II Business Continuity Management Governance
This section provides specific information about BCM governance, including board and senior management responsibilities. General information about governance and risk management is contained in the IT Handbook’s “Management” booklet and the FFIEC members’ examination handbooks.
BCM governance should include:
- Aligning BCM practices with the risk appetite.
- Identifying the continuity level needed, consistent with the operation’s criticality.
- Establishing business continuity policy and plans.
- Allocating resources to BCM activities.
- Providing competent management to implement the program.
- Monitoring and assessing business continuity performance relative to these goals.
Figure 1 depicts a typical BCM cycle that entities may follow to manage business continuity risks on an ongoing basis. To manage these risks, the entity may develop a single encompassing BCM policy or individual policies and plans for different functions, depending on the size and complexity of the entity’s operations. An effective practice for business continuity-related policies is to address, at a minimum, the following areas: scope and responsibilities within BCM, accountability, authority, and guidance to develop and maintain effective BCM.
I Business Continuity Management
II.A Board and Senior Management Responsibilities