Meeting Minutes:

ACP Meeting

Wednesday, January 17, 2018

President's Welcome

3 guests for today

1 new member - Scott

Annual Conference-

Thoughts on dates- 9/11

Feelings on date: (no comments - but let JW know if any opinions)

Location: Batavia Downs

Facebook and LinkedIn - Thanks to those who are getting all of the access straightened out

ACP is a co-sponsor with Firestorm

BIAs & AIAs: What is the difference? How and when are they used? What questions are asked in each?

John, Greg, Cory, Mike (presenters)

Greg (Paychex) - BIA

Who gets a BIA?

-Our org structure is similar to most companies in that we have multiple layers of professional and experienced management.

- Executive Officer Team, VP, Directors, Senior Managers, Mid-Level Managers, Functional Managers

Sue Miller - we do our BIAs by Business Lines (which are broken down into many departments)

John - from all the bank employees here, do you think the BIA function is similar across all banks?

A BIA called an AIA

AIAs identify the criticality of individual applications

Why is this required?

-The criticality of apps is typically identified by the critical processes, which in turn are identified by the BIAs

-We do not have a well-defined BIA for every dept in the company so that process has gaps

-AIAs are created for each application as needed. The design architect, data owner and BU are interviewed to determine a criticality level of the applications

Jay Williams - is it the same for medical fields?

-(Kathy - U of R guest) Similar, but we primarily use AIA. We meet with app owners and reps for the business side and explain why we need this to work. During the BIA we decide what key resources are needed to perform the business function. Then we do a crosswalk of the information.

Next Steps

-Create standards and requirements for BC including BIAs

-Implement a BCM tool

-Currently using RPX

-Identify depts and managers responsible for BC

-Train users on the tool as well as BIA process

-Assist depts in the creation of their BIAs

-Track compliance and results

John - do you find that quality is better than quantity when it comes to BIA? How do you know what makes a good quality question?

Craig - the issue is that most people who are answering these questions don't really know what the impact is to the company.

Michael - send them out interviews, write up a scenario to have them read, and then go ahead and ask them questions. Getting them in the mindset before you start asking questions.

Additional Notes (Part 2)

-Essential employees we define (loosely) as people who are critical to a process, and yes they are identified in the BIA


Cory - (ESL)

  1. Understanding your business
  2. BC strategies
  3. Develop and implement BC response
  4. Building and embedding a Continuity culture
  5. Exercise, maintenance and audit
  6. BCM Program Management

Performed during an investigative process of acquiring an application or system - called the Tech Arch Review Process

-Who meets: 16 people

-Managers representing: Info Sec, DBA, System Admin, BCP Network Services, Legal Arch

-There are 20 BCDR questions I created for the BC discipline

Sample AIA Questions

-Is this system supporting a critical business function?

-Is this system supporting a critical business function for a BU as defined in a departmental BIA?

-If the system is unavailable, do you have manual workarounds?

-What is the RTO for this system?

-What is the RPO for this system?

-Can the system achieve the RTO? If not, state why and what time it can meet.

-Can the system achieve the RPO? If not, state why and what time it can meet.
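The sample AIA questions above, together with Greg's point that application criticality is derived from the critical processes identified in the BIAs and Kathy's "crosswalk" of BIA and AIA information, describe a simple data flow: each application inherits requirements from the business functions it supports, and the AIA answers are checked against them. The script below is an added example that is not part of these minutes or of any presenter's tooling. It assumes a four-tier criticality scale and a rule that an application inherits the highest criticality and the tightest RTO/RPO of the processes it supports; neither rule is stated in the minutes. All process and application data is constructed for illustration.

```python
from dataclasses import dataclass

# Assumed criticality tiers, least to most critical; an application inherits
# the highest tier among the BIA processes it supports.
TIERS = ["low", "medium", "high", "critical"]


@dataclass
class Process:
    """A critical business function as captured in a departmental BIA."""
    name: str
    criticality: str
    rto_hours: float
    rpo_hours: float


@dataclass
class Application:
    """AIA answers for one application (the sample questions above)."""
    name: str
    supports: list            # names of BIA processes the app supports
    achievable_rto_hours: float
    achievable_rpo_hours: float
    manual_workaround: bool


def derive_requirements(app, processes):
    """Crosswalk BIA -> AIA: the app needs the tightest RTO/RPO and the highest
    criticality of the processes it supports. Returns None when none of the
    named processes exists in the BIA set (a BIA coverage gap)."""
    supported = [processes[n] for n in app.supports if n in processes]
    if not supported:
        return None
    top = max(supported, key=lambda p: TIERS.index(p.criticality))
    return {
        "criticality": top.criticality,
        "rto_hours": min(p.rto_hours for p in supported),
        "rpo_hours": min(p.rpo_hours for p in supported),
    }


def assess(app, processes):
    """Compare what the system can achieve against what the BIA requires."""
    findings = []
    for name in app.supports:
        if name not in processes:
            findings.append(f"process '{name}' has no BIA entry (BIA gap)")
    req = derive_requirements(app, processes)
    if req is None:
        return {"app": app.name, "criticality": "unknown", "findings": findings}
    if app.achievable_rto_hours > req["rto_hours"]:
        note = (f"RTO gap: achievable {app.achievable_rto_hours}h exceeds "
                f"required {req['rto_hours']}h")
        note += (" (manual workaround available)" if app.manual_workaround
                 else " (no manual workaround)")
        findings.append(note)
    if app.achievable_rpo_hours > req["rpo_hours"]:
        findings.append(f"RPO gap: achievable {app.achievable_rpo_hours}h exceeds "
                        f"required {req['rpo_hours']}h")
    return {"app": app.name, "criticality": req["criticality"], "findings": findings}


# Constructed sample data, not taken from any real BIA or AIA.
BIA_PROCESSES = {p.name: p for p in [
    Process("payroll run", "critical", rto_hours=4, rpo_hours=1),
    Process("client reporting", "medium", rto_hours=24, rpo_hours=8),
]}

APPLICATIONS = [
    Application("payroll-engine", ["payroll run", "client reporting"], 8, 1, True),
    Application("report-portal", ["client reporting"], 12, 4, False),
    Application("legacy-tool", ["vendor onboarding"], 48, 24, False),
]


def run_assessment():
    """Assess every application; keyed by application name for reporting."""
    return {app.name: assess(app, BIA_PROCESSES) for app in APPLICATIONS}


if __name__ == "__main__":
    for name, result in run_assessment().items():
        print(name, result["criticality"],
              result["findings"] or ["meets BIA-derived RTO/RPO"])
```

The "legacy-tool" case shows why the presenters care about BIA coverage: an application whose supported process has no BIA entry cannot be assigned a criticality at all, which is exactly the gap Greg described for departments without a well-defined BIA.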

Current BIA

-Reviewed at least annually with each BU in a workshop, interview format

-Review critical functions of each BU and resources that support the functions

-Responses and data feed into the detailed Corporate BCP

-Each BU exercises their plans at least once a year at our BC-DR Facility

-Highly regulated and audited environment from internal and external audit teams

John - is your BC plan a direct output of your BIA?

Emy - it's a way to identify how to prepare for an event. The BIA is focusing on the IT terminology and terms used.

Michael - AIAs feed the information to the server recovery plan, database recovery plan, and application recovery plan. Separate plans.

Additional Notes (Part 2)

-Extension of ServiceNow

-App conforms to ISO 22301

Mike Weaver (M&T Bank)

-Last BIA was performed in 2014 in BIA Professional

-It didn’t do dependencies

-It was campaign based

-The new tool will fix it all

-AIA was performed continuously in RSA Archer

-It wasn’t informed by the BIA

-It didn’t do dependencies either

Pitfalls/Stumbling Blocks

-Not sustainable

-Too complicated

-Did not integrate to planning tool

-Not enough buy-in from management

-Process owners were not engaged

-No consequences to process owners who did not comply


-Trying to go from comically simple to overly complex does not improve data quality

-Not integrated in planning tool

-Still not informed by BIA

-Still in a tool we don’t control

-Still doesn’t do dependencies

John - where are the majority of the questions coming from? (group question)

-Mainly experience

-FFIEC guidelines

-DRI had a lot of questions (15 years ago) that were generic

Note: chapter agrees that it might be a good idea to have a working session on question development

Chapter Business Session

Next meeting in March is at M&T Bank - Holtz location. Guest speaker on opioids.