How to Make Business Impact Analysis, Disaster Recovery Planning and Testing Work While Keeping the Regulators Happy

By Derek Gilmore and Kevin Tsuei, CISA, CISSP, AuditOne LLC

With the myriad regulatory guidance statements related to business contingency planning, it is no wonder that so many community banks continually misinterpret the intent of this practice. We often hear our clients say that between the analyses, policy, procedures and testing, they feel that they would need a dedicated team of staff members to do it correctly. However, with a few practicable recommendations, we intend to show you how to better integrate all areas of your business continuity program into a tailored and manageable process in accordance with FFIEC guidance.

It all begins with the Business Impact Analysis (BIA). A BIA conducted with correct methodology serves as the foundation for the entire program. A good BIA should catalog each and every departmental business function and the systems and applications required for these functions. Taking into account interdependencies between systems and connectivity, the BIA should then go on to assess the impact of a loss in functionality for each of the identified business functions. We recommend assessing loss impact based on, at a minimum, the degrees of financial, operational and regulatory impact, with a loss impact score assigned to each function. That score is then translated into a recovery-time objective (RTO). Functions with what the bank deems to be “critical” RTOs should be subject to the drafting and testing of function-specific disaster recovery procedures. These procedures will require internal coordination among the BCP coordinator, IT and department heads. For example, each department will be responsible for identifying the recovery procedures specific to their functions, including interdependencies such as key systems and software. IT will then be responsible to ensure that their disaster recovery procedures are able to recover these key systems and software within the functional area’s RTO.

Any and all disaster recovery procedures noted in the bank’s Business Continuity Policy (BCP) should directly parallel the functional RTOs listed in the BIA. The RTO should not be a range of hours, days, or weeks, but rather a single, specific timeframe. Additionally, when constructing the pandemic planning portion of the BCP, and specifically when assessing resource redundancy/cross-training and staffing recovery criticality, this should be done for the very same business functions cataloged in the BIA.

We have already described how the BIA should be used to determine the need and extent of disaster recovery (DR) procedures testing. That said, we offer the following DR testing recommendations in order to further tie the program together:

Create a standardized DR testing worksheet. This might include the following information: the date and location of the test; the business function being tested (from the BIA); the systems and applications involved; the personnel and assets involved; the specific test to be performed; the functional DR procedures and test script to be followed; the expected RTO and results; and the actual recovery time and success or failure. It is important to get the proper stakeholders involved as part of the testing. We have observed that many institutions rely on their IT department or vendor to conduct testing without the involvement of departmental managers and employees. Conducting functional disaster recovery testing can also serve as training for employees. Another issue to keep in mind about having an IT-centric test plan is that some processes are so critical that manual intervention is often needed. One example would be wire transfers. We have observed from time to time that wire recovery procedures are heavily dependent on restoring connectivity to the Federal Reserve Bank or a correspondent bank’s systems. The reality is that wires are such a critical function that manual processes (e.g., originating by fax or phone) should be developed and tested at least annually.

Most importantly, we recommend that the worksheet prominently feature a section detailing lessons learned and management review. This section should be used to highlight areas in which DR procedures, Policy, and even the BIA itself should be revised to include previously unconsidered issues discovered during testing. Perhaps the recovery objective was unrealistic, or a key recovery step was missing, or there was an unrecognized systemic interdependency on which the business function relies. These issues should be assigned to owners and prioritized. It is important that they be tracked, resolved, and used to enhance future testing.

While disaster recovery testing can be seen as a burden by many smaller institutions, management can create a multi-year testing schedule to provide some relief. For example, many institutions elect to conduct table-top testing in the first year, followed by functional testing of high-priority functions in the second and third years. When real-life disasters do happen, the bank should take the time to document the disaster using a layout similar to the worksheet above. There are always many lessons to be learned from a real-life disaster, and they should be properly incorporated to further enhance the bank’s DR procedures.

We strongly encourage banks to regularly revisit their BCP program with lessons learned, as this is the linchpin of an effective but manageable business continuity program.

Published in Western Independent Bankers Association’s Technology & Security Digest, Issue 23 – September 2014.


