|Subject:||Reassessment of Business Continuity Plan|
|Date of Memorandum:||10/18/2001|
|Expiration Date:|| |
|Signed By:||Smith, Roland|
|FCA Contact Person:||Holland, Tom|
|List of Attachments:|
October 18, 2001
To: The Chief Executive Officer
All Farm Credit System Institutions
From: Roland E. Smith, Director
Office of Examination
Subject: Reassessment of Business Continuity Plan
Despite the tragic events of September 11, 2001, the financial markets operated with limited disruption. Certainly a key factor was that mission-critical information systems continued to provide the financial industry the necessary support during this uncertain time. Nevertheless, these events should cause financial institutions and financial regulators to review current practices and priorities as it relates to planning for business recovery. To that end, you should give special attention in the coming months to the Business Continuity Plan of your institution to ensure it addresses the ramifications of natural disasters, acts of war or terrorism, and cyber-terrorism. The Farm Credit Administration has previously issued guidance on various elements of business continuity planning that could assist board and management. This guidance includes the following Informational Memoranda which can be found on our Web site – www.fca.gov.
· “Contingency Planning for Business Continuity” issued June 30, 1998
· “Guidance on Year 2000 Contingency Planning” issued January 29, 1999
· “Threats to Information Management Systems” issued August 30, 1999
· “Risk Management of Outsourcing” issued October 25, 2000
The primary objective of a Business Continuity Plan is to enable an organization to survive a disaster and to reestablish normal business operations. In order to survive, the organization must ensure that mission-critical operations can resume normal processing within a reasonable timeframe. For financial institutions, including Farm Credit System (FCS) institutions, the general public likely expects “reasonable time” to be quite a short period of time. The board and management’s reassessment of the institution’s Business Continuity Plan should include the following actions:
Determine if the Business Continuity Plan is Current. Concern for problems associated with the Year 2000 preparedness caused substantial business continuity planning. But the September 11, 2001 events also showed that many organizations had not revised their plans since the Year 2000 activity. Periodic amendment and maintenance of a Business Continuity Plan is critical to the success of an actual recovery. The Business Continuity Plan must reflect changes to the institution’s environment and be based on certain assumptions that can, and likely will, change over time.
Review the Testing Program. There should be a process to periodically test the Business Continuity Plan. Like the plan itself, the testing process should be periodically reviewed and changes made as appropriate. A disaster recovery test will surface a range of practical issues. (Examples: Is the alternative facility location functional? Can staff be moved in a timely manner? Can customers find the new location via phone or the Internet? Has the plan been updated for changes in personnel, equipment, or technology?) Also, the board and management must be committed to making timely correction when the test identifies problems.
Revisit Offsite Storage. Both the location and the quality of the offsite disaster facility warrants review. Reportedly, at least one firm in the World Trade Center had their backup facility only a few blocks away. The offsite facility should be assessed to be certain it is both secure and equipped to be used for possibly an extended period of time.
Reevaluate Business Relationships. Business continuity services from outside firms are available and can be beneficial. But the board and management should not assume a scenario in which their institution will be the only customer needing assistance during a crisis. If disaster strikes, there may be multiple users of the business continuity services. Therefore, FCS institutions should attempt to ascertain where they stand on the priority list of their backup provider.
If you have any questions about this memorandum, please call Tom Glenn, Special Examination and Supervision Division, Office of Examination, at (703) 883-4412, or write to him on the Internet at e-mail address Glennt@fca.gov.