March 07, 2006

Fifteen major banks and technology companies teamed up with the Financial Services Technology Consortium (FSTC) to take on the task of creating benchmarks for business continuity. The FSTC's Resiliency Model Project will develop benchmarks for operational resiliency for all areas of a financial enterprise. This will be the first effort of its kind, according to the New York-based trade group.

The project will address the need for financial institutions to adequately plan and measure their resiliency activities against a set of industry standards. "One goal is benchmarking," says Charles Wallen, managing executive of the FSTC's Business Continuity Standing Committee and project director. "But in a broader sense, this is a pioneering effort to get banks on the same page in understanding what constitutes resiliency in a secure environment. We are trying to establish a uniform vocabulary and process improvement approach so organizations have a clear roadmap for raising the bar."

This project is a follow-on to two earlier endeavors conducted in 2005 that clarified global standards for U.S. financial institutions and identified the essential capabilities of operational resiliency. In the newest phase of the effort, participants—which include JPMorgan Chase, USBank, Bank of America and KeyBank—will work together to document goals and practices of vital operational resiliency processes and develop a draft process improvement framework, along with requirements for metrics.

"[The framework] will be a listing of capabilities organizations should have to be resilient," Wallen explains. "It will span core areas—facilities, technology, data, people, processes. We're laying out capabilities and establishing goals so we can build a model to let organizations assess themselves ... and develop process improvement roadmaps for themselves."

Wallen notes an important contributor to the project is Carnegie Mellon University's Software Engineering Institute. It is conducting applied research in the application of process improvement techniques to information security and operational resiliency. "Carnegie Mellon and the FSTC were working in parallel to each other without knowing it. We thought this would make a good marriage," he explains.

Wallen emphasizes this is not a best practices group. "We are defining the 'what,' not the 'how,' of what to do," he says. "Our scope is broader than business continuity. We want to look at resiliency and operational risk areas holistically so that we see information security, business continuity and IT management together." He says banks have been impeded from achieving uniform resiliency because of their siloed operating environments.

Not only does Wallen hope to break down these silos within banks, he also hopes the project will provide a model for resiliency for other industries. "This has to be an industry agnostic effort," he says. "If financial services companies are recovering and everyone else is still trying to figure out what to do, that doesn't make sense."

The target to release the resiliency framework is early summer 2006, says Wallen. Interim materials will be released over the next few months to gather feedback.
