
Page 1

MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS © 2015 Wolf & Company, P.C.

2015 CEO & Board University

Taking Your Business Continuity Plan To The Next Level

Tracy L. Hall, MBCP

Page 2

Meet Our Presenter

Tracy Hall, MBCP

IT Assurance Manager

Wolf & Company, P.C.

Direct: 413-726-6884

[email protected]

Page 3

Agenda

Taking your Business Continuity Program to the Next Level

• Statistics and Recent “Disaster” Events

• FFIEC Guidelines / Latest Updates

– Appendix J: Strengthening the Resilience of Outsourced Technology Services

• Other considerations / Lessons Learned

Page 4

Not So Fun Facts

A 2012 survey showed that the top 4 causes of downtime that year were:

– Hardware Failure 55%

– Human Error 22%

– Software Failure 18%

– Natural Disasters 4%

Don’t Let The Door Hit You…

– 40% of businesses severely compromised by a disaster go out of business within 6 months

– 90% of businesses that are “down” for 7 days do not reopen

Cost of Not Being Prepared:

– Of businesses that experience a major loss of data without a plan:

• 51% close within 2 years

• 43% never reopen

• 6% survive long-term

Page 5

Increased Scrutiny

It is no longer sufficient to point to the “Large Book” on the shelf…

Page 6

Recent Events

Changes in preparedness and scrutiny by regulators and examiners began after 9/11 & Katrina and continue to increase with each incident.

• Hurricanes Irene & Sandy

• Winter 2011 Blizzard

• The East Coast Earthquake

• Tornadoes and thunderstorms

• Boston bombing

Page 7

FFIEC Guidelines – 2008 Revision

• Board and Senior Management Responsibilities

– Executive Overview of the BCP Process

– Board of Directors responsibility

• Business Continuity Planning Process

– Enterprise-wide approach to planning

• Business Impact Analysis

– Define critical functions

– Impact to business if those functions were interrupted

– Resources required to support those functions

– Critical Timeframes to Recover

• Risk Assessment

– What threats could possibly impact your operations?

– Where are your vulnerabilities?

• Risk Management

– Implementing Controls

– Developing a sound BCP

– Implementing a reliable Recovery Strategy

• Risk Monitoring

– Testing

– Maintenance

• Other Policies, Standards, and Processes

• Vendor Management

• Pandemic Planning

Page 8

FFIEC Guidelines – 2015 Update

February 2015:

Appendix J: Strengthening the Resilience of Outsourced Technology Services

• Result of increasing dependency on outsourced technology providers for critical systems and infrastructure

• Four Specific Areas

Page 9

FFIEC Guidelines – 2015 Update

Third Party Providers

• More and more processes are outsourced; must consider vendor response and recovery plans

• Ask for detailed SLAs

• Widespread regional events have identified issues with suppliers

• Contingent business interruption loss:

– A loss that a business suffers as a result of damage to other property that prevents one of the suppliers from providing goods and/or services to the business, or that prevents the business’ customers from accepting goods and/or services from the business.

Page 10

FFIEC Guidelines – 2015 Update

Area One

Third-Party Management addresses a financial institution management’s responsibility to control the business continuity risks associated with its TSPs and their subcontractors.

Page 11

FFIEC Guidelines – 2015 Update

How To Prepare

Third-Party Management

• Validate that third party resilience considerations are part of your vendor management program, including due diligence, contract negotiations and ongoing monitoring.

• Evaluate the use of subcontractors by your TSPs. Ensure TSPs are reviewing their subcontractors’ business continuity plans.

Page 12

FFIEC Guidelines – 2015 Update

Area Two

Third-Party Capacity addresses the potential impact of a significant disruption on a third-party servicer’s ability to restore services to multiple clients.

Page 13

FFIEC Guidelines – 2015 Update

How To Prepare

Third-Party Capacity

• Ensure that your TSPs have adequate planning and testing strategies to support multiple clients in a regional event.

• Identify a comprehensive set of alternative resources to provide services in the event your TSPs are unable to recover from a wide-scale disruption.

