Business Impact Analysis (BIA)
BIA is the key element of the BCP planning process, since it provides the foundation upon which the BCP is developed.
A bank’s critical business functions are time-sensitive and must be restored first in the event of a disaster to avoid unacceptable financial and operational losses. BIA helps identify these time-sensitive critical business functions within the various departments of the bank. The purpose is to identify the impacts of disruptions that may result in denied access to critical banking services, buildings and facilities.
The NRB guidelines specifically require that there be detailed procedures for prioritizing critical business functions, for incident handling, and for how the bank will manage and control the identified risks.
BIA helps analyze the operational, financial and non-financial impacts on various bank activities (within each of the identified critical business functions), when these business functions are not available or the access to normal workspace is denied.
Furthermore, BIA also helps identify resource requirements, such as competent staff, office equipment, office technology, computer applications, vital records, office stationery, and third-party services etc. to support the technology and business recovery process of the bank.
As per the NRB guidelines, the bank should accurately determine and prioritize such mission-critical business activities along with their recovery strategy, alternate site locations, testing, training, etc.
It is advisable to conduct the BIA before the risk assessment, so that the urgent business functions on which the risk assessment should focus are identified first.
BIA is often completed in two major steps, targeting first functional recovery (activity recovery) and next computer application recovery, on a priority basis. The idea is to determine the bank’s functional recovery priorities, identify interdependent activities and establish appropriate recovery objectives, so that Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) can be set for those mission-critical business functions as well as for the activities within them.
RPO and RTO
Recovery Point Objective (RPO) is the point in time to which backup data, such as backup tapes or replicated data, must be restored and synchronized by IT to resume business processing. It is basically the frequency of data backup (e.g. software backup, user data backup, application backup, etc.) or, in other words, the measure of data loss (in hours or days) acceptable to your bank.
For example, if you have an RPO of 24 hours, then the data restored from the backup may be as much as 24 hours old, and the business function will have to recover the missing data manually.
In the best-case scenario the RPO is zero, which basically means that all affected computer systems use mirroring (real-time data/transaction copying) technology to simultaneously copy all incoming data/transactions to an identical system in a remote location.
Determining the RPO may also depend on how frequently the data being backed up is modified. Data that does not change often, such as account information, personal records, employee records, etc., can have longer RPOs. On the other hand, shorter RPOs are advised for frequently updated data, such as credit card data, financial transactions, etc.
Recovery Time Objective (RTO) is the period of time within which IT systems, applications, or business functions of the bank must be recovered or put back into operation after an outage. That means a 24-hour RTO would indicate that the particular business function could operate using temporary manual workarounds for the first 24 hours following a disaster declaration. During this period the business function can continue to operate in an emergency mode without access to the IT systems or applications.
Determining the RTO may also include a “time of year” or “seasonal” component, such as busy festival times, the end of the fiscal year, the quarterly reporting period, etc.: periods during which a disruptive event can prove disastrous.
For example, in the middle of the month or quarter your finance team may go days without accessing the finance application, but at the end of the month or quarter, even a few hours without this application can be extremely disruptive.
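As an added illustration (not part of the original guidance), the following Python checks a recorded incident against constructed RPO/RTO targets for two hypothetical bank functions, including the month-end RTO tightening described above; the policy values, function names and the three-day month-end rule are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed RPO/RTO policy (hours) for two hypothetical functions.
# "seasonal_rto_h" models the "time of year" component: a much tighter
# RTO for finance reporting during month-end.
POLICY = {
    "core_banking": {"rpo_h": 0.0, "rto_h": 2.0},           # mirrored: RPO zero
    "finance_reporting": {"rpo_h": 24.0, "rto_h": 72.0,
                          "seasonal_rto_h": 4.0},          # month-end: hours, not days
}


def is_month_end(t: datetime, days: int = 3) -> bool:
    """True if t falls within the last `days` days of its month (assumed rule)."""
    first_of_next = (t.replace(day=28) + timedelta(days=4)).replace(day=1)
    return (first_of_next - t) <= timedelta(days=days)


def effective_rto_h(function: str, incident: datetime) -> float:
    """RTO that applies at the time of the incident, honouring the seasonal override."""
    p = POLICY[function]
    if "seasonal_rto_h" in p and is_month_end(incident):
        return p["seasonal_rto_h"]
    return p["rto_h"]


def check_recovery(function: str, last_backup: datetime,
                   incident: datetime, restored: datetime) -> dict:
    """Measure actual data loss (incident - last usable backup) and outage
    (restored - incident) and compare each against the RPO/RTO target."""
    rpo_h = POLICY[function]["rpo_h"]
    rto_h = effective_rto_h(function, incident)
    data_loss_h = (incident - last_backup).total_seconds() / 3600
    outage_h = (restored - incident).total_seconds() / 3600
    return {
        "data_loss_h": data_loss_h, "rpo_h": rpo_h, "rpo_met": data_loss_h <= rpo_h,
        "outage_h": outage_h, "rto_h": rto_h, "rto_met": outage_h <= rto_h,
    }
```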
The NRB guidelines require that the bank’s BCP specify the RPO and RTO of the different business processes. The guidelines, however, allow the bank to choose between Hot, Warm and Cold backup sites to meet the RPO and RTO requirements specified in the bank’s BIAs.
For disaster recovery backup purposes, the NRB guidelines call for the bank’s own standby site and system, or for outsourcing them to a disaster recovery provider. Depending on the RPO and RTO requirements, the bank may opt for a high-availability system that keeps both system and data replicated at a remote site, or for live replication of data to an offsite location. The bank may also choose full system backups, off-site incremental backups, or backups made to electronic media and sent offsite periodically.
Depending on the requirements and criticality of the business functions, it is recommended to use a combination of the above strategies, utilizing Hot, Warm and Cold backup sites.
Table-1: Comparison of Hot, Warm and Cold Backup Sites
The data centre (DC) is a physical location that hosts the computer systems and network equipment supporting day-to-day banking operations. It could be located on the bank’s premises, co-located at an outside facility, or hosted in the cloud.
Whatever arrangements have been made for the standby site (or disaster recovery site: Cold, Warm or Hot), the NRB guidelines dictate that the bank should also adopt disaster-mitigating strategies such as locally mirroring data and systems, arranging UPS and generator capacity for long-term power failure, using surge protectors to minimize the effect of power fluctuations, and providing adequate physical and environmental controls in the DC.
Moreover, delivery channels such as ATM, internet banking and mobile banking tend to significantly increase the risk of financial loss and electronic fraud, along with other banking risks such as credit risk, reputation risk, compliance risk, market risk, strategic risk, etc. Therefore, the DC, the disaster recovery solution, the enterprise network and security, and the branch and delivery channels should be designed and configured for high availability with no single point of failure, as prescribed by the NRB guidelines.
The guidelines further require that the location of the building containing the DC and critical equipment rooms be chosen so as to minimize the risk of natural and man-made disasters, flood, fire, explosion, riots, environmental hazards, etc. Physical access to the DC and critical equipment rooms must be restricted to authorized individuals only.