The board of directors, along with senior management, is responsible for a bank’s business continuity plan (BCP). The board and management determine provisions for the identification, assessment, prioritization and management of the bank in the event of uncontrollable, non-specific risks (in other words, random events). They also establish polices that set how the bank will manage these risks and develop training programs to ensure that employees understand their roles and responsibilities under the bank’s BCP. Additionally, they subject the business continuity process to independent review by internal and external audit. They periodically test the plan to determine its adequacy and to ascertain gaps that need to be fixed, and periodically review the plan and update it for changes in the bank’s operating environment.

The business continuity process of a bank is no different than the processes to control or mitigate other risks. The words may be different, but the process boils down to:

• What is risk and how will it affect the bank?
• What can the bank do to control or reduce the risk to acceptable levels?
• What information is needed to determine that the risk management process is working or in need of change?

Why Do Banks Have Business Continuity Plans?

Your bank should have a business continuity plan and implement the basic components of the business continuity process to ensure resiliency from uncontrolled, nonspecific events. These events include:

• malicious activities, including fraud, theft, blackmail, sabotage and terrorism,
• natural disasters, such as fire, flood and other water damage, severe weather, air contaminants, hazardous chemical spills, and pandemics, and
• technical disasters, including communications failure, power failure, equipment and software failure, and transportation system disruptions.

The primary focus of BCP is to restore a bank to normal operations following an unpredicted random event. Consequently, attention is directed toward minimizing the impact of the event on your personnel, facilities, utilities, vital records access, hardware/software accessibility, etc., rather than addressing the cause.

For example, weather conditions that can lead to a tornado are well known. However, the old adage, “everyone talks about the weather, but nobody does anything about it,” is particularly relevant here. A bank has no ability to change the factors that can lead to a tornado. Instead, the bank can instead minimize the tornado’s effects on its operations with a good BCP.

Back to top