Business Contingency Planning

 Business Contingency Planning & Disaster Recovery Planning: Introduction - Backup Computer
Processing Choices - Contingency Planning Process - Detailed Outline of a Disaster Recovery Plan -
Business Continuity Plan - Contingency Planning Process
 Business Continuity Plan
 Crises can come in many forms; an emergency that happens suddenly, a disruption to
the routine of the organization, or something that hurts a company’s competitive
position and demands immediate attention, which can be called a crisis.
 Emergencies can take many forms:
 physical perils, such as fires, floods, or earthquakes; • work accidents; • loss of
essential supplies and utilities, such as electricity; • walk outs or other labor
problems; or deliberate acts of terrorism or sabotage.
 Sometimes there is advanced warning, while other crisis or emergencies are
unexpected.
 Crisis or Emergencies also vary in degree and level of impact. Contingency planning
is essential for successfully minimizing any adverse effects on a business and its
operations.
 Being unprepared can cause a business to experience significant loss of assets or
human life, or to experience business interruptions. Also, being prepared for
“expected” emergencies will make a business better suited to deal with unexpected or
unforeseeable ones.
 Business Continuity Plan

 How to avoid or overcome disasters? Only way is ‘Be prepared

for them’ 
 When things are going well, you often forget to plan for the bad
times. But when disaster strikes, you could lose everything in a
heartbeat.
 An earthquake can bring your whole shop to the ground, your
biggest client can choose your competitor over you, your system
suddenly can crash making you lose important data etc. There are
endless possibilities of disasters if you really think about it. 
 Nowadays, computer data is given more importance by all the
regulators
 That’s why lack of a business contingency plan can be a disaster of
its own. 
 Business Continuity Plan
 Importance of Computer Data:
 RBI in April, 2021 asked global card payment networks American Express Banking
Corp. and Diners Club International Ltd not to on-board new customers due to non-
compliance of localized payment data storage norms. “This order will not impact
existing customers," the regulator said.
 American Express and Diners Club are payment system operators authorized to
operate card networks in India under the Payment and Settlement Systems Act, 2007
(PSS Act). The ban on adding new customers will be effective 1 May, 2021 RBI said.
 In its circular on “Storage of Payment System Data" in April 2018, the central bank had
directed all payment system providers to ensure that their entire data is stored in a server only
in India. They were also required to report compliance to RBI and submit a board-approved
system audit report within the timelines specified.
 RBI had asked payment service providers to comply with the regulations within six months
and report by 15 October 2018. Data to be stored exclusively in India include complete end-to-
end transaction details, information collected, carried and processed as part of the message or
payment instructions.
 Business Continuity Plan

 Importance of Computer Data (contd.):

 Additionally, they were also supposed to submit a Board-approved
System Audit Report (SAR) conducted by a CERT-In empaneled auditor
within the timelines specified therein.
 What happened next? The RBI's decision to restrict American Express
and Diners Club International from taking on-board new customers
indicate that the two companies failed to follow the instructions issued to
payment system providers two years ago.
 Does it impact existing customers? No. The RBI clarified, in its
statement, that the ban will have no impact on existing customers of both
entities.
 According to a Financial Express report, American Express had 15.6 lakh
credit cards outstanding, having 2.53% of the total market. The Diners
Club cards are issued exclusively through HDFC Bank in India.
 Business Continuity Plan
 Importance of Computer Data (contd.):
 The movement towards Basel II has prompted banks to make necessary improvement
in their risk management and risk measurement systems. Thus, banks would be
required to adopt superior technology and information systems which aid them in better
data collection, support high quality data and provide scope for detailed technical
analysis.
 Data limitation is a key impediment to the design and implementation of credit risk
models. Most credit instruments are not marked to market; hence, the predictive nature
of a credit risk model does not derive from a statistical projection of future prices based
on comprehensive historical experience. The scarcity of the data required to estimate
credit risk models also stems from the infrequent nature of default events and the
longer term time horizons used in measuring credit risk. Thus, in specifying model
parameters, credit risk models require the use of simplifying assumptions and proxy
data.
 One of the major challenges is the availability of long-time series and reliable data and
information as also sophisticated IT resources. In view of these constraints, banks in
emerging economies are forced to adopt the standardized approach.
 Business Continuity Plan

 Importance of Computer Data (contd.):

