The best laid plans

Security breaches, natural disasters, bad weather and a myriad other crises can threaten the ability of credit unions to do business. That's where business continuity plans come in.

It seems almost impossible to think that a company’s critical passwords could literally be buried with its founder, locking up millions of dollars in encrypted deposits. But that’s exactly what happened to Canadian cryptocurrency exchange QuadrigaCX after its CEO, Gerald Cotten, died unexpectedly from complications related to Crohn’s disease early last December while vacationing in India, leaving staff without access to $137 million in customer deposits. While auditors eventually managed to gain access to the secure accounts, a more complex story behind the missing funds unravelled. Nonetheless, a cautionary tale about the importance of keeping clear documentation of passwords and other key operating information remains.

The possibility of the unexpected loss of senior leaders is also the reason many firms limit the number of executives allowed to travel together on the same flight. But disasters of many kinds can threaten a company’s ability to do business as usual — everything from bad weather to robberies, cyber-security attacks and pandemics. Enter business continuity planning.

For most companies, preparing for the unexpected comes down to having a business continuity plan, sometimes referred to as a risk management plan. Business continuity planning, however, is broader in scope and enables a company to maintain its business priorities while in the midst of a crisis.

The importance of business continuity planning has, in fact, increased for financial institutions, according to a 2018 Deloitte Risk Management Survey, due to factors such as more sophisticated cyberattacks, changes in global regulations and new obligations around privacy. Of the 94 financial institutions around the world that completed Deloitte’s survey, the majority (more than 85 percent) rated their organization as “extremely or very effective in managing traditional financial risks such as market, credit, asset and liability, and liquidity.” In contrast, only half felt confident in their ability to manage non-financial risks including data integrity, operational and business resilience.

Business continuity encompasses risk management while linking it to an organization’s larger strategic objectives and priorities. “Business continuity planning used to mean disaster recovery plans. It was all about what to do if you had a flood or a fire and how you would get back up and running,” says Kim Andres, principal at Andres Consulting, which works with Canadian credit unions to develop business continuity plans. “It was very crisis oriented and talked a lot about authorities and responsibilities,” Andres says. “Policies came out of that like, ‘you can’t have all of the executive team on the same plane.’ ”

Today, credit unions are planning for a broader spectrum of issues that can affect business continuity, says Andres. “What would be the impact if the ATM network was out of order, or the online banking system went down? What would be the impact if you had some kind of breach? You need planning that allows credit unions to remain in business and not let short-term disruptions get in the way of service.”

Today’s business continuity plans have large information technology (IT) and human resources (HR) components. Plans should focus on helping credit unions understand how long they could be out of operation in a particular area and how to get back to business quickly. But they’re also about prioritizing business objectives, even in the event of a crisis, Andres says. “Business continuity plans make the connection around risk tolerances. Every credit union has a choice around how to handle issues like fire, flood, earthquake, intrusions, IT breaches, or even HR risks. This connects to the strategy of the credit union. If they’re promoting themselves as an agricultural lender, for example, and their in-house lender wins the lottery and leaves and they need to replace that person, they’re more likely to borrow the lending person at the credit union next door rather than going without.”

Similarly, if continuous service is part of a credit union’s brand promise, then a business continuity plan may put policies in place to facilitate continued service even in the event of a disruption. Andres cites last fall’s 2018 service disruption at Vancouver City Savings Credit Union (525,000 members, $26.4 billion in assets) as an example of this scenario. When a three-day online banking outage — the result of an issue with a third-party system — occurred, Vancity was able to double down on in-branch staff availability despite Thanksgiving holiday hours. “They recognized that their members were inconvenienced and acknowledged that, even though it was a supplier’s responsibility,” Andres says. “It was Thanksgiving weekend and employees were already earning double time. They wanted all branches open to make sure member needs were met when the online system was down. They offered to pay triple time, which has a big monetary impact. Normally there are approval processes you have to go through [for increasing budgets] but because they had the plan in place, they didn’t need to go through that,” Andres says. Anticipating what you’re prepared to pay to prioritize service in the event of a disruption enables you to implement a recovery plan quickly without wasting time getting last-minute approvals, she adds.

