2015 was a groundbreaking year for business continuity regulators and that makes 2016 a key year for compliance modifications.
What happened? Well, 2015 was the culmination of many variables:
Threats increased. Whether it is our awareness or the actual activity that has grown, there is more responsibility and accountability to guard against operational risk than ever.
Marketplace tolerance exceeded the breaking point. The bar had been raised so high for banks that many vendors were noticeably below standard, so far below that when the dam finally broke the regulators got involved, resulting in documents like Appendix J and the Cybersecurity Assessment Tool.
The FFIEC Handbooks were due for revision. The previous edition was beyond end of life; the industry had advanced past what it covered. Several handbooks have been updated and more are to come. Changes include treating cybersecurity as a part of information security, advancing management-related concepts, and placing IT risk management within enterprise-wide risk management.
Here’s where to put your resources in order to maintain compliance and create value in 2016.
Leadership Denotes Character
The old saying goes, “the fish stinks from the head down,” and examiners are more than casually aware of this. No one is more accountable than the board of directors. Unfortunately, there is often no one less clued in. Fiduciary relationships, those in which the board member must act in the best interest of the bank before his own, are not taken lightly by the regulators. If your employees aren’t demonstrating healthy business behavior, the responsibility lies squarely on the shoulders of the board. This is a big jump up from what has been enforced in the past.
Don’t expect your board to know it all right now, but do find resources for coaching and basic training immediately. Work with your board to build their capacity and understanding so that they have what they need to make the best decisions for the clients to whom they are responsible. There is no plea of ignorance as a board member. Those who have not taken their fiduciary duty seriously have gone to prison and paid hefty fines; 2015’s fines were in the billions.
In case you missed its release, the FFIEC developed the Cybersecurity Assessment Tool to help institutions identify their risks and determine their cybersecurity preparedness. While you’ll probably be fine not acing the assessment on the first go-around, you must have a working knowledge that exceeds “familiar with the Assessment.” Where do you currently score, and how are you working to raise your security? Take the time to find out. Give the executive officers and directors the Overview and get to work on the Inherent Risk Profile. You’ll be glad you didn’t wait!
Lest you mistake all this work for a waste of time, think again: you are actually securing the value of your organization. The FFIEC has released several statements to help clarify the threats and best practices.
Supply Chain Management
Move over, Vendor Management. Banking is a business and it knows how it creates value. In order to maintain those performance indicators, a bank must know what and whom it depends on to get the job done. Vendor relationships go far beyond a handshake these days. Trust must be proven, a relationship that will make it through any storm is a must, and Appendix J gives you four specifics. Though it outlines details for technology service providers (TSPs), it is smart to apply this document to all critical service providers.
2016 calls for forms that standardize processes, develop information, measure impact and progress, and are regularly used. What you don’t measure you can’t manage, and evidence of that measuring is always in writing. Whether you have a top-level software package with pre-populated templates or 3-ring binders and loose-leaf paper, the value comes from keeping all that data organized and accessible. As long as you are thorough and consistent, you are doing it the right way.
Plan for the Future
Keep your vision clear: compliance is a small part of a bigger picture. Don’t shrink your standards by confining the scope to small parts. The planning process is an investment in the future value of the institution. It brings vision and hope. Have a vision, plan for long-term congruence in 2017 and beyond, and share it with everyone from the tellers at the drive-thru to the board as often as possible.
You’ve got something important you’re protecting! When you require more assistance don’t forget there are specialists who have traveled this road before. Give us a call and we’ll guide you in the right direction.
I am pleased to have made the acquaintance of Joe Soltis of Soltis Consulting today. I recommend you follow his blog and engage in the concepts he introduces. Stimulating and value-added.
Yes, for the next year or two your bank examiner may make the mistake of crediting you for exercising your disaster plan when you documented an actual crisis but let’s take a step back and think about this before we consider it a “win”.
Experiencing a crisis or disruption does not meet the standard for exercising your plan and should not be adequate to count as testing your plan, for many reasons, including:
- Under best-practice continuity management guidelines it is clear that establishing an exercise program and testing the plan is not the same as documenting events that threaten or impact the business. These are two separate best practices.
- FFIEC examination guidelines state “The board and senior management should establish a testing program appropriate for the size, complexity, and risk profile of the organization and its business lines.” Passively experiencing a crisis does not demonstrate that a testing program has been established, nor, whatever the extent of the crisis, will it be appropriate for the size, complexity and risk profile of the organization. In fact, it may be counterproductive and make you look unprepared because you didn’t plan a test.
- Community banks are likely to have experienced 6-12 crises in a year. What makes this one particularly meaningful? Did you document the other ones? What are your standards for documentation?
- Test objectives were not set or met (no, “survival” does not count), and only one part of your response plan was exercised. The “test” was not comprehensive.
- Since you weren’t planning to experience this problem, exercise controls were not in place when it happened. You can only manage what you measure.
- Hypothetically, would you consider going to the emergency room because you thought you might be having a heart attack to be an indicator of your ability to deal with stress? Technically the answer is “yes.” However, that is certainly no way to live, and if this is your common practice it indicates you don’t really have a good plan for your health. The same is true for your organization. Why wait for a heart attack to find out whether your blood pressure is too high? It is easier to use a blood pressure cuff and check your heart rate.
Let’s speak the truth: This is not the attitude of a healthy, mature business and will not, for much longer, meet requirements for safety and soundness.
Now, before you get frustrated, I realize you don’t want to do continuity management this way. You have a LOT on your plate that you’d rather be getting to (call reports, anyone?) and you’re just not sure where to get started. So, DCS has set up some fantastic tools to make planning and exercising EASY for you! Get excited now and bookmark this for future reference! First, go ahead and log that problem you had on our FREE Crisis Event Log. It has a couple of brief questions to help you get down the information you need to learn from and properly document the problem.
Next, use our FREE Strategic Road Map to get an idea of what a good, well-rounded financial institution can do to build operational strength. NO, you don’t have to do that big failover test right away. We actually recommend against it. Start drilling the little things first. Can you guarantee that you can contact everyone when they’re not at work? Try your call tree out and write down what happens. That’s a great test!
Another quick tip is to see what your IT provider is doing to test regularly. We often find out the IT department regularly tests failover procedures but rarely documents it adequately for oversight or examination requirements. All you have to do is start documenting! It’s easy! You can do that!
We have also started a new product line: DIY Turnkey Continuity. We’re building very strong key kits for your continuity tool case at affordable prices. We’ve started with a data breach kit and will be releasing an exercise kit before the end of the summer. For our BOL friends, we are looking for pilot users to test these at a discounted rate! Private message me if you’re interested. Also let me know what other kits you’re interested in. Pandemic, social media and vendor management are on our list for 2013.
I hope these ideas help out. We realize you are doing everything you can to keep compliant and the business moving in a positive direction. Please let us know what else we can do to make your job easier!
In all planning, whether it is for projects or programs and regardless of the industry and nature of business, one of the key areas that often gets overlooked is the use and belief in assumptions. Not just overlooked but they tend to become part of the fibre of every project and every BCM/DR program. We assume ‘so-and-so’ knows this ‘action’ and will do that ‘activity,’ when in fact, so-and-so has no idea what they’re responsible for or even that others believe they’re responsible for it.
We don’t communicate assumptions often and if we do, it’s once or twice in the initial stages of a BCM/DR project or we make them up within the confines of our own segregated meetings, which aren’t attended by those that the assumptions are based on. We capture the minutes of the meetings and action items but never reach out to those we assigned an assumption…
Rivulets are those tiny droplets of water that join together and move in a common direction. After lots of movement over time these little streams can really impact their environment in significant ways. They begin to shape valleys and eventually build canyons. We have rivulets in our lives and it is my sincere belief we have rivulets in our businesses. They are the little behaviors that eventually tip into culture and build our character and legacy.
Business rivulets start with people: managers leading, encouraging and motivating little streams to run in certain paths. Perhaps invisible at first, over time the erosion is clear. What does this have to do with business continuity? Everything. Rivulets shape your resilience. Day after day they reinforce or degrade direction, efficiency and speed. Contingencies are initially built in as the path of least resistance, but leaders can design them to create value and build character. What canyons are your rivulets building?
We recently formed a relationship to manage the continuity program for a new client. At the start of the discovery phase, we had a hearty discussion about backup practices. The new client used a well-known and reputable local data backup provider but had not thoroughly fleshed out the agreement or contractual obligations with them. Though our client was very confident in the services they were receiving, after reviewing the contract we were still uncertain how the provider supported testing or recovery of the backup data.
With reservations, but in response to our urging, the client contacted the supplier and, after several weeks and many discussions with varying levels of management, leading up to the owner, found that, while the provider was backing up a great deal of data, the backup did not contain the files the core processing system needs to start recovery. In fact, key files the client would absolutely need during any recovery procedure were not being backed up at all, because the provider had labeled them “backup files,” not required for critical processing during usual business, and the backup system was simply filtering them out. Clearly we were not concerned with business as usual!
Though our client had previously felt very sure of their recovery capabilities and had, for several years, paid a first-class disaster recovery provider to back up their data, the arrangement had never been analyzed to recognize its clear flaws. While the provider was technically holding up their end of the contract, our client would never have been able to recover from any data loss impacting their core system. Because of a few simple questions and conversations with the backup and core processing vendors, this client now has a better sense of certainty, with evidence to prove their recovery capabilities!
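The failure above, an exclude rule that silently drops files recovery depends on, is cheap to catch if you compare the backup job's rules against a list of what the core system actually needs to restart. The following is an added example, not code from the original post or from any vendor mentioned in it; the manifest, file paths and exclude patterns are all hypothetical and constructed here to show the check. It runs the same file tree through the provider's original name-based rule and through a corrected rule and reports which required files would be missing from a restore.

```python
"""
Added example (not from the original post): a restore-readiness check.

A backup provider excluded anything with "backup" in the file name as
"not needed for business as usual", which dropped files the core system
needs to restart. Here a restore manifest (what recovery actually needs)
is compared against what the backup job's exclude rules would keep.
All paths, patterns and the manifest are hypothetical and constructed
for this example.
"""
import fnmatch
from pathlib import PurePosixPath

# Hypothetical manifest: files the core processing system needs to restore.
# In practice this list comes from the core vendor's recovery runbook,
# never from the backup provider's idea of what matters.
RESTORE_MANIFEST = [
    "/core/db/ledger.dat",
    "/core/db/ledger.idx",
    "/core/config/core.ini",
    "/core/journal/daily_backup_set.jnl",   # name happens to contain "backup"
    "/core/keys/hsm_backup_wrap.key",       # name happens to contain "backup"
]

# Hypothetical file tree as the backup agent sees it.
ON_DISK = RESTORE_MANIFEST + [
    "/home/teller1/Documents/memo.docx",
    "/tmp/cache.bin",
]


def apply_excludes(paths, exclude_patterns):
    """Return the paths that survive the backup job's exclude patterns.

    Patterns are shell-style globs matched against the basename, which is
    how most backup agents' name-based excludes behave.
    """
    kept = []
    for p in paths:
        name = PurePosixPath(p).name
        if any(fnmatch.fnmatch(name, pat) for pat in exclude_patterns):
            continue
        kept.append(p)
    return kept


def missing_from_backup(manifest, backed_up):
    """Files the manifest requires that the backup would not contain."""
    backed = set(backed_up)
    return [p for p in manifest if p not in backed]


def restore_readiness(manifest, on_disk, exclude_patterns):
    """Run the check. Returns (ok, missing): ok is True only if every
    manifest file would be present in the backup."""
    backed_up = apply_excludes(on_disk, exclude_patterns)
    missing = missing_from_backup(manifest, backed_up)
    return (len(missing) == 0, missing)


if __name__ == "__main__":
    # The provider's original rule: anything with "backup" in the name is
    # not needed for business as usual, so skip it.
    bad_rules = ["*backup*", "*.tmp"]
    ok, missing = restore_readiness(RESTORE_MANIFEST, ON_DISK, bad_rules)
    print("exclude rules", bad_rules, "-> restore ready:", ok)
    for p in missing:
        print("  MISSING:", p)

    # Corrected rules: only exclude what the recovery manifest proves is
    # unneeded; never a word that may appear in a core file's name.
    good_rules = ["*.tmp"]
    ok, missing = restore_readiness(RESTORE_MANIFEST, ON_DISK, good_rules)
    print("exclude rules", good_rules, "-> restore ready:", ok)
```

The point of keeping the manifest separate from the backup configuration is that the two are owned by different parties: the core vendor knows what a restart needs, the backup vendor knows what they are copying, and the check is where the client makes the two agree in writing. Run it whenever either side changes a rule, and keep the output with the other exercise evidence.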