Business Continuity Planning Process
A financial institution's business continuity planning process should reflect the following objectives:
- The business continuity planning process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components;
- Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery;
- Business continuity planning includes the integration of the institution's role in financial markets;
- Business continuity planning should include regular updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing; and
- Business continuity planning represents a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing.
The business continuity planning process involves the recovery, resumption, and maintenance of the entire business, not just the technology component. While the restoration of IT systems and electronic data is important, recovery of these systems and data will not always be enough to restore business operations.
Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery. This enterprise-wide framework should consider how every critical process, business unit, department, and system will respond to disruptions and which recovery solutions should be implemented. This framework should include a plan for short-term and long-term recovery operations. Without an enterprise-wide BCP that considers all critical elements of the entire business, an institution may not be able to resume customer service at an acceptable level. Management should also prioritize business objectives and critical operations that are essential for survival of the institution since the restoration of all business units may not be feasible because of cost, logistics, and other unforeseen circumstances.
Business continuity planning includes the integration of the institution's role in financial markets. Financial industry participants that perform clearing and settlement activities for critical financial markets (core firms) and organizations that process a significant share of transactions in critical financial markets (significant firms) are required to follow interagency guidelines, which are designed to ensure the continued functioning of settlement and clearing activities that support critical financial markets. (Refer to the "Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System," issued by the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Securities and Exchange Commission.) Critical markets include, but may not be limited to, the markets for federal funds; foreign exchange; commercial paper; and government, corporate, and mortgage-backed securities. Based on these guidelines, key financial industry participants are expected to identify activities that support these critical markets, continually maintain their ability to recover and resume critical operations in a timely manner, and routinely use or test recovery and resumption arrangements. Since these organizations participate in one or more critical financial markets and their failure to perform critical activities by the end of the business day could present systemic risk to financial systems, their role in financial markets should be addressed as part of the business continuity planning process.
Financial institutions that do not directly participate in critical financial markets, but support critical financial market activities for regional or national financial sectors, are also expected to establish business continuity planning processes commensurate with their importance in the financial industry. Similarly, smaller, less complex institutions are expected to fulfill their responsibilities by developing an appropriate business continuity planning process that incorporates comprehensive recovery guidelines based on the institution's size and risk profile.
The business continuity planning process should include regular updates to the BCP. The BCP should be updated based on changes in business processes, audit recommendations, and lessons learned from testing. Changes in business processes include technological advancements that allow faster and more efficient processing, thereby reducing acceptable business process recovery periods. In response to competitive and customer demands, many financial institutions are moving toward shorter recovery periods and designing technology recovery solutions into business processes. These technological advances underscore the importance of maintaining a current, enterprise-wide BCP.
Additional industry practices that are commonly used to maintain a current BCP include:
- Integrating business continuity planning into every business decision;
- Incorporating BCP maintenance responsibilities in applicable employee job descriptions and personnel evaluations;
- Assigning the responsibility for periodic review of the BCP to a planning coordinator, department, group, or committee; and
- Performing regular audits and annual, or more frequent, tests of the BCP.
The FFIEC agencies encourage financial institutions to adopt a cyclical, process-oriented approach to business continuity planning. This process-oriented approach will be discussed in the first part of the booklet, with additional information included in the appendices. The four steps in this process include:
- Business impact analysis (refer to Appendix F: "Business Impact Analysis Process" for additional information);
- Risk assessment (refer to Appendix C: "Internal and External Threats," Appendix D: "Pandemic Planning," Appendix E: "Interdependencies," and Appendix F: "Business Impact Analysis Process" for additional information);
- Risk management (refer to Appendix G: "Business Continuity Plan Components"); and
- Risk monitoring and testing (refer to Appendix H: "Testing Program - Governance and Attributes" for additional information).
While this approach is reflected as four steps, the business continuity planning process actually represents a continuous cycle that should evolve over time based on changes in potential threats, business operations, audit recommendations, and test results. In addition, this process should include each critical business function and the technology that supports it. (Refer to the "Interagency Guidelines Establishing Information Security Standards," Board of Governors of the Federal Reserve System, 12 CFR part 208, Appendix D-2, and 12 CFR part 225, Appendix F; Federal Deposit Insurance Corporation, 12 CFR part 364, Appendix B; National Credit Union Administration, 12 CFR part 748, Appendix A & B; Office of the Comptroller of the Currency, 12 CFR part 30, Appendix B; Office of Thrift Supervision, 12 CFR part 570, Appendix B, for additional information.) As such, other policies, standards, and processes should also be integrated into the overall business continuity planning process.