2015 was a groundbreaking year for business continuity regulators and that makes 2016 a key year for compliance modifications.
What happened? Well, 2015 was the culmination of many variables:
Threats increased. Whether it’s our awareness or the actual activities themselves, there is more responsibility and accountability to guard against threats to operations risk than ever.
Marketplace tolerance exceeded the breaking point. The bar had been raised so high for banks that many vendors were noticeably below standard, so far below that when the dam broke (literally) the regulators got involved, resulting in documents like Appendix J and the Cybersecurity Assessment Tool.
Time to revise the FFIEC Handbooks was up. The previous edition was beyond end of life. The industry had advanced beyond what the previous editions covered. Several have been updated and more are to come. Changes include incorporation of cybersecurity concepts as a part of information security, advancement of management-related concepts and IT risk-management as a part of enterprise-wide management.
Here’s where to put your resources in order to maintain compliance and create value in 2016.
Leadership Denotes Character
The old saying goes, “the fish stinks from the head down,” and examiners are more than casually aware of this. There is no one more accountable than the board of directors. Unfortunately, there is often no one less clued in. Fiduciary relationships – those where the board member must act in the best interest of the bank before himself – are not taken lightly in the eyes of the regulators. If your employees aren’t demonstrating healthy business behavior, the responsibility lies squarely on the shoulders of the board. This is a big jump up from what’s been enforced in the past.
Don’t expect your board to know it all right now but do find resources for coaching and basic training immediately. Work with your board to build their capacity and understanding so that they will have the resources to make the best decisions for the clients to which they are held responsible. There’s no plea of ignorance as a board member. Those who don’t take fiduciary seriously have gone to prison and paid hefty fines. 2015’s fines were in the billions.
In case you missed its release, the FFIEC developed the Cybersecurity Assessment Tool to help institutions identify their risks and determine their cybersecurity preparedness. While you’ll probably be fine not acing the test on the first go-around, you must have a working knowledge that exceeds “familiar with the Assessment.” Where do you currently score, and how are you working to upscale your security? Take the time to find out. Give the executive officers and directors the Overview and get to work on the profile. You’ll be glad you didn’t wait!
Lest you confuse all this work for a waste of time, think again! You’re actually securing the value of your organization. The FFIEC has released several statements to help clarify the threats and best practices.
Supply Chain Management
Move over, Vendor Management. Banking is a business and it knows how it creates value. In order to maintain those performance indicators, banks know what and whom they depend on to get the job done. Vendor relationships go far beyond a handshake these days. Trust must be proven, a relationship that will make it through any storm is a must, and Appendix J gives you four specifics. Though it outlines details for technology service providers (TSPs), it’s smart to apply this document to all critical service providers.
2016 calls for forms that standardize processes, develop information, measure impact and progress and are regularly used. What you don’t measure you can’t manage and evidence of that measuring is always in writing. Whether you have a top level software package with pre-populated templates or 3-ring binders and loose leaf paper, the value comes from keeping all that data organized and accessible. As long as you’re thorough and consistent, you’re doing it the right way.
Plan for the Future
Keep your vision clear – compliance is a small part of a bigger picture. Don’t shrink your standards by confining the scope to small parts. The planning process is an investment in the future value of the institution. It brings vision and hope. Have a vision and a plan for long-term congruence in 2017 and beyond, and share it with everyone from the tellers at the drive-thru to the board as often as possible.
You’ve got something important you’re protecting! When you require more assistance don’t forget there are specialists who have traveled this road before. Give us a call and we’ll guide you in the right direction.
The benefits of outsourcing production processes or services to suppliers are many: it can provide a better product or service than you would be able to produce internally; it can increase your efficiency; it can allow you to focus on core areas; and, of course, it can reduce your overall costs. Meanwhile, it also creates additional risks companies may not be factoring into their own business formula for success.
Lack of transparency
Suppliers are often reluctant to share information they may see as proprietary or confidential, but it’s essential that they give reasonable assurance that they have plans in place for business continuity and that they are regularly maintaining and testing these plans. Their process may include a wide scope of operational dependencies, so regular assurance and audits from clients are warranted.
