Meeting FFIEC Requirements – Conducting your Business Impact Analysis


  1. Meeting FFIEC Requirements – Conducting your Business Impact Analysis
     January 29th 2013
     Don Stewart, MBCP, MBCI, CCP, Senior Business Continuity Professional
     Test

  2. About Ongoing Operations
     • Leading provider of business continuity services to credit unions nationwide
     • CUNA Strategic Services provides credit unions with access to quality products, services and technologies through 3rd party providers such as Ongoing Operations
     • OGO facilities: Phoenix, Arizona; Longmont, Colorado; Hagerstown, Maryland; Thousand Oaks, California
     Plan. Prepare. Protect.

  3. The OGO Difference
     • Focus on making business continuity planning an organization-wide initiative and process
     • Holistic – People, Processes AND Technologies
     • Financial Impact Analysis (FIA) as well as Threat and Business Impact Analysis (BIA)
     • Award-winning BCP software platform
     • Certified professional staff

  4. Key Outcomes
     • Discuss FFIEC requirements regarding the Business Continuity Plan / Business Impact Analysis (BIA)
     • Financial Impact Analysis (FIA) component, Enterprise Threat Assessment, Business Impact Analysis
     • Using the results to develop a stronger Business Continuity Program and to provide Continuity of Service to our Members NO MATTER WHAT HAPPENS!

  5. FFIEC Requirements related to Business Continuity Plan / Business Impact Analysis

  6. Goal of Business Continuity Plan
     • Minimize financial losses to the institution
       – BIA to identify business processes with potential for greatest impact (including Threat and Financial Impact Analysis)
     • Continue member service with minimal interruption
       – Focus on “Continuity of Member Service”
     • Mitigate negative effects of disruption on Operations
       – Solutions include redundancy, failover, resiliency, procedural documentation and manual alternative procedures
     • Prioritize implementation of solutions

  7. Board & Senior Management Responsibilities
     • Oversee the BCP process
     • Establish policy for managing risks
     • Personnel and financial allocation
     • Annual review of the program
     • Support employee training and awareness
     • Ensure regular enterprise-wide testing of the BCP
     • Review BCP testing program and test results
     • Support continual updates to keep program

  8. Objectives to include in plan
     • Include recovery, resumption and maintenance of the business – not just technology
     • Enterprise-wide BCP and prioritization of business objectives and critical operations essential for recovery
     • Integration of role in financial markets
     • Regular updates based on changes in business processes, audit recommendations and lessons learned
     • Cyclical, process-oriented approach including BIA, Threat Assessment, Risk Management, Vendor Management, and the Exercise life-cycle

  9. The BIA
     • Assess and prioritize business functions and processes
     • Identify potential impact of business disruptions on the business functions and processes
     • Identify legal and regulatory requirements of the business functions and processes
     • Estimate maximum allowable outages and acceptable level of losses associated with functions and processes
     • Estimate RTOs and RPOs

  10. The Threat Assessment
     • Evaluate BIA assumptions using various threat scenarios
     • Analyze threats based on impact to institution, members and financial market
     • Prioritize potential business disruptions based on severity, which is determined by impact on operations and probability of occurrence
     • Perform a “gap analysis” that compares the existing BCP to the policies and procedures to be implemented based on prioritized disruptions and resulting impact

  11. Threat/Risk Management
     • Based on comprehensive BIA, Threat, and Risk Assessment tools
     • Documented with an audit trail
     • Reviewed and approved by Board and Senior Management annually
     • Disseminated to employees
     • Properly managed when outsourced to a 3rd party
     • Specific regarding what conditions should prompt implementation of the plan and the process for invoking it

  12. Event Management
     • Immediate steps should be taken during a disruption
     • Flexible for unanticipated scenarios and changing internal conditions (all-hazards approach)
     • Focused on the impact of various threats that could potentially disrupt operations (specific event docs)
     • Developed based on valid assumptions and interdependencies
     • Effective in minimizing disruptions and financial loss through implementation of mitigation strategies

  13. Exercising the program
     • Incorporate BIA and Threat Assessment into the BCP and Exercise Program life-cycle
     • Develop an enterprise-wide exercise program
     • Assign roles and responsibilities for the exercise program
     • Complete at least an annual exercise of the BCP (this is much more than the annual IT/DR exercise)

  14. Exercise life-cycle
     • Senior Management and BOD evaluate program and exercise results
     • 3rd party audit/assessment of exercise results
     • Revise BCP and exercise program based on operational changes, audit and examination recommendations, and test results

  15. Integrate Policies & Standards into the BC Planning Process
     • Security Standards
     • Project Management
     • Change Control Policies
     • Data Synchronization/Backup Procedures
     • Crisis Management
     • Incident Response
     • Employee Training
     • Notification Standards
     • Insurance
     • Government and Community

  16. Financial Impact Analysis

  17. FIA Tool
     • Potential financial impact
     • Uses your 5300 Report and NCUA statistics on what the impact of actual events has been
     • Available to use at www.ongoingoperations.com
     • Executive team MAO!

  18. What does the FIA measure?
     • Delinquency Risk
     • Daily Transaction Risk
     • Fee Income Risk
     • Check & ACH Risk
     • Daily Loan Risk
     • Reputational Risk

  19. (image slide)

  20. Delinquency Risk

  21. Daily Transaction Risk

  22. Fee Income Risk

  23. Check & ACH Risk

  24. Daily Loan Risk

  25. Reputational Risk

  26. Using the BIA results to develop a stronger BCP

  27. BIA Outcomes
     • Core to your planning process
     • Meet regulatory and audit requirements
     • Senior Management support
     • Top-ranked Threat items with plans to protect, assign, accept or eliminate the threat
     • Creation of an IT recovery plan that uses the outcome of the BIA to establish a priority for recovery – must include an annual life-cycle of testing/exercising for all critical systems and connectivity

  28. Exercise your plan
     • Critical processes and locations
     • Is the plan to work from home or from an alternate site?
     • Perform processes from the alternate location
       – What processes are included
       – Who is involved in the exercise
     • Successful exercise?
       – Issues occurred and revisions assigned for an additional exercise
       – Everything was smooth and all goals were achieved

  29. Strategy
     • Integrate DR and BCP into daily operations
     • Separate the roles of DR Administrator and BCP Administrator

  30. Don Stewart, MBCP, MBCI, CCP, Senior Business Continuity Professional
     www.ongoingoperations.com
