Since the FFIEC updated its BCM IT Examination Handbook last year and expanded its focus from “business continuity planning (BCP)” to “business continuity management (BCM),” financial institutions are gaining a better understanding of what has changed and how it impacts their current business continuity planning efforts.
In a previous post, we outlined some of the major changes in the new business continuity management guidance and what financial institutions need to do to be prepared. However, there are some general observations that can have a significant impact on the way community banks and credit unions interpret this guidance. In this blog post, we’ll cover five key points to keep in mind when evaluating your BCM plan:
A recurring theme in the FFIEC’s new business continuity management handbook is the concept of resilience. In fact, the term “resilient” or “resilience” occurs 128 times in the document. Resilience is the ability to prepare for and adapt to changing conditions and to withstand and recover rapidly from disruptions. This includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents.
Traditional BCP has focused on the ability to recover, but the FFIEC clearly wants institutions to focus on being able to “withstand” a disruption. Regulators want to know what proactive measures financial institutions have in place to mitigate risks and minimize the impact of an outage by planning in advance for the absence of a critical service provider or other interdependency. To meet these new regulatory expectations, resilience must be built into the BCM process from the very beginning.
“Entities” vs. “Institutions”
In the new BCM guidance, the FFIEC took every instance of the word “institution” and replaced it with the word “entity.” The significance of this change is that the new expectations now include bank holding companies and third-party service providers along with traditional financial institutions. The FFIEC now expects critical third-party providers to be active participants in the BCM program, and it’s likely that regulators will require you to have a detailed understanding of the resilience capabilities of your core/TSP providers, cloud providers and others moving forward.
“MAD” vs. “MTD”
Another update that stands out is the change from “Maximum Allowable Downtime (MAD)” to “Maximum Tolerable Downtime (MTD).” MTD represents “the total amount of time the system owner or authorizing official is willing to accept for business process disruption and includes all impact considerations.” To put it simply, MAD/MTD is the point at which recovery becomes impractical or impossible, or losses become unacceptable.
So, while the definitions have essentially stayed the same, and the handbook makes it clear that either term is acceptable, it is important to show examiners that the institution is familiar with the new guidance and any new terminology it includes. The examiner may want to test your knowledge and make sure the institution understands the nuances of the updated handbook.
“Exercises and Tests”
The new handbook makes an important distinction between these two concepts, defining an exercise as “…a task or activity involving people and processes that is designed to validate one or more aspects of the BCP or related procedures.” For many institutions, the scenario-driven table-top tests, where participants simulate a disaster event and walk through performing their duties in a simulated environment, are best described as training exercises.
On the other hand, a test is often performed “…to verify the quality, performance, or reliability of system resilience in an operational environment.” Typically, this involves the recovery of a critical asset or infrastructure component, such as backup and recovery options, supplementary power, or circuit fail-over. The handbook makes it clear that both exercises and tests are necessary to demonstrate resilience and recovery capabilities.
“Guidance” vs. “Requirements”
Finally, it is also interesting to note that the handbook states that “This booklet does not impose requirements on entities. Instead, this booklet describes practices that examiners may use to assess an entity’s BCM function.” Our belief is that, semantics aside, any “guidance” that examiners use to assess an entity’s BCM program is indeed a “requirement,” meaning that if a financial institution deviates from the guidance, the examiner could find fault. However, according to FIL-49-2018, examiners cannot take enforcement action based on supervisory guidance.
To be clear, it is important for financial institutions to follow the guidance as outlined by the FFIEC if at all possible, but if you choose to deviate from guidance, you must have a very good reason to do so. If your institution has not strictly followed the guidelines but you still believe you are following the best practices for your institution, you may be able to push back on an examiner or auditor whose interpretation of the guidance may not be realistic in the context of your organization’s particular situation. However, the burden is on you to make your case convincingly.
The 2019 BCM guidance gives financial institutions a host of new items to evaluate and consider for inclusion in your business continuity program for this year. If you’d like to find out what other changes were made that will impact your financial institution, download our recorded webinar, “Does the New Business Continuity Guidance Require a Whole New Plan?”
Or, if you’re not sure if your institution is BCM ready, then request a complimentary plan review to ensure that your business continuity plan is keeping up with changing regulations.