Yesterday's face-to-face banking environments have been replaced with ATMs, online banking, and expectations of immediate service and availability. Customers are far less tolerant of a service disruption or a major disaster which affects a community bank they have entrusted with their financial assets.
Customer expectations, coupled with expanding FFIEC and NCUA business continuity requirements, reinforce the need to treat business continuity as an ongoing program rather than a one-time project, one that carries executive and board endorsement to ensure its success.
Today's competitive, regulated and economically stressed business environment means community banks may be living on a razor's edge, meeting increased demands with decreasing resources. In order to make proactive decisions about which risks to mitigate, which to accept and which to defer, financial firms must focus on the full spectrum of technology risks to key business processes and the challenges those risks create.
Despite the increasing drive for greater system reliability, most banks cannot afford 99.999 percent ("five nines") availability, roughly five minutes of downtime per year, for every system in their datacenters. That approach is cost-prohibitive in both money and staff. Rather, any information availability strategy must assess which risks are acceptable, identify which processes, systems and data are truly time-critical, and balance business needs against technology capabilities. This approach provides acceptable levels of resiliency and recoverability and ensures all risks are being considered.
Community banks should therefore develop a practical and holistic approach to system and data availability and leverage existing business resiliency where possible. The following tips will help business and IT personnel as they look at ways to improve information availability:
Conduct a risk assessment to focus efforts. By performing a risk assessment, a bank can uncover the areas its business continuity plan should focus on. Once an organization identifies the threats to time-critical processes and their anticipated level of impact, it is better prepared to decide how best to protect critical assets, whether those assets are facilities, systems, data or people. A risk assessment can be conducted internally or by an outside expert, although an outside provider may be more objective when analyzing and addressing all aspects of business continuity risk mitigation.
Devise a holistic solution. A resiliency and recoverability solution should be approached holistically and include facilities, systems, information, people and partners, along with how to mitigate risk for all five areas. For example, if your bank is experiencing a power outage and the current recovery measures account only for the datacenter systems, that leaves a gap in your capabilities. Even a building's water pumps and fire sprinkler systems should be incorporated into the recovery plan, so that, barring any other threats, your people are able to occupy the building and use the systems that are available.
A solution should also include crisis management, business continuity and information technology resiliency and/or recovery; one or two of these without the others creates gaps and vulnerabilities that can render the plan ineffective. Other areas to consider include internal interdependencies, knowledge held only by particular personnel, and external dependencies on the operations of suppliers and business partners.
Conducting a business impact analysis is a good first step to identify the functions and processes that are essential to your day-to-day operations. It also sharpens the business's awareness of IT resiliency and recoverability capabilities and builds a shared view of impacts, risks and solutions.
Tier your systems and recoverability. In today's economy, most banks don't have the budget to make every system a top-tier priority. Even if they did, treating every system as equally critical hides the real priorities and leaves too much risk unexamined. Your recovery should focus on the most time-critical systems first, especially in the early and uncertain hours of an incident response, rather than assuming all systems are equal and should be recovered simultaneously. Practically speaking, when all systems are assigned the same level of criticality, decisions still have to be made about which systems get addressed first, only now they are made under pressure instead of in advance. System tiering decisions must be driven by business needs, with regulatory, customer and business partner requirements playing a big role in guiding your plans. It is also critical to examine system interdependencies, because they can run deep within the datacenter: a top-tier application cannot be recovered any faster than the network, directory, storage or database services it depends on, so the weakest link in that chain determines the real recovery time.
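The interdependency check described above can be made mechanical. The following is an added example, not code from the original article: it takes a system inventory with declared tiers and dependencies, pushes each system's criticality down onto everything it depends on, reports the "weakest links" whose declared tier is weaker than the tier the dependency graph actually requires, and produces a recovery order in which no system is brought up before its dependencies. The inventory, tier numbers and RTO hours are constructed for the example and are assumptions, not any bank's real data.

```python
"""Recovery-tier propagation and dependency-ordered recovery for a system inventory.

Added example, not from the original article. The sample inventory, tiers and
RTO values below are constructed assumptions for illustration.
"""

# Assumed mapping of tier -> recovery time objective in hours.
TIER_RTO_HOURS = {1: 4, 2: 24, 3: 72}

# Constructed sample inventory: system -> (declared tier, systems it depends on).
# Note the deliberate weak links: the tier-1 systems rely on a tier-2 database and
# directory, and everything ultimately rides on a tier-3 network core.
SAMPLE_INVENTORY = {
    "core-banking":     (1, ["database", "active-directory", "storage-san"]),
    "online-banking":   (1, ["core-banking", "web-proxy"]),
    "atm-switch":       (1, ["core-banking", "network-core"]),
    "database":         (2, ["storage-san"]),
    "active-directory": (2, []),
    "storage-san":      (1, ["network-core"]),
    "web-proxy":        (3, ["network-core"]),
    "network-core":     (3, []),
    "reporting":        (3, ["database"]),
}


def effective_tiers(inventory):
    """Propagate criticality downstream: a dependency can be no less critical
    (no higher tier number) than the most critical system relying on it.
    Returns {system: effective_tier}. Iterates to a fixpoint so long chains
    and diamonds are handled; a cycle still terminates because tiers only decrease."""
    tiers = {name: tier for name, (tier, _) in inventory.items()}
    changed = True
    while changed:
        changed = False
        for name, (_, deps) in inventory.items():
            for dep in deps:
                if dep not in tiers:
                    raise KeyError(f"{name!r} depends on unknown system {dep!r}")
                if tiers[name] < tiers[dep]:
                    tiers[dep] = tiers[name]
                    changed = True
    return tiers


def weakest_links(inventory):
    """Systems whose declared tier is weaker than what their dependents require.
    Returns a sorted list of (system, declared_tier, required_tier)."""
    eff = effective_tiers(inventory)
    return sorted(
        (name, tier, eff[name])
        for name, (tier, _) in inventory.items()
        if eff[name] < tier
    )


def recovery_order(inventory):
    """Dependency-respecting recovery sequence, most critical first.
    At each step the ready system (all dependencies already recovered) with the
    lowest effective tier is chosen; ties break alphabetically so the order is
    deterministic. Raises ValueError if a dependency cycle blocks progress."""
    eff = effective_tiers(inventory)
    remaining = set(inventory)
    order = []
    while remaining:
        ready = [n for n in remaining
                 if all(d not in remaining for d in inventory[n][1])]
        if not ready:
            raise ValueError(f"dependency cycle among {sorted(remaining)}")
        nxt = min(ready, key=lambda n: (eff[n], n))
        order.append(nxt)
        remaining.remove(nxt)
    return order


def report(inventory):
    """Human-readable summary of weak links and the recovery sequence."""
    lines = ["Weakest links (declared tier -> tier required by dependents):"]
    for name, declared, required in weakest_links(inventory):
        lines.append(f"  {name}: tier {declared} ({TIER_RTO_HOURS[declared]}h RTO)"
                     f" -> must be tier {required} ({TIER_RTO_HOURS[required]}h RTO)")
    lines.append("Recovery order:")
    for i, name in enumerate(recovery_order(inventory), 1):
        lines.append(f"  {i}. {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_INVENTORY))
```

On the sample data the check flags the database, directory, web proxy and network core as weakest links: each is declared at tier 2 or 3 yet sits underneath tier-1 systems, so either its tier (and the budget behind it) is raised or the tier-1 systems' stated recovery times are fiction. The recovery order starts with the directory and network core, then storage and database, and only then the customer-facing applications, which is exactly the sequence a team wants on paper before the early hours of an incident.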
Availability is about more than just hardware. Even when a company has highly available information systems, other areas such as change control, capacity management, project management and software release management need to be included in availability planning. For instance, if a project plans to expand the highly available systems but doesn't spot that your datacenter is already running near the limit of its cooling capacity, your organization is creating an availability problem without realizing it. Understanding, integrating with and managing change processes, both business- and technology-related, are key components of an availability solution.
Consider outside help. For many banks, it is time- or cost-prohibitive to create a sound business continuity program internally. A company may not have the internal breadth of knowledge necessary to build a sustainable, effective and efficient program.
Should you choose to hire a consultant, look for business continuity providers that have the specific experience, as well as the server, storage and network infrastructure in place, to manage a business continuity solution. Banks should consider providers that take a holistic approach to business continuity and that allow an organization to change and adapt its plans over time as business needs shift and grow.
IT organizations are skilled at figuring out how to apply technology to banking needs, but often need help in understanding the full spectrum of threats and determining where to focus their efforts. These tips will help banking and IT professionals take a balanced and holistic approach to technology risk – weighing the ability to mitigate risks and the impacts of threats – to build cost-effective information availability strategies.