The 2019 FFIEC Business Continuity Management Handbook represented a significant change in how bank and credit union examiners will assess your business continuity planning efforts going forward. Here are 3 concepts to make sure you’ve incorporated into your Business Continuity Management Plan (BCMP):
1. Likelihood and Impact
According to the Federal Financial Institution Examination Council’s (FFIEC) Business Continuity Management Handbook, “management should evaluate the likelihood and impact of disruptive events. Risks may range from those with a high likelihood of occurrence and low impact such as brief power interruptions to those with a low probability of occurrence and high impact such as pandemics. The most difficult risks to address are those that may have a high impact on the entity but a low probability of occurrence.”
Performing a risk assessment helps financial institutions identify all potential risks and classify them based on probability and impact. They should also quantify the impacts and define loss criteria as either quantitative (financial) or qualitative (e.g., impact to customers, reputational impact). However, to assess these risks efficiently, banks and credit unions need to be able to visualize them and plan accordingly. One way to do this is to use a four-quadrant matrix as a scatter plot of the likelihood and impact of every threat.
There are many other ways to do this, but whichever method you choose, examiners expect financial institutions to be able to document both probability and impact, and not only for the high probability and high impact threats, but also for the low probability high impact threats.
Although the Handbook lists Pandemic as an example of a low probability, high impact event, you may want to adjust the probability (and possibly the impact) rating upward based on the COVID-19 event. At this point, it is a certainty that everyone has been impacted somehow.
2. Resilience
Resilience is the ability to prepare for—and adapt to—changing conditions, and both withstand and recover rapidly from disruptions, whether that includes deliberate attacks, accidents or naturally occurring threats or incidents. The first step to resiliency is to identify your proactive measures for mitigating the risk of a disruptive event, such as:
- Off-site repository of software (Data vaulting)
- Appropriate backups of data
- Cloud-based disaster recovery services (as part of a resilience program)
- Off-site/redundant infrastructure (Hardware, data circuits, etc.)
- Third parties (Alternate vendors/suppliers)
- Key personnel (Succession planning)
- Cybersecurity assessment tool
- Annual process of considering changes in inherent risk and how you're evolving in maturity
These are things you probably are already doing. If so, you can use your calculations to show that you already have proactive resilience measures in place.
Make sure to incorporate any adjustments made and lessons learned from the recent Pandemic into your inventory of resilience measures against the next pandemic.
3. Inherent vs. Residual Impact
Although the residual risk rating is often used as the measure of the effectiveness of your risk management program, best practices mandate that management should use inherent risk ratings to guide their recommendations for (and use of) mitigating controls. However, when calculating residual threat impact, you can factor in any existing impact mitigation measures you already have in place. For example, if you use forewarning, duration, and speed of onset to calculate impact, any measures taken to reduce those 3 factors can also reduce your impact rating:
- Example 1: Smoke detector & Fire detection equipment decreases the impact of fire by increasing the forewarning factor
- Example 2: Auxiliary power decreases the impact of a power outage by decreasing the duration factor
- Example 3: Good project management practices decrease impact of strategic risk by slowing the speed of onset factor
This is how you can take advantage of the existing measures you already have in place to decrease the residual impact of an event. You don't have to do anything new, just take into account all of the things you've already done to build resilience into your business continuity plan. Then simply add on where residual risks are still above your risk appetite!
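To make the two ideas above concrete, here is an added worked example (not from the Handbook, the webinar, or any vendor tool) that builds a small risk register: each threat is rated on likelihood and on the three impact factors (forewarning, duration, speed of onset), placed in the four-quadrant likelihood/impact matrix from concept 1, and then given both an inherent impact and a residual impact that credits existing measures, as in the three examples under concept 3. The 1-5 scales, the "mean of the three factors" impact formula, the encoding of a mitigation as points knocked off one factor, the risk-appetite threshold and the sample threats are all constructed assumptions for illustration; the Handbook prescribes the concepts, not these numbers.

```python
import math
from dataclasses import dataclass, field
from typing import Dict, List

# The three impact factors named in the post.
IMPACT_FACTORS = ("forewarning", "duration", "speed_of_onset")


@dataclass
class Threat:
    name: str
    likelihood: int            # 1 = rare .. 5 = near certain (assumed scale)
    forewarning: int           # 1 = ample warning .. 5 = no warning
    duration: int              # 1 = minutes .. 5 = weeks or longer
    speed_of_onset: int        # 1 = gradual .. 5 = instantaneous
    # Existing measures, encoded as points knocked off one factor
    # (hypothetical encoding chosen for this example).
    mitigations: Dict[str, int] = field(default_factory=dict)


def _round_half_up(x: float) -> int:
    # Explicit half-up rounding; Python's round() is banker's rounding.
    return int(math.floor(x + 0.5))


def _score(factors: Dict[str, int]) -> int:
    """Collapse the three factor ratings into one 1-5 impact rating (assumed formula)."""
    mean = sum(factors.values()) / len(factors)
    return max(1, min(5, _round_half_up(mean)))


def inherent_impact(t: Threat) -> int:
    """Impact with no control credited; this is what guides control recommendations."""
    return _score({f: getattr(t, f) for f in IMPACT_FACTORS})


def residual_impact(t: Threat) -> int:
    """Impact after crediting existing measures; each factor floors at 1."""
    return _score({f: max(1, getattr(t, f) - t.mitigations.get(f, 0))
                   for f in IMPACT_FACTORS})


def quadrant(likelihood: int, impact: int, threshold: int = 3) -> str:
    """Place a threat on the four-quadrant likelihood/impact matrix."""
    lk = "high" if likelihood >= threshold else "low"
    im = "high" if impact >= threshold else "low"
    return f"{lk} likelihood / {im} impact"


def assess(threats: List[Threat], risk_appetite: int = 10) -> List[dict]:
    """Residual risk = likelihood x residual impact; anything above appetite needs new controls."""
    rows = []
    for t in threats:
        inh, res = inherent_impact(t), residual_impact(t)
        rows.append({
            "name": t.name,
            "quadrant": quadrant(t.likelihood, inh),   # plotted on inherent impact
            "inherent_impact": inh,
            "residual_impact": res,
            "residual_risk": t.likelihood * res,
            "above_appetite": t.likelihood * res > risk_appetite,
        })
    return rows


# Constructed sample register (illustrative ratings, not real assessment data).
SAMPLE_THREATS = [
    # Handbook's "high likelihood, low impact" example; UPS cannot lower duration below the floor.
    Threat("Brief power interruption", 5, forewarning=3, duration=1, speed_of_onset=3,
           mitigations={"duration": 2}),
    # Example 2 in the post: auxiliary power shortens duration.
    Threat("Extended power outage", 3, forewarning=3, duration=4, speed_of_onset=4,
           mitigations={"duration": 3}),
    # Example 1 in the post: smoke/fire detection improves forewarning.
    Threat("Building fire", 2, forewarning=5, duration=4, speed_of_onset=5,
           mitigations={"forewarning": 2}),
    # Likelihood raised from the Handbook's "low" on the COVID-19 experience, as the post suggests.
    Threat("Pandemic", 4, forewarning=3, duration=5, speed_of_onset=2),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_THREATS):
        print(row)
```

Running it shows the pattern the post describes: the fire drops from an inherent impact of 5 to a residual of 4 purely by crediting detection equipment, the extended outage drops from 4 to 3 by crediting auxiliary power, and only the pandemic ends up above the (assumed) risk appetite, so that is where new controls would be added. The quadrant column uses the inherent impact so that the matrix still reflects what the threat would do without your existing measures.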
For more information, watch our webinar recording, “The New Business Continuity Guidance Requires a Whole New Approach.”