Although a bank's risk management process can go a long way in reducing operational risk, there are some operational risks that can't be mitigated, short of permanently closing the bank. To deal with these risks, banks establish business continuity or resumption plans (BCP). The purpose of the BCP is to sustain the bank and its operations in the aftermath of “uncontrollable, nonspecific” events until permanent operations are restored. In the past, these plans were developed primarily in the context of a bank’s information technology and data-processing operations. Today information technology still receives attention. However, increased emphasis is directed toward the entire business of the bank, making business continuity plans an important, enterprise-wide, operational risk management tool.

With a BCP, "the proof of the pudding is in the eating," meaning that the real test for BCP is whether it achieves its intended purpose. To determine its adequacy requires regular testing of the plan. The most comprehensive test is one for the whole bank. A whole bank test takes into account the functional interdependencies among the bank’s many systems, functions and processes. This permits the identification of any gaps in the BCP that need to be addressed that might not otherwise be revealed in a partial test.

The validity of tests as a diagnostic tool depends heavily upon the assumptions made in the test plan. If the assumptions are unrealistic or incomplete, the test results may be incomplete and of limited value, making review of them an important matter.

The business continuity plan should include information regarding the following:

• assumptions regarding contingency work sites, including:
• location
• size,
• communications access,
• road access and
• susceptibility to the same problems that made the bank’s primary site inoperable.
• bank employees, especially the following points:
• key personnel and their responsibilities,
• transportation to the work site,
• impediments to travel that will likely be encountered,
• where they will live if their homes are destroyed, and
• things employees need to do their jobs (such as computer systems, data files, forms, safekeeping, etc.).
• communications with employees, customers and community, such as:
• who speaks for the bank and
• channels through which messages are delivered.

Keep in mind that it is impossible to think of everything. However, the experiences and lessons learned by others can fill in many holes that might not otherwise be identified. For example, click here to review the lessons learned as a result of Hurricane Katrina in 2005.

One related matter that is often overlooked, especially at community banks, is management succession planning. Business continuity plans often include contact information for individuals critical to implementing the policies and restoring the bank’s operations. Unfortunately, outside the context of business continuity planning, the possible loss of key management or critical staff at many banks is seldom discussed. And yet, people retire, become sick, unexpectedly die or take other jobs. “Key-man” insurance can lessen the financial consequences of sudden personnel loss, and cross-training can help reduce its operational effects until a successor can be named. However, they are inadequate substitutes for a formal plan that lays out the process for dealing with loss of a management official.

Succession planning is done to ensure the orderly replacement of bank personnel. It permits a thorough candidate search and thoughtful consideration of hiring alternatives without time pressure to fill a critical job vacancy. Like the BCP, a written succession plan helps mitigate one aspect of operational risk: the people part.

In summary, banks have many ways to control or mitigate their operational risk. Traditionally, banks use their internal controls process to reduce this risk. For risks associated with uncontrollable, nonspecific events, banks use business continuity planning to lessen the impact of these events upon their operations. For risks associate with personnel turnover, they use succession planning.

For more information, review the Business Continuity Plans lesson in the Meeting Materials.