The National Credit Union Administration (NCUA) requires that all federal credit unions have a business continuity plan. No matter how big or small a credit union you are, make sure you are aware of the basic information the NCUA looks for when they come to audit you. Here are some key elements from the FFIEC IT Booklet which the NCUA references when evaluating a credit union’s business continuity preparations:
Business Impact Analysis – The NCUA will be looking to confirm that all business functions and processes have been identified. As the name implies, it’s necessary to determine the impact to the credit union if there is an interruption to each of the processes. The processes must be prioritized, and all interdependencies and legal and regulatory requirements for each must be identified.
Risk Assessment – In this step you’ll need to identify the threats to your credit union and the potential impact each may have on your business. You need to prioritize the threats to determine which pose the biggest risk to your credit union. Two factors must be included: the severity of each threat’s impact on the business and its likelihood of occurring.
The Plan – It’s not enough to download a free business continuity plan template and add your credit union’s name. The NCUA will be looking for particular elements that you’ll need to be able to deliver. A plan review, by the board and senior management, must take place annually. The plan also must be disseminated to the employees of the credit union. It needs to focus on the impact of various threats that could disrupt operations, rather than specific events. Instead of a tornado plan, you need a plan that addresses how to operate through the effects of a tornado. This may include situations where buildings and equipment are damaged, systems are not available, only a fraction of your people can report to work and/or third-party suppliers are unable to serve you.
Testing your Plan – Once you have written your plan, your work is not complete. The NCUA looks for evidence that your plan is tested at least annually. The test results must be compared against your BCP. This process identifies gaps in your plan. There needs to be evidence that the BCP has been updated based on these test results. Your testing program also must be reviewed by an independent third party.
Vendor Management – From telecommunications providers to secure cash delivery, credit unions rely heavily on third parties to support their operations. Vendor due diligence is a critical part of ensuring your business continuity plan will support you in recovery. The NCUA looks for evidence that you are ensuring your suppliers have regularly tested business continuity plans. For really critical services, such as telecommunications, they may want to see redundant service providers in place.
This is just a high-level look at what the NCUA needs when they come to audit your business continuity preparations. For more information on these requirements, be sure to review the FFIEC Testing booklet. If you need help ensuring your plan meets the NCUA’s requirements, KingsBridge is available to help through our plan writing and exercising services or through our Shield software, with a template customized for credit unions and a built-in notification solution.