On March 19, 2008, the Agencies (OCC, Federal Reserve Board, FDIC, OTS, NCUA and FTC) jointly issued guidance for examiners, financial institutions and technology service providers in the form of an update to the IT Examination Handbook, Business Continuity Planning Booklet (the booklet was previously released in March 2003). The new guidance handbook included many significant changes. This, the third article in a three-part series, will review the booklet's expanded sections on the business impact analysis process. [To review the previous articles, visit www.conetrix.com/resources.]

What is a business impact analysis (BIA)?

A BIA is the initial step in the business continuity planning process. The purpose of a BIA is to determine the impact a disruptive event would have on your bank. A BIA should include:

  • A work flow analysis to identify and prioritize the bank's business processes that must be recovered
  • The potential impact of uncontrolled, non-specific events on business processes identified during the work flow analysis
  • The impact of legal and regulatory requirements
  • An estimate of the maximum allowable downtime (MAD) and the associated acceptable level of losses for the identified business processes
  • An estimation of recovery time objectives (RTOs), recovery point objectives (RPOs) and recovery of the critical path (those business processes or systems that must receive the highest priority during recovery)

What are the goals of a BIA?

A new appendix (Appendix F: Business Impact Analysis process) presents three primary goals of a BIA:

  1. To identify critical business processes and assign criticality. Factors influencing the determination of criticality include interdependencies among business processes and the MAD for each unique business process.
  2. To estimate the maximum downtime the bank can tolerate while still maintaining viability. Bank management must determine the longest period of time a business process can be disrupted before recovery becomes impossible or moot.
  3. To evaluate resource requirements such as facilities, personnel, equipment, software, data files, vital records, and vendor and service provider relationships

An expanded appendix (Appendix E: Interdependencies) seems to place even greater emphasis on identifying shared resources and services. For example, most banks' dependency on voice and data communications for many or most business processes dictates this functionality be given a high criticality rating.

The booklet presents five MAD estimates for assigning criticality: Nonessential (30 days), Normal (7 days), Important (72 hours), Urgent (24 hours) and Critical (minutes to hours). The number of MAD/criticality categories and time frames should be adjusted as appropriate and consistent with the size and complexity of the bank.

What are the steps in the BIA process?

The four cyclical steps in the BIA process are:

  1. Gathering information;
  2. Performing a vulnerability assessment;
  3. Analyzing the information; and
  4. Documenting the results and presenting the recommendations.

Much of the information presented earlier in this article serves to flesh out these four steps. However, this is the first reference to a "vulnerability assessment". A vulnerability assessment is similar to a risk assessment but differs as it focuses exclusively on threats relevant to business continuity. Many banks attempt to maintain multiple risk assessments, which can be costly in terms of resources but also commonly result in a great deal of redundancy. Rather than creating and maintaining a wholly separate vulnerability assessment for the bank's BCP, it may be acceptable to confirm the bank's information security risk assessment adequately identifies BCP-type threats and that both the risk assessment and BCP reference each other.

Final thoughts

Since a BIA is the foundation upon which a BCP is developed, examiners and auditors will frequently ask to review it. Therefore, the bank's BIA should be well documented and stored alongside the bank's BCP. The BIA should be revisited as the initial phase of any update to the bank's BCP.

Where can I get more information?