In the finance industry, disasters are especially dangerous. Disruptions to a single bank’s operations have the power to tarnish the brand and disrupt entire markets. Data loss can compromise the financial information of thousands of customers. To avert these scenarios, a bank business continuity plan must account for every disaster possible, along with the proper protocols for recovery.
- What takes priority after a disaster?
- Who’s in charge?
- What if key stakeholders cannot be reached?
- Who should personnel turn to for answers?
- How will operations be restored, and when?
These are just a few of the questions that a bank business continuity plan must be able to answer – long before disaster strikes.
While there is no one-size-fits-all business continuity plan template for banks, we’ve put together a checklist of areas that every plan should address.
Essential Components of a Bank Business Continuity Plan
__ Managerial Protocols
This is the foundation of a bank business continuity plan. It encompasses all of the sections listed below, outlining what needs to happen before, during and after a disruption. This framework will apply to virtually all scenarios, regardless of the type of disaster (natural, manmade or electronic) – or how many bank branches have been affected (just one or over a hundred). Your plan needs to outline:
- Who does the decision-making in an emergency situation?
- What are the mission-critical responsibilities of each executive and manager?
- What are the protocols for personnel in each department?
- Who needs to do what to restore operations?
__ Plan Objectives
Since each business continuity plan is unique, every plan must clearly state its scope. This information should be included at the beginning of the plan, so that there are no questions about what the plan covers and what it doesn’t. For example, a single bank might have several different BCPs intended for different business units, and a master plan for the entire company. Each document must therefore identify the specific objectives of the plan.
- What does the plan aim to achieve?
- Is the plan relevant to all bank operations, or specific departments such as IT?
- What is the core purpose of the plan?
- What are the limitations of the plan (if applicable)? Are additional planning documents needed?
__ Risk Assessment
No financial services business can adequately plan for disaster without understanding what those disasters look like. Banks must perform comprehensive risk assessments that identify every possible threat to their operations. These risks can include everything from cyberattacks to electrical outages, followed by detailed descriptions of what they entail and what causes them.
- Which operational risks does the bank face?
- Which threats have the greatest likelihood?
- What are the causes of each threat?
- What are the circumstances? What does each disaster scenario actually look like?
__ Business Impact Analysis
After identifying risks, the next step is analyzing the impact of those events. This is another critical component of a bank business continuity plan, because it uncovers the most urgent threats and enables you to prioritize your planning accordingly. Each operational disruption listed in the risk assessment should be defined by its effects on the bank, including the estimated length of an outage, impact on customer-facing services, financial impact and so on.
- How does each threat actually disrupt the bank’s operations?
- What is the immediate and long-term impact?
- What is the anticipated length of time for each disruption?
- What is the cost? How much money does the bank lose per hour in each scenario?
__ Prevention Strategies
Your bank business continuity plan cannot prevent every disaster. But it can greatly minimize the risks, while also preventing the worst aftermaths. Your plan should identify the steps you are already actively taking to prevent operational disruption in a disaster. This section should include disaster-specific scenarios and strategies currently being used to monitor and prevent these risks.
- What technologies are in place to prevent cyberattacks?
- What systems are implemented to block malicious files from entering the network?
- How adequate are your data backup and recovery systems?
- Are your bank branches built to withstand various natural disasters?
__ Disaster Response
The longer a bank is shut down, the worse the consequences. Every bank disaster recovery plan template must include the specific actions that need to be taken if operations have been halted. In a BCP or DRP, this is sometimes referred to as “disaster response.” These are the immediate steps following a disruption, which help to assess the situation and determine the best path to recovery.
- How should disruptions be evaluated to determine what actually happened and what happens next?
- Which banking services are the highest priority if limitations are in place?
- What protocols are in place if technological roadblocks prevent access to information systems?
- If staffing has been affected, what are the minimum staffing levels required to maintain operations?
__ Recovery Protocols
The immediate response to a disruption does not always translate into a full recovery. So, it’s critical to outline the additional protocols that will be needed to restore operations completely. Depending on the type of disaster, this stage may take several days or even weeks. But by defining these procedures in the BCP, banks will be better prepared for every possible disruption and will be able to significantly shorten recovery time.
- What steps should be followed to fully restore operations?
- Which aspects of the business take priority if several operations are disrupted?
- Who will oversee the recovery for each type of disaster? To whom will they provide updates?
- What are the recovery objectives and expectations? How long is each type of recovery expected to take?
__ Data Backup & Recovery Technologies
More than most industries, financial institutions need to be especially aggressive in deploying technologies that thwart cyberattacks and accelerate recovery. Data backup is thus a critical component of continuity planning that needs to be defined in a bank’s BCP. In this section, you’ll identify the implemented technologies for restoring lost data in a variety of scenarios, along with clear recovery objectives. In addition to a bank’s data backup systems, this section can also include any other recovery technologies, such as redundant hardware, network repair tools and so on.
- What is the bank’s primary business continuity & disaster recovery system (BCDR)?
- Which data recovery methods should be used in various scenarios, such as ransomware, accidental deletion or hardware failure?
- What is the bank’s recovery point objective (RPO)? What is the maximum age of the most recent backup?
- What is the recovery time objective (RTO)? How long should it take to recover lost data or systems?
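The RPO and RTO questions above are the ones a plan can actually measure against. The following is an added example, not code from the original article or from Invenio IT: it checks each system’s most recent backup age against its RPO and its last measured test-restore time against its RTO. System names, timestamps and objectives are constructed, and a system with no recorded backup or no test restore is treated as failing (an untested restore cannot be shown to meet an RTO).

```python
from datetime import datetime

# Constructed objectives: system -> (RPO in minutes, RTO in minutes). Illustrative only.
OBJECTIVES = {
    "core-banking-db": (5, 60),
    "online-banking-web": (15, 120),
    "branch-fileserver": (240, 480),
    "atm-switch": (5, 30),
}

# Constructed backup catalog: last successful backup and duration (minutes) of the
# most recent test restore. "atm-switch" deliberately has no entry at all.
CATALOG = {
    "core-banking-db": {"last_backup": datetime(2024, 5, 1, 11, 57), "restore_test_min": 45},
    "online-banking-web": {"last_backup": datetime(2024, 5, 1, 11, 30), "restore_test_min": 150},
    "branch-fileserver": {"last_backup": datetime(2024, 4, 30, 22, 0), "restore_test_min": 300},
}

# Fixed "current time" so the example is reproducible offline.
NOW = datetime(2024, 5, 1, 12, 0)


def check_objectives(objectives, catalog, now):
    """Return per-system findings: backup age vs RPO and test-restore time vs RTO."""
    findings = {}
    for system, (rpo_min, rto_min) in objectives.items():
        entry = catalog.get(system)
        if entry is None or entry.get("last_backup") is None:
            # No backup at all: the potential data-loss window is unbounded.
            findings[system] = {"backup_age_min": None, "rpo_ok": False,
                                "restore_min": None, "rto_ok": False}
            continue
        age_min = (now - entry["last_backup"]).total_seconds() / 60
        restore_min = entry.get("restore_test_min")
        findings[system] = {
            "backup_age_min": age_min,
            "rpo_ok": age_min <= rpo_min,
            "restore_min": restore_min,
            "rto_ok": restore_min is not None and restore_min <= rto_min,
        }
    return findings


def violations(findings):
    """Systems missing either objective, unbounded (no backup) first, then oldest backup first."""
    bad = [s for s, f in findings.items() if not (f["rpo_ok"] and f["rto_ok"])]
    return sorted(bad, key=lambda s: (findings[s]["backup_age_min"] is not None,
                                      -(findings[s]["backup_age_min"] or 0)))


if __name__ == "__main__":
    for system in violations(check_objectives(OBJECTIVES, CATALOG, NOW)):
        print("objective missed:", system)
```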
__ Contingency Plans
In addition to data backup, banks must have a “Plan B” for all other aspects of their operations. Better yet, they should have a Plan C, D and E. This section of the continuity plan should identify the bank’s contingency plans and redundancies for various disaster scenarios. These contingencies can be placed in their own section within the BCP or addressed in each of the other sections. Some example scenarios to consider:
- What happens if the physical bank location is destroyed in a disaster?
- What if sensitive data is stolen in a cyberattack and held for ransom?
- What if third-party service providers are unavailable and are disrupting your own operations (e.g. utilities, technology providers, ATM access providers and so on)?
- What if additional hardware is suddenly needed for a branch location? Where will it come from? If it’s already been acquired, where is it being stored?
__ Training & Education
Employees should receive routine training on disaster prevention, response and recovery. For example, staff should be educated on how to safely use email and the Internet, how to spot a phishing attack and what to do in a ransomware attack. This training applies not only to your disaster recovery teams, but to all bank employees, including upper management. In a bank business continuity plan, this section will outline these training programs and objectives in detail.
- What types of training are needed to achieve the bank’s continuity objectives?
- How often does that training occur?
- Who receives the training?
- Who develops and manages it?
__ Methods & Hierarchy of Communications
Imagine a scenario in which telecommunications and other utilities have been knocked offline for weeks. How will managers communicate with personnel, and vice versa, about the status of operations? Even for small disruptions, it’s critical to maintain clear communication between affected stakeholders. Otherwise, recovery will be far more challenging. In this section of the BCP, you’ll outline these communication strategies.
- Which methods will be used to maintain communications after a disaster?
- Which personnel will need emergency devices (e.g. mobile phones), and how will that process work?
- Will the public need to be notified of updates? If so, how, and what information will need to be submitted in a press release? Who will communicate with the press?
__ BCP Plan Writing, Testing and Reevaluation
A bank business continuity plan is a coordinated effort, written and reevaluated by several members of your organization on a regular basis. This is not a job for a single IT person or an executive’s assistant. It should be a comprehensive document that is reviewed and updated regularly. This section of the BCP will thus be devoted to identifying who manages the planning and when it gets updated.
- Who is in charge of maintaining your bank’s BCP?
- How often should it be reviewed?
- Who has access to the document and/or BC management software?
- How will the plan be tested? How will you know if the BCP’s protocols are effective?
When in doubt, always speak to a business continuity professional. This checklist is intended only for illustrative purposes to identify the core objectives of a bank disaster recovery plan. A professional will help you build out the most essential components of your plan, based on the specific needs of your business.
What are the most common threats to banks?
Your average consumer might assume that the greatest threat to a bank is a robbery or a devastating natural disaster. After all, these events make the big headlines. But in reality, banks face numerous other threats almost daily, and, in many cases, they are even more destructive. Here are just a few threats that can affect a bank’s operational continuity:
- Ransomware: A ransomware infection can rapidly disable a bank’s IT systems, destroy data and force it to close for days unless backups can be restored quickly.
- Malware & phishing scams: Like most businesses, banks face a barrage of malicious messages that sometimes get past firewalls and spam filtering technologies. This is a near-constant threat that financial institutions must guard against to avoid a potential operational disruption.
- System failure: Technology outages and interruptions are extremely common in the financial services industry. The causes can be anything from hard drive failure to application crashes. When it happens, it can have a far-ranging impact on operational continuity.
- Accidental data loss: Lost and deleted files can cause headaches and productivity losses. While a single lost spreadsheet may not derail a bank’s operations, large-scale data loss from a failed migration or unsuccessful OS installation can absolutely disrupt the business.
- Service provider disruptions: It’s common for banks to leverage third-party solutions as part of their services, particularly for online banking systems and web applications. When these systems go down, they disrupt the bank’s services and damage its credibility.
Identifying the best data backup for banks
We’ve emphasized the importance of having data backup to prevent operational disruptions from data loss. But which data backup is best for financial institutions?
While there are many factors to consider when evaluating BCDR solutions, there are some core features and functions that most banks should look for. Backup frequency, speed and efficiency are extremely important. Additionally, backups should be reliable and easy to restore.
We recommend the Datto SIRIS because it offers the robust protection and versatile recovery options that today’s financial institutions need, especially in the age of ransomware. Some of the most critical capabilities that separate it from other bank data backup systems include:
- All-in-one solution: fully unified hardware, software and cloud backup
- High backup frequency of up to every 5 minutes
- Hybrid cloud storage (on-prem and cloud)
- Backup virtualization for instant access to protected apps & systems
- Built-in ransomware detection
- Resilient backup process via Datto’s Inverse Chain technology
- Automated backup validation and testing
Additional Resources for Bank Continuity Planning
Given the critical need for continuity planning within the financial services industry, there are numerous federal agencies and ancillary organizations that offer additional planning resources for banks. Some financial institutions are required to maintain continuity plans – particularly investment firms and brokerages, which must comply with the rules of FINRA (Financial Industry Regulatory Authority). While these regulations do not apply to all types of banks, FINRA provides detailed recommendations that can be leveraged by virtually any financial institution.
Some helpful resources include:
- FFIEC (Federal Financial Institutions Examination Council) Business Continuity Management Booklet
- FINRA Business Continuity Planning Guidance
- Federal Reserve Business Continuity Guide
Frequently Asked Questions (FAQ)
1. What is the first step in business continuity planning in banks?
Conducting a risk assessment is an important first step in business continuity planning for financial institutions. This assessment identifies the threats that are most likely to disrupt the bank’s operations. In turn, this allows planners to implement systems and procedures that mitigate those risks and ensure a smooth recovery.
2. What are the 5 components of a business continuity plan?
While each plan is unique, every business continuity plan should include the following five components, at minimum:
- Plan objectives
- Risk assessment
- Business impact analysis
- Disaster recovery procedures
- Plan testing
Keep in mind, these five components represent only a fragment of the sections that should be included in a bank business continuity plan. However, together they achieve the most critical objective of the plan: implementing protocols that help to maintain continuity during a disaster and mitigate the impact of known risks.
3. What is the business continuity plan of a bank?
A business continuity plan (BCP) is a planning framework that is designed to prevent disruptions to a bank’s operations. The plan outlines the recovery systems and procedures for a variety of disruptive scenarios, which help to ensure the bank can stay open and continue serving customers during a disaster.
4. What does disaster recovery mean in banking?
Disaster recovery refers to the strategies used by a business to recover from an operational disruption. In banking, these strategies can include IT systems, such as data backup, or step-by-step procedures that should be followed when a disruption occurs to restore a bank’s critical operations.
5. Is business continuity a regulatory requirement for banks?
Some financial institutions are required to maintain business continuity plans in compliance with federal regulations. This is particularly true for investment firms, which must adhere to FINRA’s Emergency Preparedness Rule 4370, requiring specific procedures for developing and maintaining a BCP.
Business continuity plans are critical for banks to ensure that they can recover quickly from an operational disruption. An effective BCP will include a thorough risk assessment and impact analysis, followed by the systems and procedures for recovering from a disaster. Having a documented plan ensures that a bank is prepared for every scenario, helping it to avert prolonged downtime and maintain operational continuity.
Learn more about business continuity solutions for banks
Get more information on BCDR solutions that can safeguard your bank from data loss and other disasters. Request a free demo or contact our business continuity experts at Invenio IT: call (646) 395-1170 or email success@invenioIT.com.