II.A Board and Senior Management Responsibilities
The board and senior management govern business continuity through defining responsibilities and accountability, and by allocating adequate resources to business continuity.
Examiners should review for the following:
- Alignment of BCM elements with the entity’s strategic goals and objectives.
- Board oversight.
- Management assignment of BCM-related responsibilities.
- Development of BCM strategies.
The board and senior management should set the “tone at the top” and consider the entity’s entire operations, including functions performed by affiliates and third-party service providers, when managing business continuity. Management should evaluate continuity risk, set short- and long-term continuity objectives, adopt policies and procedures to mitigate continuity risk, evaluate continuity performance, and adjust operations in response to test results and actual events.
Note: Most financial institutions have boards of directors; however, not all third-party service providers do. When an entity does not have a board, the senior leaders may have the responsibilities of the board described in this booklet.
Management can strengthen resilience by assessing risk, planning, testing the plans, and incorporating lessons learned from tests and events. Furthermore, management should consider resilience in business functions and the design of new products and services.
Board oversight should include:
- Assigning BCM responsibility and accountability.
- Allocating resources to BCM.
- Aligning BCM with the entity’s business strategy and risk appetite.
- Understanding business continuity risks and adopting policies and plans to manage events.
- Reviewing business continuity operating results and performance through management reporting, testing, and auditing.
- Providing a credible challenge (being actively engaged, asking thoughtful questions, and exercising independent judgment) to management responsible for the BCM process.
Management oversight should include:
- Defining BCM roles, responsibilities, and succession plans.
- Allocating knowledgeable personnel (the term “personnel” includes both permanent and temporary staff) and sufficient financial resources.
- Validating that personnel understand their business continuity roles and responsibilities.
- Establishing measurable goals against which business continuity performance is assessed, such as levels of preparedness and resilience targets.
- Designing and implementing a business continuity exercise strategy.
- Confirming that exercises, tests, and training are comprehensive and consistent with the BCM strategy.
- Resolving weaknesses identified in exercises, tests, and training that exceed the entity’s risk appetite.
- Meeting regularly with a designated coordinator or a business continuity committee to discuss policy changes, exercises, tests, and training plans.
- Assessing and updating business continuity strategies and plans to reflect the current business conditions and operating environment for continuous improvement.
- Coordinating plans and responses with external groups (as described in IV.B, “Communications”).
II Business Continuity Management Governance