a new era for business continuity management for community financial institutions

The US banking industry has been a vital part of our nation all the way back to 1780 when the Bank of Pennsylvania was founded by Philadelphia merchants to fund the American Revolutionary War.

Later, merchants in the thirteen colonies needed currency as a medium of exchange and the Bank of North America was opened to address more advanced financial transactions for the new nation.

Banks were also the first stocks traded on the New York Stock Exchange in 1792. 

Trust Is the Heart of the Banking System

The one key element to the success of the banking industry from 1780 to now is that customers and members trust that their monies are safe and that their transactions will be handled on a timely basis by their financial institutions (FIs).

But unplanned disruptions, which could result in the inability of an FI to provide key services on a timely basis, is a perennial and significant threat. These disruptions are a threat to the trust between FIs and their account holders that has usually taken years to build. If customers and members aren’t able to complete transactions or access their funds in a timely manner, those years of trust-building could disappear in a flash. 

That’s where business continuity management (BCM) comes in. BCM is the process in which management develops and implements resilience, continuity, and response capabilities to safeguard employees, account holders, products, and services.

To ensure that banks and credit unions are able to respond and recover operations with effective business continuity plans, the Federal Financial Institutions Examination Council (FFIEC) established business continuity guidelines in 1996. The most recent business continuity management guidelines are in the FFIEC IT Examination Handbook.

Two of the major objectives of the FFIEC BCM guidelines are to provide:

• Examiners with a set of tools and criteria to measure the effectiveness of an FI’s BCM programs.
• FIs with guidelines to build, test, maintain and execute their BCM programs. It also provides FIs with the criteria that their BCM programs will be measured against.

The Evolution of Business Continuity Guidelines

Over the years, these FFIEC guidelines and criteria have evolved. Below is a brief recap of the revisions designed to address changes impacting the financial industry:

• 1996 – Focus on corporate contingency planning.
• 2003 – Addressed advances in technology since 1996, increased concerns with terrorism and lessons learned from Y2K issues.
• 2008 – Enhancements to the Business Impact Analysis (BIA) process, testing and pandemic planning.
• 2015 – Focus on enterprise-wide, process-oriented approach and resilience of outsourced technology services and cybersecurity.
• 2019 – Addressed the linkage of business continuity management to the Enterprise Risk Management (ERM) component of the FI.

Throughout the guidelines’ revisions, the fundamental elements remain the same. However, each revision adds additional elements, and forces FIs to peel the onion even further to demonstrate their level of preparedness.

The recent emphasis to integrate business continuity management into the ERM component is a direct attempt to move business continuity management higher within the strategic planning process. This ensures that the board and executive management recognize the importance of identifying risks associated with unplanned outages and are allocating the proper resources to ensure resiliency. Examiners are increasingly insisting that proof of this integration exists.

A New Era for Business Continuity Planning

All of this introduces a new era for business continuity planning (BCP). Prior to the migration of business continuity planning to business continuity management, BCP was usually addressed as a stand-alone entity and not necessarily integrated into other elements of the Information Security Program that consists of:

• Vendor management
• Risk assessment
• Incident response
• Compliance and reporting
• Security training, etc.

At many FIs, these key elements of information security were handled in silos. Each entity would have to identify and assess specific risks within their element. Not only could the assessment process vary between elements, the results and how they were reported to management could vary (i.e. MS Word, spreadsheets, PowerPoint, etc.) Couple this with a lack of integration between the elements and it’s apparent what dangerous consequences siloed, varied processes could have for management’s risk-based decisions and strategies.

Governance, Risk, and Compliance for Community Financial Institutions

Although integrating business continuity management into the enterprise risk management process presents a challenge, it also presents an opportunity for community FIs to take steps toward enhancing their ERM program by instituting the Governance, Risk, and Compliance (GRC) model.

The GRC model has been successfully used for enterprise risk management in many larger FIs. Now, the GRC model is readily available for community FIs that want to improve the way they manage enterprise risk. 

But the community FI needs a robust governance, risk, and compliance software platform to leverage the most benefits from the GRC model. The software platform provides total integration and automation of business continuity planning, vendor management, risk assessments, incident response, and audit reporting. The benefits of implementing a GRC platform include but aren’t limited to improved collaboration, notable cost savings, reduction of guesswork and gained efficiencies.

I’ve helped customers develop their business continuity plans for over 30 years, and I’m confident that with the combination of the new business continuity management guidelines and the implementation of a GRC platform, community banks and credit unions can reach and maintain the highest levels of enterprise risk management and business continuity management. And that strengthens their Information Security Program significantly. It’s time to see how a GRC platform can benefit your enterprise risk management program.