Recovery Teams

• Management• Administrative• Damage Assessment• Information Systems

• Business Functions

CIG, CTC Trust ServicesCIG, CFG Asset Management

Business Unit Recovery Teams

Information Systems Management Team

Crisis Management Teams

Trust Administration

Trust OperationsAsset Management Client Support

Administration

Facilities Management –

Administration Support

Human Resources

Compliance

Human Resources and

Training

Internal Audit

Information Technology

IT

Internet Branch

Clear Sky Branch

Pandemic Response

Planning

Lending Recovery Team

Commercial/Consumer Loan Operations

Mortgage Loan Operations

Deposit Operations

Bookkeeping

Electronic Services

Item Processing

Operations

Scanning

Recovery Team Organization Chart

Crisis Management Teams

• Team Leader: Alternate Team Leader: Team Members:




Management Crisis Team

Administrative Crisis Team

Damage Assessment Crisis Team

Information Systems Crisis Team


•AccountingAccounting

•Administration

•Chief of Staff

•Legal

Administration –Chief of Staff –

Legal

•Card Services

•Commercial Documentation

•Deposit Operations

•Fraud Investigations

•Loan Operations

•Treasuary Management Operations

Deposit Ops –Loan Ops – TM

Ops – Fraud


• Bank Secrecy

• Compliance

• Enterprise Risk Management

• Internal Audit

ERM – BSA –Compliance –Internal Audit

• Human Resources

• Project Management

Human Resources and Project

Management

• Application Support

• IT Risk Management

• Network Services

IT Risk Management –

Network Applications


• Agricultural Lending

• Commercial Finance

• Commercial Lending

• Consumer Loans – Collections

• Credit – Special Assets

• Loss Share

• Treasury Management

Lending – Credit

• MarketingMarketing

Plan Execution/Recovery Timeline

Crisis Management Phase

Relocate & Restore Phase

Recover Business

Functions Phase

Rebuild & Return Phase

EVENT

OCCURS




Recover Business

Functions Phase


EVENT

OCCURS

Evacuation & SafetyDamage AssessmentCommunicationsDisaster Declaration




Recover Business

Functions Phase


EVENT

OCCURS


NotificationsMobilizationRelocationRestore




Recover Business

Functions Phase


EVENT

OCCURS



Resume Services




Recover Business

Functions Phase




Resume Services Rebuild/Repair

Step 7 - Document the BCP

Establish a Recovery Time

Line

4

4

0 TBD?? Hours

Recovery Time

Step 7 – Process and Resource RecoveryFunction Description: Accept and post deposits

Recovery Window: Within 24 Hours

Describe the business tools and systems needed to complete the activity.2.1 Information Systems

Core Processing System

Data on Network

E-mail (External)

E-mail (Internal)

Internet Other EZTellerSystem

2.2 External Data Exchange

Connections to third parties via modem or other data file exchange. Connection to: File Name/Contents:

2.3 PC Software MS Access MS Excel MS Internet Explorer

MS Word

Other (Name)

2.4 Specialty Software

Examples are teller/platform systems, loan processing systems, A/L management, etc. Name/Description: EZTeller

Supplied by: Jack Henry

2.5 General Office Equipment

Adding Machine

Copier Fax Machine

Phone Typewriter Other:

2.6 PC Workstations & Peripherals

PC Workstation

Printer Other Computer Hardware (Name):

2.7 Specialty Equipment

Examples: Proof, image capture, sorters, etc. Separate multiple entries with a comma (,).Description: Model: Supplied by:

Forms Used Electronic (Name): Paper (Name):

Reports Used System Generated Manually Prepared

Externally Supplied (Name):

Supplied by: Files/Documents Name of File/Document:

Location: Format: Electronic Physical:

External Services Examples: Credit Reporting, Appraisals, Legal or Accounting

Step 7 – Process and Resource RecoveryFunction Description: Accept and post deposits

