
Thursday, May 2, 2024

Business Continuity Plan: Insufficient Recovery

QUESTION 

According to the bank examiner, our Business Continuity Plan does not provide “sufficient recovery and resolution planning requirements” to manage stresses caused by system failures during a disaster. The problem is that they did not give us guidelines to determine what constitutes sufficient recovery procedures. 

As a result, I am not sure we will satisfy their expectations. I have had our compliance department and lawyers come up with an outline of procedures, but they keep giving me scenarios, and I am not convinced that just listing scenarios is the way to go. I am our company’s founder and president. I will tell you we have never had a catastrophic system failure caused by a disaster. That’s not to say it can’t happen. And I get it! We need to be ready at all times. 

But I don’t want to go out with only scenarios. I am concerned that this approach is not comprehensive, and, more to the point, I think it will annoy the examiner. I need something that the whole company can integrate into operations. 

I hope you can provide a management approach I can implement in all our departments and divisions. Each department will then work to comply with management’s requirements. I will ask our compliance people to ensure companywide oversight of those requirements. 

What are some steps, an outline, toward managing business continuity during disasters? 

COMPLIANCE SOLUTION 

Business Continuity and Disaster Recovery Plan 

BCP Tune-up

ANSWER 

A credible Business Continuity Plan[i] must consider market and companywide stresses and idiosyncratic risks that can imperil the continuity of a financial institution’s critical operations and core business lines. Indeed, proper planning can reduce the adverse broader impact on the financial system. 

With our BCP Tune-up, we have reviewed the Business Continuity Plans of many companies, so I believe we have a unique perspective on regulatory expectations. Many clients use the BCP Tune-up as a self-assessment tool. Self-assessment is an essential best practice encouraged by most banking departments. Our review is cost-effective, and we provide a report that describes current risks as well as recommendations that help to meet regulatory scrutiny.

Business continuity is inherently linked to disaster recovery. Your company must develop the ability to prepare for, adapt to, and withstand or recover from disruptions. Disruptions may result from external events such as natural disasters, malicious actors, pandemics, or global conflicts, or from weak internal systems, controls, or risk management. Adapting is essential. For instance, we revised our Business Continuity Plan during the pandemic to add an entire section for Pandemic and Epidemic Response. 

Disruptions may impede the provision of services, such as payments, clearing, and settlement, or may adversely affect systems or corrupt data. 

However, the current focus of many banking departments is on exploring baseline “operational resilience” requirements with respect to critical operations, including third-party service providers. 

Such baseline requirements often include the following: 

·       Establishing clear definitions for identifying critical activities and core business lines. 

·       Defining tolerances for disruption, such as disruption caused by cyber-attacks.[ii] 

·       Requiring testing and validation of “resilience” capabilities. 

·       Incorporating third-party risk management expectations.[iii] 

·       Stipulating clear communication expectations among stakeholders and counterparties. 

·       Addressing expectations for critical service providers, with emphasis on governance and risk management. 

A company subject to recovery or resolution planning requirements can leverage the information I'm providing in outline form. You can send it to your departments and divisions for feedback and implementation. In my view, the outline conforms to existing regulations and guidance, and following it should promote sound business continuity management.[iv] 

In your question, you mentioned the term “recovery” was used by the bank examiner. I use that term, in accordance with regulatory guidance, to refer to the restoration of clearing and settlement activities after a wide-scale disruption. I use the term “resumption” to refer to the capacity to accept and process new transactions and payments after a wide-scale disruption.[v] 

I make no claim that the following nine practices are comprehensive. However, the outline may be considered “sufficient” for deriving an overall plan for business continuity and disaster recovery. 

Business Continuity Management 

1)    Business Impact Analysis 

The company’s business continuity management incorporates business impact analysis,[vi] testing, training, awareness programs, and communication and crisis management policies. 