Page 14

FFIEC Guidelines – 2015 Update

Area Three

Testing with Third-Party Technology Service Providers addresses the importance of validating business continuity plans with TSPs and considerations for a robust third-party testing program and including third party providers in the client’s testing.

Page 15

FFIEC Guidelines – 2015 Update

How To Prepare

Testing with Third-Party Technology Service Providers

• Participate in BCP testing with TSPs, whenever possible.

• If not possible, review TSPs’ test results, remediation plans and status reports on their completion.

• Identify any gaps following testing. Draft a plan to ensure all gaps are addressed.

Page 16

FFIEC Guidelines – 2015 Update

Area Four

Cyber Resilience covers aspects of BCP unique to disruptions caused by cyber events.

Page 17

FFIEC Guidelines – 2015 Update

How To Prepare

Cyber Resilience

• Ensure that cyber threats are addressed in the BCP Risk Assessment.

• Validate that TSPs have an up-to-date incident response plan. Ensure the plan is periodically tested.

• Research and identify third-party forensic investigators that may be required following a cyber incident.

Page 18

Other Considerations / Lessons Learned

Executive Oversight

FFIEC guidelines require annual signoff on the BCP by the Board of Directors

– Ensuring a sufficient plan is in place

– Allocating responsibility of the plan

– Plan must be reviewed and updated at least annually

– Employee awareness

– Testing

– Supporting any actual recovery effort

Page 19

Other Considerations / Lessons Learned

Enterprise Wide Approach to Planning

• BCP is no longer an IT driven initiative

• FFIEC guidelines call for a business driven recovery plan

Page 20

Other Considerations / Lessons Learned

Scenarios

• Examiners are looking for responses to a wider range of possible scenarios

• Considering multiple scenarios while still focusing on “worst case”

– How do we avoid the vicious “What If” cycle?

– How do you determine “worst case”?

Page 21

Other Considerations / Lessons Learned

Business Impact Analysis (BIA)

• Is this business driven?

• Identifying MAD, RTOs, & RPOs for critical processes and systems

– Helps determine recovery strategy

– Do they coincide?

• Prioritizing processes and resource requirements into more condensed, well defined RTOs

MAD = Maximum Allowable Downtime

RTO = Recovery Time Objective

RPO = Recovery Point Objective

Page 22

Other Considerations / Lessons Learned

Recovery Reality

• How realistic is your recovery strategy?

• Have you tested that your recovery strategy supports the business critical RTOs and RPOs?

• Is your DR site equipped with the appropriate requirements?

– How often is this reviewed?

– Are changes to business incorporated?

Page 23

Other Considerations / Lessons Learned

Granularity

• More detailed “Action Plans” at the department level, especially focusing on the initial phase of incident response

Page 24

Other Considerations / Lessons Learned

Communications Plans

• Identify methods of communicating to employees, clients, etc. throughout the incident, not just at the onset

• Develop a procedure for communicating prior to incidents that have warning

• Ensure the plan adequately identifies who is responsible for what, including internal and external communications

Page 25

Other Considerations / Lessons Learned

Alternate Site Selection

• Geographic Diversity

• Accessibility

• Vulnerabilities

Page 26

Other Considerations / Lessons Learned

Testing

• Requirement for more dynamic testing

– Different types of exercises

– More frequent tests that are smaller in scope can make testing more manageable

• Incorporating user community

Page 27

Other Considerations / Lessons Learned

Awareness & Training

• How often are employees made aware of plan details?

• Do employees understand their role in the BCP?

Page 28

Other Considerations / Lessons Learned

Incorporating BCP into every day business

• Considering how changes to the business affect your BCP is essential to ensuring your BCP stays current and sufficient

– Personnel changes – growth

– System/Application changes – consider redundancy in budget

– Vendor/Provider changes

– Other technology changes

– New and updated policies and procedures

– Audit Feedback

Page 30

Thank You! Questions?

Tracy Hall, MBCP

IT Assurance Manager

Wolf & Company, P.C.

Direct: 413-726-6884

[email protected]