Business continuity planning: A risk manager's agenda for operational and credit risk management

The RMA Journal, March 2002, by Joel Lanz

This two-part article identifies current actions that risk managers need to take to strengthen their business continuity strategies. Part I focuses on operational risk management strategies for bank service delivery. Part II, to be presented in a future issue, discusses how lenders should evaluate their customers' continuity plans to mitigate the risk of a customer not meeting credit obligations due to a business interruption.

Many bank risk managers are in the process of reassessing business continuity risk strategies at both the operational and credit risk levels. At the operational risk management level, the strategies must ensure that customer service delivery commitments and objectives are achieved. At the credit risk management level, they must ensure that business interruptions affecting the customer's business will not affect the quality of the credit.

Why Reevaluate Continuity Planning at the Operational Risk Level?

Given the trust and expectations of the public, banks have always played a leadership role in continuity planning by:

* Providing emergency financial assistance, including loan programs and funds to disaster areas.

* Providing "thought leadership" and sharing best practices on developing Y2K contingency plans.

* Involving the board of directors in annually reviewing continuity plans, including incorporating recommendations from such independent experts as banking regulators and both internal and external auditors.

* Demonstrating the resilience of the industry in the aftermath of September 11. (1)

Recent events have changed the assumptions we make about potential events and their impact on the business that drives the continuity plan. Figure 1--taken from the FFIEC's IS Examination Handbook--contains the typical steps involved in the development of a corporate contingency plan. (2)

Note the effect that assumptions and business impact analysis-related steps (items 1-4) have on the development of the plan.

Changing Assumptions

Banks have always tailored the assumptions used to develop a business continuity plan to their unique circumstances, considering the probability of occurrence as well as the cost-benefit of the control. Many assumptions used in plans leveraged lessons learned from Y2K compliance efforts. Additionally, as banks conducted various testing exercises, they reconsidered the assumptions used and made the necessary adjustments. Three current factors placing pressure on banks to reevaluate their continuity plan assumptions are recent global events, new business and service delivery models, and increasing use of service providers and vendors.

Recent global events. These events have triggered a number of revised assumptions:

* Greater consideration given to whether the bank might fit a terrorist target profile. Risks include but are not limited to:

  * location of bank facilities and projects, especially in areas with major financial, political, or industrial activities;

  * types of services provided, including having customers who may fit a terrorist target profile;

  * image of the bank, especially if viewed as an icon of American prosperity; and

  * conducting operations at or near landmark buildings and surrounding areas.

* Greater potential for critical public infrastructures (for example, utilities, transportation, public safety) to be unavailable. Previously, especially in areas not historically subjected to severe weather conditions, this threat was generally recognized as a very low probability. Additionally, a number of resource-challenged banks wrongly believed that if public infrastructures were unavailable, customer service delivery expectations would significantly decrease. Events have shown that public expectations (including those of the media) can even increase during disasters.

* Expanded continuity planning actions relating to people. Although continuity plans always prioritized the safety of personnel, many plans--especially those focused on operational recovery and not business continuity--gave minimal consideration to employees' mental well-being or the impact of commuting to a "long-distance" recovery site over an extended period of time.

* Forcing the issue of adequate testing. Banks generally test their continuity plans on an annual basis. However, the extent of testing varies considerably, from a structured walk-through (reading and discussing the plan) to actually shutting down operations and attempting a recovery (banks that perform the latter typically do so over a weekend). Many experts agree that, at a minimum, a parallel level of testing needs to be performed. In this situation, the plan is tested without disrupting business operations. As a result, participation in the test is limited. Typically, the IT group takes a leadership role (because the test needs to be done) and the service delivery people do not adequately participate (because they are too busy serving the client). The latter are not adequately prepared to provide feedback on the accuracy and completeness of the plan, nor are they familiar with what to do in an emergency.


 


Content provided in partnership with Thompson Gale