2)    Contingency 

The company periodically reviews its business continuity plan to ensure contingency strategies remain consistent with current operations, risks and threats, its tolerance for disruption, and recovery priorities.[vii] Contingency strategies must align with existing guidance for a company that performs payment, clearing, and settlement activities in critical financial markets.[viii] 

3)    Testing 

The company tests business continuity plans, reviews the execution of tests, and improves plans by incorporating lessons learned. Business continuity tests and exercises incorporate dependencies of critical operations and core business lines on third parties. The company participates in disaster recovery and business continuity testing with third parties associated with critical operations and core business lines. 

4)    Scenarios 

The company confirms that the functional testing procedures used to assess the ability of its IT systems to deliver minimum service capacity to critical operations and core business lines are consistent with its business continuity objectives. Business continuity management also incorporates scenarios in which service capacity and business continuity objectives cannot be met. 

5)    Personnel 

The company identifies and manages the availability of personnel essential to executing its critical operations and core business lines.[ix] The company maintains one or more alternate sites with sufficient resources (including personnel), technology capabilities, and functionality to execute the company's critical operations and core business lines in the event of a disruption.[x] Each alternate site is located at a sufficient geographic distance from the primary site and has a distinct risk profile. 

6)    Remote Access 

Business continuity management includes remote access contingencies that allow personnel to continue delivering the company’s critical operations and core business lines during the disrupting event.[xi] The management of contingencies prioritizes critical operations and core business lines and provides personnel with adequate connectivity, communication, collaboration tools, essential technology resources, and access to network systems. These contingencies incorporate transitioning personnel back to normal operations following the resolution of a disruption.[xii] 

7)    Training 

The company trains essential personnel responsible for executing critical operations and core business lines and performing backup roles should a disruption occur. The company implements an operational resilience training and awareness program to evaluate the effectiveness of personnel-related business continuity arrangements, and the program is continually improved as shortcomings are identified. 

8)    Implementation 

The company’s recovery or resolution planning is integrated into its governance and operating processes and is part of business-as-usual activities, including companywide risk management processes. To ensure sufficient implementation, recovery or resolution planning is understood as complementary to, and linked with, existing risk management and business continuity management processes. 

9)    Interconnections 

The company uses the information in its recovery or resolution plans to identify options for responding to a wide range of severe but plausible internal and external stress scenarios. It similarly uses its identification of interconnections and interdependencies among critical operations, core business lines, affiliates, subsidiaries, and third parties. 

While sound practices prioritize business continuity and disaster recovery for the critical operations and core business lines of a financial institution and its material entities,[xiii] the plan also should identify and address the resilience of other operations, services, and functions for which a disrupting event could have a significant adverse impact on the company or its customers.

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director 
Lenders Compliance Group
_______________________________

[i] For more information, consider the Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook, which includes the booklet Business Continuity Management (November 2019). This booklet describes principles and practices for IT and operations to ensure safety and soundness, consumer financial protection, and compliance with applicable laws and regulations.
[ii] In 2021, the federal banking agencies adopted the Computer-Security Incident Notification Rule to bolster cyber defenses.
[iii] The federal banking agencies have issued interagency guidance on third-party risk management, building on the Office of the Comptroller of the Currency's (OCC) longstanding guidance on the topic.
[iv] Guidance includes SR letter 03-9 and OCC Bulletin 2003-14, Interagency White Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System (April 8, 2003), which outline practices for geographic diversity and resiliency of data centers and operations, as well as recovery and resumption time objectives and related testing standards for firms that perform payment, clearing, and settlement activities in critical financial markets.
[v] Ibid.
[vi] Op. cit. i, Section III.A. Business Impact Analysis of the FFIEC Information Technology Examination Handbook booklet Business Continuity Management describes the business impact analysis process.
[vii] Ibid., Section II.A. Board and Senior Management Responsibilities
[viii] Op. cit. iv
[ix] Op. cit. i, Section IV.A.4 Personnel
[x] Op. cit. i, Section V.C Facilities and Infrastructure
[xi] Operational risk management and independent internal (or external) audit functions should also consider remote access and any other related conditions.
[xii] Op. cit. ix
[xiii] For purposes of this article, I define a material entity as one that is significant to the activities of an identified critical operation or core business line or is financially or operationally significant to the company's recovery from a disrupting event.