
Moving from Disaster Recovery Planning to Business Continuity

By Federica Della Noce

Over the past decade, financial services firms have spent considerable time and resources formulating risk management practices. Recently, the focus of these efforts has shifted from disaster recovery planning to business continuity planning across all areas. For financial institutions, this has meant recognizing the need to take a more proactive approach, where exposures and risks are anticipated and measures are implemented to mitigate or prevent losses.

This article explores how the change in focus evolved, and how it has created an opportunity for financial institutions to adopt common principles to guide them in their business continuity planning.

Operational risk management
Operational risk management aims to reduce losses due to unanticipated failures in processes and technologies or from systemic external events. Although the goals are clear, financial institutions have been inconsistent in their efforts to understand and plan for operational exposures. Beginning in 1999, regulatory agencies have been making an effort to set a more focused agenda. However, the attack on the World Trade Center on September 11, 2001, which highlighted the shortcomings of many recovery plans, was the real catalyst behind the renewed focus on disaster recovery and business continuity planning.

"Sound Practices for Management and Supervision of Operational Risk," a paper authored by the Bank for International Settlements' Basel Committee in early 2003, outlined the components of operational risk and the 10 key principles to promote business continuity. The goal of the report was to encourage banking organizations to allocate funds to each category of operational risk.

In the spring of 2003, the U.S. Securities and Exchange Commission, the Office of the Comptroller of the Currency, and the Federal Reserve set forth their approach to minimizing disruptions to financial systems in a paper called "Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System." In the report, the U.S. regulators outlined the three main goals of business continuity:

  • Promoting quick resumption of normal business operations
  • Resuming critical operations and restoring access to critical sites
  • Ongoing testing of critical continuity plans

As the financial industry becomes more dependent on complex technologies and is threatened by increasingly sophisticated fraudulent schemes, regulatory agencies have kept pressure on institutions to dedicate continuous attention to operational risk management.

From requirements to best practices
In addressing disaster planning, regulators tend to concentrate on risks posed by systemic, external events, such as terrorism or natural disasters, while executives at financial institutions are concerned about a variety of other disruptions, such as phishing, viruses, worms, and direct hacking (in addition to internal threats, such as volume spikes that can overburden internal processes and cause failures). The convergence of these two perspectives has produced a set of several common principles to guide financial institutions in establishing best practices for creating business continuity plans:

  • Identify critical systems and assess the exposure created by each
  • Make plans to resume business operations at alternate locations
  • Establish a clear set of business recovery objectives
  • Regularly update senior management, external regulators, customers, and other third parties about recovery plans
  • Test all plans, systems, processes, and methods of communication
  • Implement security plans to protect critical systems and networks
  • Ensure that continuity plans include contingencies to provide additional capacity in case of volume spikes

Addressing challenges
However, evaluating operational risk exposure continues to pose several challenges. Complying with the growing list of disaster planning and recovery regulations that emanate from various agencies -- such as the SEC and NASD -- is a daunting task for U.S. financial institutions. In addition, simply identifying "critical" business systems can be difficult. For instance, systems that are critical to traders are not necessarily critical to customers or management. Furthermore, resilience and continuity plans are vulnerable to becoming obsolete in a constantly changing business environment. Lastly, most institutions struggle with how much money to allocate to business resilience plans. Regulators have set minimums, but firms struggling to compete in global markets can find it difficult to justify incurring higher costs by going above what is required.

Steps to take
In the absence of clear-cut guidelines on how to best address operational risk exposures, financial institutions seeking to strengthen their business continuity position have been focusing on the following major areas:

  • Ongoing communication: Keeping the lines of communication open is extremely important. Organizations should strive to ensure their business units are aware that changes in strategy must be reflected in their continuity plans. The corporate culture of the institution needs to embrace business continuity as a critical goal.
  • Look for leverage: In an era when growth is critical to survival, IT investments acquired to provide excess capacity should be leveraged to support business growth, especially in times when budgets are tight. There is no need for backup network storage and remote servers to sit idle if a way can be found to exploit excess capacity to benefit the institution.
  • Exploit new technologies: To increase flexibility and scalability, as well as to bolster continuity plans, financial institutions should focus on technology innovations. Those worth exploring include monitoring and dashboarding tools, distributed processing and management, backup and recovery tools, and testing.

Conclusion
In recent years, a growing number of external threats, an increased dependency on technology, and pressure from regulatory agencies have forced the financial services industry to shift the focus of operational risk management from disaster recovery to business continuity. Investing in operational risk management provides a unique opportunity for financial firms to closely examine procedures and interdependencies, and perhaps to discover inefficiencies that can be eliminated to save money and provide better service to customers. The benefits of concentrating on business continuity will be felt even more if continuity becomes a competitive advantage that can be marketed to customers.

Federica Della Noce has over 10 years' experience writing and editing content for a variety of Web sites.