Kenya recently suffered a terrible terrorist attack at the DusitD2 complex on Riverside Drive. This complex houses many businesses, among them a bank. It goes without saying that the business operations of this bank were disrupted in one way or another. One needs to pause and reflect on how the financial institution with which they transact suffered such a tragedy.
In the finance industry, disasters are especially dangerous, as disruptions to a single branch’s operations have the power to tarnish the entire brand and disrupt the entire institution’s operations. For example, in a survey conducted in July 2012 following the Tohoku earthquake, which inflicted mayhem in Japan in 2011, 11.4% of firms indicated that, following the earthquake, the bank that was their most important source of lending could not operate the branch with which they transacted, and 4.8% of firms replied that they were adversely affected by the fact that the bank with which they transacted suffered damage as a result of the earthquake.
As seen in the above examples, despite the substantial indirect effects of disasters, more focus is put on disaster preparedness than on business continuity. It is therefore very important for financial institutions to invest in developing robust Business Continuity Plans (BCP).
New business practices, changes in technology, and increased terrorism fears have focused even greater attention on the need for effective BCP and have changed the traditional thinking about an effective plan. The crucial element of any BCP is an impact analysis differentiating between critical and non-critical functions. Crucial functions may include the data of the business, physical cash at the premises, and crucial staff and systems, among others.
As financial institutions spend more resources to protect the physical assets of the bank, critical controls to manage data protection and prevent cyber attacks may be completely ignored. In the last three weeks alone there have been data breaches of catastrophic impact all over the world. One is left to wonder what a financial institution can do to protect its reputation in case such a disaster happens to it.
From a different perspective, institutions need to think of business continuity processes to prevent emergencies from turning into disasters. Let us take a look at the following scenarios:
- Many banks in Uganda have only one entrance accessible to customers. In a scenario where the main door develops a problem (the revolving doors getting stuck or a fire outbreak near the entrance), that would be defined as an emergency. This emergency can quickly escalate into a full-blown disaster if customers can’t get in or out of the bank. With a BCP in place, this scenario could be easily prevented.
- The trend of ATM hacking has been prevalent in the US and European countries, but this risk has been averted by using more sophisticated ATM models. Ugandan banks have not yet embraced this change and still use the old ATM models. If multiple ATM hacks happened simultaneously, what contingency plans would the bank take? One would think that these machines are insured, but what happens in the event that the insurance company with which the bank has a policy files for bankruptcy in the same time period? What steps would the bank take to continue operating?
- Flooding in Kampala is a common event whenever there are heavy rains. A bank with offsite backups would be able to continue operations, as the bank’s data is still intact. But what happens when the offsite backup location is in close proximity to the bank, and is flooded too?