September is National Preparedness Month—a time to reflect on the importance of being ready for any unexpected events that could disrupt your business.
At Agility Recovery, we believe that resilience is built through proactive planning, continuous improvement, and a commitment to safeguarding your organization. To help you take meaningful action this month, we’ve compiled a list of 10 actionable steps your business can take to enhance its resilience. Let’s dive in!
1. Review and Update Your Business Continuity Plan (BCP)
Your business continuity plan is the cornerstone of your preparedness strategy. Regularly reviewing and updating it ensures that it reflects your current operations, personnel, and technology.
2. Test Your Data Recovery Plan
Disaster recovery testing is essential to validate that your data and IT systems can be restored efficiently. Schedule a full-scale disaster recovery exercise to ensure your team is prepared to respond quickly. Discover our data backup and recovery solutions here.
3. Conduct a Ransomware Impact Analysis
Ransomware is a growing threat, and understanding its potential impact on your business is crucial. Assess how a ransomware attack could affect your operations, data, and finances, and develop strategies to mitigate these risks.
4. Secure Backup Power Solutions
Power outages are among the most common disruptions businesses face. Ensure you have reliable backup power solutions, such as generators, to keep your operations running. Find out more about backup power options here.
5. Train Your Team on Emergency Response Procedures
A well-trained team is your first line of defense in an emergency. Conduct regular training sessions to ensure everyone knows their roles and responsibilities during a crisis.
6. Assess Supply Chain Vulnerabilities
Supply chain disruptions can have a significant impact on your operations. Evaluate your supply chain partners for vulnerabilities and develop contingency plans to mitigate these risks. Learn more about supply chain resilience strategies here.
7. Implement a Crisis Communication Plan
Clear communication is vital during any disruption. Establish a crisis communication plan that outlines how you’ll communicate with employees, customers, and stakeholders. Learn more about crisis communications here.
8. Review Your Insurance Coverage
Make sure your insurance policies adequately cover the types of risks your business faces. This includes property damage, business interruption, and cyber incidents.
9. Enhance Cybersecurity Measures
Cyber threats are on the rise, and a robust cybersecurity strategy is essential. Regularly update your security protocols, conduct vulnerability assessments, and train employees on cyber hygiene. Learn about strengthening your cybersecurity here.
10. Engage in Community Preparedness Initiatives
Building resilience isn’t just about your business—it’s also about your community. Participate in local preparedness initiatives, share resources, and collaborate with other businesses to strengthen collective resilience.
Get Started
Taking these steps during National Preparedness Month will position your business to weather disruptions and recover swiftly. At Agility Recovery, we’re here to support you every step of the way with comprehensive solutions tailored to your needs. Ready to take action? Talk to an Agility Recovery expert today. Stay resilient, stay prepared!
In the dynamic and heavily regulated landscape of the financial industry, ensuring the resilience of operations is paramount.
Business continuity testing is a cornerstone in achieving this resilience, allowing banks and credit unions to prepare for and respond effectively to various disruptions. In this blog, we highlight the top five scenarios for business continuity testing tailored specifically for financial institutions.
1. Cybersecurity Breaches

With the increasing threat of cyberattacks, financial institutions must be proactive in safeguarding sensitive data and systems. Conducting simulations of cybersecurity breaches helps evaluate the effectiveness of security protocols, incident response procedures, and employee training. By identifying vulnerabilities and refining response strategies, banks and credit unions can enhance their cybersecurity posture and minimize the impact of potential breaches.
Key Considerations of a Cybersecurity Breach Scenario
- Evaluate the effectiveness of cybersecurity protocols, including firewalls, intrusion detection systems, and encryption methods.
- Assess the response time and efficiency of incident response procedures, including notification protocols, containment measures, and recovery efforts.
- Review employee training programs to ensure awareness of cybersecurity risks and adherence to security policies.
- Identify potential vulnerabilities in systems, applications, and network infrastructure and implement appropriate safeguards.
2. Natural Disasters

Natural disasters such as hurricanes, floods, and earthquakes can severely disrupt operations, leading to financial losses and reputational damage. Business continuity testing enables financial institutions to assess their readiness for such events by simulating scenarios like prolonged power outages, facility damage, and communication failures. By validating contingency plans and recovery procedures, banks and credit unions can ensure swift restoration of services and maintain customer trust during times of crisis.
Key Considerations of a Natural Disaster Scenario
- Assess the readiness of physical facilities to withstand natural disasters, including building integrity, emergency power systems, and structural reinforcements.
- Test communication channels and protocols for notifying employees, customers, and stakeholders about the impact of the disaster and available support services.
- Evaluate the effectiveness of contingency plans for relocating operations, restoring critical functions, and accessing alternate facilities.
- Review insurance coverage and disaster recovery contracts to ensure adequate protection and support in the event of a natural disaster.
3. Pandemics

The COVID-19 pandemic underscored the importance of comprehensive pandemic response planning for financial institutions. Business continuity testing allows banks and credit unions to simulate scenarios such as widespread employee illness, remote workforce management, and increased customer demand for digital services. By stress-testing remote access capabilities, communication channels, and operational resilience, financial institutions can adapt to evolving circumstances and sustain business operations amidst a pandemic or similar health crisis.
Key Considerations of a Pandemic Scenario
- Test remote access capabilities, including virtual private networks (VPNs), cloud-based applications, and collaboration tools, to support a distributed workforce.
