The Hidden Traps of Business Continuity PlanningGLBA Compliance Alone Isn't Enough to See an Institution Through a Disaster
Business continuity planning (BCP) is a key element to Gramm-Leach-Bliley Act (GLBA) compliance, but compliance alone isn't enough to sustain a business in the wake of disaster.
Given recent guidance Financial Regulators Release Updated Business Continuity Planning Booklet on business continuity in general, pandemic planning in particular, we caught up with a pair of industry experts to discuss financial institutions' holes in BCP.
Business continuity planning has been a requirement of institutions since 1989, yet no matter how many disasters occur each year, many institutions still have the mindset of "It can't happen to my institution," says Dana Turner, a noted business continuity planning and disaster recovery expert. Turner has trained more than 8000 bank examiners on the FFIEC's BCP examination process. "It's pretty well a 50 - 50 split in terms of those [institutions] that are being responsible about it, and those that have caught the examiners' attention," Turner says.
Legal issues have emerged as attention-getters for many institutions, Turner says, "Because the board of directors has realized they can be held accountable for a failure to return to business in a timely fashion." Too, the insurance companies have more strict guidelines, and Hurricanes Rita and Katrina inspired many institutions to be better prepared for a disaster.
The current credit crisis definitely has institutions dusting off and updating their plans, Turner says. "This is the time they throw their attention to audit, security and operations to make sure they're OK there." And if they're not OK, he adds, then regulators won't hesitate to penalize. "They've been much more liberal in applying civil money penalties," he says.
From the financial institution's perspective, Matthew Speare, Senior Vice President of Information Technology at Buffalo, NY-based M & T Bank ($65 billion in assets with 700 branches across eight states), says that institutions that want to improve their plan must begin with testing.
While Speare's BCP team tests his bank's plan each quarter, smaller institutions probably can't test their plans as rigorously. "The reality is they have to figure out where their critical functions are and what they're going to spend their limited resources on," Speare says. "They are also tasked with identifying what processes tie to what corresponding application, and that's where they want to concentrate their energies on - where they're getting the biggest bang for their buck."
Then the next step is just put a date on the calendar to test it, he says. One key scenario to test: What if the connection to the institution's core service provider goes down, and the core deposit application is unavailable? "This is something they'll have to know and demonstrate that they know how to recover from," Speare says.
The GLBA Connection
The minimum BCP requirements for an institution are found in the FFIEC's BCP booklet, and it is also a requirement of an institution's GLBA compliance program. The GLBA-compliant institution must have a business continuity plan that completely documents business impact analysis. "The BIA lays the foundation and makes management decisions around what systems and or which business processes are most critical to your viability as a bank," Speare says.
When examiners review the institution for GLBA compliance, a satisfactory report isn't enough, and institutions know it, Speare observes. "Regulators never really sign off and say an institution is in good shape about their plan. Instead they'll usually have such statements as 'Management has satisfactorily met the general requirements of GLBA,' but they'll never endorse an institution's program."
What is in the exam manual is really the minimum of what should be in place, he adds. "An institution really needs to do risk management and be much more proactive. A BCP is an insurance policy of sorts, but at the same time it is what allows a business to continue to function in the face of unknown circumstances," Speare says. Another added benefit to BCP is that much is learned about the institution during the program's planning.
One area often overlooked by institutions when planning their GLBA-compliant BCP is the security of employee information alongside customer information, says Turner. While GLBA doesn't mention employee information, most employees working for a financial institution will also have an account there. "The sanctity of customer records and HR records is often overlooked," Turner says. "However, examiners recently have been paying a lot of attention to employee records."
The People Factor
The human side of business continuity is often the most overlooked area of an institution's business continuity plan. Turner has seen hundreds of individual institutions' plans and notes an alarming lack of forethought when it comes to employees' well-being. "What if a teller can't make it into branch from her side of the river? Or that same employee has childcare issues during a disaster and can't find a babysitter?" asks Turner. One way to plan for this type of situation is to make agreements with board members to act as employees during times of emergencies. A board member could be trained to step in to help cover that time, "just on an interim basis," Turner says.
Another area that needs attention is training. Ask employees if they feel they have been trained to respond to disaster situations. Ask your employees and managers how well they are trained to respond before, during and after an emergency, Turner says.
"There can be all the policies and procedures written down to cover an institution during a disaster, but if staff is not trained adequately, they are going to impair the institution's ability to operate, or they're going to kill it," he says.
The BCP has been a key requirement for financial institutions for nearly 20 years. But how many plans have truly been tested? "For many of my clients I talk to across the country, they're just hoping that something never happens, because they've never tested their plan. Not even a tabletop exercise," Turner observes.
Most smart companies have tested their plan, and while their plan is being tested, they have an auditor record the results and put it into a report. This is what examiners are looking for -- documentation that the plan works. This isn't something that a financial institution's IT department head can sort out during a meeting at Starbucks as an event is happening, Turner warns.
Speare agrees and adds that his bank, on top of the quarterly testing, still gets to experience the "real live" scenarios of weather disasters where it is no longer a test, but the real thing. "Because we are based in Buffalo, NY at least once a year we get to do the full-blown event where the entire company is involved, because of a major snow event, and we move business functions off to another site," Speare says.
He recommends for other institutions to test their plan at least annually, per the regulatory requirements. "But only doing it once a year isn't enough," Speare says. "I think you have to do it at least twice a year -- to wait another 12 months to validate it is too long."
For more BCP insights, check out the following webinars from Matt Speare and Dana Turner: