4 Ways Financial Institutes Can Build an Effective Business Continuity Plan
“Financial institutions should consider developing an awareness program to let customers, service providers, and regulators know how to contact the institution if normal communication channels are not in operation.”
–Federal Deposit Insurance Corporation (FDIC)
Financial institutions including banks, credit unions, accounting firms, and loan offices are all vulnerable to security breaches, unforeseen emergencies, and operational disruptions. With millions (or potentially billions) of dollars at risk, the need for an effective business continuity plan (BCP) is mission critical.
There are also unique employee/customer needs specific to the financial sector. For example, because banks are susceptible to robberies, the threat of a violent situation is higher. In addition, public-facing environments are exposed to unique threats where management is in a position of having to protect both its employees and customers.
Robberies pose a physical danger to employees and to any customer in the bank, and leave a psychological impact on both. Banks are also frequent targets of cyberattacks and fraud, which can result in financial loss for the bank and its customers. As a result, the financial/banking sector is likely to struggle more than most industries in the aftermath of an emergency.
A Brief Guide to Financial Institute Business Continuity
The following guide serves as a starting place for handling an incident and recovering as quickly as possible. Beyond security threats typically associated with banks (robberies, cyber-attacks, and fraud), there are a host of potential disasters that could impact an organization.
Severe weather including hurricanes, tornadoes, blizzards, and wildfires can wreak havoc on any infrastructure. Other isolated scenarios a business might encounter: the nightmare of an active shooter on the premises, widespread technical failure, or a sudden power outage.
Keeping your people safe and your operations up and running will be the main focus before, during, and after a disaster. Regardless of the incident, having a reliable emergency notification system in place is critical to safeguarding your assets and protecting your staff.
The Federal Deposit Insurance Corporation (FDIC) developed a business continuity plan to help financial firms navigate an emergency, and the four steps below follow its outline. Of course, you should conduct thorough research in order to build a robust plan suitable to your company’s specific needs.
1. Business impact assessment
The first step in building your business continuity plan is to address some critical questions: How will a disaster impact your business? What financial hit will your organization suffer? And how long will it take to recover? You’ll want to have a thorough understanding of what a disaster means in the context of maintaining operations.
Here are some key actions of your business impact assessment:
- Define critical business functions: This is important for prioritizing your financial institution’s resources and determining the costs associated with downtime. If you’re an organization that’s open to the public (such as a bank), you’ll want to consider the impact to customers and proactive solutions.
- Calculate downtime costs: Depending on the specific nature of the emergency, operations could be halted anywhere from hours to days or even weeks (catastrophic damage due to a major hurricane). As a result, it’s important to evaluate a range of financial consequences.
- Identify essential resources: You’ll need to understand who your key personnel are, if technologies are up to date, what facility requirements you have, if your communications system needs to be tested (e.g., mass notification system), and what steps should be taken to safeguard vital records/data.
- Determine legal impact: With any disaster, there are inevitable regulatory considerations to address. For financial institute business continuity, customer and data privacy will be a top concern. If facilities are relocated, you’ll be required to notify your organization’s primary federal regulator.
You’ll also need to review some critical needs within each of your departments. Some questions you’ll want to ask: Does my organization have necessary specialized equipment/software? How will I notify my people if internet access is unavailable? And what communication system will I need to facilitate recovery?
2. Risk assessment
One essential component of your business continuity plan is understanding the risks unique to your industry and specific to your organization. It should be noted that developing threat scenarios that are limited in scope could undermine the effectiveness of your plan.
Threats can come in various forms: malicious activity targeting your employees and customers, a technical disruption, or a natural disaster that’s entirely beyond your control. While security will be a major concern in the financial sector, the focus should be on the impact of an emergency as opposed to the threat itself.
Establishing a scale of anticipated threats is helpful in evaluating the severity of the risk. A low impact threat might be a temporary power outage, whereas an active shooter scenario or wildfire could have major business repercussions.
Risk assessment should consider the following:
- Impact of a scenario on your institution and customers
- Probability of occurrence (a rating system is useful)
- Internal and external danger to personnel, facilities, and service providers
- Vulnerability of critical processing documents and vital data/records
- Disruptions to business across natural, technical, and human threats
Financial institute business continuity plans should also take the geographic location of their facilities into account. Being located in a flood plain or close to critical infrastructure (e.g., airports, highways, nuclear power plants) could affect the potential damage your organization faces.
3. Risk management
Risk management is the stage where you’ll produce a written business continuity plan that can be disseminated across your organization. Based on the insights you’ve gained from your business impact and risk assessments, you should have a wealth of information to consolidate into a single document.
The plan should establish strategies that enable your organization to maintain operations and recover business functionality as quickly as possible. This is where you’ll want to assign priorities (critical vs. non-critical functions) and articulate specific events that could lead to an emergency situation.
Within your plan, you’ll need to clearly define roles and responsibilities and contact lists for key stakeholders/emergency team members. This will be useful in notifying your people, especially if you have an intuitive employee notification system in place.
Seamlessly contacting decision makers through a conference call, which allows users to quickly get all necessary parties on the same page (either individually or by preset groups), will prove invaluable in the event of an emergency.
Preparing for worst-case scenarios is also a best practice that will help your business brace for a serious disruption. Your plan should indicate how to respond if:
- Key personnel are not available
- Facilities are inaccessible
- Equipment malfunctions
- Software is corrupted
- Service providers are unavailable
- Utilities (power/communications) are down
- Critical documentation is not available
A note of caution: If your business has more than one location, you’ll need to prepare for potential damage/disruption to multiple facilities.
4. Testing and training
After your business continuity plan is fully established, you’ll want to test it annually (or more frequently if possible). Detailing a testing strategy is an essential starting place and should include test objectives, scripts, schedules, and a review of test results.
The objective of testing is to ensure your business continuity plan is functional under strained conditions. It helps to start small in order to keep the scope manageable as you slowly scale to include enterprise-wide testing.
In addition to developing specific test plans and establishing methods (walkthroughs, tabletop sessions, and mini-drills), you’ll also want to train your people on all relevant aspects of your continuity plan.
Employee training should focus on a thorough understanding of communication protocols. Your plan should include the adoption of employee communication software that meets the following criteria:
- Intuitive interface: easily send out critical information
- Two-way messaging: allow your people to reply with status updates
- Wellness checks: quickly survey employees to see if they’re safe or need assistance
- Geofencing: group recipients by location, based on who might be in close proximity to (or in the path of) a disaster
- Always available: accessible via mobile device, since an incident can occur any day, at any hour
Financial firms face unique challenges when it comes to disaster recovery. Security threats, compliance requirements, and potentially catastrophic economic loss should be addressed by any financial institute business continuity plan. Of course, maintaining business continuity isn’t just about recovering technology and assets. Above all, it’s about keeping your people safe, informed, and connected.
Adopting Reliable Emergency Communication Software
AlertMedia is the leading provider of emergency communication software. Our intuitive interface, two-way messaging capability, immediate onboarding, and 24/7 customer support will give your financial institution and its people peace of mind in the event of a workplace emergency.