- Assess the scalability and resilience of digital infrastructure to handle increased demand for online banking services and remote transactions.
- Review policies and procedures for managing employee health and safety, including remote work policies, sick leave provisions, and healthcare support resources.
- Evaluate communication strategies for keeping employees, customers, and stakeholders informed about pandemic-related developments and business continuity measures.
4. Operational Disruptions

From system failures to supply chain disruptions, various operational challenges can impact the continuity of financial services. Business continuity testing helps identify vulnerabilities across critical functions such as payment processing, customer support, and risk management. By simulating scenarios like IT outages, vendor failures, and staffing shortages, banks and credit unions can strengthen their operational resilience and minimize service disruptions for customers.
Key Considerations of an Operational Disruption Scenario
- Identify critical business functions and dependencies, including IT systems, third-party vendors, and key personnel, and assess their vulnerability to disruptions.
- Test backup and recovery procedures for restoring data, applications, and services in the event of system failures or outages.
- Review supply chain resilience, including alternative sourcing strategies, inventory management practices, and supplier relationships, to mitigate disruptions.
- Assess the effectiveness of incident response plans for managing operational disruptions, including escalation procedures, decision-making frameworks, and communication protocols.
5. Regulatory Compliance

Compliance with regulatory requirements is essential for maintaining the trust and confidence of stakeholders in the financial industry. Business continuity testing provides an opportunity to assess compliance with regulatory mandates related to operational resilience, data protection, and disaster recovery planning. By simulating regulatory audits, compliance reviews, and reporting obligations, banks and credit unions can identify gaps in their processes and ensure adherence to legal and regulatory standards.
Key Considerations of a Regulatory Compliance Scenario
- Review regulatory requirements related to operational resilience, data protection, and disaster recovery planning, including industry standards and guidelines.
- Assess the documentation and distribution of business continuity plans, including risk assessments, recovery strategies, and testing results.
- Test the effectiveness of controls and safeguards implemented to protect sensitive data, including encryption, access controls, and data loss prevention measures.
- Review compliance monitoring and reporting processes to ensure timely identification and resolution of compliance issues, including audit trails, documentation reviews, and regulatory filings.
Conclusion
Business continuity testing is integral to the resilience and sustainability of financial institutions. By addressing the top five scenarios outlined above, banks and credit unions can mitigate risks, enhance operational preparedness, and maintain uninterrupted service delivery to customers. As the financial landscape continues to evolve, prioritizing business continuity testing remains a proactive measure to safeguard against unforeseen disruptions and uphold the trust of stakeholders.
Reach out to us today to explore our testing options, tailored to your specific institution’s needs.
Businesses today face a multitude of threats that can disrupt operations. With threats ranging from cyberattacks to natural disasters, the need for robust business continuity and disaster recovery (BCDR) plans has never been more critical.
However, many organizations lack the expertise and resources to develop and implement effective BCDR strategies on their own. This is where partnering with a BCDR provider can be invaluable. But with so many options available, how do you choose the right partner for your business? Here are five essential questions to ask before making your decision.
1. Is BCDR Cost Effective to Outsource?
Before your organization begins researching prospective partners, examine if it’s cost effective to outsource your BCDR needs. Outsourcing BCDR services can offer several cost advantages for businesses, but it’s essential to evaluate these factors carefully in the context of your organization’s specific needs and circumstances to truly determine the ROI (return on investment). Considerations include:
Cost of Staffing an In-House BCDR Team
Building and maintaining an in-house BCDR team requires significant investment in recruiting, training, and retaining specialized personnel. By outsourcing to a BCDR provider, you gain access to a team of experts with extensive experience and specialized skills in disaster recovery planning, risk assessment, and crisis management. This expertise can help streamline the BCDR process and minimize the risk of costly errors or oversights.
Subscription Costs
Outsourcing BCDR services often involves subscription-based pricing models or fixed-term contracts, providing greater predictability and control over expenses. This can be particularly advantageous for businesses operating on tight budgets or seeking to manage costs more effectively. Additionally, outsourcing allows you to avoid unexpected expenses associated with hardware upgrades, software updates, and ongoing maintenance, as these responsibilities typically fall within the purview of the service provider.
Investment in Infrastructure, Software, and Technology
Implementing an in-house BCDR solution requires substantial upfront investment in infrastructure, software, and technology. Outsourcing allows you to convert these capital expenditures into operational expenses, freeing up capital for other strategic initiatives and investments. This can improve your organization’s financial flexibility and agility, especially during periods of economic uncertainty or market volatility.
Time Savings
By outsourcing BCDR services, your internal teams can focus on core business activities and strategic priorities without being bogged down by the complexities of disaster recovery planning and implementation.
2. How Does the Vendor Simplify the Recovery Process and Protect Our Team’s Capacity?
During a disaster or disruption, your team’s capacity may be stretched thin as they focus on critical tasks to ensure business continuity. It’s important to understand how the BCDR vendor simplifies the recovery process and supports your team during challenging times. Be sure to ask about the vendor’s:
- Automation capabilities
- Intuitive user interfaces
- Streamlined workflows designed to minimize manual intervention and accelerate recovery efforts
- Support services
- Training programs
- Documentation resources to empower your team and enhance their effectiveness in managing BCDR activities
A vendor that prioritizes simplicity and support can help protect your team’s capacity and mitigate the impact of disruptions on your business operations.
