The Federal Financial Institution Examination Council (FFIEC) recently updated guidelines for credit union business continuity, the latest revision since first establishing such guidelines in 2003. This revision serves as a great opportunity to revisit the importance of business continuity planning for credit unions and lay out the basics any credit union should understand in its obligation to meet FFIEC guidelines.
This is a requirement of federally insured credit unions. NCUA Guidance Part 749, Appendix B, mandates that a credit union disaster recovery and business resumption plan:
- Is commensurate with the institution’s complexity
- Minimizes interruptions to members and maintains member confidence
- Is reviewed annually and addresses changes in the credit union’s operations.
FFIEC’s goal for business continuity is to provide a basis for minimizing operational interruptions for credit unions and their customers after a serious event or disaster. The first step required by the FFIEC is to construct a business impact analysis (BIA). According to ready.gov, a BIA “predicts the consequences of disruption of a business function and process and gathers information needed to develop recovery strategies.”
The FFIEC wants the BIA to include these five steps:
- Assessment and prioritization of all business functions and processes
- Potential impacts of business disruptions
- Identification of the legal and regulatory requirements
- Examination of the maximum allowable downtime and acceptable loss
- Estimation of recovery time objectives (RTOs), recovery point objectives (RPOs), and recovery of the critical path.
Universal musts
A credit union needs to understand the principles of business continuity planning and disaster recovery and then apply them to their unique functions and commercial purposes. That said, much of the work is similar to other industries.
For instance, any plan should receive the support of the board of directors. Therefore, the board should be informed and its buy-in is essential.
Along with buy-in from the board, it’s essential to designate a manager who has the board’s authority to enact the plan; that person runs point so that inertia doesn’t stall progress. From there, decisions can be made about how to communicate with other important stakeholders throughout the process. In a credit union, this means members, internal stakeholders, and any other stakeholders, such as regulatory bodies. Disaster planning also requires the point person to set parameters for reviewing and revising the plan. This should be done annually at the least, and most likely more often.
Credit union specifics
Only a credit union can judge what its critical processes are and how long it will take to get them back up and running. What might be an acceptably short period of time for a manufacturing company with a long lead time and extended sales process will not work for a credit union, whose members usually need access to funds immediately. In planning for a problem such as lost internet access, you will need to determine how long you can go without it before members alter their perception of the credit union or choose to conduct business elsewhere. This is your RTO. Similarly, data can be lost. Some data isn’t critical (say, video for a webinar), while other data is life-or-death (such as transaction records); how much of it you can afford to lose determines your RPO.
Your impact analysis should address the relevant functions of the credit union and determine which items become problems in which time periods (see below). Be sure to reach out to the key personnel, because your BIA will address all of these matters; it is the foundation for your business continuity and disaster recovery (BC/DR) plan.
Building your critical path
The results of the BIA will lead to the vital exercise of building a recovery plan. You know now which items are important, and you know which items have time-critical elements. This allows you to build a critical path — the series of contingent actions that result in the minimum time needed to achieve recovery.
The list below describes the functions that must be addressed first.
- On which processes is continuity of business dependent? (For instance, bagel Friday is probably less important than a working internet connection.)
- Conduct an inventory of applications, then examine each one with an eye to what to do if an emergency renders it unavailable (temporarily or permanently).
- List all locations, identify their capabilities and whether they can back each other up. (For instance, if the northern branch loses six employees in a plane crash, can the branch be backed up by employees from other branches?)
- Related to this is staffing: Who in the organization has which skills? Can they back each other up right now, or with cross-training? Are there people in the organization with institutional knowledge that everyone relies on, but which has never been codified or trained?
- What about your roster of vendors? How would they respond in an emergency? Is your business as critical to them as theirs is to you? Could they be a point of failure for any number of reasons — geography, business size, a poor relationship?
- What records are needed? Digital data, backup servers, and the cloud have made this less of a problem, but are there one-of-a-kind documents that would prove to be a problem if lost in a fire?
- What equipment will help you recover, whether it’s backup servers, fire-resistant vaults, or four-wheel drive vehicles in a region where it doesn’t usually snow?
Once the critical path is identified, budgeting decisions can be made, spending on the critical operations first and foremost.
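The RTO and RPO targets from the impact analysis and the critical path described in this section can be checked mechanically once the recovery steps and their dependencies are written down. The following is an added example, not code from the original post or from any vendor; the step names, durations, RTOs, RPOs and backup intervals are constructed for illustration. It computes the longest dependency chain (the minimum time to full recovery if all independent work runs in parallel), then flags every item whose earliest restoration misses its RTO or whose backup interval is longer than its RPO.

```python
"""Critical path and RTO/RPO checks for a credit union recovery plan.

Constructed example: the steps, hours, RTOs and RPOs below are hypothetical
and are not taken from any credit union's actual BIA.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class RecoveryStep:
    name: str
    hours: float                       # time to restore this item once its dependencies are back
    depends_on: List[str] = field(default_factory=list)
    rto_hours: Optional[float] = None  # maximum allowable downtime from the BIA
    rpo_hours: Optional[float] = None  # maximum tolerable data loss from the BIA
    backup_interval_hours: Optional[float] = None  # how often the item's data is actually backed up


def _topological_order(steps: Dict[str, RecoveryStep]) -> List[str]:
    """Kahn's algorithm; also catches unknown dependencies and cycles."""
    indegree = {name: 0 for name in steps}
    dependents = defaultdict(list)
    for step in steps.values():
        for dep in step.depends_on:
            if dep not in steps:
                raise ValueError(f"{step.name} depends on unknown step {dep!r}")
            indegree[step.name] += 1
            dependents[dep].append(step.name)
    queue = deque(name for name, d in indegree.items() if d == 0)
    order = []
    while queue:
        name = queue.popleft()
        order.append(name)
        for child in dependents[name]:
            indegree[child] -= 1
            if indegree[child] == 0:
                queue.append(child)
    if len(order) != len(steps):
        raise ValueError("recovery plan has a dependency cycle")
    return order


def earliest_finish(steps: Dict[str, RecoveryStep]) -> Dict[str, float]:
    """Earliest hour at which each step can be complete if all independent
    work proceeds in parallel."""
    finish: Dict[str, float] = {}
    for name in _topological_order(steps):
        step = steps[name]
        start = max((finish[d] for d in step.depends_on), default=0.0)
        finish[name] = start + step.hours
    return finish


def critical_path(steps: Dict[str, RecoveryStep]) -> Tuple[float, List[str]]:
    """The longest dependency chain: its length is the minimum time to full
    recovery, and only shortening a step on it shortens the recovery."""
    finish = earliest_finish(steps)
    end = max(finish, key=finish.get)
    path = [end]
    while steps[path[-1]].depends_on:
        deps = steps[path[-1]].depends_on
        path.append(max(deps, key=lambda d: finish[d]))
    return finish[end], list(reversed(path))


def rto_gaps(steps: Dict[str, RecoveryStep]) -> Dict[str, Tuple[float, float]]:
    """Items whose earliest restoration is later than the RTO the BIA set."""
    finish = earliest_finish(steps)
    return {name: (finish[name], s.rto_hours) for name, s in steps.items()
            if s.rto_hours is not None and finish[name] > s.rto_hours}


def rpo_gaps(steps: Dict[str, RecoveryStep]) -> Dict[str, Tuple[float, float]]:
    """Items backed up less often than their RPO allows."""
    return {name: (s.backup_interval_hours, s.rpo_hours) for name, s in steps.items()
            if s.rpo_hours is not None and s.backup_interval_hours is not None
            and s.backup_interval_hours > s.rpo_hours}


# Constructed sample plan (hypothetical values).
PLAN = {s.name: s for s in [
    RecoveryStep("power_and_site", 4),
    RecoveryStep("network_and_internet", 6, ["power_and_site"], rto_hours=8),
    RecoveryStep("identity_directory", 3, ["network_and_internet"]),
    RecoveryStep("restore_core_banking_db", 10, ["network_and_internet"],
                 rpo_hours=1, backup_interval_hours=24),
    RecoveryStep("core_banking", 2, ["identity_directory", "restore_core_banking_db"], rto_hours=24),
    RecoveryStep("online_banking", 3, ["core_banking"], rto_hours=24),
    RecoveryStep("teller_workstations", 4, ["identity_directory"], rto_hours=12),
    RecoveryStep("payroll_system", 8, ["identity_directory"], rto_hours=72,
                 rpo_hours=24, backup_interval_hours=24),
]}

if __name__ == "__main__":
    total, path = critical_path(PLAN)
    print(f"minimum time to full recovery: {total} h via {' -> '.join(path)}")
    print("RTO gaps:", rto_gaps(PLAN))
    print("RPO gaps:", rpo_gaps(PLAN))
```

In the sample plan the database restore, not the network, is the step that gates member-facing banking, so that is where the budget discussed above would go first; the RPO gap on the core banking database shows a daily backup cannot meet a one-hour data-loss target no matter how fast the restore is.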
How to get started
To get the data above and build a plan, don’t go off into your office and close the door for two weeks. While the board’s approval provides clout, implementation requires elements of the entire credit union. Identify those people or groups (examples include IT, mortgage banking, commercial lending, personal loans, and teller operations, but this will depend on each credit union’s structure), then reach out to get their input. A kickoff meeting that includes at least one member of the board to underscore the importance of the process is a good way to roll out the planning work.
The planning can be done with one-to-one meetings, but it may be more beneficial to workshop the problem. With everyone in a room together, connections that might have been overlooked in a one-on-one meeting are more likely to pop up. Hypotheticals are essential. For all of your critical-path activities, everyone involved should be asking what they or their department would do if that activity is unavailable. For instance, if IT isn’t available for two weeks, how would that affect human resources? What about car loans? How could those departments work around the problem — or should they just wait?
The nitty gritty
The planning will provide a whole range of data. Pulling it together will be a challenge. Some credit unions (and other businesses) have attended to this task with their favorite spreadsheet, or pulled notes together in a word processing document that’s revised and re-revised. This adds a layer of complexity to an already-complex task because it requires planning how to organize and write the plan, then ensuring that the nuts and bolts of the document are correct as well as the plan itself being appropriate.
This is where a business continuity software tool like Infinite Blue’s BC in the Cloud provides support and direction. All the data entered into its transparent relational database makes organization simple, repeatable, and refreshable. The messiness of merging documents from disparate sources is avoided. You’ll be able to analyze the data, make charts, and produce analytics. Risks uncovered during the process can be assigned to an employee to address. Perhaps most helpful is the ability to use the multiple factors you’re investigating to create a risk score.
Risk
Analyze the data and then use them to build the plan. Scoring will help clarify the critical path. Enlist the management team, because only they can determine what the credit union’s appetite for risk is. Make sure they have all the data possible.
Ways to score risks should include thinking about how likely an event is, how frequently it will happen, and how suddenly it might occur. Some risks can affect operations; others can affect the credit union’s image. For instance, if the credit union gives in to a ransomware demand, that may keep it functioning for its members, but it may also create a negative image among potential members or business partners. Comfort with those possibilities should be determined before setting them in stone in the plan.
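The scoring factors named above (likelihood, frequency, suddenness, and separate operational and reputational impact) can be combined into a single risk score that is compared against the appetite management has set. The block below is an added example, not the post’s or any vendor’s scoring model; the 1-to-5 scales, the factor weights and the sample risks are constructed for illustration, and the choice to let the worse of the two impact dimensions drive the score is an assumption that reflects the ransomware case in the text, where operations continue but reputation suffers.

```python
"""Risk scoring for a credit union BIA: likelihood, frequency and suddenness
of an event, weighed against its operational and reputational impact.

Constructed example: the scales, weights and sample risks are hypothetical
illustrations, not a regulator's or vendor's scoring model.
"""
from dataclasses import dataclass, fields
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int           # 1 (rare) .. 5 (almost certain) over the planning horizon
    frequency: int            # 1 (once a decade) .. 5 (several times a year)
    suddenness: int           # 1 (days of warning) .. 5 (no warning at all)
    operational_impact: int   # 1 .. 5: effect on member-facing operations
    reputational_impact: int  # 1 .. 5: effect on the credit union's image

    def __post_init__(self):
        # Reject ratings outside the agreed scale before they skew the ranking.
        for f in fields(self):
            if f.type is int and not 1 <= getattr(self, f.name) <= 5:
                raise ValueError(f"{self.name}: {f.name} must be between 1 and 5")


# Relative weight of the three exposure factors (hypothetical; management retunes these).
EXPOSURE_WEIGHTS: Dict[str, float] = {"likelihood": 0.4, "frequency": 0.3, "suddenness": 0.3}


def exposure(risk: Risk, weights: Dict[str, float] = EXPOSURE_WEIGHTS) -> float:
    """Weighted 1..5 score for how exposed the credit union is to the event."""
    total = sum(weights.values())
    return sum(getattr(risk, k) * w for k, w in weights.items()) / total


def impact(risk: Risk) -> int:
    """The worse of the two impact dimensions drives the score, so an event
    that keeps operations running but damages reputation still ranks high."""
    return max(risk.operational_impact, risk.reputational_impact)


def score(risk: Risk) -> float:
    """Exposure x impact on a 1..25 scale, rounded for presentation."""
    return round(exposure(risk) * impact(risk), 1)


def rank_risks(risks: List[Risk], appetite: float) -> List[Tuple[str, float, str]]:
    """Rank risks by score and mark each as above ('treat') or within ('accept')
    the risk appetite management has set."""
    ranked = sorted(risks, key=score, reverse=True)
    return [(r.name, score(r), "treat" if score(r) > appetite else "accept") for r in ranked]


# Constructed sample risks (hypothetical ratings).
SAMPLE_RISKS = [
    Risk("ransomware", likelihood=4, frequency=3, suddenness=5, operational_impact=4, reputational_impact=5),
    Risk("regional_flood", likelihood=2, frequency=1, suddenness=2, operational_impact=5, reputational_impact=2),
    Risk("isp_outage", likelihood=4, frequency=4, suddenness=4, operational_impact=3, reputational_impact=1),
    Risk("key_staff_loss", likelihood=2, frequency=1, suddenness=4, operational_impact=3, reputational_impact=1),
]

if __name__ == "__main__":
    for name, s, decision in rank_risks(SAMPLE_RISKS, appetite=10.0):
        print(f"{name:16s} {s:5.1f}  {decision}")
```

The appetite value is the one input that only the management team can supply; everything above it is data gathered in the workshops, which is why the example keeps the threshold as a parameter rather than a constant.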
Validate
Having a plan alone is not enough. The plan and its recovery strategies should be tested to confirm that its assumptions hold. When you test the plan, involve everyone in the exercise, including vendors whenever possible. Test the whole plan, and do it multiple ways: conduct a tabletop exercise at your facility, then test it away from your facility to confirm the plan will work when you can’t be there. Note the results, and update as needed.
What the NCUA examiners will look for
Once the plan is validated, it will need to be ready for audit by National Credit Union Administration (NCUA) examiners. Because the NCUA is charged with insuring credit unions in the United States, it places a high level of importance on a credit union’s preparation for continuity and disaster recovery. To be ready, be sure that you’ve done your best to PREPARE (yes, it’s an acronym):
- PLAN: Ensure financial services to members
- RESOURCES: Allocate sufficient equipment and facilities
- EXERCISES: Create realistic and challenging situations
- PEOPLE: Maintain the readiness of staff and officials
- ALLIANCES: Establish and rely on relationships with other organizations
- REVIEW: Look at plans, then update them for maximum effectiveness
- EXPERIENCE: Incorporate lessons learned.
How to finish
It should be evident now that there is no true end to credit union continuity planning and disaster recovery. The NCUA’s guidance demands it because most credit unions will change, becoming more complex, either by serving more customers in a region or by expanding to other regions. Doing the work of creating a BIA so you know your strengths and weaknesses, enlisting management at the top to give the task weight, involving managers across departments to create the best chance of missing nothing, and securing the participation of vendors to make recovery a holistic solution together provide the best chance of keeping pace with that change. Relying on business continuity software like BC in the Cloud to simplify and organize that detail will focus effort on the plan and not its medium.