Meeting FFIEC Requirements: Enterprise-Wide Testing of Your … · 2017-03-10 · Robin Remines,...
![Page 1: Meeting FFIEC Requirements: Enterprise-Wide Testing of Your … · 2017-03-10 · Robin Remines, CBCP, AMBCI rremines@ongoingoperations.com Certified Business Continuity Professional](https://reader033.fdocuments.net/reader033/viewer/2022050522/5fa57d3b888dfa1808495e6e/html5/thumbnails/1.jpg)
Copyright 2010 Ongoing Operations
Plan. Prepare. Protect.
Meeting FFIEC Requirements: Enterprise-Wide Testing of Your Business Continuity Plan
April 25, 2012
Robin Remines, CBCP, AMBCI Certified Business Continuity Professional
The OGO Difference
• Focus on making business continuity planning an organization-wide initiative and process
• Holistic - People, Processes AND Technologies
• Financial Impact Analysis (FIA) as well as Business Impact Analysis (BIA)
• Award-winning BCP software platform
• Leader in building private/public partnerships
• Certified Professional Staff
Key Outcomes
• Understand FFIEC Requirements regarding Business Continuity Program / Business Impact Analysis (BIA) and the relationship to Testing
• Financial Impact Analysis (FIA)
• Using the results to develop a stronger Business Continuity Program and to provide Continuity of Service to our Members NO MATTER WHAT HAPPENS!
Meeting FFIEC Requirements: Enterprise-Wide Testing of Your Business Continuity Plan
Goal of Business Continuity Plan
• People safety first!
• Minimize financial losses to the institution
– BIA to identify business processes with potential for greatest impact (including Risk and Financial Impact Analysis)
• Continue member service with minimal interruption
• Be a community resource (CIKRP)
• Mitigate negative effects of disruption on Operations
– Solutions include redundancy, failover, resiliency, procedural documentation and manual alternative procedures
– Prioritize implementation of solutions
FFIEC Testing Guidelines
• Roles and responsibilities should be specifically defined
• The BIA and risk assessment should serve as the foundation of the testing program
• Enterprise-wide testing should be conducted at least annually
• Testing should be viewed as a continuously evolving cycle
• Mitigation strategies should sustain the business until permanent operations are reestablished
• The testing program should be reviewed by an independent party
• Test results are compared against the BCP to identify any gaps
We all have a role!
• Business line management - the testing of business operations;
• IT management - testing recovery of the institution's information technology systems, infrastructure, and telecommunications;
• Crisis management - testing the institution's event management processes;
• Facilities management - testing the operational readiness of the institution's physical plant and equipment, environmental controls, and physical security;
• The 3rd party/audit - responsibility for evaluating the overall quality of the testing program and the test results.
Business Impact Analysis
• Assess and prioritize business functions and processes
• Identify potential impact of business disruptions on the business functions and processes
– Severity of impact
– Member Impact
– Member Confidence
– Increased Fraud
• Identify legal and regulatory requirements of the business functions and processes
• Estimate RTOs and RPOs
BIA Outcomes
• Establishes a solid foundation for your planning process
• Meets regulatory and audit requirements
• Senior Management Support
• Top-ranked Risk items with plans to protect, assign, accept or eliminate the threat
• Creation of an IT recovery plan that uses the outcome of the BIA to establish a priority for recovery
Risk Assessment
• Evaluate BIA assumptions using various threat scenarios
• Analyze threats based on likelihood and potential impact to institution, members and financial market
• Prioritize potential business disruptions based on severity, which is determined by impact on operations and probability of occurrence
• Perform “gap analysis” that compares existing BCP to policies and procedures to be implemented based on prioritized disruptions and resulting impact
Risk Management (Mitigation)
• Based on comprehensive BIA and Risk Assessment
• Documented
• Reviewed and approved by Board and Senior Management annually
• Disseminated to employees
• Properly managed when outsourced to 3rd party
• Specific regarding what conditions should prompt implementation of the plan and the process for invoking it
Risk Management (cont)
• Immediate steps that should be taken during a disruption
• Flexible for unanticipated scenarios and changing internal conditions
• Focused on impact of various threats that could potentially disrupt operations
• Developed based on valid assumptions and interdependencies
Testing/Exercising
• Develop Exercise Scenarios which incorporate BIA and Risk Assessment
• Include C-level and Department-level staff
• Gain buy-in through role-playing and inclusion
• Consider tabletop vs. walkthrough
– http://ithandbook.ffiec.gov/it-booklets/business-continuity-planning/risk-monitoring-and-testing/principles-of-the-business-continuity-testing-program/testing-policy.aspx
• Complete at least annual tests of the BCP (more than the annual IT/DR exercise)
Exercise your plan
• Critical processes and locations
– Is the plan to work from home or an alternate site? Perform processes from the alternate location
– What processes are included?
– How are communications handled?
• Successful exercise?
– Issues identified and revisions assigned for additional planning
– Everything was smooth and no opportunities identified
Testing – Creating the Lifecycle
• Senior Management and BOD evaluate program and test results
• 3rd party assessment of program and test results
• Revise BCP and testing program based on operational changes, audit and examination recommendations, and test results
Financial Impact Analysis (FIA)
FIA Tool
• Potential financial impact
• Uses 5300 Report provided to NCUA
• Coming soon! www.ongoingoperations.com
• Easily customized to fit your credit union’s business strategies and operating practices
What does the FIA measure?
• Delinquency Risk
• Daily Transaction Risk
• Fee Income Risk
• Check & ACH Risk
• Daily Loan Risk
• Reputational Risk
Fee Income Risk
Summary – BCP Testing – FFIEC Guidelines
• Spend resources (time, people, $$$) on performing an in-depth Business Impact Analysis (BIA) and Risk Assessment
– Without this, there is no foundation from which to measure your testing
• Create a testing plan/cycle – Using various scopes/objectives, create a yearly calendar to test at various levels
– Enterprise-wide testing should be conducted at least annually
– DR (IT) tests at least annually
– Departmental – annually AND when any significant process change occurs
Summary – BCP Testing – FFIEC Guidelines (cont)
• Mitigation strategies should sustain the business until permanent operations are reestablished
• You may not always have the “right” mitigation strategy – document your decision-making process
• Should consider 3rd party “stand in” availability (such as card processing, ATMs, etc.)
• Always have an independent reviewer – look at it as a chance to improve your plan, not grade it
• Update your plan IMMEDIATELY after testing to close gaps identified by the exercise
Robin Remines, CBCP, AMBCI
Certified Business Continuity Professional
www.ongoingoperations.com