3. Can the Vendor Meet (or Exceed) Our RTO?
In the event of a disaster or disruption, time is of the essence. Therefore, take the time to understand your prospective partner’s response time and recovery objectives. How quickly can they mobilize resources and initiate the recovery process? What are their guaranteed recovery time objectives (RTOs) and recovery point objectives (RPOs)? Ideally, you’ll want a BCDR partner capable of providing rapid response and minimizing downtime to ensure minimal impact on your business operations. This is especially important in highly regulated industries like banks, credit unions, and healthcare.
4. What Is the Vendor’s Reputation and Experience?
When evaluating potential BCDR partners, inquire about their experience and track record in the industry. Questions to ask include:
- How long have they been in business?
- Have they worked with organizations similar to yours?
- What kind of results have they achieved for their clients?
- What is their rate of success in meeting their clients’ RTOs?
A reputable BCDR partner should be able to provide case studies, testimonials, and references – all relevant to your industry and needs – to demonstrate their expertise and success in helping businesses recover from disruptions.
5. Are the Vendor’s Solutions Scalable?
Scalability is a critical consideration when evaluating BCDR partners. As your business grows and evolves, your BCDR requirements may change. Ensuring that the vendor’s solutions can scale seamlessly to accommodate your organization’s changing needs means you can form a long-lasting relationship. Inquire about the vendor’s ability to handle increases in data volume, user traffic, and geographical expansion without compromising performance or reliability. Also ask if the vendor can include other solutions as your organization’s needs evolve. A scalable BCDR solution will enable you to adapt to changing circumstances and future-proof your business continuity strategy, maximizing the long-term value of your investment.
Bonus: Does the Vendor Provide Additional Value Beyond Recovery?
BCDR vendors often provide more than just recovery services, making them a true partner to your business, rather than simply a vendor. Explore if they offer some of the following options as well.
Training and Testing
BCDR planning is not a one-time effort but an ongoing process that requires regular review, testing, and refinement. Ask your potential partner about their approach to continuous improvement and testing. Do they conduct regular assessments and audits of your BCDR plan to identify weaknesses and areas for improvement? How frequently do they perform disaster recovery drills and simulations? A proactive and responsive BCDR partner will prioritize continuous improvement and ensure that your organization remains resilient in the face of evolving threats.
Resources
In addition to providing training and testing, BCDR partners may provide access to guides, workshops, online courses, templates, or a knowledge base. These options allow your team to improve their own BCDR knowledge and capabilities.
Preparation
Ask about the vendor’s readiness assessments, tabletop exercises, and other preparedness activities designed to test and validate your BCDR plans and capabilities. Also inquire whether the partner runs their own tests and risk assessments in house. By investing in training, resources, and preparation, you can ensure that your team is well equipped to respond effectively to any potential disruptions and minimize the impact on your business operations.
Agility Recovery: Your Partner in BCDR
Once you’ve decided to move forward in outsourcing some, or all, of your BCDR efforts, reach out to Agility Recovery. Agility is a true partner in our members’ BCDR efforts, offering training, support, resources, and scalability. Try out our ROI calculator or make an appointment with an expert today.
When it comes to business continuity and disaster recovery planning, resilience professionals know that no plan is ready for the real world before it is tested.
There are different test types to choose from, including:
- Tabletop tests: Employees participate in a scenario-based, role-playing exercise. Everyone involved practices their roles and responsibilities during an emergency, such as an earthquake, hurricane, or active shooter.
- Plan reviews: Similar to a business continuity plan audit. The BCP team and the C-level management or department heads get together to review the plan and decide if any components are missing or need revision.
- Walk-through/simulation tests: A simulation test combines real recovery actions, like data loss, restoring backups, live testing of redundant systems, network outage, physical recovery, emergency notification, and other relevant processes.
In this blog, we'll focus on tabletop testing. With guidance from Agility recovery manager Alysha Hester, we will explore what a tabletop test is, what scenarios it's best suited to address, and how you can use tabletop testing to enhance your organization's resilience.
What Is a Tabletop Test?
A tabletop test is a walkthrough of an actual disaster scenario – like a hurricane, active shooter, or power outage – in real time. This walkthrough allows businesses to talk through reactions and strategies to ensure that department strategies are aligned with all areas of the organization. The walkthrough also allows organizations to gauge individual teams’ readiness levels if a disaster were to occur at that moment.
Think of this as a business continuity plan brainstorming session in real time, but in the safety of your office, outside of the actual disaster.
Alysha Hester, Agility Recovery Test & Declare Manager
What Are Tabletop Tests Used For?
Organizations use tabletop tests to test for gaps in written continuity plans. They allow businesses to explore the scenario and identify any dark corners in those plans, providing the opportunity to answer any questions before experiencing an actual event.
Why Do Businesses Use Tabletop Tests?
Tabletop tests are useful for several reasons, including:
- Identifying recovery gaps in plans, resources, and communication strategies
- Implementing new training protocols for safety that are identified post exercise
- Meeting compliance requirements
According to expert Alysha Hester, "I would say the main reason businesses use tabletops is to deep dive into a specific potential disaster to determine findings that could be further explored after the exercise. Once a post-event investigation has been completed, plans would be updated accordingly (and then the cycle of testing starts over so you can explore if these new adjustments provided greater resilience during a disaster)."