Winter is coming

This past winter, when British Columbia experienced record-setting snowfalls, First West Credit Union (248,000 members, $10.3 billion in assets) was forced to enact its business continuity plan. One morning in early February, after a particularly intense snowfall, First West was forced to put in place its storm response. “We couldn’t get enough staff at any branch on Vancouver Island,” says Rajan Dhariwal, business continuity and risk advisory manager at First West, whose role is mitigation planning. “We had to keep some of our branches closed for a full day. The business continuity plan allowed us to make decisions rapidly on the fly so we could keep employees home and keep branches closed,” Dhariwal says.

Dhariwal has overseen First West’s business continuity planning efforts for the past year, facilitating sessions with disparate departmental teams to build out numerous plans that will come together as a whole. “We’re not writing one plan, but getting our legs underneath us to build the foundation,” he says. “The nature of what I do is looking at the entire company top to bottom and understanding what would be the impact of certain unplanned events. What are the things we have to maintain in the event of emergency to ensure there aren’t large consequences? If we can’t maintain banking infrastructure, there would be large impacts on members. So we’re focusing on critical things and throwing planning tools toward those of high consequence. There’s a giant risk to not doing it well,” Dhariwal adds.

While naturally occurring events like wildfires, floods, earthquakes and storms all factor into First West’s plan, Dhariwal says he’s seeing more emphasis on IT-related issues such as data breaches or cybersecurity issues. “We’re fortunate that there are networks we’re part of to stay on top of best practice and evolving trends in IT.”

Small but mighty

For smaller credit unions with fewer resources, banding together in the case of emergency is a mutually beneficial approach to maintaining service through challenging times. It’s also a good way to create business continuity plans when your businesses have many points of commonality. That’s how eight Saskatchewan credit unions have developed their plans.

Led by Unity Credit Union (4,559 members, $264 million in assets), in Unity, Sask., a group of eight worked with Andres to put together plans using the 80/20 rule. “Eighty percent would be consistent across the credit unions and 20 percent could be customized,” Andres says.

She worked with the partners to identify what was common and unique to each of them. “We had more detailed discussions around things like, ‘do we have to use a traditional solution or could we do something different?’ For example, if one of the credit unions didn’t have a lending person available, could they borrow a lender from another credit union? And if yes, do they need to share each other’s policies?”

Unity had been developing its plan for years, so it was used as the basis for the shared document. “Of the participating credit unions, some had started a business continuity plan and some didn’t have anything,” says Gerald Hauta, general manager at Unity. “Unity probably had the most developed one. When we got together we did a comparison. Ours had been developed over many years. Each year we’d add a chapter. So we used it as a basis and Andres reconstructed it based on that.”

The partners agreed to support one another in a crisis situation. “In the event someone like the general manager or CEO was absent, the others would support their partner,” Hauta adds. “You can reach out to us and we’ll provide you with help to get you through until you can get your feet underneath you.”

While Unity hasn’t had to implement its plan yet, it has done some hands-on training to test it out. The RCMP in Unity approached Hauta and asked if they could undertake robbery training. “We closed the doors so we weren’t scaring members unnecessarily. A guy came in with a shotgun and we went through the process. We had the Saskatchewan emergency response team leader in the building observing his team. Then we turned it into a hostage situation and the RCMP negotiated with the hostage taker.” Credit union managers then talked to the staff about the scenario afterward and went through what they would have done in a real robbery or hostage situation, Hauta says.

Testing the waters

A business continuity plan is only useful if staff know it exists and know how to use it. Andres says that regulators also want to see that a business continuity plan has been tested. “Build out a scenario and have a group of people who respond to that scenario by relying on the policy,” she says. “If there’s a gap, you need to fill that gap. You don’t have to wait for a real environment. If you’re not addressing your risks you’re not delivering on your fiduciary responsibilities.”

Dhariwal says putting the plan to the test is the fun part of the process. “The planning process can be a chore but the exercise at the end is the carrot to dangle,” he says. “People will see where there are gaps and will be inclined to partake in those things if they see them first-hand through exercises. We do exercises every year that allow us to unearth gaps we hadn’t thought about, so it’s constantly in flight and being tweaked.”

Regular exercises also ensure the plan is kept up-to-date. “We require our teams to make sure that plans are going through regular updates and revisions every year,” Dhariwal adds. “The easier part is to build it, the hard part is to sustain and maintain it.”