Pub. 9 2019-2020 Issue 6
Over a Century: Building Better Banks — Helping Coloradans Realize Dreams
www.coloradobankers.org

Is Your Business Continuity Plan Up to Date?

BY STEVEN WARD, CSI, CIO MANAGER

The developing COVID-19 pandemic serves as a reminder to our industry of the importance of business continuity planning (BCP). It is not just worldwide health pandemics that should prompt businesses to create and maintain a BCP — natural disasters and other unexpected events also reemphasize the importance of preparedness.

Most institutions likely follow the Federal Financial Institutions Examination Council’s (FFIEC) recommended BCP process, which includes a business impact analysis (BIA), risk assessment, risk management, and risk monitoring and testing. But despite the FFIEC’s 2019 updates, some financial institutions are still behind.

Is your institution’s BCP up to date? Ensure your organization is ready for the business landscape of the digital age by using these best practices. And don’t forget to review your plan with industry professionals who can evaluate your completed plan.

Protecting Your Data

While threats of physical loss or disruption caused by pandemics and natural disasters indeed pose risks, other threats to business continuity include disruptive data loss, breach or corruption — and these threats could affect any geographic region at any point in time.

A modern BCP must account for the critical role of data in today’s banking environment, beginning with your BIA, which assesses and prioritizes all business functions and processes. To protect your institution from the impact of data being lost, breached or corrupted, make sure these elements are included in your BIA:

• Data Classification: Classifying data can be cost prohibitive, especially for community banks. At a minimum, your institution must understand what data you have, what data is critical, where it is stored, how it is protected and how it can be recovered.
• Data Flow Diagrams: This diagram is a visual representation of your data, showing how and where it enters, flows through and exits your institution. The diagram is vital to your BCP and should be revised every few years or when introducing new business processes or lines of business.
• Security: Your BCP should reference your network segmentation policy, which should limit the access and movement of your data, as well as your data backup policy, to eliminate any unnecessary connections into or out of your backup storage site — something that is especially crucial in the event of a ransomware attack.

Assessing Your Risks and Threats

Conducting a risk assessment is the next phase in the BCP cycle, during which the FFIEC recommends that institutions develop scenarios of threats that could pose disruption to business