IX Board Reporting
The board should establish expectations for management’s business continuity reporting, regularly monitor business continuity and resilience activities, and provide credible challenges to management.
Examiners should review reports and meeting minutes and conduct discussions with management on the following:
- Risk assessment.
- Exercise and test results.
- Identified issues.
- Strategy updates.
- Audit results.
- Metrics, including key risk indicators and key performance indicators for BCM and resilience.
As illustrated in Figure 1, management should report on the status of business continuity to the board, completing the BCM cycle. Reports should include a written presentation providing the BIA, risk assessment, BCP, exercise and test results, and identified issues. Additionally, reports should include regular strategy updates based on changes in personnel, roles and responsibilities, and business operations. The board should monitor business continuity and resilience activities regularly to verify that they are implemented as envisioned and reviewed periodically or as changes dictate. The board should be updated in a timely manner based on lessons learned. Board minutes should reflect business continuity discussion (including credible challenges) and approvals.