INDIANAPOLIS, Ind. - Try to guess the top five mission-critical business processes at Finance Center FCU.
If you think "maintaining headquarters" is on the list, you guessed right. And if you missed it, don't worry: many people get that one wrong, according to William Hord, VP-enterprise risk management at the $430-million CU.
FCFCU here doesn't have to guess which of the CU's 90 business processes are the most critical, or where to put resources to fight risk. Instead, executives consult a quarterly "Process Report" that ranks the criticality of all business processes across the CU.
Each process is ranked according to the impact it has on business continuity and on two recovery metrics: recovery time objective (RTO) and recovery point objective (RPO).
"We're no longer guessing where each process lies on the list" since fully rolling out an enterprise risk management platform (ERM) last month, Hord explained. "We've systematically made that determination based on real, tangible data input during our business impact analysis. I've talked to and met with the people who own these business processes. They know the nitty-gritty of each process, including the related software, hardware, vendors and websites, who's responsible and how often the process is completed."
Pulling all the data together is web-based ERM software from Quantivate of Woodinville, Wash. The ERM software pulls data from the FCFCU vendor management and business continuity platforms, also provided by Quantivate. That way, ERM considers the CU's 200 vendor contracts and, perhaps most importantly, the quarterly business impact analysis (BIA).
ERM is a "totally different way of thinking" from the common approach of considering risk by business unit, Hord suggested.
Pulling It All Together
"You can do just business continuity and impact analysis, but ERM pulls it all together so you can see the results across the enterprise," Hord said. "If you look at just a department level, which is what we used to do, you'll see some mission-critical processes, but when you compare those to other departments, they may not be as important. Our old business continuity was kindergarten compared to now."
Employees can examine the enterprise criticality rankings on the quarterly process report and continually discuss how to mitigate threats to the processes. They can work to reduce the amount of data loss and data recovery time. Internal auditors can pay special attention to the processes that "bubble up" to the top of the rankings.
Asked what happens when a credit union doesn't take as deep a dive into BIA and ERM, Hord said, "they'll be operating off of assumptions, not facts."
The process-based approach to ERM precludes the need for scenario-based planning, Hord suggested. "Whatever the scenario - a train derailment, terrorist attack or increased unemployment - it makes no difference. The ability to conduct business is affected."
ERM results are helping the CU make decisions about how to spend money to mitigate risks next year, he added.
Although the enterprise view of the CU's processes is the most useful, Hord can also sort the process report by business unit, including accounting; facilities; human resource; lending and collections; information systems; and operations.