 Full implementation of Basel II would require upgradation of skills both
at the level of supervisory authority and the banks.
 Supervisors expect the banks to do any research or product
development or improvement in the existing process based on minimum
seven years data which should contain at least one downturn.
 Banks would be required to use fully scalable state of the art
technology, ensure enhanced information system security and develop
capability to use the central database to generate any data required for
risk management as well as reporting. The emphasis on improved data
standards in the revised accord is not merely a regulatory capital
requirement, but rather it is a foundation for risk-management practices
that will strengthen the value of the banking franchise.
 Business Continuity Plan

 Let’s see why you need a business contingency plan and how to create one
in a few simple steps.   
 What is a Business Contingency Plan? 
 But first, let’s define what a contingency plan is. :
 A contingency plan is a proactive strategy that describes the course of
actions or steps the management and staff of an organization need to take in
response to an event that could happen in the future.
 It plays a significant role in business continuity, risk management and
disaster recovery. 
 It helps you stay prepared for unforeseen events and minimize their impact.
It also outlines a plan for carrying out the normal business operations after
the event has occurred.  
 It’s also known in names such as plan B, backup plan, and disaster recovery
plan. In case your primary plan doesn’t work, it’s time to execute the plan B.
 Business Continuity Plan

 Benefits of a Contingency Plan:

 Without a contingency plan you’re opening yourself to
unnecessary risks. Here are some important benefits of a
contingency plan that you cannot look away from. 
• Helps react quickly to negative events. As a contingency
plan lists the actions that need to be taken, everyone can
focus on what to do without wasting time panicking.
• Having a contingency plan in place allows you to minimize
damage that could happen from a disaster and minimize
the loss of production. For example if you have emergency
generators set up, even during a blackout, your team can
work seamlessly. 
 Business Continuity Plan

 How to Make a Contingency Plan?

