What is Business Continuity Planning?
Business Continuity establishes the basis for financial institutions to recover and resume business processes when operations have been disrupted unexpectedly.
(Diagram labels: Business Operations, Technology, Testing, Communication Strategies)

Business Continuity: Why is it Important?
Financial institutions play a critical role in the overall economy. The assurance that disruptions in services are minimized will foster confidence in the overall financial system and trust from the public. Additionally, Business Continuity Planning allows financial institutions to be prepared for the unexpected, and allows them to minimize potential financial losses while continuing to serve customers and financial markets.

Business Continuity
The Business Continuity process comprises four steps:
- Business Impact Analysis
- Risk Assessment
- Risk Management
- Risk Monitoring and Testing

Business Continuity
The first step of Business Continuity, the Business Impact Analysis (BIA), is to:
- Identify and prioritize all business processes or functions
- Identify the potential impact of a business disruption
- Identify legal and regulatory requirements, if any

Business Continuity
Step two, Risk Assessment, looks at:
- Evaluating the Business Impact (from step 1)
- Analyzing threats based upon their impact to the institution
- Prioritizing potential disruptions
- Performing a Gap Analysis

Business Continuity
Risk Management, the third step, focuses on the development, implementation, and maintenance of a BCP plan. This includes consideration of:
- The BIA and Risk Assessment from the previous steps
- A written plan, specific to the conditions under which it is implemented and the steps to take during implementation
- Proper management of the plan, if supported by a third party
- Focus on the impact of various threats
- Effectiveness in minimizing service disruptions

Business Continuity
The fourth step, Risk Monitoring and Testing, ensures the viability of the BCP through:
- Incorporation of the BIA and Risk Assessment into testing
- Assignment of roles and responsibilities for implementation of testing
- Completion of BCP tests
- Evaluation and assessment of the test program and results
- Revision of the BCP plan, if necessary

Compliance: SOX and Basel II
What is SOX?
Drafted by Senator Paul Sarbanes and Congressman Michael Oxley, the Sarbanes-Oxley Act was signed into law on July 30, 2002 by President Bush. It was enacted largely in response to a number of major corporate and accounting scandals, such as Enron and MCI WorldCom, and applies to publicly traded companies and the auditors of such companies. SOX requires an annual evaluation of internal controls and procedures for financial reporting, in perpetuity.

Compliance: SOX and Basel II
SOX Responsibilities
The scope of SOX responsibilities includes:
- At least annual assessment and review of controls, which include, but are not limited to, controls related to the prevention, identification, and detection of fraud.
- The CEO is ultimately responsible and should assume “ownership” of the control system. However, everyone in the organization has some responsibility for internal controls.
- Our efforts directly impact the reporting by our Management.

Compliance: SOX and Basel II
What is Basel?
The Basel Committee was established by the central-bank Governors of the Group of Ten countries at the end of 1974 and meets regularly, four times a year. In 1988, the Committee decided to introduce a capital measurement system commonly referred to as the Basel Capital Accord. This system provided for the implementation of a credit risk measurement framework with a minimum capital standard of 8% by end-1992.

Compliance: SOX and Basel II
The Basel II Framework, issued on July 4, 2006, is intended to be a comprehensive version and to promote a more forward-looking approach to capital supervision, one that encourages banks to identify the risks they may face, today and in the future, and to develop or improve their ability to manage those risks. Categories include:
- Risk Scenario Analysis and Inventory
- Loss Data
- Risk Control Self Assessment
- Economic Capital Reporting

Cobit 4.0 Framework
The Cobit Framework was established in support of Management’s realization of the significance that information can have to the success of an Enterprise, the expectation of a heightened understanding of operations, and the assurance of successful management, so that the Enterprise can:
- Achieve its objectives
- Be resilient and able to learn and adapt
- Judiciously manage risks
- Recognize opportunities and act upon them

Cobit Framework
This governance and control framework serves a variety of internal and external stakeholders and meets the objectives of being:
- Business focused, to align Business and Technology objectives
- Process oriented, with a specific structure
- Consistent with best practices and standards
- Expressed in a common language generally understandable by all stakeholders
- Helpful in meeting regulatory requirements

Cobit 4.0 Framework
The Cobit Framework comprises four categories:
- Plan and Organize
- Acquire and Implement
- Deliver and Support
- Monitor and Evaluate
Each of these categories has a list of Detailed Control Objectives specific to that category. These objectives provide a framework for Enterprises to ensure they are compliant with regulatory policies and standards, including SOX, Basel II, and BCP.

Cobit 4.0 Framework
Within Cobit 4.0, under Deliver and Support, there is an entire section, DS4, that identifies controls specific to continuity. They include objectives such as:
- DS4.1 IT Continuity Framework
- DS4.2 Continuity Plans
- DS4.5 Testing of Continuity Plans
These objectives are directly in line with the goals of Business Continuity.

Working Together
(Diagram: SOX, Basel II, BCP)
Business Continuity, SOX, and Basel II are intertwined.

Working Together – Common Threads
Within BCP, SOX, and Basel II programs, there are common threads:
- Process identification and prioritization
- Risk assessment and evaluation
- Control identification and Gap Analysis
- Testing
- Remediation, when necessary

Working Together: Process Identification and Prioritization
- What are each of your Business processes? This includes Business and Technology processes.
- Which processes are key or critical to continuing “Business as Usual”?
- Which processes have a direct impact on your financials (General Ledger)?
- Which processes are the key operational processes that support your customers or stakeholders?

Working Together: Risk Assessment and Evaluation
- For each of the processes deemed critical, what are your risks? Operational, Resource, Financial, Data
- What is your level of risk? High, Moderate, or Low
- Management understanding and approval of processes and risks, and of the necessary efforts associated with identified risks.

Working Together: Control Identification and Gap Analysis
- For each risk identified as a High Risk, what are the controls in place?
- How strong are these controls?
- Are there any gaps within the process that do not control the risk?
- Does Management understand and approve the gaps, or do they need to be addressed?

Working Together: Testing and Remediation
- Perform testing to ensure the controls in place are working as expected.
- Report test results to Management.
- Remediate weaknesses or failures:
  - Were there any failures during testing?
  - Were any controls identified as weak during testing, such that they did not meet the objectives?

Working Together
Although the reasons for each program may be different, the Enterprise objectives and activities set out for Business Continuity, SOX, and Basel II are the same:
- To ensure controls are in place that meet regulatory requirements
- To reduce and mitigate risk, whether it is financial, operational, or reputational
- To reduce the impact to internal or external stakeholders

Working Together
Think about the synergy of your compliance programs and consider:
- Are there redundancies within any of your Programs?
- Can resources be more aligned to work more closely together?
- Where can efforts be consolidated to be more efficient and cost effective, yet still meet the needs of your Enterprise and regulatory requirements?