Business Continuity Planning: 2009 Update

Business continuity planning (BCP) has been one of the issues at the forefront of the credit union industry since 2008. The Federal Financial Institutions Examination Council (FFIEC) updated its guidance in March of 2008 , the first time since hurricane Katrina and Rita devastated the Gulf Coast, with the release of the new Business Continuity Planning Handbook. This update follows the guidance given on Pandemic Planning at the end of 2007.

A business continuity plan does more than just meet FFIEC regulations. The BCP provides peace of mind to members, employees, and the community that the credit union can respond, recover and restore to ensure minimal disruptions to the critical operations. Developing the business continuity plan is a process. It will take time, thoughtfulness and dedication of the credit union from the board of directors and senior management down.

The FFIEC guidance encourages credit unions to adapt a four step, sequential, process orientated approach to business continuity planning. This approach collects the processes, procedures and information that are then compiled and developed into the plan. The importance of ongoing maintenance of the plan is to ensure the credit union is ready for a disaster of any size, at anytime.

The process the FFIEC advices follow the following four steps:

Business impact analysis (BIA): This will estimate the maximum allowable downtimefor critical functions of the credit union. The BIA should identify the impact of anuncontrolled event not only financially but the operational effects as well. The BIA answers the question of cost of an event that disrupts normal business operations.

Risk assessment: This identifies specific risks to your credit union. The risk assessment focuses on the impact to the credit union of a specific threat. A multitude of threats and the severity of each threats impact on the credit union are considered during the risk assessment. Risks include natural disasters, accidental disasters and manmade disasters.

Risk management: This should provide a written credit union wide business continuity plan. The plan's focus is to deal with specific events and what it will take to recover and resume critical credit union operations. The plan includes procedures and resources need to respond, recover and restore critical operations.

Risk monitoring: The testing, independent review and continuous updating of the business continuity plan ensures the plan is viable in the event of an occurrence. The FFIEC gives guidance on four types of tests that could be performed; walk-through, tabletop drills, functional tests, full-scale test.

Credit unions have been given guidance for a comprehensive business continuity plan to properly protect their members, organization and community. The credit union's normal operations and security procedures are not enough to protect the members, personnel, records, facilities and assets if the unexpected occurs. The credit union must have the processes and procedures in place in preparation for the unexpected. The updated FFIEC Business Continuity Planning Booklet has provided the guidance.

Randall C. Smith
Managing Editor
www.cuinsight.com