Sufficient monitoring and alerts of operational outliers or different-from-expected production or delivery is also a basic requirement. Many clients now require automatic monitoring and timely technical reports. If your organization is not already formally requiring this from your key suppliers, introduce it into your relationship. Conjoined tests and validation exercises are valid trust builders and can improve expectations and transparency in the vendor-client relationship.
Relationships with critical partners frequently begin with a trust or “handshake” agreement on delivering a small service with little risk but develop over time into a critical dependency. When contracts are not fully formed or re-addressed as the relationship matures, both parties can end
It’s a global market and many of your suppliers have their own suppliers – around the globe. In fact, those that are delivering value to your suppliers may be receiving value from you or someone like you. It is a small world, after all. The key is to understand the relationships that are imperative to you and their dependencies. Are several of your vendors relying on the same supplier for a raw material? Do your vendors require the same level of standards you do from their partnerships? There are many layers of business these days and it’s difficult to see the supply chain clearly across several (perhaps as many as several dozen) variables. In short, you need to know your suppliers as well as you know your customers.
Don’t forget that because today’s global supply chains are so interdependent, the number of organizations that influence your product multiplies the complexity of product quality. Each organization carries its own process methodologies, operational policies and strategic initiatives. Each of these creates another layer of complexity. It’s easy for a small part to become obscure and its detail less defined, resulting in a poorer product. Clear service level agreements and carefully systematized audits are needed to set and maintain standards of quality.
In conclusion, many risks that come with supplier relationships can be minimized through establishing clear expectations early in the relationship and continuing to clarify those expectations throughout the working contract.
Continuity management has long been tied to disaster planning and crisis response as fundamental to emergency planning, but the reality is: if you’re just practicing business continuity to survive, you’re never going to get much out of it.
The key to effective value creation from continuity management is a strategy that builds on how the day-to-day business is designed to create value. Today’s global market puts us all in crisis. Corporate directors are in jail. Cyber terrorists can easily hide across borders around the world yet still access information kept locked away. States and countries declare bankruptcy. Instability is everywhere.
Businesses are so interdependent on one another that supply chain and technology are complex grey zones of value and accountability. The bottom line is the business needs to create value to survive. Maybe value means money, maybe it’s customer satisfaction or maybe it’s serving its nonprofit goal. Regardless, the creation of that value must be the crux of your resilience plans.
One of the most common misconceptions of business continuity planning is that it starts with a disaster and in a lucky world no one would need a plan. Luck favors the prepared. A business with a healthy continuity management program doesn’t just survive crisis; it thrives daily. The reality of the business world is that every day is more complex and risk loaded. In order to work toward corporate maturity and institutionalization of the systems that create value you have to structure and live your plan.
I am pleased to have made the acquaintance of Joe Soltis of Soltis Consulting today. I recommend you follow his blog and engage in the concepts he introduces. Stimulating and value-added.
Think again! So many companies these days think it’s a good idea to let technology get behind the wheel of business or business recovery. This is not going to move you forward. Business is about people and systems. If you happen to have a computer to help with one of those systems, fine, but don’t let that computer boss you around and don’t EVER start thinking that computer cares about you or your company. It doesn’t and it never will.
Likewise, there’s a strong trend to push business decisions onto the people who care for the computer. They are fantastic people and they help you get what you need. You may even get to feeling like they are indispensable because they are always saying things like, “We are working on that now.” Or they make your iPad work after you screamed at it and threatened to throw it out the window. Your tech team may be working miracles, but they still cannot run your business. Put them back in their car seat and get back to driving!
Consider a complex manufacturing and logistics organisation, based at the North Pole, traditionally very busy around the 25th of December. As you might imagine, planning for this event takes all year – no sooner has Santa Claus sat down on Boxing Day than he’s called to deal with all sorts of unplanned events that require attention.
This year, it started early. Santa was putting the sleigh in the garage when he was accosted by Mrs Claus.
“What are these reports on the radio about you kissing somebody’s Mommy?” she demanded.
“W, w, what? Who?” Santa stammered.
