meeting ffiec requirements conducting your business impact analysis n.
Skip this Video
Loading SlideShow in 5 Seconds..
Meeting FFIEC Requirements – Conducting your Business Impact Analysis PowerPoint Presentation
Download Presentation
Meeting FFIEC Requirements – Conducting your Business Impact Analysis

Loading in 2 Seconds...

play fullscreen
1 / 30

Meeting FFIEC Requirements – Conducting your Business Impact Analysis - PowerPoint PPT Presentation

  • Uploaded on

Meeting FFIEC Requirements – Conducting your Business Impact Analysis. January 29 th 2013 Don Stewart, MBCP, MBCI, CCP Senior Business Continuity Professional. Test. About Ongoing Operations. Leading provider of business continuity services to credit unions nationwide

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Meeting FFIEC Requirements – Conducting your Business Impact Analysis' - dorie

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
meeting ffiec requirements conducting your business impact analysis

Meeting FFIEC Requirements – Conducting your Business Impact Analysis

January 29th 2013

Don Stewart, MBCP, MBCI, CCPSenior Business Continuity Professional


about ongoing operations
About Ongoing Operations
  • Leading provider of business continuity services to credit unions nationwide
  • CUNA Strategic Services provides credit unions with access to quality products, services and technologies through 3rd party providers such as Ongoing Operations
  • OGO facilities
    • Phoenix, Arizona
    • Longmont, Colorado
    • Hagerstown, Maryland
    • Thousand Oaks, California

Plan. Prepare. Protect.


the ogo difference
The OGO Difference
  • Focus on making business continuity planning an organization wide initiative and process
  • Holistic - People, Processes AND Technologies
  • Financial Impact Analysis (FIA) as well as Threat and Business Impact Analysis (BIA)
  • Award winning BCP software platform
  • Certified Professional Staff

Plan. Prepare. Protect.


key outcomes

Discuss FFIEC Requirements regarding Business Continuity Plan / Business Impact Analysis (BIA)

Financial Impact Analysis (FIA) component, Enterprise ThreatAssessment, Business Impact Analysis

Using the results to develop a stronger Business Continuity Program and to provide Continuity of Service to our Members NO MATTER WHAT HAPPENS!

Key Outcomes


goal of business continuity plan

Minimize financial losses to the institution

BIA to identify business processes with potential for greatest impact (including Threat and Financial Impact Analysis)

Continue member service with minimal interruption

Focus on “Continuity of Member Service”

Mitigate negative effects of disruption on Operations

Solutions include redundancy, failover, resiliency, procedural documentation and manual alternative procedures

Prioritize implementation of solutions

Goal of Business Continuity Plan


board senior management responsibilities

Oversee the BCP Process

Establish policy for managing risks

Personnel and financial allocation

Annual review of the program

Support employee training and awareness

Ensure regular enterprise-wide testing of the BCP

Review BCP testing program and test results

Support continual updates to keep program

Board & Senior Management Responsibilities


objectives to include in plan

Include recovery, resumption and maintenance of the business – not just technology

Enterprise-wide BCP and prioritization of business objectives and critical operations essential for recovery

Integration of role in financial markets

Regular updates based on changes in business processes, audit recommendations and lessons learned

Cyclical process-oriented approach including BIA, Threat Assessment, Risk Management, Vendor Management, and the Exercise life-cycle

Objectives to include in plan


the bia

Assess and prioritize business functions and processes

Indentify potential impact of business disruptions on the business functions and processes

Identify legal and regulatory requirements of the business functions and processes

Estimate maximum allowable outages and acceptable level of losses associated with functions and processes

Estimate RTOs and RPOs



the threat assessment

Evaluate BIA assumptions using various threat scenarios

Analyze threats based on impact to institution, members and financial market

Prioritize potential business disruptions based on severity which is determined by impact on operations and probability of occurrence

Perform “gap analysis” that compares existing BCP to policies and procedures to be implemented based on prioritized disruptions and resulting impact

The Threat Assessment


threat risk management

Based on comprehensive BIA, Threat, and Risk Assessment tools

Documented with audit trail

Reviewed and approved by Board and Senior Management annually

Disseminated to employees

Properly managed when outsourced to 3rd party

Specific regarding what conditions should prompt implementation of the plan and the process for invoking

Threat/Risk Management


event management

Immediate steps should be taken during a disruption

Flexible for unanticipated scenarios and changing internal conditions (all hazards approach)

Focused on impact of various threats that could potentially disrupt operations (specific event docs)

Developed based on valid assumptions and interdependencies

Effective minimizing disruptions and financial loss through implementation of mitigation strategies

Event Management


exercising the program

Incorporate BIA and Threat Assessment into BCP and Exercise Program life-cycle

Develop enterprise-wide exercise program

Assign roles and responsibilities for exercise program

Complete at least annual exercise of the BCP (this is much more than the annual IT/DR exercise)

Exercising the program


exercise life cycle

Senior Management and BOD evaluate program and exercise results

3rd party audit/assessment of exercise results

Revise BCP and exercise program based on operational changes, audit and examination recommendations, and test results

Exercise life-cycle


integrate policies standards into the bc planning process

Security Standards

Project Management

Change Control Policies

Data Synchronization/backup Procedures

Crisis Management

Incident Response

Employee Training

Notification Standards


Government and Community

Integrate Policies & Standards into the BC Planning Process


fia tool
Potential financial impact

Uses your 5300 Report and NCUA statistics on what the impact of actual events has been

Available to use at

Executive team MAO!

FIA Tool


what does the fia measure
Delinquency Risk

Daily Transaction Risk

Fee Income Risk

Check & ACH Risk

Daily Loan Risk

Reputational Risk

What does the FIA measure?








bia outcomes

Core to your planning process

Meet regulatory and audit requirements

Senior Management Support

Top ranked Threat items with plans to protect, assign, accept or eliminate the threat

Creation of an IT recovery plan that uses the outcome of the BIA to establish a priority for recovery – must include an annual life-cycle of testing/exercising for all critical systems and connectivity

BIA Outcomes


exercise your plan

Critical processes and locations

Is the plan to work from home or alternate site? Perform processes from the alternate location

What processes are included

Who is involved in the exercise

Successful exercise?

Issues occurred and revisions assigned for additional exercise

Everything was smooth and all goals were achieved

Exercise your plan



Integrate DR and BCP into daily operations

Separate the roles of DR Administrator and BCP Administrator



don stewart mbcp mbci ccp senior business continuity professional www ongoingoperations com
Don Stewart, MBCP, MBCI, CCPSenior Business Continuity