This Is Not a Drill: Business Continuity Planning Is an Integral Risk Management Tool

The challenges of operating in a banking community, with its sophisticated products, services and integrated technology infrastructure, open the door to risk exposure and the need for recovery from catastrophic events. These events cannot be viewed as once-in-a-lifetime, black swan events. Accordingly, business continuity planning (BCP) is more than a check-the-box exercise.

In every bank’s strategic planning cycle, an operational risk management section should be included with links to risk appetite and associated tolerances by risk category. The link between strategic planning and risk appetite mitigates the risks associated with unpredictable events that can be significant and disastrous. Financial institutions need to execute scenario-based preparedness tests frequently. These tests must be taken seriously so that businesses can respond effectively and efficiently when an event occurs.

Business continuity should be a business-led exercise with strong support from IT, facilities management and other support departments. As the name suggests, business continuity management ensures business continues in the event of a disaster. IT systems, facilities management and other support departments must provide support to the lines of business for a bank to serve their customers’ needs.

Leveraging business continuity for the purposes of resiliency and operational risk management should be a key objective for any bank. Today, banks are operating in an increasingly complex, interconnected and risky world, especially with emerging risks including cybersecurity. Risk triggers can occur anywhere across a bank’s communications and infrastructure networks and platforms. Event triggers occur more frequently and arise from a growing array of sources, such as geo-political, environmental events, market disruptions or infrastructure failures.

The increase of event triggers has renewed banks’ focus on evaluating business continuity strategies more frequently. Additionally, when identified, emerging risks must be assessed thoroughly. Once the assessment occurs, risk mitigation strategies can be discussed and embedded in a business continuity strategy. Regulators and independent third parties expect banks to have business continuity and related activities at the core of their strategic planning and risk governance agendas. Operational and reputational losses, deficiencies and potential damage loom for institutions that do not proactively plan for interruptions that can affect its day-to-day activities.

While the nature of many events that trigger the activation of a business continuity event cannot always be anticipated, there are several lessons learned from prior events that converge into overarching themes.

Two lessons that stand out include:

  • A well-executed business impact analysis (BIA) - The business continuity strategy represents a critical aspect of the BCP and is derived from the information collected during the BIA process. A BIA should strive to identify critical business activities that must continue operation in order to conduct daily business, as well as identify the interdependencies of those activities and key people with other functions. A well-executed BIA will drive a successful recovery strategy through mitigating actions, such as split or rotational processing for any critical business functions.
  • Including a business continuity scenario - A business continuity scenario analysis or tabletop exercise can empower senior executives to respond effectively when an event occurs. Additionally, management can proactively address any business continuity enhancement opportunities.

Every bank’s strategic planning cycle should include operational risk management that contains business continuity strategies and plans. The board and risk committee should review the business continuity plan annually and openly renew its activities to invigorate a deficient program, if needed. The ultimate owner of the plan (senior executive management) should recommit to business continuity activities through visible leadership and involvement, balancing preparedness without appearing alarmist. Reporting business continuity testing results and leveraging lessons learned can contribute to a sustainable business continuity program focused on continuous enhancement and transparency.

The bank’s testing program should leverage the risk control self-assessment (RCSA) process. The program should consider the RCSA outputs (e.g., risks and deficiencies) with potential remedies and options. As banks attribute and reserve capital to risks and deficiencies, incentives should be provided to the user community to prioritize and address them, thus complimenting business continuity program efforts. Executives are responsible ultimately for risk and control functions and should meet to review and consolidate RCSA output to ensure the appropriate issues are escalated to senior management and the board. These meetings should raise the likelihood that those issues pertinent to business continuity will be properly framed since many of these executives work together in BCM efforts.

In addition to the board and senior management participation in the formulation, review and approval of the business continuity strategy, they should receive reports on business continuity activities, both after a high-profile event has occurred and following simulations. These reports should include a discussion with respect to lessons learned. It is recommended that business continuity reporting be done on an exception basis and include but not be limited to:

  1. An executive summary of the business continuity related event(s), the bank’s response and any lessons learned from the experience or intelligence gathered via industry communications;
  2. Any operational losses incurred from the business continuity event(s);
  3. Any adverse trends arising from key risk indicators (KRIs) applicable to business continuity; and
  4. The most important current deficiencies and emerging risks related to business continuity applicable to the bank.

KRIs are important metrics that banks can use to demonstrate how they are measuring and managing risks. Presumably, many KRIs already in place can also be used for business continuity. These may include, but are not limited to:

  • Systems (mainframes, critical applications covering market, liquidity risk information, etc.);
  • Telecommunications (e.g., telephones, cell phones);
  • Facilities/utilities (electricity, air conditioning, health standards, etc.);
  • Risk and key control deficiency remediation statistics applicable to business continuity issues including potential and actual triggers. These should be divided by business lines, functions, regions, outsourced functions, vendors and/or third parties that could cause business continuity program activation;
  • Business continuity simulation participation statistics and testing results; and
  • Business continuity education/training, testing statistics and results.

These KRIs, many of which can be correlated with key controls, should be used to alert senior management and the board to adverse trends. These trends may impact the bank’s ability to manage operational and reputational risks optimally and potential damage arising from business continuity activities.

Considering the increasing complexity and interconnection of risks impacting the banking industry, business continuity program testing should be performed on a frequent basis, which helps the bank in preparation for a real event. The decision regarding whether a bank is prepared adequately must be based upon the professional judgment of a bank’s senior executive management. That opinion should be driven by the ability to meet the bank’s articulated strategy, which has been reviewed with and approved by the board. The results of business continuity tests should be evaluated critically by stakeholders (e.g., senior executive management, enterprise risk management, incident management teams, internal audit) to identify any risks or deficiencies that require remediation. Simulations should be conducted with scenarios constructed to resemble those events that arise from emerging risks in the industry (e.g., power outage, market disruption, liquidity crisis). These simulations should be held in the most serious manner possible without becoming unnecessarily alarmist.

Within the Three Lines of Defense model is internal audit, which plays its usual important independent role, applicable to business continuity. Internal audit holds two important roles in the business continuity program. First, the program should include an audit scope review of the functions responsible for business continuity consolidation and coordination to cover organization-wide requirements. Second, it should examine business continuity preparedness efforts in each of the business lines and functions it audits to provide an independent set of opinions. This will help determine whether the first line of defense businesses are meeting business continuity requirements and properly managing operational (and potential reputational) risks. Regulatory supervisors and other third parties (such as external auditors) rely on these internal independent set of reviews.

In the final analysis, engaging all employees to mobilize their efforts to protect the bank, its customers and shareholders is what drives a successful business continuity program. Regardless of how a bank chooses to operationalize its business continuity strategy, equipping employees to organize their protective efforts is crucial. Once this has been accomplished, a business continuity program can deliver real business value, which is undoubtedly its most important objective.

About DHG Financial Services

DHG Financial Services professionals provide you with in-depth industry knowledge and a wide range of advisory, assurance and tax services to address issues facing your industry in today’s challenging environment. For more information, visit


Jon Tomberlin
Managing Partner, Financial Services
© Dixon Hughes Goodman LLP. All rights reserved.
DHG is registered in the U.S. Patent and Trademark Office to Dixon Hughes Goodman LLP.