The all new IT Examination Handbook is more than an update, it’s a complete re-write, and represents a significant change in how the business continuity process is managed. It also has several new expectations regulators will be looking for from financial institutions1. In fact, that is one of the most interesting changes; the term “institution” has been changed to “entity”, and this may prove to be more than simply semantic because entities are defined as
It looks like your critical third-party providers will be expected to meet the same standard you are, and that makes sense, as these providers may be key interdependencies of your internal systems and business processes.
By the Numbers
Before we get into some of the other changes, let’s look at some select differences between the current and previous Handbooks.
Business Continuity Planning Handbook
Business Continuity Management Handbook
|Total Pages||135 pages||85 pages|
|Appendices||10 (A – J)||4 (A – D)|
|“Risk Appetite” references||1||10|
One of the most significant changes is also more than simply semantic. The end result of the planning process is no longer referred to as a Business Continuity Plan (BCP), but more broadly, Business Continuity Management (BCM). Your recovery plan (the traditional BCP) is now simply a sub-section in your overall BCM document.
This leads to perhaps the most significant change; a focus on “resilience” in addition to (and in advance of) your response and recovery efforts. Resilience is defined as
Since most traditional BCPs probably already have detailed recovery procedures documented, the missing piece is the pre-recovery part, the pro-active measures you either already have in place, or can implement, to withstand and/or minimize the impact of a disruptive event. As the guidance states:
One way to measure (and document) resilience is to factor any existing threat-specific measures such as fire suppression, data backups, redundant data circuits, succession plans, alternate vendors, etc. into your net risk/threat impact formula. Simply put, resilience is the difference between the inherent impact of a threat, and the residual impact.
Perhaps the best way to characterize the new approach to business continuity is to look at the recommended development process.
The previous Handbook encouraged institutions to adopt a four-step approach:
- Business Impact Analysis
- Risk Assessment
- Risk Management (essentially, recovery procedures), and
- Risk Monitoring and Testing
The new guidance recommends a slightly different approach:
- Risk Management (Business Impact Analysis, Risk/Threat Assessment)
- Continuity Strategies (Interdependency Resilience, Continuity and Recovery)
- Training & Testing (aka Exercises)
- Maintenance & Improvement
- Board Reporting
What do all these changes mean for your continuity plan? Is it time to start fresh, or can a few simple adjustments bring your current program into alignment with the new guidance? For example, it may be tempting to do a simple word search/replace and change all occurrences of “Business Continuity Plan” to “Business Continuity Management”. But even if your current program is compliant with the 2015 Handbook, simple fixes may miss the spirit of the new guidance unless more substantive changes are made.
Here is a high-level checklist using the structure of the new guidance to help you decide whether a few minor tweaks, or a major re-write is in order.
Answer each question as “Yes, completely,” “Yes, somewhat,” or “No”:
- Have you conducted a formal business process-based Business Impact Analysis (BIA) that identifies all critical interdependencies?
- Does the BIA produce sufficient information to establish the following?
- Recovery point objectives (RPO)
- Recovery time objectives (RTO) for each business
- Maximum tolerable (or allowable) downtime (MTD/MAD)
If you answered more than 5 out of the 9 questions with “No” or “Yes, somewhat” it might be a good time to reevaluate the entire plan. On the other hand, if you are able to respond “Yes, completely” or “Yes, somewhat” to 6 or more, you should be in pretty good shape with only minor adjustments necessary.
All plans, even largely compliant plans, will need some level of adjustment. The good news is that historically it takes time for auditors and examiners to adjust to new regulations, so there should be enough time to make even major adjustments. Use your regularly scheduled 2020 BCP/BCM update sessions as an opportunity to re-visit your program, and be ready to provide all stakeholders (including auditors, examiners, and the Board) with a definitive plan, including timeline, for achieving compliance.
1 The Handbook states at the outset that “This booklet does not impose requirements on entities. Instead, this booklet describes practices that examiners may use to assess an entity’s BCM function.” Regardless, as anyone in the banking industry knows, any standard the regulators deem worthy of use as the basis of assessing an entity’s practices is a defacto requirement!
2 The new Handbook eliminates the separate Pandemic section.