Testing 1, 2, 3...New Federal Guidance on Business Continuity Planning

By: (CISA, CISSP, CTGA)

Publication: The Colorado Banker, July/August 2008

In the wake of Hurricane Katrina and increased attention to the threat of a biological pandemic, the OCC, Federal Reserve Board, FDIC, OTS, NCUA, and FTC (the Agencies) consolidated five years of lessons learned and planning considerations into new federal guidance on effective business continuity planning.

On March 19, 2008, the Agencies jointly issued guidance for examiners, financial institutions, and technology service providers in the form of an update to the IT Examination Handbook, Business Continuity Planning Booklet. The booklet was previously released in March 2003.

Many significant changes were made in the new guidance handbook – too many to adequately address in a single article. Therefore, let’s concentrate on one of the major updates – BCP testing.

BCP Testing

The most substantial change, accounting for approximately 42% of the new material added to the main body of the guidance, has to do with BCP testing. The guidance takes BCP testing from a sub-category of Risk Monitoring and elevates it to a critical piece of the overall BCP, requiring board or senior management review of the BCP testing program and test results.

The guidance highlights the use of a set of framework tools – the testing program, testing policy, testing strategies, and testing plans – to help banks formalize their BCP testing process and improve the benefits received from each test. These tools are expected to be modified to fit the bank’s size and complexity of operations.

Testing Program

The testing program organizes the financial institution’s BCP testing efforts in a consistent way across the entire bank with support and oversight by the board and senior management. To accomplish this task, the guidance provides eight testing program principles such as defining roles and responsibilities for implementing and evaluating BCP tests, independent third party review, and a continuously evolving testing cycle that becomes progressively more comprehensive and integrated.

The emphasis on an evolving, increasingly comprehensive testing cycle is important to the long-term effectiveness of BCP testing. The number of unknowns in a disaster situation can be overwhelming, but some of them can be identified and addressed with comprehensive testing.

For example, there is no way to know with certainty how well the financial institution’s alternate data center is going to interact with the outsourced core banking vendor’s disaster recovery site without turning them on and testing the connections, data flows, and volume capacities. Issues will inevitably arise, and they are more easily dealt with during a BCP test than during an actual disaster.

Essentially, the testing program needs to give the bank staff a set of requirements and goals to implement. It is the road map to successful validation of the BCP.

Testing Policy

In any enterprise-wide initiative, one of the keys to success is consistent support by the board and senior management. Without this support, projects may not be well-organized, may lack clear-cut goals, are often underfunded, and may not line up with management’s strategic direction.

In order to support and emphasize the importance of BCP testing within the financial institution, the new guidance recommends the board and senior management establish a testing policy. At a high level, the policy should outline many of the parts of the testing program such as requirements for testing frequency, inclusion of critical service providers in BCP testing, and requirements for reporting test results.

Testing Strategies and Plans

Once the testing program and testing policy are established, they are implemented through the use of a testing strategy and testing plans. The testing strategy is an enterprise-wide document that standardizes the testing process. It defines the BCP testing scope and objectives including what functions, systems, or processes will be tested and what constitutes a successful test.

Finally, individual process owners develop testing plans. Each plan identifies the scenarios and methods to be used for a BCP test. It also provides test details such as roles for test participants, specific test objectives, test locations, and the testing schedule.

So how well would your BCP perform?

Business continuity planning helps ensure a financial institution can continue to function and support its customers whether it suffers a temporary power outage, the loss of a key employee, or a catastrophic disaster. Testing validates the BCP by proving it can guide the bank to restoration and ensures the financial institution does not have a false sense of security regarding the effectiveness of its BCP.

Where can I go to get more information?