Pros and Cons of Tabletop Testing vs. Other Types of Tests
Why implement tabletop exercises instead of other types of tests and exercises? Ultimately, we advise utilizing all types of exercises, but tabletop tests are a great place to start.
Pros:
- Test the specific people and processes documented in your organization’s BCP
- Can be done virtually to conveniently include all staff (including hybrid employees or third-party vendors/MSPs)
- Low- to no-cost option
Cons:
- Creating exercises internally can be extremely time consuming and take some creative thought.
- Tabletop tests can’t test the physical components of the recovery, so it still may be unknown if some IT and manual processes will function as expected at the time of the disaster as discussed in an exercise.
For additional value, consider involving a 3rd party perspective in facilitation if you feel your tabletop exercises have become more of a check-the-box type of event or a BCP/incident response read-through.
Alysha Hester, Agility Recovery Test & Declare Manager
After the Tabletop Exercise
So you've completed your tabletop exercise – now what? One of the most critical outputs of any test or exercise is identifying gaps and areas for improvement. These could include realizing there is no personnel redundancy, not knowing how to get in touch with remote employees, or not having enough people who know how to access important information. Document this information and use it to update your organization’s business continuity plan. Then, be sure to update your organization on any new plans and procedures. In doing so, you'll be more prepared for any interruption that may affect the business. Ready to get started? Agility provides free tabletop exercise templates; we can also create a custom tabletop exercise and run it with your organization. Reach out to us today!
Earlier this year, Agility Recovery and The Conference Board joined forces for an extensive study, examining the growing significance of operational resilience.
Analyzing data from 147 business continuity professionals, 85 executives, and individuals from 56 firms, the study underscores the pivotal role operational resilience programs play in distinguishing between a business's success and failure during crises. This article delves into the connection between the report and ongoing events. It also explores how these events influence the perspectives of the continuity professionals surveyed in the study. Prepare for some surprising insights into what experts consider the most dangerous threats and what they believe might not be as critical. While every business has different needs, many of the threats to their continuity plans remain the same.
Perceptions vs. Reality in Operational Resilience
In the realm of operational resilience, perceptions don't always align with reality. While persistent cyberattacks, including DDoS, social engineering, phishing, and ransomware, top the list of perceived threats, several organizations that have experienced these attacks reported minor impacts. Are these threats being overestimated, or are organizations genuinely well-prepared? On the flip side, terrorist attacks, despite their global prominence, score the lowest in terms of both major impact and future risk. Recent events, such as the massive cache of military weapons left in Afghanistan, highlight the potential for determined bad actors to create global havoc. Some of these weapons have turned up in Kashmir and continue to fuel the conflict between India and Pakistan, two nuclear powers. The geopolitical landscape adds another layer of complexity. Despite ongoing tensions like Russia-Ukraine and China-Taiwan, geopolitical conflict and war are only recognized as a "top 5" risk by 40% of respondents. This raises questions about our perception of risk in the face of global military powers. Meanwhile, economic uncertainty casts a significant shadow, with the global economy weakening, interest rates rising, inflation continuing, and recession looming. These facts and figures challenge organizations to navigate the complex terrain of operational resilience and business continuity effectively.
The Lingering Impact of Pandemic Disruption: Perceived vs. Future Risk
Pandemic disruption continues to cast a long shadow over the global economic landscape. It's worth noting that 64% of respondents acknowledge its catastrophic or major impact on businesses. Surprisingly, only 12% consider it a top-5 risk in the future. This discrepancy may stem from the belief that, as a known event, most companies handled the pandemic well. However, this perspective could be shortsighted. Future epidemics or pandemics may introduce different risk factors and impacts, underscoring the need for ongoing preparedness. The toll of COVID-19 is a stark reminder. Lockdowns, supply chain disruptions, business closures, illness affecting over 676 million people, and more than 6.8 million deaths worldwide serve as somber statistics. Few business continuity plans effectively addressed the novel virus, leaving uncertainty about their applicability to future pandemics. Moreover, resilience professionals voice concerns about the technology and human risks associated with the shift to remote and hybrid work trends, citing lower employee engagement, reduced collaboration, and increased burnout. The proliferation of remote work locations adds new physical risks to the equation, as organizations must consider the safety of employees in numerous diverse settings. Exploring the disparities between perceived and future risks sheds light on the multifaceted challenges of operational resilience and business continuity in a post-pandemic world.
Risks of Remote Work: Balancing Benefits and Concerns
While reducing physical office space can boost the bottom line, organizations embracing remote/hybrid work face a delicate balance of benefits and risks. Despite enjoying reduced real estate footprints and expanded labor recruitment opportunities, 65% of respondents express concern about the overall risk associated with current remote/hybrid work strategies. The advantages for employees, such as eliminated commutes and increased time with family, are tempered by challenges. Diminished engagement, collaboration, and heightened screen fatigue contribute to burnout, potentially impacting productivity and organizational objectives. Human-factor risks abound in the remote workspace, with an expanding cyber attack surface and the presence of external entities—kids, cleaners, pet sitters, and curious roommates—introducing security concerns. Moreover, the lack of control over local power and internet infrastructure poses additional risks. Questions about technology deployment, broadband/WiFi stability, and potential weather-related outages underscore the complexities of managing a remote workforce. As organizations strive for remote work success, acknowledging and mitigating these risks becomes paramount in maintaining a secure and productive virtual environment.
