Reevaluating Business Continuity: New FFIEC Guidance Equals Major Plan Overhaul for Banks and Credit Unions
The FFIEC updated its Business Continuity Planning (BCP) IT Examination Handbook booklet in November 2019. The booklet is no longer titled BCP but Business Continuity Management (BCM), and the change in name reflects a change in scope. This is the first major update since 2015, and many community banks and credit unions may now be wondering what it means for their institution today, and what changes they will need to make to maintain compliance going forward.
Safe Systems compliance experts Tom Hinkel and Jackie Marshall held a webinar last month covering the new BCM guidelines and how auditors and examiners will assess plans going forward. The new guidance calls for community banks and credit unions to rethink their approach to business continuity and to be prepared to make appropriate plan revisions, up to and including a complete overhaul. In this blog, we cover a few of the key points from the webinar.
Strong Focus on Resilience
With the title change from business continuity planning to business continuity management, the business continuity plan is now just one component of the overall BCM process: a process in which a financial institution must proactively plan both for resilience against adverse events and for recovery from them. The BCM booklet places a heavy emphasis on “resilience.”
Resilience is the ability to prepare for, and adapt to, changing conditions, and to both withstand and recover rapidly from disruptions, whether those are deliberate attacks, accidents, or naturally occurring threats or incidents. The terms “withstand” and “recover” are the two keys to understanding resilience, and the new guidance puts the emphasis on withstanding adverse events. Traditional BCP focused mostly on recovery; the FFIEC has now shifted its attention toward resilience.
The FFIEC wants community banks and credit unions to take an enterprise-wide, process-oriented approach to business continuity, meaning institutions should go beyond planning to recover and focus on the overall resilience of operations. The ultimate goal is for financial institutions to be more proactive and in doing so, avoid or minimize having to implement traditional recovery measures down the road.
Business Continuity vs. Disaster Recovery
With this new emphasis on resilience, it is critical to understand the difference between business continuity and disaster recovery. The business continuity plan focuses on keeping critical business functions running, while the disaster recovery (DR) plan focuses specifically on recovering technology systems. In the previous guidance, business continuity and disaster recovery were closely tied together; the new guidance draws a clear line between the two, treating technology recovery as one component of the broader BCM program rather than as its center.
The guidance now states that “The business strategy, not technology solutions, should drive resilience.” Financial institutions cannot rely on technology alone to ensure resilience. Alternative procedures often have nothing to do with technology, and while technology can help provide resilience, in many cases technology is what failed in the first place. Financial institutions must be able to offer products and services to their customers or members regardless of the state of their technology, and in practice that often means falling back to documented manual processes and procedures.
Keeping critical functions available and operating normally during an event is what protects the institution’s reputation afterward, and that is a key part of the business strategy.
Key Process Changes for Developing the Plan
When thinking about the development of the plan, it is important to note some key changes the FFIEC has made. In the 2015 guidance, the FFIEC advocated a cyclical, process-oriented approach to business continuity planning. The four steps in that process were:
- Business Impact Analysis – What you do
- Risk Assessment – Negative things that can happen to what you do
- Risk Management – How you recover if the negative things identified in Step 2 happen
- Risk Monitoring and Testing – Reviewing, testing, and repeating the process
The Previous 4 Steps of Business Continuity Planning
Although this approach is expressed as four steps, the business continuity planning process is actually a continuous cycle: each pass through testing feeds back into the next business impact analysis.
The FFIEC has made significant changes to better reflect this in the 2019 guidance. Instead of four steps, there are now ten steps that financial institutions must complete to develop the plan. This is more involved than the previous process and will require more time for plan preparation and ongoing maintenance.
The Current 10 Steps of Business Continuity Management
The new 2019 BCM guidance gives financial institutions a host of new items to evaluate and prepare for this year. To find out what other changes were made that will impact your financial institution, download our recorded webinar, “Does the New Business Continuity Guidance Require a Whole New Plan?”
Or, if you are not sure whether your institution is BCM ready, request a complimentary plan review to ensure that your business continuity plan is keeping up with the changing regulations.