Meeting FFIEC Requirements: Enterprise-Wide Testing of Your Business Continuity Plan
April 25, 2012
Robin Remines, CBCP, AMBCI, Certified Business Continuity Professional
Copyright 2010 Ongoing Operations
Plan. Prepare. Protect.



The OGO Difference
• Focus on making business continuity planning an organization-wide initiative and process
• Holistic: people, processes AND technologies
• Financial Impact Analysis (FIA) as well as Business Impact Analysis (BIA)
• Award-winning BCP software platform
• Leader in building private/public partnerships
• Certified professional staff


Key Outcomes
• Understand FFIEC requirements regarding the Business Continuity Program / Business Impact Analysis (BIA) and their relationship to testing
• Financial Impact Analysis (FIA)
• Using the results to develop a stronger Business Continuity Program and to provide continuity of service to our members NO MATTER WHAT HAPPENS!


Meeting FFIEC Requirements: Enterprise-Wide Testing of Your Business Continuity Plan


Goal of Business Continuity Plan
• People safety first!
• Minimize financial losses to the institution
– BIA to identify the business processes with the greatest potential impact (including Risk and Financial Impact Analysis)
• Continue member service with minimal interruption
• Be a community resource (CIKRP)
• Mitigate negative effects of disruption on operations
– Solutions include redundancy, failover, resiliency, procedural documentation and manual alternative procedures
– Prioritize implementation of solutions


FFIEC Testing Guidelines
• Roles and responsibilities should be specifically defined
• The BIA and risk assessment should serve as the foundation of the testing program
• Enterprise-wide testing should be conducted at least annually
• Testing should be viewed as a continuously evolving cycle
• Mitigation strategies should sustain the business until permanent operations are reestablished
• The testing program should be reviewed by an independent party
• Test results are compared against the BCP to identify any gaps


We all have a role!
• Business line management: testing of business operations
• IT management: testing recovery of the institution's information technology systems, infrastructure, and telecommunications
• Crisis management: testing the institution's event management processes
• Facilities management: testing the operational readiness of the institution's physical plant and equipment, environmental controls, and physical security
• Third party/audit: evaluating the overall quality of the testing program and the test results


Business Impact Analysis
• Assess and prioritize business functions and processes
• Identify the potential impact of business disruptions on the business functions and processes
– Severity of impact
– Member impact
– Member confidence
– Increased fraud
• Identify legal and regulatory requirements of the business functions and processes
• Estimate RTOs (recovery time objectives) and RPOs (recovery point objectives)


BIA Outcomes
• Establishes a solid foundation for your planning process
• Meets regulatory and audit requirements
• Senior management support
• Top-ranked risk items with plans to protect against, assign, accept or eliminate the threat
• Creation of an IT recovery plan that uses the outcome of the BIA to establish a priority for recovery


Risk Assessment
• Evaluate BIA assumptions using various threat scenarios
• Analyze threats based on likelihood and potential impact to the institution, members and the financial market
• Prioritize potential business disruptions based on severity, which is determined by impact on operations and probability of occurrence
• Perform a "gap analysis" that compares the existing BCP to the policies and procedures to be implemented based on the prioritized disruptions and resulting impact
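The BIA and Risk Assessment slides describe three steps: score each process by impact and likelihood, rank the resulting disruptions by severity, and compare the existing BCP against the objectives the BIA set to find gaps. The following is an added example, not code from the slides or from Ongoing Operations, that carries those three steps through on a small constructed inventory of credit union processes. The 1-5 scoring scale, the severity = impact x likelihood rule, and the gap rule (documented recovery time exceeds RTO, or backup interval exceeds RPO) are assumptions chosen for illustration; the FFIEC guidance does not prescribe a formula.

```python
"""Added example (not from the original slides): BIA risk scoring,
prioritization by severity, and a gap analysis of the existing BCP
against the RTO/RPO objectives the BIA established.

Assumptions (not stated on the slides): impact and likelihood are
scored 1-5, severity = impact * likelihood, and a gap exists where the
recovery time the current BCP documents exceeds the process's RTO, or
where the backup interval exceeds its RPO.
"""
from dataclasses import dataclass


@dataclass
class Process:
    name: str
    rto_hours: float                 # recovery time objective from the BIA
    rpo_hours: float                 # recovery point objective from the BIA
    impact: int                      # 1-5: member, financial, reputational impact
    likelihood: int                  # 1-5: probability of the disrupting threat
    documented_recovery_hours: float  # what the current BCP actually delivers
    backup_interval_hours: float      # how much data the current backups can lose

    @property
    def severity(self) -> int:
        """Severity as the slide defines it: impact combined with probability."""
        return self.impact * self.likelihood


def prioritize(processes):
    """Rank processes for recovery: highest severity first, shortest RTO breaks ties."""
    return sorted(processes, key=lambda p: (-p.severity, p.rto_hours))


def gap_analysis(processes):
    """Return (process name, reason) pairs where the existing BCP does not
    meet the objectives the BIA set for that process."""
    gaps = []
    for p in processes:
        if p.documented_recovery_hours > p.rto_hours:
            gaps.append((p.name, f"documented recovery {p.documented_recovery_hours}h "
                                 f"exceeds RTO {p.rto_hours}h"))
        if p.backup_interval_hours > p.rpo_hours:
            gaps.append((p.name, f"backup interval {p.backup_interval_hours}h "
                                 f"exceeds RPO {p.rpo_hours}h"))
    return gaps


# Constructed sample inventory for a credit union; the figures are illustrative.
SAMPLE = [
    Process("Core processing / member transactions", rto_hours=4, rpo_hours=1,
            impact=5, likelihood=3, documented_recovery_hours=8, backup_interval_hours=1),
    Process("Check & ACH processing", rto_hours=24, rpo_hours=4,
            impact=4, likelihood=3, documented_recovery_hours=12, backup_interval_hours=24),
    Process("Loan origination", rto_hours=72, rpo_hours=24,
            impact=3, likelihood=2, documented_recovery_hours=48, backup_interval_hours=24),
    Process("Marketing website", rto_hours=168, rpo_hours=168,
            impact=1, likelihood=4, documented_recovery_hours=24, backup_interval_hours=24),
]


def recovery_order(processes=SAMPLE):
    """Names in the order the IT recovery plan should restore them."""
    return [p.name for p in prioritize(processes)]


def bcp_gaps(processes=SAMPLE):
    """Gaps the testing program must close before the next exercise."""
    return gap_analysis(processes)


if __name__ == "__main__":
    for rank, name in enumerate(recovery_order(), 1):
        print(f"{rank}. {name}")
    for name, reason in bcp_gaps():
        print(f"GAP: {name}: {reason}")
```

On the sample data the core processing platform ranks first (severity 15) and the marketing website last (severity 4) even though the website's likelihood score is higher, because severity weights impact as well as probability. The gap analysis flags two items: core processing is documented to recover in 8 hours against a 4-hour RTO, and Check & ACH backups run every 24 hours against a 4-hour RPO. Those two lines are exactly what a test scenario built from the BIA should exercise first.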


Risk Management (Mitigation)
• Based on a comprehensive BIA and Risk Assessment
• Documented
• Reviewed and approved by the Board and Senior Management annually
• Disseminated to employees
• Properly managed when outsourced to a third party
• Specific regarding what conditions should prompt implementation of the plan and the process for invoking it


Risk Management (cont.)
• Immediate steps that should be taken during a disruption
• Flexible for unanticipated scenarios and changing internal conditions
• Focused on the impact of the various threats that could potentially disrupt operations
• Developed based on valid assumptions and interdependencies


Testing/Exercising
• Develop exercise scenarios that incorporate the BIA and Risk Assessment
• Include C-level and department-level staff
• Gain buy-in through role-playing and inclusion
• Consider tabletop vs. walkthrough
– http://ithandbook.ffiec.gov/it-booklets/business-continuity-planning/risk-monitoring-and-testing/principles-of-the-business-continuity-testing-program/testing-policy.aspx
• Complete at least annual tests of the BCP (more than the annual IT/DR exercise)


Exercise your plan
• Critical processes and locations
– Is the plan to work from home or from an alternate site? Perform the processes from the alternate location
– What processes are included?
– How are communications handled?
• Was the exercise successful?
– Issues identified and revisions assigned for additional planning: yes, that is the exercise doing its job
– Everything was smooth and no opportunities identified: be skeptical; an exercise that surfaces nothing usually did not push the plan hard enough


Testing – Creating the Lifecycle
• Senior Management and the Board of Directors evaluate the program and test results
• Third-party assessment of the program and test results
• Revise the BCP and testing program based on operational changes, audit and examination recommendations, and test results


Financial Impact Analysis (FIA)


FIA Tool
• Potential financial impact
• Uses the 5300 Call Report data provided to the NCUA
• Coming soon! www.ongoingoperations.com
• Easily customized to fit your credit union's business strategies and operating practices


What does the FIA measure?
• Delinquency risk
• Daily transaction risk
• Fee income risk
• Check & ACH risk
• Daily loan risk
• Reputational risk


Fee Income Risk (slide content not captured in the transcript)


Summary – BCP Testing – FFIEC Guidelines
• Spend resources (time, people, $$$) on performing an in-depth Business Impact Analysis (BIA) and Risk Assessment
– Without this, there is no foundation from which to measure your testing
• Create a testing plan/cycle: using various scopes/objectives, create a yearly calendar to test at various levels
– Enterprise-wide testing should be conducted at least annually
– DR (IT) tests at least annually
– Departmental: annually AND when any significant process change occurs


Summary – BCP Testing – FFIEC Guidelines (cont.)
• Mitigation strategies should sustain the business until permanent operations are reestablished
• You may not always have the "right" mitigation strategy; document your decision-making process
• Consider third-party "stand-in" availability (such as card processing, ATMs, etc.)
• Always have an independent reviewer; look at it as a chance to improve your plan, not to grade it
• Update your plan IMMEDIATELY after testing to close gaps identified by the exercise


Robin Remines, CBCP, AMBCI

[email protected]

Certified Business Continuity Professional

www.ongoingoperations.com