Unraveling the Investment Landscape in Operational Resilience
The realm of operational resilience is witnessing a surge in spending, but accurately benchmarking these investments poses a challenge for leaders. Parameters such as geographic locations, technology architecture, regulations, and risk tolerance play pivotal roles in shaping effective programs. Whether decentralized or centrally directed, the diversity in operational resilience labor models further complicates spending pattern assessments. Respondents reveal that 60% of operational resilience spending is directed towards labor and purpose-fit tools, yet the accuracy of spending patterns remains uncertain. Technology failover and alternate workspace recovery constitute a modest 16% of spending, showcasing the challenges in benchmarking accountability and costs. In the case of outsourcing IT to a third party, the responsibilities of the third-party provider are variable, which complicates building a robust disaster recovery strategy when outsourcing these tasks. With the evolving landscape of remote/hybrid work, traditional work area recovery models are being reevaluated, reflecting shifts in recovery strategies. Before COVID-19, numerous organizations would engage in contracts for a designated "hot/warm" site, intending to recover critical office staff in the event of an impact on a building. However, in the aftermath of the global pandemic, organizations are reassessing the risk/reward proposition of remote/hybrid working arrangements and making adjustments to their recovery strategies. The remaining 24% of spending is allocated to crucial activities like exercising, testing, training, and travel, a critical investment to bridge the gap between executive expectations and actual preparedness. As organizations navigate the complexities of operational resilience, understanding these investment dynamics becomes pivotal in fostering true preparedness. The study highlights a notable disparity between what executives expect and the actual state of preparedness.
To bridge this gap and gain a genuine understanding of readiness, it is crucial to test and exercise capabilities. Furthermore, identifying gaps in recovery time (RTO) and recovery point (RPO) objectives enables better focus and prioritization of efforts to address these shortcomings.
Conclusion
In the intricate landscape of operational resilience, this exploration reveals a striking dissonance between perceptions and realities. From the overestimation of cyber threats to the underestimated risks of geopolitical conflicts, organizations grapple with aligning their strategies with the ever-shifting tides of global uncertainties. The enduring impact of the pandemic, the challenges of remote work, and the enigma of investment dynamics underscore the multifaceted nature of navigating operational resilience. As we unravel the intricacies, it becomes evident that a holistic and adaptive approach is essential for businesses to not only survive but thrive in the face of evolving risks.
Protecting Operations for Financial Institutions
The history of business continuity planning for banks and financial crises that inevitably impact banking institutions has taught us that nothing is 100 percent certain or safe. We can come up with analyses and forecasts, but a crisis can strike at any time. It can come in the form of natural catastrophes. Crises can also arise from human-made disasters, such as acts of terrorism, civil war, fraud in various forms and at different levels, cybercriminal attacks, technological failures, human error, and many others. This is why business continuity planning is such an essential company-wide responsibility. It involves the development of strategies designed to ensure the restoration of critical business processes, as well as the technical recovery of critical information systems integral to such functions during bank-wide service or operational disruptions. It plans for how critical processes, departments, information systems, and business units will work in tandem as a coordinated response to any disruption. For timely business resumption and recovery, there should be a tightly unified planning process involving each business unit’s plans and roles in the resumption of essential processes. This includes both short-term and long-term disruptions and subsequent recovery operations. Moreover, senior management must set the tone for everyone else that business continuity is an organizational responsibility, and not an information technology (IT) department matter for which only the IT function is liable.
The objectives of business continuity planning
Business continuity planning is essential to all companies during disruptions. In the banking industry, in particular, it aims to accomplish the following objectives:
- To reduce financial loss to the banking institution.
- To ensure customers and financial market participants continue to be served.
- To diminish the negative impact of disruptions on the bank’s reputation, market position, liquidity, credit quality, strategic plans, and operations.
- To maintain the bank’s ability to comply with applicable laws and regulations.
Today, technological innovation and changing internal and external business processes, as well as the emergence of new threat scenarios, require the continuous review and update of business continuity plans. A bank’s business continuity plan must always take into account regional disasters, and possible staff inaccessibility and losses. This is especially useful in the case of pandemics, such as epidemic-prone diseases like Ebola, influenza, and SARS, which affected several countries. Such outbreaks do not only impact staff availability but also affect customers who may become paralyzed with fear and panic, leading to increased delinquencies, higher internet banking volume, more requests for additional credit, and, at worst, bank runs.
The importance of impact analysis
An essential step in any business continuity plan is a business impact analysis that distinguishes critical from non-critical functions. A critical function is one whose implication for stakeholders or the extent of damage to the bank is considered unacceptable or disastrous. Moreover, any function that is dictated or required by law is automatically regarded as critical. What is perceived to be an acceptable disruption may change based on the cost of establishing and maintaining the necessary business or technical recovery solutions. Furthermore, impact analysis leads to the identification of each critical function’s recovery requirements. These include the timeframe in which the critical operation is restored after a disaster and the business and technical requirements essential to the recovery of each vital process. These days, banks have shorter business recovery time objectives compared to just a few years ago. In fact, recovery time for some institutions takes only a matter of hours, minutes, and sub-minutes, depending on the reason for the disruption. A business continuity plan must also address or take into account market-based and geographic interdependencies since there are now local, national, and global banking networks, as well as infrastructure service providers.
