Disaster Preparedness
Critical Elements of Centurion Business
Continuity Planning
Tom Williams
Centurion Business Continuity Strategy Manager
• This webinar, Critical Elements of Centurion Business Continuity Planning, is the second webinar of a two-part series.
• The first webinar in this series was entitled: Discover Next-Generation Data Redundancy Services with Centurion Hosted High Availability
• To view the recording of Webinar 1, please email Cathy Ohara at [email protected] to request the link to the webinar replay.
Disaster Preparedness Webinar Series
Agenda
• Identifying the Disaster Risk Mitigation Profile for
your bank
• The FFIEC Guidelines on Business Continuity
Planning
• Centurion’s Ten steps to Business Continuity
Planning
• Centurion Disaster Recovery Suite of Services
• Q&A
How would you answer the following questions regarding your bank’s BCP?
• Is it an “Enterprise Wide” plan or just an I/T plan?
• Will the plan meet the examination criteria?
• Is the plan tested and maintained on a regular basis?
• How effective is our BCP?
The most important question:
• Will our plan get us through a serious disaster event?
Top 5 Reasons why banks do not have an effective BCP
1. Let’s just do enough to satisfy the auditors and examiners.
2. The myth that there is a plan in place that will work.
3. It costs too much money.
4. The disaster will never strike.
5. We are too busy with other projects that are of a higher priority.
Identify your Bank’s Disaster Risk Mitigation Profile
[Chart labels: LOW RISK, MODERATE RISK, HIGH RISK; No Business Continuity Program, Business Continuity Program, BSA/AML, Internal Fraud.]
Each organization should continually strive to move toward the Low Risk area.
The FFIEC Guidelines on Business Continuity
Business Impact Analysis
• Disaster Impacts
• Prioritization
• Recovery Windows
• Recovery Strategies
• Resource Requirements
Risk Assessment
• Threats
• Frequency
• Duration
• Forewarning
Develop Business Continuity Plan
• Enterprise Wide BCP
• Emergency Plan
• Crisis Management Plans
• IT & Business Unit Plans
Test / Maintenance Program
• Plan Updates
• Recovery Center Testing
• Tabletop Exercises
• Mock Drills
Centurion’s Ten Steps to Business Continuity Planning
1. Obtain Management Support
2. Develop BCP Development Team
3. Review Current Business Continuity Plan
4. Conduct a Business Impact Analysis
5. Conduct a Risk Assessment
6. Determine Recovery Strategies
7. Document the Business Continuity Plan
8. Test Recovery Plan
9. Initiate Plan Maintenance Process
10. Obtain Board and Regulatory Approval
Step 1 – Obtain Management Support
• Familiarize yourself and management with the FFIEC Business Continuity Guidelines
• Conduct research to determine plan deficiencies
• Compare your plan to different plans
• Talk with other FI’s about their BCP approach
• Read articles to educate management on Best Practices for BCP in the financial sector
• Go to BCP / DR conferences for education
• Have your plan reviewed by BCP experts
• Conduct a mock disaster drill with your senior team
Step 1 – Obtain Management Support
Risk Measurement: the risk of a disaster occurring and not having an effective plan vs. the cost of having an effective BCP plan
[Chart: Risk vs. Cost]
Step 1 – Obtain Management Support
Disaster Level of Readiness vs. Cost of Recovery
[Chart: Cost of Recovery (High / Medium / Low) against Level of Commitment, for the readiness levels: No preparations; IT Plan/Hot Site Only; Enterprise Wide BCP; Enterprise Wide BCP tested and maintained at all levels.]
Step 2 – Develop BCP Development Team
• Select an Executive Owner
• Select a BCP Manager / BCP Coordinator
• Select a participant from each business unit
• Include BCP responsibility in job description
Step 2 – Develop BCP Development Team
• Establish a project plan for plan completion
– Plan development tasks / responsibilities / timelines / success factors / critical decision points
– Departmental interviews / management reporting
– Escalation process and status meeting dates
• Determine the following:
– Plan development methodology (Internal or Outsourced)
– How plan information will be stored and accessed
• Word Processor or BCP Software Tool
– Plan structure
Step 3 – Review Current Plan
Plan Elements (mark each as In Plan / Not In Plan):
• Evacuation Plan in place and tested regularly
• Succession / Escalation Plan
• Alternate Work Locations Identified for IT & Departments
• Critical Processes & Functions Identified / Prioritized
• Recovery Time Frames Identified at the Functional Level
• Risks Identified and Prioritized
• Critical Documentation Identified
• Resource Requirements Identified
• Emergency Phone Numbers for Internal & External support
• Recovery Teams Identified
• Recovery Tasks Identified for Personnel for I/T & Departments
• Manual Procedures Documented for I/T & Departments
Step 4 – Conduct a Business Impact Analysis (BIA)
The Business Impact Analysis Process
1. Identify the Processes & Functions per Business Unit
2. Determine the impact if the process / function is interrupted
3. Determine the Recovery Time & the Recovery Point Objectives
4. Prioritize to determine the Mission Critical Processes
5. Determine the Recovery Strategies for each function
6. Determine the Resource Requirements
7. Determine Alternate Locations to restore function
8. Document Contingency Procedures per function
Step 4 – Conduct a BIA – Determining Impacts
IMPACTS
• Lost Revenue
• Accounting Records
• Fines and Penalties
• Vital Account Records
• Lost Financial Records
• Customer Service
• Work Flow
• Quality
• Life and Safety
• Public Opinion
• Social Issues
• Employee Morale
• Employee Stress
Step 5 – Conduct a Risk Assessment
• Probability of Occurrence
– Applicability
– Geography
– History/Current Events
• Severity
– Forewarning
– Speed
– Duration
• Mitigation
– Prevention
Step 5 – Conduct a Risk Assessment
• Natural
– Quake
– Tsunami
– Fire
– Lightning
– Tornado
– Typhoon
– Epidemic
• Technological
– Utility Failure
– Air Crash
– Hazmat
– Contamination
– System Failure
– Proximity Crisis
– Economic
• Intentional
– Cyber Attacks
– Reputational
– Espionage
– Terror – Mumbai
– Threats
– Food Tampering
– Strike
– Riot
Step 6 – Determine Recovery Strategies based on the BIA
• Core System
• Check Imaging
• Report Retrieval
• Document Imaging
• ATM / Card Processing
• Internet Banking
• Fedline
• Voice Response
• Statement Printing
• Internal Network, i.e.
• Voice Communications
• Telephone Banking
• Call Center Operations
• Employees
• Facilities
Regulatory Expectations – Prioritizing Critical Business Functions
Source: FFIEC IT Examination Handbook, Business Continuity Planning, March 2008, Appendix F, p. F-3
Prioritizing Critical Business Functions
• Can we recover our technology infrastructure from a disaster?
• What is our Recovery Time Objective (RTO) for our core?
• What is our RTO for our server environment?
• What is our Recovery Point Objective (RPO) for core?
• What is our RPO for our server environment?
Step 6 – Determine Recovery Strategies: Cost vs. Level of Commitment – Technology Infrastructure
[Chart: recovery cost (Lower to Higher) against recovery time (Minutes / Hours / Days), grouped as Continuous Availability – Disaster Avoidance, Multi-Site Failover / Fallback, and Traditional Tape Recovery.]
• RPO = near zero, RTO < 1 min, Automatic: Server/Workload/Network/Data SYSPLEX
• RPO = near zero, RTO < 1 hr. to 4 hours, Automatic: Server/Workload/Network/Data Automatic Site Switch
• RPO = near zero, RTO < 1 hr. to 4 hours, Manual: Disk or Tape Data Mirroring
• RPO > 15 min., RTO = 4+ hours, Manual: PiT or SW Data Replication
• RPO = 4+ hours, RTO = 8 to 24 hours, Manual: Data Base Log Replication & Host Log Apply at Remote
• RPO > 24 hours, RTO = Days: Tape, HW ATOD – Point-in-Time Backup to Tape / Disk
• RPO < 24 hours, RTO = 8–24 hours: Electronic Tape Vaulting
Recovery Solutions – Align recovery strategies to the Business Impact Analysis
Critical Business Functions – RTO – Resources
Function               Max Allowable Downtime    Applications & Systems     OS
Core processing        Critical – Min. to hrs.   SilverLake®, CIF 20/20®    iOS
Item processing        Critical – Min. to hrs.   4|Sight™                   Wintel
Document Imaging       Urgent – 24 hrs           Synergy®                   Wintel
Online banking         Urgent – 24 hrs           NetTeller®                 N/A
Telephone banking      Critical – Min. to hrs.   iTalk™                     Wintel
Mobile banking         Urgent – 24 hrs           NetTeller®                 N/A
Bill pay               Urgent – 24 hrs           iPay Solutions™            N/A
Check printing         Urgent – 24 hrs           SilverLake®, CIF 20/20®    iOS
Credit card processor  Urgent – 24 hrs           jhaPassPort™               Wintel
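The BIA steps above (prioritize by recovery objective, then choose a recovery strategy per function) can be carried out mechanically once the function table and the Step 6 tier chart are written down as data. The Python below is an added example, not material from the deck and not Centurion or JHA code. The tier RPO/RTO figures are the ones on the Step 6 chart and the functions and their Critical/Urgent classes are the ones in the table; everything else is an assumption for the illustration: the numeric hours attached to the two classes, the worst-case values chosen for open-ended figures such as "4+ hours" or "Days", and the relative cost ranks of the tiers. It goes one step beyond the table by treating a shared platform (SilverLake hosts both core processing and check printing) as inheriting the targets of its most critical dependent function, and it flags any system for which no tier meets the target rather than silently picking the closest one.

```python
"""Align recovery strategies to the Business Impact Analysis (BIA).

Added example, not from the webinar deck. Tier RPO/RTO figures follow the
Step 6 chart; functions and their classes follow the function table.
ASSUMPTIONS for this illustration: the numeric hours behind the "Critical"
and "Urgent" classes, the worst-case values used for open-ended figures,
and the relative cost ranks of the tiers.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RecoveryTier:
    name: str
    rpo_hours: float   # worst-case data loss the tier tolerates
    rto_hours: float   # worst-case time to restore service
    manual: bool       # True when failover needs human action
    cost_rank: int     # ASSUMED relative cost: 1 = cheapest


# Tiers from the Step 6 chart, cheapest (traditional tape) to most expensive
# (continuous availability). Open-ended chart figures get assumed worst cases.
TIERS = [
    RecoveryTier("Point-in-time backup to tape/disk", 48.0, 72.0, True, 1),         # "RPO>24 hours, RTO=Days" (assumed 48 h / 3 days)
    RecoveryTier("Electronic tape vaulting", 24.0, 24.0, True, 2),                  # "RPO<24 hours, RTO=8-24 hours"
    RecoveryTier("Database log replication, host log apply", 8.0, 24.0, True, 3),   # "RPO=4+ hours, RTO=8-24 hours" (assumed 8 h RPO)
    RecoveryTier("PiT or software data replication", 1.0, 8.0, True, 4),            # "RPO>15 min, RTO=4+ hours" (assumed 1 h / 8 h)
    RecoveryTier("Disk or tape data mirroring", 0.0, 4.0, True, 5),                 # "RPO near zero, RTO <1 hr to 4 hours, Manual"
    RecoveryTier("Automatic site switch", 0.0, 4.0, False, 6),                      # "RPO near zero, RTO <1 hr to 4 hours, Automatic"
    RecoveryTier("SYSPLEX continuous availability", 0.0, 1.0 / 60, False, 7),       # "RPO near zero, RTO <1 min, Automatic"
]


@dataclass(frozen=True)
class BusinessFunction:
    name: str
    criticality: str   # deck's class: "Critical" (min. to hrs.) or "Urgent" (24 hrs)
    system: str        # the "Applications & Systems" column of the table


# ASSUMED numeric (rpo_hours, rto_hours) targets behind the deck's two classes.
CLASS_TARGETS = {"Critical": (1.0, 4.0), "Urgent": (24.0, 24.0)}

# Functions from the "Critical Business Functions - RTO - Resources" table.
FUNCTIONS = [
    BusinessFunction("Core processing", "Critical", "SilverLake / CIF 20/20"),
    BusinessFunction("Item processing", "Critical", "4|Sight"),
    BusinessFunction("Document imaging", "Urgent", "Synergy"),
    BusinessFunction("Online banking", "Urgent", "NetTeller"),
    BusinessFunction("Telephone banking", "Critical", "iTalk"),
    BusinessFunction("Mobile banking", "Urgent", "NetTeller"),
    BusinessFunction("Bill pay", "Urgent", "iPay Solutions"),
    BusinessFunction("Check printing", "Urgent", "SilverLake / CIF 20/20"),
    BusinessFunction("Credit card processor", "Urgent", "jhaPassPort"),
]


def prioritize(functions=FUNCTIONS):
    """BIA step 4: order functions by tightest RTO, then RPO (mission critical first)."""
    def key(f):
        rpo, rto = CLASS_TARGETS[f.criticality]
        return (rto, rpo, f.name)
    return [f.name for f in sorted(functions, key=key)]


def required_targets(functions=FUNCTIONS):
    """Per system, the tightest (rpo, rto) over every function that depends on it.

    A shared platform is recovered to the needs of its most critical dependent
    function, so SilverLake (core processing + check printing) inherits Critical.
    """
    req = {}
    for f in functions:
        rpo, rto = CLASS_TARGETS[f.criticality]
        prev = req.get(f.system, (float("inf"), float("inf")))
        req[f.system] = (min(prev[0], rpo), min(prev[1], rto))
    return req


def cheapest_tier(rpo_hours, rto_hours, tiers=TIERS) -> Optional[RecoveryTier]:
    """Lowest-cost tier whose RPO and RTO both meet the target; None if no tier does."""
    fits = [t for t in tiers if t.rpo_hours <= rpo_hours and t.rto_hours <= rto_hours]
    return min(fits, key=lambda t: t.cost_rank) if fits else None


def align_strategies(functions=FUNCTIONS, tiers=TIERS):
    """Step 6: map each system to the cheapest adequate tier, or flag a gap to escalate."""
    plan = {}
    for system, (rpo, rto) in required_targets(functions).items():
        tier = cheapest_tier(rpo, rto, tiers)
        plan[system] = tier.name if tier else "GAP: no tier meets RPO %.2f h / RTO %.2f h" % (rpo, rto)
    return plan


if __name__ == "__main__":
    print("Priority order:", prioritize())
    for system, strategy in align_strategies().items():
        print(f"{system:24s} -> {strategy}")
```

The useful outputs are the "GAP" entries: a system whose tightest dependent function cannot be met by any strategy the institution has actually contracted for is exactly the finding that has to go back to management under Step 1, either to fund a higher tier or to revise the function's recovery window.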
Business Continuity Program
Step 4 – Draft Plans Generated
• Emergency Management Plan (Per Facility)
• Crisis Management Plans
• Information Systems Recovery Plan
• Business Unit Recovery Plans
• Executive Summary
• Plan Testing & Exercise Guide
Step 7 – Document the BCP
Step 7 – Document the BCP - Table of Contents Example
COPE: Centurion’s Online Business Continuity Expert Business Continuity Planning Tool
• Based on Best Practices of the Financial and Business Continuity industry.
• A web-based business continuity plan built on an SQL server platform utilizing a relational database.
• Built in-house by JHA software developers.
• Fosters plan ownership at the business unit level.
• Designed solely for financial institutions.
• Access plans for planning purposes, testing, maintenance, and plan execution from any web browser.
COPE – Business Unit Teams
COPE – Departments
COPE – Business Functions
Team Responsibilities
• Crisis Management Teams: Management, Administrative, Damage Assessment, Information Systems
• Business Unit Recovery Teams: Business Functions
Recovery Team Organization Chart
[Chart: Crisis Management Teams; Information Systems Management Team; Business Unit Recovery Teams. Units shown: CIG, CTC Trust Services; CIG, CFG Asset Management; Trust Administration; Trust Operations; Asset Management Client Support; Administration; Facilities Management – Administration Support; Human Resources; Compliance; Human Resources and Training; Internal Audit; Information Technology; IT; Internet Branch; Clear Sky Branch; Pandemic Response Planning; Lending Recovery Team; Commercial/Consumer Loan Operations; Mortgage Loan Operations; Deposit Operations; Bookkeeping; Electronic Services; Item Processing; Operations; Scanning.]
Crisis Management Teams
• Management Crisis Team – Team Leader: / Alternate Team Leader: / Team Members:
• Administrative Crisis Team – Team Leader: / Alternate Team Leader: / Team Members:
• Damage Assessment Crisis Team – Team Leader: / Alternate Team Leader: / Team Members:
• Information Systems Crisis Team – Team Leader: / Alternate Team Leader: / Team Members:
Business Unit Recovery Teams
• Accounting: Accounting
• Administration – Chief of Staff – Legal: Administration, Chief of Staff, Legal
• Deposit Ops – Loan Ops – TM Ops – Fraud: Card Services, Commercial Documentation, Deposit Operations, Fraud Investigations, Loan Operations, Treasury Management Operations
• ERM – BSA – Compliance – Internal Audit: Bank Secrecy, Compliance, Enterprise Risk Management, Internal Audit
• Human Resources and Project Management: Human Resources, Project Management
• IT Risk Management – Network Applications: Application Support, IT Risk Management, Network Services
• Lending – Credit: Agricultural Lending, Commercial Finance, Commercial Lending, Consumer Loans – Collections, Credit – Special Assets, Loss Share, Treasury Management
• Marketing: Marketing
Plan Execution/Recovery Timeline (from the point the EVENT OCCURS)
• Crisis Management Phase: Evacuation & Safety, Damage Assessment, Communications, Disaster Declaration
• Relocate & Restore Phase: Notifications, Mobilization, Relocation, Restore
• Recover Business Functions Phase: Resume Services
• Rebuild & Return Phase: Rebuild/Repair
Step 7 – Document the BCP
Establish a Recovery Time Line
[Chart: Recovery Time in hours, from 0 to TBD.]
Step 7 – Process and Resource Recovery
Function Description: Accept and post deposits
Recovery Window: Within 24 Hours
Describe the business tools and systems needed to complete the activity.
2.1 Information Systems: Core Processing System / Data on Network / E-mail (External) / E-mail (Internal) / Internet / Other: EZTeller System
2.2 External Data Exchange – Connections to third parties via modem or other data file exchange. Connection to: / File Name/Contents:
2.3 PC Software: MS Access / MS Excel / MS Internet Explorer / MS Word / Other (Name):
2.4 Specialty Software – Examples are teller/platform systems, loan processing systems, A/L management, etc. Name/Description: EZTeller. Supplied by: Jack Henry
2.5 General Office Equipment: Adding Machine / Copier / Fax Machine / Phone / Typewriter / Other:
2.6 PC Workstations & Peripherals: PC Workstation / Printer / Other Computer Hardware (Name):
2.7 Specialty Equipment – Examples: Proof, image capture, sorters, etc. Separate multiple entries with a comma (,). Description: / Model: / Supplied by:
Forms Used: Electronic (Name): / Paper (Name):
Reports Used: System Generated / Manually Prepared / Externally Supplied (Name): / Supplied by:
Files/Documents: Name of File/Document: / Location: / Format: Electronic / Physical:
External Services – Examples: Credit Reporting, Appraisals, Legal or Accounting
Step 8 – Test the BCP
Testing Benefits
• Identify weaknesses and exposures in the plan
• Identify backup and cross-training requirements
• Provide training for team members & vendors
• Establish credibility and authority for the plan
• Improve self-confidence through rehearsals
• Validate contract subscriptions with vendors
• Meet regulatory compliance requirements
• Authenticate recovery tasks and timelines
Step 8 – Test the Plan
Test Plan
• Identify Scope
• Set Test Objectives
• Identify Resource Requirements
• Identify Participants
• Identify Schedule Options
• Determine Test Budget
• Conduct Test
Test cycle: Test, Gap Analysis, Modifications, then test again
Step 8 - Analyze Test Results
Conduct a Post Test Review Meeting
Review results with team members and observers
Identify items to be re-tested for next test
Document test results for management & auditors
Amend Business Continuity Plan as required
Update Change Management Program
Schedule next test and set test objectives
Step 8 – Test the BCP
Testing Checklist – Areas to be tested
Activity
• Recovery of individual application systems by using files and documentation stored off-site.
• Reloading of system tapes and performing an IPL by using files and documentation stored off-site.
• Ability to process on a different computer.
• Ability of management to determine priority of systems with limited processing.
• Ability to recover and process successfully without key people.
• Ability of the plan to clarify areas of responsibility and the chain of command.
• Effectiveness of security measures and security bypass procedures during the recovery period.
• Ability of users of real-time systems to cope with a temporary loss of on-line information.
• Ability of users to continue day-to-day operations without applications or jobs that are considered noncritical.
Step 9 – Initiate Plan Maintenance Process
• Have all updates coordinated by BCP owner
• Establish Plan Ownership at the department level
• Make department managers responsible for updating their business unit plans
• Update plan annually for smaller organizations and bi-annually for larger organizations using the FFIEC guidelines.
• Integrate plan into the Change Management Process
• Develop a plan update status report & report results to senior management
Step 9 – Initiate Plan Maintenance Process
Maintenance Cycle: One Year – 12 Months
Maintenance Phases: 6 Phases – 2 Months per Phase
Phase 1: Locations, Personnel, Recovery Teams, Internal Notifications
Phase 2: Business Functions, Processes, Resources
Phase 3: Vendors, External Notifications
Phase 4: Schedule Plan Exercises, Application Recovery Procedures
Phase 5: Update Documentation, Prepare for Tests and Exercises
Phase 6: Conduct Plan Exercises, Changes from Exercises
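A six-phase, two-months-per-phase cycle only works if someone can tell, on any given day, which plan components are in their window, which were updated in time and which slipped. The Python below is an added example, not material from the deck and not Centurion or JHA code. The phase contents are the six listed for Step 9; the cycle start date, the sample plan components with their assigned phases, and their last-updated dates are constructed for the illustration.

```python
"""Step 9 plan maintenance: six two-month phases over a twelve-month cycle.

Added example, not from the webinar deck. Phase contents are those listed on
the Step 9 slide. ASSUMED for the illustration: the cycle start date, the
mapping of sample plan components to phases, and their last-updated dates.
"""
from calendar import monthrange
from datetime import date

MONTHS_PER_PHASE = 2  # "6 Phases - 2 Months per Phase"

PHASES = {
    1: "Locations, Personnel, Recovery Teams, Internal Notifications",
    2: "Business Functions, Processes, Resources",
    3: "Vendors, External Notifications",
    4: "Schedule Plan Exercises, Application Recovery Procedures",
    5: "Update Documentation, Prepare for Tests and Exercises",
    6: "Conduct Plan Exercises, Changes from Exercises",
}


def add_months(d: date, n: int) -> date:
    """Shift a date by n months, clamping the day to the target month's length."""
    y, m0 = divmod(d.month - 1 + n, 12)
    year, month = d.year + y, m0 + 1
    return date(year, month, min(d.day, monthrange(year, month)[1]))


def phase_windows(cycle_start: date):
    """Return {phase: (start, end)} with end exclusive; the six windows cover one year."""
    windows = {}
    for phase in PHASES:
        start = add_months(cycle_start, (phase - 1) * MONTHS_PER_PHASE)
        windows[phase] = (start, add_months(start, MONTHS_PER_PHASE))
    return windows


def current_phase(cycle_start: date, today: date):
    """Phase active on `today`, or None if today falls outside the cycle."""
    for phase, (start, end) in phase_windows(cycle_start).items():
        if start <= today < end:
            return phase
    return None


def component_status(phase: int, last_updated: date, cycle_start: date, today: date) -> str:
    """Classify one plan component against its maintenance window in this cycle.

    current   - updated inside its window this cycle
    due       - its window is open and it has not been updated yet
    overdue   - its window has closed without an update
    scheduled - its window has not opened yet
    """
    start, end = phase_windows(cycle_start)[phase]
    if last_updated >= start:
        return "current"
    if today < start:
        return "scheduled"
    return "due" if today < end else "overdue"


def maintenance_report(components, cycle_start: date, today: date):
    """components: iterable of (name, phase, last_updated). Returns {name: status}."""
    return {name: component_status(phase, updated, cycle_start, today)
            for name, phase, updated in components}


# Constructed sample data: a cycle starting 2024-01-01, reviewed on 2024-06-15.
CYCLE_START = date(2024, 1, 1)
TODAY = date(2024, 6, 15)
SAMPLE_COMPONENTS = [
    ("Recovery team roster", 1, date(2024, 2, 10)),
    ("Business function inventory", 2, date(2023, 12, 20)),
    ("Vendor contact list", 3, date(2023, 11, 2)),
    ("Application recovery procedures", 4, date(2023, 8, 1)),
]

if __name__ == "__main__":
    phase = current_phase(CYCLE_START, TODAY)
    print("Current phase:", phase, "-", PHASES[phase])
    for name, status in maintenance_report(SAMPLE_COMPONENTS, CYCLE_START, TODAY).items():
        print(f"{status:9s} {name}")
```

The "overdue" status is the one that belongs in the plan update status report to senior management: it means a phase closed without the department owner touching their component, which is the failure the department-level ownership model in Step 9 is meant to prevent.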
Step 10 – Obtain Board and Regulatory Approval
• Has policy been determined on how to manage and control identified risks?
• Have knowledgeable personnel and sufficient financial resources been allocated to properly implement the BCP?
• Has the BCP been independently reviewed?
• Are employees trained and aware of their BCP roles?
• Is the BCP regularly tested on an enterprise-wide basis?
• Has the board reviewed the test results and improvement plans based on the test results?
• Is the BCP continually updated to reflect the current operating environment?
Identify your Bank’s Disaster Risk Mitigation Profile
[Chart labels: LOW RISK, MODERATE RISK, HIGH RISK; No Business Continuity Program, Business Continuity Program, BSA/AML, Internal Fraud.]
Each organization should continually strive to move toward the Low Risk area.
Next Steps
1. Ensure you have Executive support for the BCP.
2. Have your BCP reviewed by BCP Experts.
3. Conduct a Mock Disaster Drill using your BCP.
4. Determine if outside expertise is required to improve your plan, or if the work will be done internally.
5. Ensure that your BCP is structured at the department level.
6. Build / improve your plan and test it regularly.
Centurion Business Continuity Planning Services
• Business Continuity Plan Development
– Deluxe Business Continuity Plan Development Option
– Remote Business Continuity Plan Development Option
• Review of your current BCP / DR Plans
• Mock Disaster Drills / Training on BCP / DR
• Business Continuity Strategic Planning Session
• Business Continuity Executive Webinars (Free)
Centurion Suite of Services
Contact Information
• Tom Williams
– Centurion Business Continuity Strategy Manager
– GSB Faculty Instructor
– 800-299-4411
Questions