Jamie Davis, Education Manager
FIRE! BOMB! GUN! DUCK! Want to get someone’s attention? Yell one of these in a room full of people and they will run and scatter. In fact, if you want to have some fun and are not doing anything for the next 48 hours to 20 years, go into an airport and yell out one of these words. Expressing imminent physical danger tends to arouse quick and definitive reactions. Now, go into your bank and yell “VIOLATION! COMPLIANCE! VULNERABILITY!” Anyone move? Anyone scatter? The security guard may move, but only after being told to grab the straitjacket. You would probably get a lot of stares, and then everyone would continue on as if nothing had happened. These words also signify imminent danger, but the difference is that the danger is not physical. We tend to believe we can recover from, cope with, deal with, or avoid nonphysical damage more easily than physical damage. The government forces you to have a fire evacuation plan, which is most likely posted in a visible location where both your customers and employees can view it. Regulations also require a bank to have a Business Continuity Plan (BCP), but how many of your employees even know you have one, much less the details outlined within?
Business Continuity Plans are the latest rage in regulatory compliance. The disasters of Hurricane Katrina and others over the last several years have put much more focus on how banks, which play an important role providing structure to the backbone of the US economy, can ensure that the business, customer information, and customer communications can be recovered in the event of a disaster. Per the FFIEC handbook on BCP, released a few months ago, a bank must plan for each type of possible disaster. Types of disasters include terrorist attacks, natural disasters, and pandemic diseases, each of which requires a different set of actions to recover.
Your disaster recovery plans should be as well known throughout your bank as your fire evacuation plan. After all, what good are the plans that you spent many hours preparing if no one knows how to follow through with them? Regulatory requirements stipulate that employees must be trained yearly on the appropriate steps. A backup site must be defined so that employees know where they should report. A copy of the BCP must be present at this site, defining the chain of command and delegation of responsibilities.
The Board of Directors must approve the BCP and any changes that have been made to it on a yearly basis. For some banks this is as big a challenge as the BCP document itself. The Board usually wants to know how much money the bank is making, what kind of loans or potential loans the bank is making, or current asset size. They rarely see the need or urgency of reviewing and signing off on regulatory paperwork. In all fairness, this viewpoint makes sense. Time is precious, so why waste it on paperwork when money and profit margins are important to keep the bank open?
If getting in front of your Board is a problem, try expressing the dangers of non-compliance ($10,000 fine per Board member/$100,000 fine to bank per incident, etc.). Find real-world examples of regulatory failures and the punishment that ensued. Training your Board can also be to your advantage. A well-informed/trained Board may be more open to helping you complete your job. This may help them see the bank’s compliance in a better light. If none of these suggestions work, you can always yell “FIRE” to get their attention.