Humankind has hundreds of years of experience with crisis management. Yet each new crisis devastates us--both personally and in our businesses--when it occurs.
Despite companies' best plans, each disaster takes a toll because it inevitably takes the following course: surprise (at the extent of the impact), insufficient information, an escalating flow of events, a feeling of loss of control, intense scrutiny from outside the business, a siege mentality, panic, and shortterm focus. This is because each event involves humans and automatically triggers human reactions.
The need for business continuity planning reached a new level when businesses became more interdependent and also dependent on massive stores of data. Those who have been tackling the problem know that business continuity involves prioritization of risk management steps within the context of the entire enterprise.
Lillibett Machado is vice president for Corporate Business Continuity at Amegy Bank of Texas in Houston. As technology risk liaison, she reports to the bank's CIO and has close ties with John Drew, chief credit and risk officer. Drew is a 24-year veteran of Houston's banking industry, and Machado came to Amegy with 35 years of experience in quality management within other industries. She was recently named president of the Houston chapter of the Association of Contingency Planners. Amegy is proud of its business continuity department and shared some of its successes and insights during an interview with Dwight Overturf, RMA's chief financial officer. Amegy looks at business continuity in three ways, which Machado refers to as "three bubbles": crisis management, business resumption, and disaster recovery.
RMAJ: What facets of your background in IT have most helped you with your current responsibilities for business continuity at Amegy Bank?
Machado: Before joining Amegy, I spent nearly 25 years in the pharmaceutical and food industries, where we were required to meet ISO-9000 certification. (1) That training and experience helped me introduce Amegy's IT to business continuity with a well-designed framework. For example, the template we developed at Amegy for testing Y2K preparedness was very similar to what we had developed for the ISO-9000 testing environment in those other industries. At Amegy, we merged Y2K preparedness and contingency within our business continuity planning. Naturally, the template has been tailored to today's requirements and the size of this institution. But even after eight years, we continue to use it for our business continuity technical exercises.
RMAJ: So your template is adaptable to all new technology that's coming along, including problems that may not have existed in 2000?
Machado: Yes, because it's just a template of how to test. We incorporate content that addresses a particular need and then test to find out if our systems pass. I continue to tailor our template to our needs and to accommodate new regulations, while continuously training our business units on its use.
RMAJ: Do you find such testing to be very cost intensive?
Machado: It depends on the company and how much detail you want in your testing. Our template is built in a way that we can expand it or reduce it, depending on the content we want to test or the complexity of the system. [See "Functional Test Scripts," pp. 26-27.]
RMAJ: Most organizations now have a technology disaster recovery plan, and certainly, since 9/11, many have gone on to develop business continuity plans. When and why was Amegy Bank's business continuity plan developed?
Machado: Amegy went through a complete reorganization in 1999. For us, "business continuity" is a comprehensive Business Continuity Management framework that includes crisis and emergency management, business resumption, and disaster recovery in a "three-bubble" approach suggested by the Gartner Group. [See …