Recovery Window: Within 24 Hours

Step 8 – Test the BCP

Testing Benefits

• Identify weaknesses and exposures in the plan

• Identify backup and cross training requirements

• Provide training for team members & vendors

• Establishes credibility and authority to the plan

• Improves self confidence thru rehearsals

• Validates contract subscriptions with vendors

• Meet regulatory compliance requirements

• Authenticate recovery tasks and timelines

Test Plan

Set Test Objectives

Identify Resource

Requirements

Identify ParticipantsIdentify

Schedule Options

Determine Test

Budget

Conduct Test

Identify Scope

Step 8 – Test the Plan

Test Gap Analysis

Modifications

Step 8 - Analyze Test Results

Conduct a Post Test Review Meeting

Review results with team members and observers

Identify items to be re-tested for next test

Document test results for management & auditors

Amend Business Continuity Plan as required

Update Change Management Program

Schedule next test and set test objectives

Activity

• Recovery of individual application systems by using files and documentation stored off-site.

• Reloading of system tapes and performing an IPL by using files and documentation stored off-site.

• Ability to process on a different computer. • Ability of management to determine priority of systems with

limited processing.

• Ability to recover and process successfully without key people. • Ability of the plan to clarify areas of responsibility and the chain

of command.

• Effectiveness of security measures and security bypass procedures during the recovery period.

• Ability of users of real-time systems to cope with a temporary loss of on-line information.

• Ability of users to continue day-to-day operations without applications or jobs that are considered noncritical.

Step 8 - Test the BCP

Testing Checklist – Areas to be tested

Step 9 – Initiate Plan Maintenance Process

• Have all updates coordinated by BCP owner

• Establish Plan Ownership at the department level

• Make department managers responsible for updating their business unit plans

• Update plan annually for smaller organizations and bi-annually for larger organizations using the FFIEC guidelines.

• Integrate plan into the Change Management Process

• Develop a plan update status report & report results to senior management

52

Step 9 – Initiate Plan Maintenance Process

Phase 1:Locations, Personnel, Recovery Teams, Internal Notifications

Phase 2:Business Functions, Processes, Resources

Phase 3: Vendors, External Notifications

Phase 6:Conduct Plan Exercises, Changes from Exercises

Phase 5:Update Documentation, Prepare for Tests and Exercises

Phase 4:Schedule Plan Exercises, Application Recovery Procedures

Maintenance Cycle: One Year – 12 MonthsMaintenance Phases: 6 Phases – 2 Months per Phase

Step 10 – Obtain Board and Regulatory Approval

• Has policy been determined on how to manage and control identified risks?

• Have knowledgeable personnel and sufficient financial resources been allocated to properly implement the BCP?

• Has the BCP been independently reviewed?

• Are employees trained and aware of their BCP roles?

• Is the BCP regularly tested on an enterprise-wide basis?

• Has the board reviewed the test results and improvement plans based on the test results?

• Is the BCP continually updated to reflect the current operating environment?

LOW

RISK

HIGH

RISK

Identify your Bank’s Disaster Risk Mitigation

Profile?

BSA/

AML

No Business

Continuity

Program

Intern

al

Fraud

Business

Continuity

Program

MODERATE

RISK

Each organization should continually

strive to move toward the Low Risk area

Next Steps

1. Ensure you have Executive support for the BCP.

2. Have your BCP reviewed by BCP Experts.

3. Conduct a Mock Disaster Drill using your BCP.

4. Determine if outside expertise is required to

improve your plan, or if the work will be done

internally.

5. Ensure that your BCP is structured at the

department level.

6. Build / improve your plan and test it regularly

Centurion Business Continuity Planning Services

• Business Continuity Plan Development

– Deluxe Business Continuity Plan Development Option

– Remote Business Continuity Plan Development Option

• Review of your current BCP / DR Plans

• Mock Disaster Drills / Training on BCP / DR

• Business Continuity Strategic Planning Session

• Business Continuity Executive Webinars (Free)

Centurion Suite of Services

Contact Information

• Tom Williams

– Centurion Business Continuity Strategy Manager

– GSB Faculty Instructor

– 800-299-4411

– [email protected]

mailto:[email protected]

Questions