Santa was able to explain that there must have been a case of mistaken identity. Santa’s image had taken a battering at the hands of an imposter. He was straight onto his Incident Management Team and, following a quick injunction and a public apology, his reputation was restored. He couldn’t afford for his customers to think he was in any way naughty.
February brought ice storms to the North Pole.
“Sir, it’s too cold for the employees to work,” his Elf and Safety Manager told him, “I have instructed the elves to down tools.”
Santa sighed and reached for the Yellow Pages. “Hello, heat engineers? It’s just possible you could save my elves…”
Despite the interruption, with a bit of overtime, the Elves were soon back on schedule.
Things carried on uninterrupted until spring saw flocks of birds returning from their winter habitats. Concern rose amongst Santa’s employees that the wild birds might bring the H5N1 avian flu virus with them, giving rise to concerns about an epidemic. Santa consulted the WHO website for the latest advice.
“There’s currently little risk for us; the birds are returning from countries where there have been no recorded H5N1 outbreaks, but to be sure, I’ll employ a couple of special wardens specifically to keep an eye on the well-being of the birds,” he told his elves, hoping that he wouldn’t have to employ more wardens when the wild reindeer herds returned. He’d read that the Blue Tongue virus was spreading north and already had problems with one of his sleigh crew having a red nose….
The summer holidays always presented Santa with problems; bored children with too much time on their hands were always on the lookout to cause mischief. This year Santa’s IT partners informed him one morning that his “Naughty or Nice” database had been hacked! The status of all the children had been changed and there was no way they could sort it out.
Fortunately Santa is pretty tech-savvy. He didn’t panic and instructed his IT department to delete the data and restore from the backup. As extra insurance, he asked for a full virus check to be undertaken, arranged for the firewall firmware to be updated and instructed all the elves to change their passwords.
There were no further problems to distract Santa. Come the 24th, the Elves loaded up the sleigh and the reindeer team was harnessed. Santa clambered up into the driving seat, picked up the reins with one hand and turned the sleigh’s ignition with the other. There was a short croak and then nothing. He turned the key again, with the same result. Santa realised that when he had been managing his reputation issues last year, he’d forgotten to turn the sleigh headlights off. The battery had gone flat.
Fortunately, on Mrs Claus’ insistence, the date was the 24th of November and Santa and the Elves were running an exercise. Sure, Santa hated having to squeeze into his suit before his annual diet had worked off all the previous year’s mince pies, the Elves got cranky at having to load and unload the sleigh and the reindeer team disliked being taken from their warm stables, but Mrs Claus had seen the benefits of exercising ahead of “the big off”. The battery was rigged up to the charger and, come the big day, all the good children received the right presents thanks to Santa’s business continuity arrangements….
Just a bit of fun! Special thanks to Richard Jones!
Did you know you have a frog and a rat in your brain that help you survive? I learned that while reading Laurence Gonzales’ latest book, “Surviving Survival”. The title, though initially vague, points out an excellent conundrum: what do you do once you’ve survived a crisis? You don’t come out the other side of any crisis the same, so how do you assimilate the “survivor” parts of you into your old view of yourself? You must be a whole being to move comfortably forward.
Often complex, and though I have a little whiplash from the jumps between descriptions of “drama in real life” and deep dives into the neurology, I give it 4 of 5 stars. Great book!
Here’s a good assessment of 9 ways to recognize a good BC Plan. Enjoy!
There are all sorts of templates and thoughts on how the various Business Continuity Management (BCM) program components should look – the “plans.” Every organization has its own self-styled plan; every consulting agency has its own look and feel and every available free online template looks different from the next. So how can you recognize a good plan from a really bad and confusing plan?
The following 10 considerations will help you determine if you’ve got a good plan or a not-so-good plan.
- Action Oriented: If people are expected to follow and execute plan activities, it must be action oriented. A document full of theory and suggestions won’t be of any help and will quickly be used to stop a desk from wobbling – or used to capture excess dust that may collect on a shelf. As a rule of thumb, I tend to look for the first action step/item/activity within the first 5 pages after…