The Navis Group

Business Continuity Planning & Testing
Sample BCP Exercises

Over the years, our “signature” service offering has turned out to be business continuity planning, even as the demand for BCP assistance has been a bit “tidal” as regulators ebb and flow on their prioritization.
Our work includes plans and testing, having conducted annual tabletop tests with many of our clients, using our scripted disaster-du-jour. In 2011, we were shutting everyone’s electricity off, and in 2012, we started burning everyone’s ops center down. Stephen King would be proud!
Our work has also extended to Association-sponsored full-day, full-immersion exercises with many veteran “survivors” of hurricanes, ice-storms and cyber-attacks having attended multiple sessions.

One of the key components to BCP and pandemic compliance is annual testing. We have facilitated numerous planning sessions for our clients and would be pleased to do so for your institution. Additionally, to aid our clients with this component, we have created a menu of a half dozen disaster scenarios to choose from.

Emergency Evacuation

Whether malicious (terrorism) or accidental, the possibility of evacuation exists for situations such as nuclear power plant radiation leaks, "dirty bombs", chemical rail-car derailments, or gas-line breaches.

Consider a scenario in which a circular area with a radius of 15 miles, with your main operational location (main branch or data center for example), is evacuated. The "event" occurs on a Thursday morning such that the evacuation orders are mandatory and occur at 11:30 a.m. The crisis lasts for a period of three days, such that residents and businesses are not allowed to return to the area until 3:00 p.m. on Sunday afternoon.

Discussion points should include, but not be limited to:
Facility closure(s)
People (and their families)
Communications - customers, employees, etc
Security (looting as a concern, particularly with respect to info security)
Re-opening - when, how, etc

Core System Sabotage

Information systems may be sabotaged at different points, whether internal, at a service bureau, or at the software provider's center.

Consider a scenario in which you receive notice form your core application provider that the software that runs your institution has been compromised. It turns out that a disgruntled programmer has inserted code that has triggered automatic transfers out of random deposit accounts. The event occurred during last night's nightly processing. It is not immediately clear whether or not your deposit accounts have been impacted.

Discussion points should include, but not be limited to:
Assessment procedures
Immediate facility closure(s)?

Assuming that your accounts have indeed been compromised:
Communications - media, customers, employees, etc
Remediation procedures
Testing integrity
Re-opening - when, how, etc

Natural Disaster

Natural Disaster - Main Operating Facility Damaged

Hurricane, Tornado, Nor'Easter, Explosion, Fire

Consider a scenario in which your main operating facility (main branch or operations/data center) is substantially destroyed. It will take months to clean-up and rebuild. The "event" occurred on Sunday evening into early Monday morning.

Discussion points should include, but not be limited to:
Assessment procedures
Facility closure(s)?
Information security issues relative to files remaining at damaged site
Communications - media, customers, employees, etc
Back-up site deployment
Re-opening - when, how, etc

Electrical Failure

Electric Failure

Consider a scenario in which the power grid covering an area consisting of your state and 8 contiguous states suddenly goes down at 2:30 on a Friday afternoon. Early assessment by the electric company is that power will be restored by Sunday evening. On Sunday afternoon, the estimated restoration time is revised as "Monday - mid-day". In fact, power is not restored until Thursday. For northern institutions, this event occurs during a deep-freeze.

Discussion points should include, but not be limited to:
Assessment procedures - each day
Facility closure(s)?
People issues
Security issues
Communications - media, customers, employees, etc
Re-opening - when, how, etc

Telecommunications Failure

Consider a scenario in which the nation-wide communications network has been sabotaged. The "event" occurs at 8:00 a.m. on a Monday morning. The extent of the disaster is that both land-lines and cell services are rendered inoperable. The condition is severe such that service is not returned for a full three weeks, but along the way, assessments are at day-to-day status.

Pandemic

Consider a scenario in which a pandemic (bird-flu, for example) has begun. In fact, the first person to die from the dreaded pandemic is someone from your town, a 45 year-old customer named Jack, a local business-man just returned from Singapore. Today is Wednesday, Jack died last night. Jack was in the bank last Thursday and Friday; depositing a check at the teller window, checking in with the loan department on a real estate tax escrow issue, and dropping off something to his sister-in-law who works in back-office operations. Today, two tellers, three customer service reps, the loan ops manager and four employees in deposit ops called in "afraid". Those who did come to work are thinking about going home. Staff in outlying branches are just getting the sad (and frightening) news.