A bank’s Business Continuity Plan (BCP) is the crucial blueprint for guiding it through the recovery from a business outage and is instrumental in ensuring that people, process, and technology elements are all properly coordinated and restored. These plans have evolved from early one- or two-page outlines for banks to follow in times of disaster into large, detailed, step-by-step instruction manuals for everyone in the financial institution to follow should a disaster strike. For the past several years, examiners have been looking closely at these plans not only to verify that banks have a compliant plan in place, but also to ensure that they are able to execute it successfully.
While most institutions have some sort of BCP in place, many community banks and credit unions find it challenging to produce a current and comprehensive BCP that meets examiner expectations. Some of the challenges institutions face when producing a current and compliant BCP include:
Understanding Plan Deficiencies
Today, most financial institutions have some sort of BCP in place and are not drafting a plan from scratch. Yet many struggle with understanding the difference between where their plan is now and where they need to be to have a compliant and comprehensive plan. Understanding the plan’s deficiencies can be challenging if it hasn’t been routinely updated and if the financial institution does not truly understand the FFIEC guidance on BCP. The BCP should be a living, functional document that keeps pace with any changes in infrastructure, strategy, technology and human resources. Financial institutions that do not regularly update their plans or keep up with FFIEC regulations might not pass exams in the future.
Determining What to Include in the BCP
Each organization has a unique operating model based on its specific services, organization, processes, and technologies. The first step to creating a comprehensive BCP is to have a thorough understanding of all the functions and processes that make up those operations, which involves breaking the institution into departments and determining the team members responsible for each of these areas. Having representatives from each department contribute to the BCP ensures the technologies and responsibilities for each area are accurately represented. It is difficult for a single individual to have all of the knowledge required to put together the BCP.
Properly Testing the BCP
The BCP process is not complete until the plan is thoroughly tested. Testing verifies the effectiveness of the plan, helps train the team on what to do in a real-life scenario, and identifies areas where the plan needs to be strengthened. Testing exercises help identify errant assumptions and gaps in the plan to make sure what is on paper matches the most likely threat scenarios. While regulators require proof of testing annually, more frequent testing may be necessary if a previous test uncovered significant gaps in the plan or if there are significant internal changes to processes or infrastructure.
Revising the BCP Based on Test Results
Simulated testing scenarios are helpful in determining what adjustments and changes need to be made to the plan to enhance recoverability of the bank’s processes and functions. However, many financial institutions do not take the time to make necessary revisions. It is important to review and update the full plan on a regular basis, especially when new services and technologies are implemented and as regulatory guidance and best practices change.
To streamline this process, community banks should integrate business continuity into all business decisions, assign responsibility for periodic reviews of the plan, and perform regular testing. The importance of the BCP should be communicated to the entire organization and everyone should understand his or her unique role and responsibility. The board, senior management and other stakeholders should also be kept up to date on the status of the BCP, review test results, and approve plan updates.
In today’s regulatory environment, it is critical to ensure you are adhering to the examiner’s expectations. It is no longer enough to simply have some variant of a BCP in place. All financial institutions must have a solid understanding of the FFIEC guidance to ensure their plan is comprehensive and that it adequately addresses all areas. It must be updated, accurate and tested routinely. A comprehensive BCP limits the impact that a disaster will have on your financial institution and ensures that you can continue to provide services to your customers, no matter what type of disaster may strike.
At Safe Systems, we have been working with community financial institutions to manage their business continuity planning process for more than 25 years. With our knowledge of banking applications, technology, and compliance we can help you ensure your plan will meet your objectives while also satisfying all regulatory requirements. Our hope is that it isn’t needed, but should a disaster strike, we want our customers to be prepared and recover quickly.