Business Continuity Management as a Component of Operational Risk Management
Business continuity is not a new concept. However, the effect of recent high impact events and outages as diverse as 9/11, the Asian tsunami, Hurricane Katrina and avian flu has sensitized bankers to the need to manage such eventualities in as seamless a manner as possible. These events also helped to establish the business case for continuity and provided the buy-in required from management and key stakeholders. Around the world, regulators also realized that the continuity of banks, and of the payment system that depends on them, is vital to reduce the crippling impact of such events. As a result they issued various guidance, recommendations and regulations to ensure that banks have effective business continuity practices in place. BIS, FSA and SEC have taken the lead in providing the required direction and guidance to banks. Other bodies laying out guidance for business continuity include the Disaster Recovery Institute International (DRII) and the Business Continuity Institute. All of these have brought a change in the way banks deal with their business continuity practices and manage outages.
Other notable change factors are:
Recent developments have led to a change in approach towards business continuity. Banks have realized the need to go beyond disaster recovery planning (DRP) and business continuity planning (BCP) into the management of business continuity, which is much broader in scope and more mature in nature. Business continuity management (BCM) includes not only planning and organizing but also execution and control of the continuity process. BCM covers not only DRP and BCP but also areas such as continuity strategy, alternate strategy, communication strategy, continuous risk monitoring and assessment, updating of response plans and strategy, and embedding business continuity factors in all major decisions of the bank relating to employees, logistics, facilities, location, etc. BCM also involves having risk mitigation and controls in place to avoid stoppage of work.
The Business Continuity Institute, UK, has defined BCM as: “an holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities.”
This definition underlines the objective of BCM: to increase the resilience of the business and to safeguard it. This approach has led to a gradual shift in the centre of gravity of business continuity from IT and disaster recovery to a more business-driven approach, in which effectively managing service levels and delivery in an outage scenario becomes critical. As a result, the critical nature of a process is determined by the importance of its service level delivery, taking into account factors such as customer retention, revenue loss and other direct and indirect costs of non-delivery, including compensation and litigation costs. Against this backdrop, the focus of risk assessment and risk mitigation in business continuity has shifted to include people, processes and products in addition to systems and IT. Interestingly, these were the very areas on which risk managers were increasing their focus for operational risk management.
In June 1999, BIS set out its definition of operational risk: “the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events.” This was significant, as it was the first formal definition of operational risk and it helped bankers to reach a common understanding of operational risk. This was followed by BIS defining and classifying seven different risk categories along with eight business lines. This comprehensive effort by BIS to define the ‘event’ risk categories led to a realization among bankers regarding the close relationship of BCM with operational risk management (ORM). The fifth and sixth risk categories, namely ‘damage to physical assets’ and ‘business disruption and systems failures’, established the relationship and the need to have BCM as an integral component of ORM.
The business continuity-related outage events and losses generally exist at the tail end of the operational loss distribution curve. They are the high impact and low probability events that organizations generally do not have much data about.
The acceptance of BCM as an important component of ORM has changed the focus of bankers from viewing ORM from just a control point of view to a more macro view that incorporated BCM as a hedge in managing operational risk. Five major risk mitigants have emerged as a result of this:
BCM as an operational risk mitigant has been further endorsed by BIS, while other regulators and bankers have realized that a robust BCM practice will allow them to reduce the economic capital to be held against operational risk, in addition to reducing direct losses from stoppages and outages. BCM has thus emerged as an important complement to the larger operational risk management framework. It allows a bank to manage the consequences of an outage without unacceptable delivery issues and thus reduce the operational risks and costs arising from litigation, compensation, data loss, customer churn, etc.
The relationship between BCM and ORM is not limited to BCM being an operational risk mitigant and qualitative adjustment factor for reduction of risk capital requirement. The framework and method used for ORM can also be extended and used for BCM, bringing the much needed rationalization of cost and resource utilization.
A look at the ORM and BCM frameworks reveals the similarities between their building blocks. We might not be able to use the ORM framework exactly for BCM, or vice versa, but we will certainly be able to use the same risk and control approaches for both, thereby avoiding duplication in the risk assessment process and saving time and cost for the business units.
Given the similarities it is pertinent to explore whether we can use the methodologies used for ORM for managing business continuity risks.
Risk and control self-assessment (RCSA) is a methodology that has evolved over the past 20 years from being used predominantly in internal audit to a risk management approach. RCSA is a systematic method of reporting and documenting risks, controls and action plans. It covers the identification and assessment of risks, their rating, and the building of risk profiles of the business on the basis of the risks and controls identified. The major building blocks of the RCSA process are:
An RCSA approach gives a balanced view of the business by assessing all the risks, rating how relevant those risks are, and listing the controls that are in place to mitigate them. RCSA can be used effectively to understand what impact a disaster will have on the ability of the bank to operate. Analysis of the business impact of various outages and their risk assessment can be done with the help of a questionnaire administered to the business managers or by conducting a workshop. Once the assessment is done on the basis of likelihood and impact on the business, relevant controls are identified for the risks. The relevance of the controls is further validated through periodic testing.
Identifying issues and putting in place action plans to address them helps to manage control defects and risk categories that lack relevant controls. The action plans also involve putting together various plans to manage outage situations.
When the risk is rated high or medium, the bank should have a well-documented contingency plan in place. If not, an action plan is developed to mitigate the risk, or a contingency or continuity plan is drawn up. There are different action plans that banks use to mitigate and control risk:
Conducting periodic tests of these plans is an important action point for most banks, to ensure that the plans remain relevant for practical implementation.
RCSA is an effective way to identify, assess and mitigate risk. Conducting RCSA with respect to BCM risk will not only enable banks to manage their BCM objectives but also reduce duplication and waste of conducting separate assessments for OR and BCM and thus reduce cost.
A scenario is a description of an adverse event that may happen. Banks may build up scenarios varying in the degree of their detail and focus. Scenarios may also contain detail of the cause and their likely impact. There are four primary approaches for building scenarios.
In practice, a combination of all of these approaches is used to determine outage scenarios. For each scenario the likelihood (probability) and impact on the process and product delivery, SLAs, and general business is assessed. The scenario analysis will help to identify the high impact points and will help to identify the critical processes that will require attention in terms of continuity strategy and plan.
The resultant strategy and plan will put focus on prevention and protection as well as recovery and continuity if the outage occurs. Prevention and protection will include RCSA of the site, unit, processes, security and utilities and help plan controls and actions for risk mitigation.
Key risk indicators (KRIs) relevant to business continuity risks help in both the assessment of the risks and their monitoring. The identification and assessment of risks and controls help to develop indicators for the key outage risks of the bank. KRIs track either the risks or the controls and can form an important part of the risk and control monitoring process. The KRI score can also be used to rate the risk in a business unit, so that timely action can be taken to mitigate the risk as and when the indicator crosses its threshold limits.
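As an added illustration (not from the original article), the following register ties together the RCSA steps described above (likelihood and impact rating, mapped controls, and the rule that high or medium risks need a documented contingency plan) with KRI threshold monitoring. The 1–5 scales, rating bands, risk names and KRI values are constructed assumptions, not figures from the article.

```python
"""Constructed RCSA-style register for outage risks with KRI threshold checks."""
from dataclasses import dataclass, field

HIGH, MEDIUM, LOW = "High", "Medium", "Low"


def rate(likelihood: int, impact: int) -> str:
    """Rate a risk from likelihood and impact, each on an assumed 1..5 scale.
    Bands (assumption): score >= 15 is High, >= 6 is Medium, else Low."""
    score = likelihood * impact
    if score >= 15:
        return HIGH
    if score >= 6:
        return MEDIUM
    return LOW


@dataclass
class Risk:
    name: str
    likelihood: int
    impact: int
    controls: list = field(default_factory=list)   # controls mapped to the risk
    contingency_plan: bool = False                   # documented plan exists?


def action_plan(risk: Risk) -> str:
    """Apply the article's rule: high/medium risks need a documented contingency
    plan; risks without any mapped control need controls identified; otherwise
    the risk is accepted and its controls are validated by periodic testing."""
    rating = rate(risk.likelihood, risk.impact)
    if rating in (HIGH, MEDIUM) and not risk.contingency_plan:
        return "develop contingency plan"
    if not risk.controls:
        return "identify controls"
    return "accept; test controls periodically"


def kri_breaches(kris: dict, thresholds: dict) -> list:
    """Return the names of KRIs whose current value has crossed its threshold,
    i.e. the points where the article says timely mitigating action is due."""
    return sorted(k for k, v in kris.items() if v >= thresholds[k])


if __name__ == "__main__":
    # Constructed sample register: a site power outage with controls but no plan.
    outage = Risk("primary site power outage", 2, 5, controls=["UPS", "genset"])
    print(rate(outage.likelihood, outage.impact), action_plan(outage))
    print(kri_breaches({"failover tests overdue": 2, "staff absence %": 8},
                       {"failover tests overdue": 1, "staff absence %": 15}))
```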
Business continuity should be the responsibility of the business and of every manager, rather than of a separate department. This will help businesses to own the responsibility for the success and failure of continuity rather than think of it as someone else’s responsibility. However, BCM policy and procedures still have to be written, risk assessment and impact analysis have to be carried out periodically, and testing and monitoring have to be done; this work can be coordinated by a person or a team within the ORM organization. The responsibility of that person or team is to ensure compliance by the business with BCM practice and to help the business in its outage readiness.
However, most banks currently have the BCM coordinator function outside the ORM function, with the coordinator reporting directly to the top management of the bank. This is because, until now, most banks have viewed BCM as outside the ORM framework.
The key challenges in implementation of a BCM framework are:
The big challenge for all banks is to rationalize cost and integrate compliance requirements. Banks are taking steps to rationalize cost by reducing the duplication of risk management processes carried out for different purposes. Understanding and appreciating the commonalities among various risks is a first step towards meeting this challenge. In the years to come we can expect banks to adopt an integrated approach to managing operational risk and business continuity risks, building on these commonalities and focusing on reducing the duplication and waste of multiple risk assessments for the same businesses.