April/May 2007
Focus: Risk Assessment & Disaster Planning
The 10 Most Common Mistakes Made When Implementing Business Continuity Plans
By Len Filppu and John Barchie, CISSP
Most banks have developed Business Continuity Plans (BCP) in order to plan and prepare for the timely recovery of business and technological services in the aftermath of disruptive disasters. But mistakes are routinely made when implementing these plans.
The following list of the 10 most common mistakes made in implementing BCPs is compiled from years of comparing regulatory requirements with actual real-world implementation data garnered through objective, independent internal auditing and testing. The list is ranked with the most common mistakes first.
1. BCP focuses on just IT instead of the entire enterprise.
The FFIEC Business Continuity Planning Booklet recommends the development of an enterprise-wide business continuity plan with all business units and their interdependencies considered. Disasters such as Hurricane Katrina underscore the need to anticipate threats appropriately across all levels of the bank, not just from the perspective of recovering information technology.
2. BCP is missing a Business Impact Analysis (BIA).
Regulators consider a BIA essential to a comprehensive BCP. The bank’s first step in the BCP should be the development of the BIA. The BIA phase identifies the potential impact of uncontrolled, non-specific events on the institution's business processes, and determines what and how much is at risk by identifying critical business functions and prioritizing them. A BCP without a BIA is considered incomplete and is subject to criticism.
3. BCP is missing a risk assessment.
The risk assessment evaluates the likelihood of various natural, technical, and malicious-intent threats affecting bank data availability. The impact of reputation, operational, compliance and other risks posed by disasters must be considered. The Interagency guidance in “Lessons Learned from Katrina” states that any function that has a high impact on the institution when disrupted, however unlikely the disruption may be, should receive additional emphasis in the planning process.
4. Data communications is not considered.
Banks that outsource their core systems are heavily dependent upon their communications, yet many have no written contingency or recovery procedures should their connectivity go down. Provisioning new lines may take weeks without a procedure, and even days with a procedure. As a contingency, bank staff should know how to run the bank without reliable access to the Internet or core system.
5. Both contingency and recovery are not considered for each function.
Contingency is the procedure taken when key resources (for example, Internet access) are not available. Recovery procedures are those procedures necessary to get the key resource back up and running. Each procedure should be managed by a different team.
6. Procedures are not step by step.
During a disaster, high stress reduces the effectiveness of even the most hardened professionals. The trick is to make things easy on staff. Since key personnel may not be available when needed, create procedures that are very detailed and can be followed by anyone, regardless of the stress.
7. Tests do not take into consideration the loss of key personnel.
Most successful BCP tests occur under ideal conditions, but if you remove a few key personnel, the rubber meets the road and the real lessons are learned. During Hurricane Katrina, circumstances prevented many employees from reporting to assigned locations, despite their best efforts. Don’t hope this doesn’t happen; plan ahead for it.
8. Written test plans are missing.
One of the most emphasized objectives in the FFIEC’s BCP guidance is the creation of written test plans. Testing is integral to the BCP process and should be performed often (at least annually), cover all critical areas (as discovered during the BIA process), be realistic, and have after-action critiques. Many banks show serious weaknesses in this area, as if the BCP were just an afterthought, and this can cause regulatory criticism.
9. Annual Board Approval is not sought.
Make no mistake, the FFIEC guidelines clearly indicate that the bank’s board of directors is wholly responsible if response to a disaster is ineffective or impotent. The quality of annual Board oversight and support is a key objective. The most effective BCP processes occur at banks where the Board appoints senior management by name to drive the BCP.
10. Security plans during a disaster are missing.
During a disaster, non-production systems will typically be used instead of the tested and secure production systems. These temporary systems need to be as secure as the information security program demands. Hackers will not hesitate to attack an institution during a disaster. Make sure the plan takes into consideration physical, logical and administrative security needs during a disaster, just as the FFIEC guidelines recommend.
Len Filppu is executive vice president and director of operations for AuditOne LLC, a San Jose, California-based independent internal audit firm specializing in banks and their service providers. John Barchie, CISSP, CNE, MCSE, is an AuditOne senior IT associate and holds the industry’s highest information security certification. They can be reached at 408-980-8099 or at len.filppu@audit-one.com and john.barchie@audit-one.com respectively.
Unauthorized reproduction of all or part of this material without the express written consent of the author is strictly prohibited. All rights reserved.