BSA ALERT: Recent Developments Concerning BSA/AML

By Kevin K. Watson, CAMS, Co-CEO, AuditOne LLC

We recently attended the largest ACAMS Conference in history in Las Vegas, where there were 2,000 attendees, up from 1,500 the prior year. To illustrate the importance of BSA/AML, we counted nearly 100 attendees from the FDIC, FRB, NCUA and OCC on the attendee list, along with numerous other state and federal agencies and law enforcement units. Aside from nearly everyone agreeing that regulatory expectations and scrutiny have increased substantially, our key takeaways from the conference are summarized in the following paragraphs.

One important pronouncement, FIN-2014-A007, released August 11 by FinCEN and entitled “Advisory to U.S. Financial Institutions on Promoting a Culture of Compliance”, will have significant repercussions for financial institutions. Because of its significance, we summarize its key points here:

  1. Leadership should be engaged
  2. Compliance should not be compromised by revenue interests
  3. Information should be shared throughout the organization
  4. Leadership should provide adequate human and technological resources
  5. The program should be effective and tested by an independent and competent party
  6. Leadership and staff should understand how their BSA reports are used

FIN-2014-A007 emphasizes regulatory expectations regarding governance of a financial institution’s BSA/AML program. We can expect examiners to consider the extent to which each financial institution conforms to this culture as an important element of the overall BSA examination rating. We recommend that directors, managers, and BSA Officers read the document carefully; it can be found at

Currently out for comment is a FinCEN proposed rulemaking regarding “Customer Due Diligence Requirements for Financial Institutions”. One of the key elements will be an explicit requirement to collect information on the beneficial owners of legal entities, defined as a 25% ownership interest held by an individual, regardless of how many ownership layers are in place between the legal entity and the individual owner. Individuals with significant control responsibility are also considered to be beneficial owners. This will prove to be a time-consuming effort in many cases. Interestingly, the 25% ownership cutoff is actually less onerous than in some jurisdictions, where the cutoff is 10%. Financial institutions will need to establish written procedures or policies to ensure identification is established for all such beneficial owners, as examiners will certainly be scrutinizing new account files once the guidelines become effective. The proposed rulemaking can be found at

There is no agreement yet on the form or content of automated AML system validations, except that they should provide assurance that AML monitoring systems, customer risk rating models, and sanctions (OFAC) checking features are reliable and efficient. Examiners naturally expect to see such independent validations completed on a periodic basis. Independent validators will need to follow the validation concepts of OCC 2011-12/FRB SR-11-7, “Supervisory Guidance on Model Risk Management”, issued by the OCC and FRB but also adhered to by the FDIC.

AML and OFAC risk assessments were also much discussed at the conference. Such risk assessments are critical elements of an AML program and should assess all products, services, geographies and customer types, with generous documentation of the relevant activity levels and other risk drivers of each. They should address inherent risk, mitigating controls and resulting residual risk for each risk category, and be kept up to date so that they always represent the financial institution’s structure and environment.

There were many areas of concern noted by regulators speaking at the conference, but some common issues that caught our attention are as follows:

  • BSA Officer qualifications
  • BSA Program resources
  • Problems associated with turnover of key BSA personnel
  • Inability to identify high risk customers
  • Unique risks presented by exporters, with specific reference made to the recent L.A. garment district sweep, where 1,000 federal agents made nine arrests and confiscated $100 million in cash associated with money laundering: drug cartel funds were being indirectly used to pay for exports from the garment district into Mexico, where they could later be converted to pesos. Friday’s Los Angeles Times noted that 2,000 more garment district businesses were subsequently individually warned that for the next 180 days, they must file reports for any cash transaction in excess of $3,000. Bankers to these businesses will also need to be mindful.
  • Foreign correspondent banks involved in the clearing of USD
  • Physicians defrauding private and public insurance companies by making referrals for unnecessary services in exchange for kickbacks

While all of these issues are cause for alarm, we believe the most important will be the FinCEN Culture of Compliance Advisory. It will effectively serve as a barrier to entry into the financial services industry for those that don’t “get it”, while financial institutions that embrace the new compliance culture paradigm will be successful in the long run.