Skip to main content
Practice, Practice, Practice

Moderator: Are there a set of core principles or three things you could write on the back of an envelope that would help you achieve eighty percent of what you need to do and think about in terms of business continuity?

Steve Kos: Yes, I think there are. And I probably mentioned a couple of them already in terms of business continuity and disaster recovery being a strategic issue for large companies. Our senior management has to own it, as does our board of directors. In the past that wasn’t the case. They have to set that tone at the top; we have to get everybody involved every day thinking about it to keep it alive.

The threat analysis that I mentioned to you—there are so many things that can happen and you just have to keep thinking of the unknown, the unforeseen, because chances are those things will happen sooner or later. So we like to do a lot of that hypothetical, you know, within a bank we actually sit around and we will push that around with a particular business. And we will take a look at all the adverse events that took place in a particular industry and related to a certain business and maybe make some changes as a result.

Also, establish a crisis management committee. We had a business continuity committee involving all the businesses, but this was at a higher level. The crisis management committee is a very small group of our senior management team that will come together if something happens around the world. When we had bombings in Istanbul, Turkey, we had our team together at 4:30 a.m. in the morning talking that through and understanding what impact it had on HSBC Bank here in the U.S.

And if I had to say anything, it’s practice, practice, and practice at this committee level and at a business level. It’s very important to do your contingency testing. You’ve got to have somebody who knows business continuity and disaster recovery to make sure that the testing is well thought-out and well conducted. And whatever gaps come about as a result of those tests are monitored and closed.