Critical components of a business continuity plan
According to the Financial Industry Regulatory Authority’s (FINRA) Rule 4370, the elements comprising a member’s business continuity plan are flexible. They can be tailored to the scale and requirements of each member. However, all plans must address the following:
- Data backup and recovery (hard copy and electronic): This encompasses a clear identification of where primary books and records, as well as backup files (hard copy and electronic) of the same, are kept or located. Establishments should also be prepared to provide a detailed description of the data backup and recovery process during major business disruptions.
- All mission-critical systems: Which systems are deemed mission-critical varies based on each member’s business. For banks, these would include online banking, access to customer accounts, and encryption.
- Financial and operational assessments: These assessments include a record of procedures to be undertaken, allowing for a bank to identify changes in its operational, financial, and credit risk exposures.
- Alternate communications between customers and the firm and between the firm and its employees: These encompass the provisions to be made to ensure an uninterrupted connection among everyone involved.
- Alternate physical location of employees: In the case of disruptions, there should be designated alternative sites for employees (this includes key personnel) in the resumption of business operations.
- Critical business constituent, bank, and counterparty impact: This covers the effect significant business disruption can have on a bank’s relationships with other banks, counterparties, and other stakeholders, and how it will address such impacts.
- Regulatory reporting: This should spell out the capability of a bank to ensure compliance with regulatory reporting requirements in the event of business disruption.
- Communications with regulators: This covers how a bank can communicate with FINRA during a significant disruption, and identifies designated business continuity plan contacts with FINRA who will assist in the communication.
- How the firm will assure customers’ prompt access to their funds and securities: Comprises details on how the bank will make funds and securities available to customers in the event of an extensive business disruption.
The business continuity planning process should be a continuously evolving step and bank-wide responsibility. It must be resilient and current to be capable of efficiently responding to changes in business operations and potential threats, and must completely address all audit recommendations and test results.
Here’s a question we’re asking each other – and our customers – this month: How are you celebrating National Preparedness Month?
As you may know, we believe preparedness is something to be embraced, not feared. Each September, FEMA reminds us of the importance of preparedness for businesses and families alike through National Preparedness Month. Business continuity and disaster recovery are critical to maintaining resilience and preparing for any interruption, whether that’s a natural disaster, a pandemic, or squirrels chewing through power lines (believe it or not, squirrels cause more damage to critical infrastructure than cyberattacks). Consider a few recent statistics:
- 75% of Agility customers activated their business continuity plan within the last year.
- 98% of Agility customers believe organizations should exercise/test plans at least annually.
- 90% of resiliency professionals see risks increasing over the next three years, with cyberattacks, the economy, supply chain, and climate change topping the list (Making Operational Resilience a Competitive Advantage, The Conference Board, 2023).
- The average cost of a data breach is $4.45 million (Cost of Data Breach Report, IBM & Ponemon Institute, 2023).
- As of August 8, there have been 15 weather- and climate-related disaster events with losses exceeding $1 billion each and resulting in 113 deaths. This does not yet include Central severe weather in June, Vermont and New Hampshire flooding in July, the Midwest/Southern drought, or Hurricane Idalia. (NOAA National Centers for Environmental Information U.S. Billion-Dollar Weather and Climate Disasters, 2023).
Every day of the year at Agility, we celebrate and dedicate ourselves to preparedness and resilience. Our customers and their communities rely on business continuity planning, training, and testing to ensure preparedness for any interruption and call on us to deploy critical equipment like backup power, mobile recovery and banking units, technology, and more. To recognize National Preparedness Month, we’ll post on our LinkedIn, Twitter (X), and Facebook pages, and have put together some great resources for you:
- National Preparedness Month Kit (includes our top checklists and guides)
- Webinar: Crisis Preparedness: Developing a Prevention and Response Plan
- Business How To’s for National Preparedness Month
- How to Promote & Implement Workforce Safety During National Preparedness Month
This and every month, we hope you will take the time to examine the plans and processes in place at your own organization so you’ll be prepared to sprint into action when – not if – an interruption occurs. As always, we’re just a quick phone call or email away to help.
- Call us: 866-364-9696
- Email us: [email protected]
Best Regards, Jon Bahl CEO, Agility

This National Preparedness Month, we have more helpful resources to share with you. Agility Recovery’s more than three decades of industry expertise allowed us to gather various relevant materials to support any preparedness effort. No threat – a hurricane, a wildfire, a terrorist attack, or an isolated incident – is too small. To help businesses become more aware of any potential threats and risks, we’re sharing the following tactics. Planned preparations build a culture of preparedness and protect your business assets. Because it’s never too late (or early!) to develop a contingency plan, below are the steps your organization can take to make its potential recovery less consuming and costly.
Steps to Preparedness
1. Plan to Stay in Business
Downtime can be costly for a business of any size. If there’s a risk your operations may be interrupted, you need to have a plan of how to get your lights back on in case of disruption. Use our comprehensive business continuity checklist to plan for the unexpected.
2. Talk to Your Employees and Coworkers
The workforce is a company’s most precious asset. Sharing your plan across your team and training everyone involved on their roles will help your company become operational faster. Your business continuously evolves, and so should your plan. Review it regularly and include your teams to help them understand their responsibilities in disaster planning.
