What happens if a bank cannot offer its customers online banking due to a technical breakdown, unexpected personnel shortage interferes with normal business operations, or the data center is paralyzed after a hacker attack? Such incidents do not necessarily have to turn into a horror scenario for financial institutions: Smart business continuity management using digital business impact analysis helps banks to keep an eye on critical processes and resources, and to take appropriate countermeasures in critical situations.
Because of their influential role in the economic and financial system, banks occupy a special position in the market. Foresighted business continuity management is particularly important for them to fulfill their regulatory obligations and comply with legal requirements. In the competition for customers, it is just as important to keep downtimes as short as possible and to ensure security for sensitive data. To be able to react appropriately to critical situations, financial institutions must therefore be familiar with their core processes and the impact of failures.
Business Impact Analysis: The Basis for a Contingency Plan
The business impact analysis (BIA) is the foundation of successful business continuity management. Institutions use it to determine the consequences of disruptions, or of the failure of business processes. In this way, critical business processes can be identified and suitable preventive measures for damaging events can be prepared.
Business continuity management (BCM) supports banks in developing strategies that enable them to continue business operations even under difficult conditions – from server failures to natural disasters. With BCM, the BIA is an important tool for creating an effective contingency plan. Only on the basis of the BIA can a risk analysis be used to assess the risks to processes and resources. A continuity strategy builds on these analyses, depicting alternative processes for the implementation of contingency measures.
The foundation for adequate contingency measures for banking operations in Germany is Section 25a of the Banking Act, which, among other things, stipulates “the definition of an adequate contingency plan, especially for IT systems.” Taking this act as a basis, the Minimum Requirements for Risk Management (MaRisk) specify the requirements in section AT 7.3 Contingency Plan.
How is the Business Impact of Process Failures Analyzed?
There are several ways to carry out a BIA. Since there are many uncertainties when it comes to contingency management, it is advisable for banks to follow a proven operational framework, such as the standards of the German Federal Office for Information Security (BSI). The so-called "IT-Grundschutz" developed by the BSI specifies several coordinated steps:
- Select business processes and organizational units
Only those business processes that are essential to achieve business objectives and create value are analyzed in more depth.
- Analyze damage
For each of the selected business processes, the damage that a potential failure can cause is assessed.
- Set recovery parameters
The recovery parameters (maximum tolerable downtime, recovery time, recovery level) for each business process are determined based on the expected progression and amount of damage.
- Consider process dependencies
The recovery parameters are adjusted accordingly if dependencies between business processes or strategic business goals so require.
- Prioritize business processes based on their criticality
Based on the results of the damage analysis and the recovery parameters, the criticality of the processes and the priorities for their recovery are determined.
- Determine resources for normal and emergency operation
For processes assessed as 'critical', the resources that are required for normal and emergency operation are determined.
- Determine the criticality and recovery times of the resources
Finally, criticality and recovery times are determined for the resources required by the critical processes.
Banks have to carry out a BIA regularly; in practice at least once a year if there is no reason or incident that requires further BIA to be affected. Not only do the technical process requirements constantly change, but also the organization, competencies, and thus process responsibility. As a consequence, regular updates are necessary to meet the regulatory requirements and be prepared for contingencies.
How Technology Facilitates Business Impact Analysis in Banks
An IT application for BIA workflow support makes it much easier to request the data required to evaluate the relevant business processes, analyze it, and keep track of progress. This allows the automation of most of the workflow and helps to monitor the execution of the process assessment.
Business Impact Analysis: Digital Process Assessment Ensures Good Results
Let us assume the following scenario: Every year, each business unit of a financial institution is asked to carry out a BIA. As part of this analysis, each business unit must evaluate its critical processes and determine its risk group. In addition, the resources relevant to this process (people, buildings, work equipment, and infrastructure/applications) must be assigned. Afterwards, the result must be submitted to the BCM coordination team of the financial institution. This team checks the submitted analysis and approves the process or refers it to another business unit for clarification. How can this extensive workflow, based on the recommendations of 'IT-Grundschutz', be mapped digitally?1. Create and select business processes for analysis
In a digital application for BIA, business processes can be created and existing processes can be edited or deleted. All value-adding processes within the financial institution should be listed here as the starting point for the analysis.
2. Perform damage analysis
The application sends a yearly reminder to the business unit to analyze a business process. Starting with the risk assessment, the responsible employee answers the question: What damage will occur if the business process fails? For this purpose, he or she provides information on the financial impact, potential violations of laws or regulations, potential damage to reputation, and on the impairment of task performance.
According to the 'IT-Grundschutz' approach, damage categories ("low", "normal", "high", "very high") are used to determine the extent of the damage. Each bank defines which damage category an event causing damage is assigned to.
3. Set the recovery parameters of the process
The times and resources required to restore a process are collected here.
4. Consider process dependencies
The process and resource overview of the BIA application gives the process owner an overview of all information about the processes stored in the system. This enables him or her to see, at a glance, which processes are relevant for further BCM. Findings from previous analyses are also available to the employee.
5. Determine the criticality of the processes
If the risk assessment and resource analysis are filled with the necessary data, the application automatically compares criticality and maximum tolerable restart time with the defined service-level agreements (SLAs).
6. Collect resources for normal and emergency operation
If the tool determines a critical resource for a process during the BIA, a contingency plan for process recovery must be defined. For this contingency plan, resources (IT infrastructure, personnel, locations, etc.) must be assigned.
7. Determine the criticality and recovery times of the resources
In the overview, the recorded resources can be easily maintained and assigned to the relevant processes, and competing SLAs can be easily managed.
After a successful review by all relevant stakeholders, the data collected during the BIA is systematically passed on to the BCM coordination team for further processing.
In order to be able to react optimally in an emergency, banks must always keep an eye on the critical business processes and resources as well as the impact of interruptions. Especially when carrying out a BIA, close cooperation between the business units is essential for a quick and high-quality result.
A specialized software solution supports banks by making the data required for a BIA manageable and by facilitating task management and thus cooperation between the many stakeholders. Service interruptions are a thing of the past. The fact that the processes are automatically classified after data entry, and that the employees are guided through the application, accelerates the BIA workflow. A digital BIA application forms the basis for efficient business continuity management, which ultimately not only helps meet the regulatory requirements of compliance and governance but also brings cost advantages in the competition for the customer.
Teaser: MIND_AND_I - 801354732 - iStock.
Screenshots of the application: knowis AG.