BCP requirements within a firm can vary from application to application.
In financial services, applications deemed critical require a high available and redundant architecture to meet ever-demanding service level agreements.
Financial institutions and their TSPs should develop, implement, and test appropriate disaster recovery and business continuity plans capable of maintaining acceptable retail payment-related customer service levels.
For financial institutions and service providers with complex retail payment operations, business continuity plans should enable restoration of service within timeframes that are reasonable for internal business units as well as other dependent financial institutions and counterparties.
Perceptions of the acceptability of disruption may be modified by the cost of establishing and maintaining appropriate business or technical recovery solutions.
A function may also be considered critical if dictated by law.
The objectives of a BCP are to minimize financial loss to the institution, continue to serve customers and financial market participants, and mitigate the negative effects disruptions can have on an institutionâ€™s strategic plans, reputation, operations, liquidity, credit quality, market position, and ability to remain in compliance with applicable laws and regulations.
Changing business processes (internally to the institution and externally among interdependent financial services companies) and new threat scenarios require financial institutions to maintain updated and viable BCPs.
Key to any BCP is an impact analysis differentiating between critical and non-critical functions.
A function may be considered critical if the implications for stakeholders or damage to the organization are regarded as unacceptable.