3. Protect Your Investment and Assets
To help your business mitigate risks more effectively, prioritize which of them pose more of a threat. Consider the following to safeguard your business continuity:
- Review your insurance coverage and all related terms.
- Back up your data and store it offsite. Practice recovering it remotely.
- Involve your vendors in your business continuity plan. Develop alternative relationships with other vendors in case your current partners are unable to follow your guidelines.
Your business can mitigate most of the damages by establishing a thorough business continuity and disaster recovery plan. An organization that thinks about how to get its employees back on the job in case of disruption is more likely to keep its lights on. Take action now to protect the success of your company and to fulfill your promise to the community.
In an era marked by unprecedented challenges, the significance of operational resilience has come to the forefront. Businesses are grappling with an array of risks ranging from cybercrime to supply chain disruptions, and the need for robust business continuity programs has never been more evident.
Agility Recovery and The Conference Board recently collaborated on a comprehensive study that sheds light on the increasing importance of operational resilience. The study, which analyzed data from over 147 business continuity professionals, 85 executives, and professionals from 56 firms, highlights how operational resilience programs can be the critical element differentiating a business's success from its downfall during crises.
Cybercrime: A Looming Threat
Cybercrime has grown exponentially, casting a shadow over organizations of all sizes and industries. The study reveals that 90% of resiliency professionals foresee a surge in risks over the next three years, with cyberattacks as a top concern. The Deloitte Center for Controllership poll uncovered startling statistics, with 34.5% of polled executives reporting cyber adversaries targeting their organizations' accounting and financial data over the past year. Astonishingly, nearly half of the executives expect an escalation in cyber events targeting financial data in the coming year. The financial ramifications of cybercrime are staggering. According to Cybersecurity Ventures, the cost of cybercrime is projected to reach a staggering $8 trillion in 2023, a figure set to escalate to $10.5 trillion by 2025. The alarming truth is that no organization is immune, as evidenced by the average cost of a data breach, which hit a record high of $4.35 million last year. Similarly, the average cost of a ransomware attack stood at $4.54 million. The time to identify and contain breaches is also distressingly long, with an average of 277 days – approximately nine months. The need for cybersecurity collaboration across all facets of the organization becomes acutely clear.
Supply Chain Vulnerabilities: A Chain Reaction of Disruption
The resilience study underscores the precariousness of supply chains. Forrester data reveals that over half of security professionals reported incidents or breaches involving supply chain or third-party providers within the past year. This highlights modern businesses' interdependence on intricate supply networks, which can amplify vulnerabilities. The consequences of supply chain disruptions are glaring. The Conference Board reports that a mere 57% of firms claim to have responded effectively to recent events that hindered their ability to deliver products and services. This underlines the necessity of strengthening supply chain resilience and preparedness. The current scenario demands a proactive approach that integrates operational resilience into the very fabric of an organization. An alarming statistic reveals that only 24% of organizations believe senior management comprehends the firm's operational resilience capabilities, highlighting a critical communication gap.
Increasing Weather Threats: Preparing for the Unexpected
The significance of solutions like backup power and workplace recovery becomes clear when considering the impact of abnormal weather patterns on global businesses. Research indicates that a staggering 70% of companies worldwide experience operational and financial setbacks due to weather disturbances. Shockingly, these disruptions contribute to an estimated cost of $630 billion annually for the United States alone, equivalent to 3.5% of the nation's GDP. Recent history demonstrates that the increasing frequency, intensity, and unpredictability of weather events pose a substantial threat. From the Gulf states’ energy crisis triggered by a winter storm to the havoc caused by Hurricane Ida on power infrastructure in New Orleans, it’s evident that businesses are vulnerable to the whims of nature. In an era characterized by escalating climate-related challenges, the prevalence of extreme cold, scorching wildfires, and heatwaves further underscores the urgency of bolstering power system resilience.
Investing in Resiliency: Bridging the Gap

Amid these challenges, the study presents a silver lining – budgets for business continuity programs are on the rise. A notable 60% of organizations are earmarking increased funds over the next three years to bolster their operational resilience efforts. This financial commitment reflects the growing awareness of the importance of being prepared for disruptions. However, a glaring disparity emerges in understanding operational resilience's value. Only 36% of survey respondents claim the ability to quantify the returns on their investments in operational resilience, indicating an opportunity for growth in this area. To capture senior management's attention and support, resilience professionals need to shift their focus toward demonstrating results and showcasing the tangible benefits of these programs. Operational resilience, often seen as an additional expense, is a strategic asset that safeguards revenues, curtails costs, protects reputation, and mitigates disruptions.
Cultivating a Culture of Resilience
Operational resilience must be ingrained at every level of an organization's structure. The study reveals that just 16% of organizations describe their business continuity plans as mature, while another 18% classify them as reactive. This suggests that many organizations are in the early stages of building and refining their operational resilience strategies. Interestingly, those directly involved in operational resilience express more confidence than CEOs regarding their organization's ability to navigate a crisis. A significant 55% of respondents believe their organization is prepared for most events, while 42% assert they are prepared for at least some disruptions. This confidence is grounded in experience, as evidenced by 57% of firms effectively responding to recent events that hindered their operations.
