Keys to Develop a Compliant Business Continuity Management Program

Financial institutions (and examiners) are still adjusting to the Federal Financial Institution Examination Council’s (FFIEC) 2019 update to its BCP IT Examination Handbook. The handbook, now renamed Business Continuity Management (BCM), included several updates to the previous 2015 guidance. According to the FFIEC, BCM is the process for management to oversee and implement resilience, continuity, and response capabilities to safeguard employees, customers, and products and services.

To ensure financial institutions do this effectively, the FFIEC expanded the original BCM process.

The previous handbook encouraged institutions to adopt a four-step approach:

1. Business Impact Analysis
2. Risk Assessment
3. Risk Management (essentially, recovery procedures), and
4. Risk Monitoring and Testing

The new guidance recommends a slightly different approach:

1. Risk Management (Business Impact Analysis, Risk/Threat Assessment)
2. Continuity Strategies (Interdependency Resilience, Continuity and Recovery)
3. Training & Testing (aka Exercises)
4. Maintenance & Improvement
5. Board Reporting

Additionally, the business continuity management process outlines 10 key steps financial institutions must complete to achieve a more enterprise-wide approach and meet examiner expectations. This is a bit more complicated than the process has been in the past and may require more time for plan preparation and annual maintenance.

The FFIEC handbook also provides a more detailed break-down of the BCM lifecycle:

1. Oversee and implement resilience, continuity and response capabilities
2. Align business continuity management elements with strategic goals and objectives
3. Develop a business impact analysis to identify critical functions, analyze interdependencies, and assess impacts
4. Conduct a risk assessment to identify risks and evaluate likelihood and impact of disruptions
5. Develop effective strategies to meet resilience and recovery objectives
6. Establish a business continuity plan that includes incident response, disaster recovery, & crisis/emergency management
7. Implement a business continuity training program for personnel and other stakeholders
8. Conduct exercises and tests to verify that procedures support established objectives
9. Review and update the business continuity program to reflect the current environment and
10. Monitor and report business resilience activities.

As many of these items were part of the previous guidance, here is a checklist consisting of required elements that may be missing from your program:

1. Have you conducted a formal business process-based Business Impact Analysis (BIA) that identifies all critical interdependencies?
2. Does the BIA produce sufficient information to establish the following?
   • Recovery point objectives (RPO)
   • Recovery time objectives (RTO) for each business process (prioritized)
   • Maximum tolerable (or allowable) downtime (MTD/MAD)
3. Does your risk/threat assessment measure both the impact and the probability (likelihood) of potential disruptive threats, including worst case (low probability, high impact) scenarios?
4. Do you use testing as employee training exercises to verify that personnel are knowledgeable of recovery priorities and procedures?
5. Do you track and resolve all issues identified during testing exercises, and use lesson-learned to enhance your program? (Must be documented)
6. Does your Board report include a written presentation providing the BIA, risk assessment, and exercise and test results, including any identified issues?

If you would like to make sure your BCM is up to date with the latest regulatory expectations, a complimentary plan review is the best place to start.