|
Wake-Up Call: Best Practices for Business Continuity, a Banking Perspective
January 31, 2006
Elizabeth Johns, Managing Director, Communications
 |
|
AFP Multimedia: Mike Fossaceca, JPMorgan Chase, speaks about best practices in forming business continuity plans.
|
|
Events of Sept. 11, 2001 and recent hurricanes may have served as a wake-up call for financial professionals, yet many believe their organizations are only somewhat prepared to meet disasters, according to AFP’s 2005 Business Continuity Survey.
The survey, sponsored by JPMorgan Chase & Co., found that just over a third (37%) of the 1,035 respondents thought that their organizations are well-prepared to handle an event similar to Hurricanes Katrina and Rita.
“For many organizations, this has become an important topic because they saw that a major city could be out of commission for weeks or months,” Kevin Roth, AFP’s director of research, said. “The recent hurricanes were truly a wake-up call, even though we’ve had wake up calls in the past.”
Despite destruction caused in the Gulf Coast region, half the respondents said their companies have no immediate plans to actually test their plans, a best practice that was identified by several speakers on AFPs recent business continuity conference call, attended by more than 500 corporations.
In a videotaped interview at the AFP Annual Conference, we spoke with Mike Fossaceca, large corporate sales executive with the treasury services business of JPMorgan Chase, about other best practices in forming business continuity plans. Having been involved in some large-scale planning with corporate customers across several industries, he had some interesting observations and a few tips.
At what point should a company’s treasury department get involved with business continuity planning?
Treasury should be involved right from the very beginning. The treasury group is responsible for mission-critical systems that really are the lifeblood of any company. A large part of their responsibility is to maintain liquidity for a company, as well as all of the funding mechanisms. For contingency planning, it’s important that they have information about internal processes, as well as information about external providers.
When it comes to sitting down at the table, who are all the parties that need to participate?
That’s interesting because it goes way beyond the treasury group. It even goes beyond the internal organization. Participants should include anyone who touches a process that the treasury group touches: IT, accounts payable, accounts receivable, customer service … as well as groups outside, like their banking provider. These partners should be involved in discussing how the process should work. At the end of the day, a contingency plan is only as good as its weakest link.
Tell us about some of the weak points, the areas where companies are particularly vulnerable.
I think it comes down to four areas.
1. People are the first vulnerability you look at in a contingency plan. If your employees have been dispersed, you don’t have access to them, and you don’t know how to reach them, you are in a lot of trouble. Importantly, one thing companies fail to consider is the emotional toll a disaster can take on employees. Contingency plans normally assume that the people who do the jobs are going to be able to continue doing those jobs, but that’s not always the case.
2. The other part is geographic. Can you physically get your people to your recovery site?
3. Another vulnerability is power. You might not have access to an electrical supply.
4. And finally, you have to think about telecommunications. Some contingency plans I’ve seen have only one channel for communications. When that channel goes down, the plan falls apart. You have to have multiple channels, particularly for executing transactions.
So often companies just consider systems, so I like the fact you’re saying that there’s a human element to business continuity planning… but how do companies test to make sure their plans actually work?
Once you have a plan in place, you need to test it on a regular basis. That doesn’t mean seeing if a user ID works; it really means going through a full blown test. At minimum, a quarterly test is essential, with an annual review of the plan itself, as a company’s internal processes can change in that time.
When you test, do you have to reconvene all the parties that were part of the original planning?
Absolutely. Both the treasury department and its partners should be involved in setting the plan and in conducting the testing. One company I work with took its entire team offsite for a test. They contacted us ahead of time to let us know what they were doing, and we tested to make sure links were up and running. As a result, that company feels secure that they can operate well in contingency, and we feel secure that we can work with them, both in a BAU and a contingent environment.
What tools can companies use as they begin the planning process?
At JPMorgan Chase, we have compiled a “treasury readiness” audit that covers all of the critical elements that a treasurer needs to consider. The audit reviews the elements treasurers need to think about in their back office, focusing on five key areas beginning with principles of the plan and what to think about in terms of people issues. It speaks to the processes and looks at infrastructure issues. Finally, it looks at how a company works with external providers as well as clients. Since Sept. 11, 2001, we’ve walked a number of companies through the audit and we’ve helped them to examine and, ultimately, improve their contingency processes.
For companies not so far along, for those just starting to think about business continuity planning, where can they go for additional resources?
It’s important to do a lot of research. It’s also essential to sit down with stakeholders to see how prepared you all are as a team. Each company’s plan is unique to that company, taking into consideration very specialized needs. Some companies may look at solutions on the Web to spark ideas for how they may expand those plans for their needs. But it’s also very important that they engage with other corporations and to learn from industry best practices.
Business continuity planning is a process companies should never take lightly. Never assume you have everything nailed down. For example, historically, companies have planned for disasters that are localized, but we’ve seen from the Sept. 11, 2001 terrorist attacks and the recent hurricanes that disasters can be very large in scale.
For a plan to be effective, involve your external partners and clients as well as your internal staff. Additionally, your banking part-ners can add value when you’re developing your contingency plans.
Elizabeth Johns, AFP's managing diector of commnications, runs the association's Web site, magazine, newsletters, and books, among other content initiatives. Contact her at ejohns@afponline.org
Copyright © 2006 Association for Financial Professionals. All Rights Reserved.
|
Add to del.icio.us
Add to Facebook