Conclusion
The study conducted by Agility Recovery and The Conference Board serves as a call to action for businesses to elevate the importance of operational resilience. In a landscape fraught with cyber threats, supply chain vulnerabilities, and unforeseen disruptions, having a robust business continuity program isn't just an expense but an investment in the future. The statistics underscore operational resilience's critical role in protecting revenues, reducing costs, safeguarding reputation, and mitigating disruptions. As businesses navigate an increasingly complex landscape, they must recognize that operational resilience isn't merely an option – it's the cornerstone of survival in an uncertain world.
Agility Recovery, Preparis, and The Conference Board recently concluded a months-long study analyzing data from 147 business continuity professionals, 85 executives, and professionals from 56 firms.
This study was conducted to highlight the often-underappreciated importance of operational resilience programs. Many organizations view their operational resilience programs as an added expense or a line item in their budgets. However, having a strong business continuity program could mean the difference between successfully navigating a crisis or crumbling in the face of it. It’s much better to be proactive instead of reactive and have a sound and well-structured plan in place. Below are four major takeaways from The Conference Board’s report.
1. What is Operational Resilience?
Operational resilience is the ability of an organization to prepare for, respond to, and recover from interruptions that affect its ability to deliver products and services. This includes physical and human resources, policies, and activities. Operational resilience ideally includes both strategic and financial resilience. So, what does this mean? In theory, operational resilience should be integrated into each stage of an organization’s operations and cover the entire life cycle of preparing for and responding to disruptions. According to the ISO 22301 Business Continuity Management Systems (BCMS) standard, a comprehensive program should include risk assessment and management, scenario planning, crisis management, business continuity, and recovery. In practice, however, operational resilience programs tend to focus on the crisis stage and do not always cover areas such as physical assets, technology, and employee health and safety. A survey of 147 professionals found that these areas are often managed by other parts of the organization, where different departments may not be aware of the appropriate response.
2. Don’t Overlook the Human Element
Operational resilience programs typically focus on the physical assets affecting an organization. This includes buildings and equipment but also consists of an organization’s policies, procedures, and playbooks. It’s critical not to leave out the human dynamics in a crisis situation. This involves ensuring that employees comprehend and internalize the concept of resilience, their individual and collective roles in promoting it, and their own personal resilience. Additionally, it is essential to identify in advance an executive who can lead the response effort and provide the appropriate employees with crisis management training. Organizations can benefit from their insights and creativity by including the workforce in crisis management and business continuity planning. The organization, supply chain, and external parties should establish clear communication channels. Finally, learning from a crisis is also crucial to operational resilience, so taking time to reflect on lessons learned, documenting conclusions, and implementing any changes is essential.
3. Budgets for Resilience Programs are Increasing

It may come as no surprise that 90% of resilience professionals see threats increasing over the next three years. Cyberattacks, economic uncertainty, supply chain issues, and weather are at the top of this list when it comes to what resilience professionals are preparing for. These threats are just the tip of the iceberg. While threats like weather and supply chain disruptions may be foreseeable, other threats like cyberattacks often strike without warning. Even lessons learned from Covid-19 illustrated the importance of preparing for the “what if” when it comes to crisis management. It’s safe to say that most resilience programs probably emphasize pandemics more, even though the likelihood of a resurgence may be further down the list of immediate concerns. The survey results leave no room for doubt, highlighting the critical role of a robust risk identification and assessment process within an overarching operational resilience plan. At the roundtable discussions, concerns arose over the limitations of current enterprise risk assessments. Companies often gather risk information in fragments, restricting the identification of certain risks and their interconnected nature. Moreover, hesitancy in reporting risks to the C-suite without adequate mitigation plans stifles progress, even though these risks demand immediate attention. The statistics, however, reveal a significant gap in readiness protocols. Only 16% of companies describe their operational resilience programs as mature, adhering to industry best practices and standards. Interestingly, resilience professionals stand apart from CEOs, expressing greater confidence in their organization’s ability to weather shocks. With 55% prepared for most events and another 42% asserting their preparedness for at least some disruptions, it’s clear that operational resilience is gaining traction. With these numbers hovering around 50%, it’s evident that there’s still a long way to go.
As businesses gear up for the future, data-backed insights provide the compass to navigate interconnected risks and embrace operational resilience as a competitive advantage rather than a line item in their budgets.
4. The Impact of Remote & Hybrid Work on Resilience Programs
Data highlights some potential pitfalls of remote work: Diminished employee engagement, reduced collaboration, and increased burnout can hinder a company’s responsiveness to disruptions. Resilience professionals are particularly concerned about the physical and technological implications, as employees scattered across numerous locations face varying risks like weather events or infrastructure issues. Organizations must strategically respond to localized disruptions, potentially shifting employees to the office or identifying backup work locations. Decisions regarding office space closure or downsizing should be weighed against the need for operational resilience. The speed at which a business responds to a disruption can mean the difference between several thousand or even millions of dollars.
Conclusion
Overall, this study conducted by Agility Recovery, Preparis, and The Conference Board illuminated the importance of developing a strong operational resilience program. This data analysis from over 147 business continuity professionals, 85 executives, and professionals from 56 firms clearly demonstrated that businesses must pay attention to the importance of resilience programs in today’s increasingly interconnected and complex world. To successfully navigate a crisis, organizations must proactively develop and maintain a comprehensive operational resilience program that accounts for both physical and human elements. By investing in resilience now, businesses will be better equipped to handle the unexpected and protect their bottom line in the future. Click the link to download the full report.