Business continuity in financial services firms

We were reminded in 2005 that significant business disruptions continue to occur in varying forms and levels of intensity. The London bombings of July 7, the devastation caused by Hurricanes Katrina and Rita in the late summer and the New York City transit strike in December were all examples of events in which some measures of business continuity management response were taken by financial services firms.

Despite the headlines, business continuity remains a challenge for many financial institutions in terms of: regulatory compliance, its misperception as an insurance policy rather than a risk discipline, approval of costs for risk mitigation, corporate governance, accurate assessment of business and technology resiliency and contingency plan effectiveness, improvement of staff training and awareness for multiple emergency scenarios and ensuring an optimal, enterprise-wide and business-oriented approach. Outlined below are seven areas of focus for 2006 that are formulated to address the immediate challenges I see over the next 12 to 18 months, while strategically positioning the business continuity function for the next step on its evolutionary journey as an op risk discipline within financial institutions. These seven key areas of focus are to:

Pre-empt difficult global regulatory compliance reviews. There is increasing global regulation and scrutiny during examinations from most financial services regulators worldwide, including in: the US (Federal Reserve Bank, SEC, NASD, NFA, OCC), the UK (FSA, Bank of England, HM Treasury), Singapore (Monetary Authority of Singapore) and Japan (Bank of Japan, FSA). Prepare and issue, as a matter of course, comprehensive PowerPoint presentations with supporting materials through your internal compliance department to your regulatory contact on a recurring basis agreed in advance or upon request. This will pre-empt the hard, time-consuming examination sessions and challenges associated with responding to questions such as evidencing the ability to restore mission critical settlement and clearing functions within a specified recovery time frame or testing with key market participants, exchanges and utilities.

Routinely demonstrate incremental business value. Providing clearly developed and tested recovery and resiliency plans must be our principal focus; however, I advocate a number of additional ways to regularly participate in the overall business that begin to cast the business continuity function in a new, important light. Some specific actions should include: a) revenue enhancement – help in preparing bids for new business to assure prospective clients of your firm's resiliency and contingency preparedness in order to better position your firm's offerings against increasingly competitive peers; b) expense reduction – demonstrate your firm's effective business continuity planning programme as the means to reduce insurance premium costs for business interruption coverage; c) due diligence – conduct business continuity risk assessments of key business process and technology interdependencies (internal and external) and develop and test contingency plans to mitigate any associated gaps; and d) risk mitigation – maintain an effective business-resilient operating environment while deploying critical business functions offshore or onshore.

Minimise business continuity and disaster recovery costs by maximising utilisation of company assets (that is, people, real estate and technology). The trend to spend is down – we need to advance with less. Develop alternative recovery and resiliency strategies such as displacement (whereby business-critical staff temporarily displace less critical staff from their office space), converting multi-purpose space like a training room, cafeteria or auditorium into a disaster recovery site, transferring functions to other locations (for example, between New York and London trading desks), remote compute (virtual recovery from home or hotel), and 'split' or 'shared' production, whereby critical systems are load-balanced across multiple data centres and staff performing critical business functions are dispersed across multiple geographic locations.

Ensure both business line and executive ownership now. There is just too much ground for any dedicated business continuity function to cover if it has to own it all – the lines of business must be responsible for their own business recovery plans and contingency procedures. Having business lines own the plans and procedures ensures their accountability for the risk and commitment of resources. It also positions business continuity and disaster recovery to be business-as-usual. Furthermore, many business continuity decisions that are critically important to the overall firm must be mandated by executives that have the larger corporate view and enterprise level of responsibility – as individual business owners cannot justify cross-business expenditures alone. Establishing a strong corporate governance structure headed by executives with the appropriate level of cross-divisional and/or regional responsibility for risk management and complemented with senior level business line representatives responsible for risk management and/or business administration will naturally develop both business line and executive ownership.

Implement transparent measurement and reporting mechanisms for business continuity and disaster recovery. Have the right planning, testing and review metrics, risk assessments, infrastructure and tools in place to always know how recoverable or resilient a business is on a product and/or service basis – firm-wide. Develop and use business-oriented criticality weightings, environmental threat and vulnerability assessments and standardised business impacting scenario assumptions in your firm's approach. This will help avoid misrepresentation, inconsistency and/or ambiguity across businesses and geographic regions.

Train for multiple and simultaneous crisis events in different locations. Assume business-affecting scenarios that vary in effect and location. An organisation's ability to effectively respond to inclement weather, civil unrest, communicable diseases, natural disasters, or partial or total utility service and system outages may vary significantly due to its resource constraints, thus requiring the development of alternate plans to prioritise and allocate resources more appropriately. Ensure that both business line managers and staff are well prepared and trained to respond, utilising online web resources, table-top workshops and proprietary tools that would provide an accurate picture of today's business processes and enable 'what-if scenario' impact analysis and response plans to be developed on-the-fly.

Adopt a top-down and front-to-back business process perspective. Far too often, business continuity and/or disaster recovery are narrowly viewed and addressed only as internal technology and/or facilities problems. In fact, there is a people and business process dimension to business continuity that can be overlooked. Coming up with a contingency plan whereby manual workarounds could be just as effective in the first few hours/days following a disaster may prove to be the difference of millions instead of thousands of dollars in terms of a traditional technology and facility recovery solution. To ensure a business-oriented approach that incorporates critical internal and external interdependencies and opportunities for alternative recovery strategies, analyse the business vertically or top-down by location and horizontally or front-to-back across multiple locations.

It is not expected that all major financial services firms will be able to fully address each of these seven areas of focus over the coming year. However, sufficient resources applied to each means that they will be able to address today's business continuity management challenges while evolving into the global business continuity risk function of tomorrow.

Peter Poulos is a director in Credit Suisse's operational risk management group in New York. Email: peter.poulos@csfb.com.

Oprisk & compliance
