Fifteen top-tier banks and technology companies have teamed with the Financial Services Technology Consortium (FSTC) to take on the task of creating benchmarks for business continuity. The first effort of its kind, the FSTC's Resiliency Model Project will address the need for financial institutions to adequately plan and measure their resiliency activities against a set of industry standards by developing benchmarks for operational resiliency for all areas of a financial enterprise, according to the New York-based trade group.
"One goal is benchmarking," says Charles Wallen, managing executive of the FSTC's Business Continuity Standing Committee and project director. "But in a broader sense, this is a pioneering effort to get banks on the same page in understanding what constitutes resiliency in a secure environment. We are trying to establish a uniform vocabulary and process improvement approach so organizations have a clear road map for raising the bar."
The project is a follow-up to two earlier endeavors conducted in 2005 that clarified global standards for U.S. financial institutions and identified the essential capabilities of operational resiliency. In the newest phase of the effort, participants -- which include JPMorgan Chase, U.S. Bank, Bank of America and KeyBank -- will work together to document goals and practices of vital operational resiliency processes and develop a draft process improvement framework, along with requirements for metrics.
"[The framework] will be a listing of capabilities organizations should have to be resilient," explains Wallen. "It will span core areas -- facilities, technology, data, people, processes. We're laying out capabilities and establishing goals so we can build a model to let organizations assess themselves ... and develop process improvement road maps for themselves."
Wallen adds that an important contributor to the project is Carnegie Mellon University's Software Engineering Institute, which is conducting applied research in the application of process improvement techniques to information security and operational resiliency. "Carnegie Mellon and the FSTC were working in parallel to each other without knowing it," he explains. "We thought this would make a good marriage."
'What,' Not 'How'
Wallen emphasizes this is not a best practices group. "We are defining the 'what,' not the 'how,' of what to do," he relates. "Our scope is broader than business continuity. We want to look at resiliency and operational risk areas holistically so that we see information security, business continuity and IT management together." Wallen says banks have been impeded from achieving uniform resiliency because of their siloed operating environments.
Not only does Wallen hope to break down these silos within banks, he also hopes the project will provide a model for resiliency for other industries as well. "This has to be an industry-agnostic effort," he emphasizes. "If financial services companies are recovering and everyone else is still trying to figure out what to do, that doesn't make sense."
The target to release the resiliency framework is early summer 2006, according to Wallen. Interim materials will be released over the next few months to gather feedback. * --Maria Bruno-Britz