The shift in wording from business continuity planning to business continuity management reflects the changes in customer, regulatory, and industry expectations for the resilience of operations. How will this change affect you? Consider these four questions.
1. Are you resilient?
The word “resilience” appears in the BCM booklet over 100 times, which is more than double in the BCP booklet. According to Presidential Policy Directive 21, “Resilience is the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents.”
In other words: resilience isn’t based on recovery capabilities alone. You have to ask yourself, “Have we incorporated proactive measures for mitigating the risk of a disruptive event in the overall design of operations and processes?” Resilience is an enterprise-wide strategy that should include maintaining security standards and any outsourced activities.
You can expect that examiners will be looking at your institution’s resiliency as a result of how business continuity is managed throughout the organization, not just IT.
2. Are your risk management strategies designed to achieve resilience?
In addition to the traditional elements of your existing business continuity plan, examiners will be looking at the following seven risk management strategies:
- The board and executive management must understand the organization’s continuity risk-appetite incorporated into enterprise risk management, ensuring the plan reflects that understanding.
- A more robust Business Impact Analysis (BIA) estimating the maximum allowable downtime and resource requirements for each critical business unit within the organization (not just IT.)
- Inclusion of applicable elements for Pandemic Planning within the BIA and corresponding sections within the enterprise-wide BCP.
- Annual enterprise-wide training involving all necessary individuals identified during the criticality analysis of the aforementioned BIA.
- A renewed focus on partnerships or third-party interdependencies, such as a managed service provider, energy provider, telecom provider, etc., and vendor management requirements explicitly considered throughout the BCP.
- A more visible integration between the BCP, Disaster Recovery, Incident Response, Backup and Recovery, and the Bank’s overall User Awareness and Information Security Programs.
- Enterprise-wide testing strategy, including technology, business operations, internal and external communications, third-party interdependencies, transportation, telecommunications, etc.
3. Is your Board of Directors involved?
The BCM booklet clearly defines the board’s role in business continuity. Specifically, how business continuity is governed through defining responsibilities and accountability, and by allocating adequate resources to the process. “The board and senior management should set the tone at the top and consider the entity’s entire operations, including functions performed by affiliates and third-party service providers when managing business continuity.”
Does your board:
- Assign BCM responsibility and accountability?
- Allocate resources to BCM?
- Align BCM with your institution’s business strategy and risk appetite?
- Understand the risks and adopted policies/plans to manage events?
- Review business continuity results from reporting, testing, and auditing?
- Provide a credible challenge to management responsible for the BCM process?
- Remember: Accountability begins with the board and flows down to all personnel.
4. Is everyone trained on your business continuity plan?
It’s critical that your training program aligns with your institution’s BCM strategy. You should maintain a list of the current skill sets of all personnel to identify training gaps. Do you have a training program in place to educate stakeholders about the BCM goals and objectives? Have you tailored the training program to each target audience based on their needs? Are you training board members, senior management, business process owners, and frontline personnel? Are you updating the training program as significant changes occur?
Your business continuity plan should be comprehensive yet clear, concise, and easy to implement. It should be effective in the institution’s resiliency in the event of a disruption. Risk management strategies should be adequate enough to achieve resilience. The board of directors’ oversight is key to the success of the BCM. Lastly, a well-conceived and thorough training program tailored to target audiences, including the board of directors, allows for rapid implementation of the plan.
Face 2020 with confidence
Confidence comes when you know what to expect, and you adequately prepare. If you’ve taken the time to reflect on the resiliency of your operations, you’ll feel stronger about your institution in 2020. When you’ve closed gaps in your risk management strategies, involved the board, and detailed your business continuity plan, you won’t just be checking the BCM boxes — you’ll be buffering your organization against a multitude of seen and unseen risks.