Business Continuity Management: With More Than 50 per Cent of Australian Financial Institutions Facing a Business Continuity Crisis in the Past Five Past Years, Business Continuity Management Is Rapidly Becoming a Key Focus of Risk Management
Delpachitra, Sarath, Van der Vyver, Glen, Rateb, Zohdy, Journal of Banking and Financial Services
While issues such as the Sasser virus can bring a major bank to its knees, recent research shows that many of Australia's financial institutions are not sure that they are prepared for such a crisis.
This research, conducted by the University of Southern Queensland's Centre for Australian Financial Institutions (CAFI) and Fuji Xerox in late 2003, was based on a survey of the four major Australian banks, ten other banks including subsidiaries of foreign banks and fourteen credit unions and building societies.
The Fuji Xerox/CAFI study found that although most financial institutions are developing, implementing and testing strategies for Business Continuity Management (BCM) their approaches vary widely.
Almost 80 per cent of financial institutions surveyed are committed to BCM, however, nearly 40 per cent of institutions either have no crisis management plans, or the plan has been documented only, with no testing or validation.
Almost 60 per cent of those surveyed had invoked BCM plans in response to a major threat, a brief crisis or a sustained crisis. Institutions felt that BCM assisted in around 75 per cent of brief crises, but they weren't sure that BCM would help in a sustained crisis.
What is Business Continuity Management?
While disaster recovery is not new for Australian financial institutions the need for business continuity plans has only developed in recent years as business processes have become more complex and processes are increasingly integrated.
BCM is the process by which well-prepared plans are initiated, reviewed and managed to ensure that essential business processes can recover and continue in a situation where a serious business interruption occurs.
A commitment to BCM is generally made at high levels within organisations--by the CEO and the board. BCM initiatives are separated into the various forms of risk faced by financial institutions with probabilities being assigned to these identified risks through business impact analysis.
BCM provides for a hierarchy of strategies disaster recovery is an element of the business continuity plan, which in turn, is part of the overall BCM strategy.
Whereas much of disaster recovery planning has been developed in the IT divisions of organisations, BCM focuses on companywide processes and interconnections, with IT still an important component.
In a typical organisation there is a chain of processes and each division and department within it has their own disaster recovery plan. With BCM, organisations focus on how they can keep the whole process going if a disaster occurs at any one of the nodes in their complex chain of business processes.
Why BCM has become important
Before 2000, the main risk focus for most financial institutions was a collapse in the market--i.e. systematic risk that cannot be controlled and must be absorbed and recorded as nondiversifiable risk.
Since 2000, the focus of risk management has shifted from systematic to random or systemic risk. This has been due not only to the increasing size and complexity of businesses but also to the rapid growth in technology, the growing reliance on IT by financial institutions and increased threats of terrorism and natural disasters such as SARS.
Indeed technology--related risk (e.g. the Sasser virus) can become systemic risk since all the activities of organisations are now linked due to complicated IT strategies and process integration. Co-banking systems, involving the sharing of activities, are widely used to reduce excess capacity. This integration of activities means that an issue/disaster in one bank can flow through the whole system.
One of the key findings of the study was that as institutions get bigger and more complex the perception of risk increases and this has been a key driver of the move towards BCM.
The dichotomy here is that as institutions increase in size they need to become more efficient and to do this they integrate their processes both internally and externally. …