A business can never be too prepared for the unexpected. Natural disasters, third-party vendor breaches, and other emergencies can happen at any time and cause serious damage to a financial institution.
In today's article, we take a closer look at what business resiliency is, why it matters to your organization, and how business continuity software can help you better manage your risks.
Business resiliency is the ability of an organization to anticipate, prepare for, and adapt to changing conditions and withstand and rapidly recover from disruptions. Disruptions can come in many forms, such as power outages, data breaches, and system failures.
A business continuity plan (BCP) is a core component of business resiliency; however, it’s not a total solution for financial institutions like mortgage lenders, banks, credit unions, and fintechs.
In June 2019, the Federal Financial Institutions Examination Council (FFIEC) issued new guidance on business continuity planning — expanding its definition and offering additional guidance on topics like cloud computing, enterprise-wide risk management, and supplier management.
In particular, the guidance emphasizes the importance of Business Continuity Management (BCM) and governance. Let’s take a closer look.
Under guidance issued by the Federal Financial Institutions Examination Council (FFIEC), financial institutions have needed to adjust their business continuity mindset to a new reality.
The FFIEC update to its Information Technology Examination Handbook (IT Handbook) booklet on business continuity planning in 2019 gave it a new title to match its new outlook.
What was once called Business Continuity Planning (BCP) is now Business Continuity Management (BCM).
What’s the difference between BCP and BCM? BCP is about having a plan to recover and resume operations after an unexpected disruption. It covers just-in-case scenarios, ensuring an FI is prepared to respond to an outage or event. BCM goes beyond planning to address the risks and vulnerabilities that threaten resilience in the first place. It’s emphasizing the risk management aspect of business continuity.
As the booklet states:
BCM is the process for management to oversee and implement resilience, continuity, and response capabilities to safeguard employees, customers, and products and services…Resilience incorporates proactive measures to mitigate disruptive events and evaluate an entity’s recovery capabilities. An entity’s BCM program should align with its strategic goals and objectives. Management should consider an entity’s role within and impact on the overall financial services sector when it develops a BCM program.
As has been the trend in other areas, including risk-focused exams, examiners are expecting FIs to understand how business continuity intersects with other areas of risk management. BCM and continuity risk should be considered when conducting assessments throughout the institution, including functional, departmental, product, and service risk assessments.
That includes considering the institution’s risk appetite. Risk appetite is a prominent concept in the new guidance with 10 mentions vs the one time in the previous version.
It’s part of an increased focus on governance, a topic that was relegated to an appendix in a previous version but is now front and center. It’s not enough for the board to sign off on a business continuity plan to restore operations or receive reports on how well BCP tests have gone. They need to understand continuity risk, or the risk that critical products or services might be disrupted.
As with other areas of risk management, BCM needs to tie into an institution’s strategic goals and objectives. These, along with risk appetite, are set by the board and executed by management. Specifically, management needs to evaluate and mitigate continuity risk, assess continuity performance, and make changes as needed by maintaining systems and controls to increase resiliency.
Under the guidance, business continuity isn’t relegated to a committee or staff person who develops a plan for the board to sign off on. It’s integrated with enterprise risk management (ERM) and is one of the many risks that is considered along with operational, compliance, financial, transaction, reputation, and other risks that are regularly assessed.
The guidance leans heavily into common risk management concepts like measuring inherent risk and the effectiveness of risk mitigation controls to determine residual risk.
Consider what examiners are looking to accomplish:
What does business continuity management look like? BCM should cover the entire enterprise, addressing what an FI is doing to maintain resilient operations. BCM should be integrated into the risk management lifecycle.
The FFIEC booklet provides a step-by-step look at the BCM lifecycle and its 10-step process. It includes:
Institutions have flexibility in how they implement the cycle, either as an overarching BCM policy or individual policies for functions, but at a minimum, BCM policies should address: scope and responsibilities within BCM, accountability, authority, and guidance to develop and maintain effective BCM.
Business continuity software is a software solution for planning for adverse events that would disrupt the operation of the financial institution. The software facilitates both developing and documenting business continuity management efforts. It also provides backup and recovery for the essential data and systems financial institutions use to do their work.
The components include stating the bank’s essential functions, identifying key systems and processes that need to be sustained in a crisis, and listing details about how to keep them going.
The purpose of the plan is to consider what would happen in an unexpected situation and set up procedures for dealing with that event if it happened. A BCP not only helps the business continue when an emergency strikes, but financial institutions are required to have a business continuity plan.
Business continuity software helps with gathering information for the plan, doing a risk assessment to identify and rate risks, creating a business impact analysis, developing the specific plan, testing the plan, and updating the plan.
Business continuity software uses databases and modules for guiding the financial institution in creating a business continuity plan that meets industry standards and regulatory compliance. It helps with planning for managing emergencies and assists with creating a plan for disaster recovery.
Because financial institutions rely on software to carry out their functions, one task for business continuity software is to provide data backup for the bank. Data is often stored in a private cloud. The software also addresses disaster recovery options and choices.
The software provides tools for analyzing review reports to minimize the impact of adverse situations. It includes features that help a business create and test its BCP. It addresses infrastructure needs as well as organizes software apps and processes for a variety of scenarios. Business continuity software assists with notifying personnel and with compliance testing.
The expansion of BCP into BCM shouldn’t come as a huge surprise. The industry has been moving in this direction for years as more institutions adopt enterprise risk management (ERM).
Institutions that have been keeping pace by implementing ERM programs to identify, assess, measure, monitor, and mitigate risk will be well prepared to integrate the BCM function. They have the ERM workflows in place, including the ability to examine inherent risk, measure and monitor controls, and determine if the institution is operating within its risk tolerance.
In fact, they might already be including continuity risk when making decisions as a best practice.
Treat business continuity management like any other risk function. Ensure it is regularly assessed, measured, and monitored with mitigation controls in place.
If you don’t have an ERM program in place, now is the time to develop one. The banking environment is only growing more dynamic and complex. You need the processes and tools to avoid undue risk.