The bank’s Disaster Recovery Plan was outdated, and its Contingency Program did not include a complete Business Impact Analysis, Threat Impact Analysis, Risk Assessment, or Business Continuity Plan. A complete Contingency Program was needed to comply with Federal Financial Institutions Examination Council (FFIEC) audit requirements, drive the development of business procedural run books, identify recovery objectives for business functions, and prioritize technical solutions, delivery, and associated costs.
A Business Impact Analysis (BIA) was developed that identified critical business processes and their dependencies, the recovery time objective, recovery point objective, and maximum tolerable downtime (RTO, RPO, and MTD) for each, and the operational impacts and financial risks resulting from business disruptions. The BIA was leveraged to perform a Threat Impact Analysis and Risk Assessment and to develop the Business Continuity Plan and Disaster Recovery Plan. A common five-pillar framework was used to align the contingency components and provide a structured approach for auditing, reviewing, and updating them. The pillars follow business continuity best practice in ranking business risk and impact in the order of people, communications, systems, facilities, and fixtures.
The organization is better prepared to ensure business operations continue after an unforeseen event, minimizing its reputational risk and financial exposure. By identifying its critical business functions and their recovery plans, the bank now complies with FFIEC audit requirements and industry-standard best practices. Technical solutions associated with critical business functions are identified, addressing both business and IT infrastructure requirements. Technical capabilities can now be aligned to business function recovery objectives (RTO and RPO), and where gaps exist, solutions can be identified and confidently prioritized.
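The alignment step described above, as an added example that is not part of the case study and not the bank's or the consultant's own tooling: each BIA row carries the RTO, RPO, MTD and hourly financial impact the business stated for a function, each recovery capability carries what the current technical solution (backups, replication, failover) can actually deliver, and the assessment validates that every RTO fits inside its MTD, measures the shortfall, and ranks findings so that MTD breaches and the largest financial exposures surface first. The class names, helper functions, business functions and figures are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class BusinessFunction:
    """One BIA row: what the business requires of a critical function."""
    name: str
    rto_hours: float        # Recovery Time Objective the business needs
    rpo_hours: float        # Recovery Point Objective (tolerable data-loss window)
    mtd_hours: float        # Maximum Tolerable Downtime before impact is unacceptable
    hourly_loss_usd: float  # financial impact per hour of disruption


@dataclass(frozen=True)
class RecoveryCapability:
    """What the current technical solution (backups, replication, failover) can deliver."""
    function_name: str
    achievable_rto_hours: float
    achievable_rpo_hours: float


@dataclass(frozen=True)
class GapFinding:
    function_name: str
    rto_gap_hours: float   # hours by which delivery falls short of the requirement (0 = met)
    rpo_gap_hours: float
    breaches_mtd: bool     # recovery cannot be guaranteed inside the MTD
    exposure_usd: float    # financial impact attributable to the shortfall
    note: str = ""

    @property
    def has_gap(self) -> bool:
        return self.rto_gap_hours > 0 or self.rpo_gap_hours > 0


def validate_bia_row(fn: BusinessFunction) -> None:
    """A BIA row is only coherent if the required RTO fits inside the MTD."""
    if fn.rto_hours > fn.mtd_hours:
        raise ValueError(f"{fn.name}: RTO {fn.rto_hours}h exceeds MTD {fn.mtd_hours}h")
    if min(fn.rto_hours, fn.rpo_hours, fn.mtd_hours, fn.hourly_loss_usd) < 0:
        raise ValueError(f"{fn.name}: objectives and loss figures must be non-negative")


def bia_row_is_valid(fn: BusinessFunction) -> bool:
    """Boolean wrapper around validate_bia_row for callers that want a check, not an exception."""
    try:
        validate_bia_row(fn)
        return True
    except ValueError:
        return False


def assess_gaps(functions: Iterable[BusinessFunction],
                capabilities: Iterable[RecoveryCapability]) -> List[GapFinding]:
    """Compare each BIA requirement with its mapped technical capability.

    Findings are ordered for prioritization: MTD breaches first, then by
    financial exposure. A function with no mapped capability is treated as
    an MTD breach whose outage and data loss run to the full MTD (worst case).
    """
    caps: Dict[str, RecoveryCapability] = {c.function_name: c for c in capabilities}
    findings: List[GapFinding] = []
    for fn in functions:
        validate_bia_row(fn)
        cap = caps.get(fn.name)
        if cap is None:
            findings.append(GapFinding(
                fn.name,
                rto_gap_hours=fn.mtd_hours - fn.rto_hours,
                rpo_gap_hours=fn.mtd_hours - fn.rpo_hours,
                breaches_mtd=True,
                exposure_usd=fn.hourly_loss_usd * fn.mtd_hours,
                note="no recovery capability mapped",
            ))
            continue
        rto_gap = max(0.0, cap.achievable_rto_hours - fn.rto_hours)
        rpo_gap = max(0.0, cap.achievable_rpo_hours - fn.rpo_hours)
        findings.append(GapFinding(
            fn.name,
            rto_gap_hours=rto_gap,
            rpo_gap_hours=rpo_gap,
            breaches_mtd=cap.achievable_rto_hours > fn.mtd_hours,
            exposure_usd=fn.hourly_loss_usd * rto_gap,  # loss during hours beyond the planned RTO
        ))
    # MTD breaches outrank everything; within each group, highest exposure first.
    findings.sort(key=lambda f: (not f.breaches_mtd, -f.exposure_usd))
    return findings


# Constructed sample data (hypothetical functions and figures, not from the case study).
SAMPLE_FUNCTIONS = [
    BusinessFunction("Wire transfers", rto_hours=2, rpo_hours=0.25, mtd_hours=4, hourly_loss_usd=50_000),
    BusinessFunction("Online banking", rto_hours=4, rpo_hours=1, mtd_hours=8, hourly_loss_usd=20_000),
    BusinessFunction("Loan origination", rto_hours=24, rpo_hours=4, mtd_hours=48, hourly_loss_usd=2_000),
    BusinessFunction("Statement generation", rto_hours=48, rpo_hours=24, mtd_hours=72, hourly_loss_usd=500),
]
SAMPLE_CAPABILITIES = [
    RecoveryCapability("Wire transfers", achievable_rto_hours=6, achievable_rpo_hours=0.25),
    RecoveryCapability("Online banking", achievable_rto_hours=6, achievable_rpo_hours=4),
    RecoveryCapability("Statement generation", achievable_rto_hours=24, achievable_rpo_hours=24),
]

if __name__ == "__main__":
    for f in assess_gaps(SAMPLE_FUNCTIONS, SAMPLE_CAPABILITIES):
        flag = "MTD BREACH" if f.breaches_mtd else ("gap" if f.has_gap else "ok")
        print(f"{f.function_name:22} {flag:10} RTO gap {f.rto_gap_hours:>5.2f}h "
              f"RPO gap {f.rpo_gap_hours:>5.2f}h exposure ${f.exposure_usd:,.0f} {f.note}")
```

The ordering is the point: a capability that cannot recover a function inside its MTD is a continuity failure regardless of cost, so it outranks any finding that is merely expensive, and an unmapped function is deliberately treated as the worst case rather than silently skipped, since a BIA row with no recovery solution behind it is exactly the gap an FFIEC examiner would ask about.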