• Pressure from financial institutions
• Pandemic concern
• New threats & risks since 9/11
• Demands from customers
• Cost of insurance/takaful
• Perceived as competitive edge
• Reliance on third parties (supply chain)
• Increased regulator and self-regulated requirements
• Loss of revenue / market share
• Decrease in stock value
• Increase of insurance premiums/takaful contributions
• Loss of assets and employees
• Regulatory sanctions
• Downgrading of debt securities or corporate ratings
• Access to inter-bank liquidity declines
• Loss of confidence by foreign investors and potential investors
• Default on financial commitments and contracts
10 PROFESSIONAL PRACTICES
3. Business Impact Analysis
international glossary for resilience
• Establish the need for a business continuity program.
• Obtain support and funding for the business continuity program.
• Build the organizational framework to support the business continuity program.
• Introduce key concepts, such as program management, risk awareness, identification of critical functions/processes, recovery strategies, training and awareness, and exercising/testing.
• Identify risks that can adversely affect an entity’s resources or image.
• Assess risks to determine the potential impacts to the entity, enabling the entity to determine the most effective use of resources to reduce these potential impacts.
• Identify and prioritize the entity’s functions and processes in order to ascertain which ones will have the greatest impact should they not be available.
• Assess the resources required to support the business impact analysis process.
• Analyze the findings to ascertain any gaps between the entity’s requirements and its ability to deliver those requirements.
• Select cost-effective strategies to reduce deficiencies as identified during the risk assessment and business impact analysis processes.
• Develop and assist with the implementation of an incident management system that defines organizational roles, lines of authority and succession of authority.
• Define requirements to develop and implement the entity’s incident response plan.
• Ensure that incident response is coordinated with outside organizations in a timely and effective manner when appropriate.
• Document plans to be used during an incident that will enable the entity to continue to function.
• Establish and maintain training and awareness programs that result in personnel being able to respond to incidents in a calm and efficient manner.
• Establish an exercise, assessment and maintenance program to maintain a state of readiness.
• Provide a framework for developing a crisis communications plan.
• Ensure that the crisis communications plan will provide for timely, effective communication with internal and external parties.
• Establish policies and procedures to coordinate incident response activities with public entities.