Skip to main content


Three Considerations for Upgrading Your Business Continuity Plan

Three Considerations for Upgrading Your Business Continuity Plan

As we approach the end of 2017, it’s always a good time to look back on the lessons we learned from the previous year and look ahead at improving our Information Security Plan, especially our Emergency Preparedness plans, which include Business Continuity/Disaster Recovery and Incident Response. Often, updating our Business Continuity Plan (BCP) can appear more daunting than beneficial. After all, you’ve been (hopefully) regularly performing table top walk-throughs and perhaps even higher levels of functional testing. Perhaps you’ve even honed your current plan to the point of not finding meaningful updates to make following each of the aforementioned tests. So where do you go from here?

Here are three quick and easy wins that can take any Business Continuity Plan to the next level. Of course, we are assuming you’ve already created a solid Business Impact Analysis that identifies Recovery Point Objectives, Recovery Time Objectives, Maximum Allowable Downtimes as well as internal and external dependencies for all business processes. If you have not, please check out our previous article on the components of a good Business Impact Analysis.

Manual Operating Procedures

The first component to consider adding to your BCP is Manual Operating Procedures. It’s becoming a regulatory expectation for larger Banks (1 Billion plus) and highly suggested for those smaller to document Manual Operating Procedures that outline how your institution will continue to operate if the Internet or IT systems are not available. Creating Manual Operating Procedures need not be difficult. While you may desire to create Manual Operating Procedures for all departments, start with those most critical as identified by your Business Impact Analysis. Then work with each department and document their answers to the following questions:

  1. What do you do if access to your Bank location isn’t possible?
  2. What do you do if access to the IT resources necessary to perform your job isn’t possible?

System Recovery Procedures

The second component to consider adding to your BCP is System Recovery Procedures. System Recovery Procedures are designed to document the steps that need to be taken to restore IT systems or assets to operational status in the event they are shut down. Depending on how your overall Emergency Preparedness Program is organized, you may choose to place System Recovery Procedures in either your Business Continuity Plan or your Disaster Recovery Plan if they’ve been separated out. System Recovery Procedures should minimally be developed for all critical systems as identified by either your IT Risk Assessment or Third Party Management Risk Assessment, or both. System Recovery Procedures can be designed in whatever method necessary that works best for your institution, but should include, at a minimum:

  • Production Server Information
  • Backup Server Information
  • Applications Associated
  • Backup Strategies
  • Recovery Scenarios For:
    • Loss of Hardware
    • Loss of Data

Testing with Critical Third Parties

The final component to consider adding to your BCP might not feel like an addition, yet it is highly beneficial and a requirement of Appendix J to the FFIEC Business Continuity Planning Booklet. Identifying which Third Parties with whom to perform testing should manifest from your Third Party Risk Assessment. Minimally, you should review said Third Parties’ own Business Continuity testing documentation to ensure results align with your Business Impact Analysis’s Recovery Point Objectives (RPO), Recovery Time Objectives (RTO), and Maximum Allowable Downtimes (MAD). To take it one step further, ask your contact at the Third Party to participate in your own Table-Top Walkthroughs.


Updating your Business Continuity Plan need not be difficult. At the heart of any of your BCP updates should be the goal to continuously improve the preparedness of your institution to actually handle a disaster or business disruption in real life, though the hope is that these plans never have to be activated. Updating all of your Emergency Preparedness Plans – Business Continuity, Disaster Recovery, Pandemic Preparedness, and Incident Response – should be a continuous cycle of documenting, testing, learning lessons from said tests, and improving your plans. The more you can improve your plans by testing different scenarios, the better your plan will be in the event it needs to be used.


Written by: Cody Delzer
Senior Information Security Consultant - SBS CyberSecurity, LLC

SBS Resources:

  • A good Business Continuity Plan includes Business Impact Analysis (a priority ranking of business functions to determine restoration priority), Disaster Recovery (making sure you people are safe, then understanding where you will recover business operations in the event a physical location is unusable), Business Continuity (restoring business processes in order to resume services to customers), and BCP testing. If you would like to learn more about SBS’ BCP processes or need assistance with the creation or updating of your BCP and BCP testing, you can learn more here.
  • {Article} What Does a Good BIA Look Like? When creating a BIA, there are going to be three (3) main components that you should address to get the best results, including 1) Impacts, 2) Timeframes, and 3) Dependencies. This article will cover each of these BIA components, along with a little information on your business processes themselves. Read Article

Related Certifications

Join our growing community of financial service professionals showing their commitment to strong cybersecurity with a cyber-specific certification through the SBS Institute. Click here to view a full list of certifications.
Certified Banking Business Continuity Professional   


Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours are aimed to meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.

Posted: Wednesday, November 22, 2017
Categories: Blog