 An effective business contingency plan is based on good research and
brainstorming. Here are the steps you need to follow in a contingency
planning process. 
 Step 1: List down the key risks:
 Identify the major events that could have a negative impact on the course
of your business and on the key resources, such as employees, machines,
IT systems etc. 
 Involve other team heads, subject experts, and even outsiders like business
consultants to get a deeper understanding of things that may cause
problems and jeopardize the direction.
 Use a mind map to organize and categorize the information you gather
from the brainstorming session with the staff. You can easily share this
with everyone in the organization to get their input as well.
 Business Continuity Plan
Step 2: Prioritize the Risks Based on Their
Impact:
Once you have created a list of all the possible risks
that could occur in different areas of your business,
start prioritizing them based on the threat they pose. 
The risk impact probability chart is a handy tool you
can use here. It helps you evaluate and prioritize
risks based on the severity of their impact and the
probability of them occurring or frequency.
 Business Continuity Plan
 Step 3: Create Contingency Plans for Each Event:
 In this step you’ll create separate plans that outline the actions
 you need to take in case the risks you identified earlier occur. 
 Consider what needs to be done in order to resume normal
operations after the impact of  the event. 
 Here you’ll need to clarify employee responsibilities, timelines that
highlight when things should be done and completed after the
event, restoring and communications processes and the steps you
need to have taken in advance to prevent losses when the event
has taken place (i.e. insurance coverage). 
 You can use a visual format here to highlight the course of
actions. It would be easier for everyone to comprehend.
 Business Continuity Plan
 Step 4: Share and Maintain the Plan:
 Once you have completed the contingency plans, it should be put up to
the Board as a BCP Policy for its approval.
 Thereafter, it should be ensured that it is quickly made accessible to all
employees and stakeholders. 
 Review your contingency plans from time to time (maximum once in a
year) and update them as needed. And it’s a best practice to inform your
employees of the changes as well, as it may include updates to their roles
and responsibilities.  
 What’s Your Take on Contingency Plans?
 That is how you make a detailed contingency plan. List down the major
incidents that could harm your business operations, prioritize them based
on their impact and probability, create an action plan explaining what you
should do in case they occur, and review and update them frequently. 
 Disaster Recovery Plan
 Disaster Recovery Plan — a plan for actions to be taken to recover
from a disaster and resume business functions. It does not address
preplanning or emergency actions and is part of a broader business
continuity management plan.
 So, A disaster recovery plan is a set of procedures and steps to protect
businesses and aid in recovery after a natural or man-made disaster.
 A disaster recovery plan (also known as a business recovery plan) is an
essential document for all small businesses. It helps business owners
respond effectively to a catastrophic event, safeguarding business
assets and re-establishing operations as quickly as possible.
 The plan should be highly detailed and practical, showing you exactly
what to do after a disaster takes place. A disaster recovery plan and 
business interruption insurance are crucial resources for companies in
the aftermath of a disaster.
 Disaster Recovery Plan
 What are the benefits of a disaster recovery plan?
 Despite numerous benefits to having a disaster recovery plan, 
61% of small business owners polled in a recent survey don’t have a formal
business continuity plan in place. Disaster recovery planning helps businesses
by:
• Minimizing damage to business property and injuries to staff after a disaster. If
your property is damaged, commercial property insurance can potentially
cover replacement costs.
• Ensuring continuity of computer and office operations so customer service can
resume as soon as possible
• Mitigating customer defections during and after an extended business closure
• Allowing for ongoing invoicing and posting of business receivables so that
firms remain solvent
• Making sure a disaster does not put your company out of business
 Disaster Recovery Plan
What should a disaster recovery plan include?
Because you must address many factors in your disaster recovery planning,
it’s helpful to work with a disaster recovery plan checklist, which are given
below:
 Establish and equip an alternative location for your business.
 Develop a plan for maintaining communications (both internally and
externally) after a disaster strikes. 
 Ensure that technology and data backups are in place to guarantee continued
operations after a crisis.
 Document all key business functions (including supply chain) and take steps
to maintain their integrity post-disaster.
 Create a safety/evacuation plan to prevent staff injuries.
 Develop a plan to test (mock drills) and periodically review and revise your
disaster recovery document.
 Disaster Recovery Plan
What role does insurance play in a disaster recovery plan?
A key part of disaster recovery planning is reviewing your
business insurance to make sure you have adequate coverage
for the costs of remediating a disaster.
An important insurance policy to consider is 
business interruption insurance. It provides cash to replace your
lost revenue, normal operating expenses, and the cost of moving
your business to a temporary location.
Having business interruption insurance might be the difference
between your company surviving a disaster or shutting its doors
permanently.
 Risk Management
 Don’t Avoid Risk:
• ‘Risk Management Departments are springing up in many companies.
They categorize and analyze risk to the company before it happens,
and in most cases, they create systems and processes to prevent risks.
But the reality is that all hazards cannot be predicted or avoided.
Instead of simply staving off risk, focus on building resilience so that
when the unthinkable happens, you are better prepared to face it. Look
at all risks you face and play out what you would do if any of them were
to come to bear. Having systems in place to respond could save your
valuable time, money and resources’.
• Management Tip from Harvard University Business Review
 Risk Management
• Mr. Timothy Geithner, the then Treasury
Secretary, US has written in his Book
on Stress Test:
• ‘While crises cannot be prevented, we
can blunt the negative impact if we
have our structure in place’.
 Disclosure Policy
The users of the financial statements need information about the financial position and
performance of the bank/financial institutions in making economic decisions.
They are interested in its liquidity and solvency and the risks related to the assets and
liabilities recognized on its balance sheet and to it’s off balance sheet items.
In the interest of full and complete disclosure, some very useful information is better
provided, or can only be provided, by notes to the financial statements.
The use of notes and supplementary information provides the means to explain and
document certain items, which are either presented in the financial statements or
otherwise affect the financial position and performance of the reporting enterprise.
Recently, a lot of attention has been paid to the issue of market discipline in the banking
and financial sector.
Market discipline, however, works only if market participants have access to timely and
reliable information, which enables them to assess entity’s’ activities and the risks
inherent in these activities.
Enabling market discipline may have several benefits. Market discipline has been given
due importance under Basel II by recognizing it as one of its three Pillars.
 Disclosure Policy
 General Disclosure Principle:

o Every Financial Institutions should have a formal disclosure policy approved by the
Board of directors that addresses the bank’s approach for determining what
disclosures it will make and the internal controls over the disclosure process.

o In addition, banks should implement a process for assessing the appropriateness

of their disclosures, including validation and frequency.

o Further, the policy should state that when the entity has been met with some kind of
disaster, who has the authority to inform about the position of the entity to the
general public periodically. This disclosure made from time to time should reveal to
the public and stakeholders about the intention and the sincere efforts taken by the
entity to come back to the business as early as possible to serve the customers.