Fill in the blank: Business continuity ____.
Did you answer "plan"?
In the past, you'd have been right. But under new guidance issued this month by the Federal Financial Institutions Examination Council (FFIEC), you're going to want to adjust your business continuity mindset to a new reality: business continuity management.
- New FFIEC BCP Guidance
- What Is Business Continuity Management?
- A New Emphasis on BCM, Governance and Risk Appetite
- BCM as a Part of ERM
- The BCM Lifecycle
- What Does BCM Guidance Mean for Your Institution?
- BCM Bottom Line
New FFIEC BCP Guidance
The FFIEC just updated its Information Technology Examination Handbook (IT Handbook) booklet on business continuity planning, and it has a new title to match its new outlook: the booklet is now called Business Continuity Management (BCM) rather than Business Continuity Planning (BCP).
What is Business Continuity Management?
What's the difference between BCP and BCM? BCP is about having a plan to recover and resume operations after an unexpected disruption. It covers just-in-case scenarios, ensuring a financial institution (FI) is prepared to respond to an outage or event. BCM goes beyond planning to address the risks and vulnerabilities that threaten resilience in the first place. It emphasizes the risk management side of business continuity: reducing the likelihood and impact of a disruption, not just recovering from one.
As the booklet states:
BCM is the process for management to oversee and implement resilience, continuity, and response capabilities to safeguard employees, customers, and products and services…Resilience incorporates proactive measures to mitigate disruptive events and evaluate an entity’s recovery capabilities. An entity’s BCM program should align with its strategic goals and objectives. Management should consider an entity’s role within and impact on the overall financial services sector when it develops a BCM program.
A New Emphasis on BCM, Governance, and Risk Appetite
As has been the trend in other areas, including risk-focused exams, examiners are expecting FIs to understand how business continuity intersects with other areas of risk management. BCM and continuity risk should be considered when conducting assessments throughout the institution, including functional, departmental, product, and service risk assessments.
That includes considering the institution's risk appetite. Risk appetite is a prominent concept in the new guidance: it is mentioned 10 times, versus once in the previous version.
It's part of an increased focus on governance, a topic that was relegated to an appendix in the previous version but is now front and center. It's not enough for the board to sign off on a business continuity plan to restore operations or to receive reports on how well BCP tests have gone. The board needs to understand continuity risk, that is, the risk that critical products or services might be disrupted.
As with other areas of risk management, BCM needs to tie into an institution's strategic goals and objectives. These, along with risk appetite, are set by the board and executed by management. Specifically, management needs to evaluate and mitigate continuity risk, assess continuity performance, and make changes as needed by maintaining the systems and controls that increase resilience.
BCM as a Part of ERM
Under the new guidance, business continuity isn't relegated to a committee or staff person who develops a plan for the board to sign off on. It's integrated with enterprise risk management (ERM) and is one of the many risks, alongside operational, compliance, financial, transaction, reputation, and other risks, that are regularly assessed.
The guidance leans heavily on common risk management concepts: measure inherent risk, evaluate the effectiveness of the controls that mitigate it, and determine the residual risk that remains. That residual risk is then compared against the institution's risk appetite.
Consider what examiners are looking to accomplish:
- Objective 5: Determine whether management conducts a risk assessment sufficient to evaluate the likelihood and impact of potential disruptions and events.
- Objective 6: Determine whether the entity’s risk management strategies are designed to achieve resilience.
The BCM Lifecycle
What does business continuity management look like in practice? BCM should cover the entire enterprise, addressing what an FI is doing to maintain resilient operations, and it should be integrated into the risk management lifecycle.
The FFIEC booklet lays out the BCM lifecycle as a 10-step process:
- Oversee and implement resilience, continuity, and response capabilities.
- Align business continuity management elements with strategic goals and objectives.
- Develop a business impact analysis to identify critical functions, analyze interdependencies, and assess impacts.
- Conduct a risk assessment to identify risks and evaluate likelihood and impact of disruptions.
- Develop effective strategies to meet resilience and recovery objectives.
- Establish a business continuity plan that includes incident response, disaster recovery, and crisis/emergency management.
- Implement a business continuity training program for personnel and other stakeholders.
- Conduct exercises and tests to verify that procedures support established objectives.
- Review and update the business continuity program to reflect the current environment.
- Monitor and report business resilience activities.
Institutions have flexibility in how they implement the cycle, either through an overarching BCM policy or through individual policies for specific functions. At a minimum, however, BCM policies should address the scope of BCM and the responsibilities within it, accountability, authority, and the guidance needed to develop and maintain an effective BCM program.
Three themes run through the lifecycle:
- The concept of risk appetite as it relates to BCM.
- The use of existing ERM workflows for BCM: examining inherent risk, evaluating controls, and determining whether the resulting residual risk is within tolerance.
- Bottom line: BCM should be handled like every other risk.
What Does BCM Guidance Mean for Your Institution?
The expansion of BCP into BCM shouldn’t come as a huge surprise. The industry has been moving in this direction for years as more institutions adopt enterprise risk management (ERM).
Institutions that have kept pace by implementing ERM programs to identify, assess, measure, monitor, and mitigate risk will be well prepared to integrate the BCM function. They already have the ERM workflows in place, including the ability to examine inherent risk, measure and monitor controls, and determine whether the institution is operating within its risk tolerance.
In fact, they may already be factoring continuity risk into their decisions as a best practice.
Treat business continuity management like any other risk function. Ensure it is regularly assessed, measured, and monitored, with mitigating controls in place and with residual risk reported against the board's stated risk appetite.
If you don't have an ERM program in place, now is the time to develop one. The banking environment is only growing more dynamic and complex, and you need the processes and tools to avoid taking on undue risk.