Business Continuity Planning for Banks

The history of business continuity planning for banks and financial crises that inevitably impact banking institutions has taught us that nothing is 100 percent certain or safe. We can come up with analyses and forecasts, but a crisis can strike at any time. It can come in the form of natural catastrophes. Crises can also arise from human-made disasters, such as acts of terrorism, civil war, fraud in various forms and at different levels, cybercriminal attacks, technological failures, human error, and many others.

This is why business continuity planning is such an essential company-wide responsibility. It involves the development of strategies designed to ensure the restoration of critical business processes, as well as the technical recovery of critical information systems integral to such functions during bank-wide service or operational disruptions. It plans for how critical processes, departments, information systems, and business units will work in tandem as a coordinated response to any disruption.

For timely business resumption and recovery, there should be a tightly unified planning process involving each business unit’s plans and roles in the resumption of essential processes. This includes both short-term and long-term disruptions and subsequent recovery operations. Moreover, senior management must set the tone for everyone else that business continuity is an organizational responsibility, and not an information technology (IT) department matter for which only the IT function is liable.

The objectives of business continuity planning

Business continuity planning is essential to all companies during disruptions. In the banking industry, in particular, it aims to accomplish the following objectives:

• To reduce financial loss to the banking institution.
• To ensure customers and financial market participants continue to be served.
• To diminish the negative impact of disruptions on the bank’s reputation, market position, liquidity, credit quality, strategic plans, and operations.
• To maintain the bank’s ability to comply with applicable laws and regulations.

Today, technological innovation and changing internal and external business processes, as well as the emergence of new threat scenarios, require the continuous review and update of business continuity plans.

A bank’s business continuity plan must always take into account regional disasters, and possible staff inaccessibility and losses. This is especially useful in the case of pandemics, such as epidemic-prone diseases like Ebola, influenza, and SARS, which affected several countries. Such outbreaks do not only impact staff availability but also affect customers who may become paralyzed with fear and panic, leading to increased delinquencies, higher internet banking volume, more requests for additional credit, and, at worst, bank runs.

The importance of impact analysis

An essential step in any business continuity plan is a Business Impact Analysis that distinguishes critical from non-critical functions.

A critical function is one whose implication for stakeholders or the extent of damage to the bank is considered unacceptable or disastrous. Moreover, any function that is dictated or required by law is automatically regarded as critical. What are perceived to be acceptable disruptions may be changed based on the cost of establishing and maintaining the necessary business or technical recovery solutions?

Furthermore, impact analysis leads to the identification of each critical function’s recovery requirements. These include the timeframe in which the critical operation is restored after a disaster, the business and technical requirements essential to the recovery of each vital process.

These days, banks have shorter business recovery time objectives compared to just a few years ago. In fact, recovery time for some institutions takes only a matter of hours, minutes, and sub-minutes, depending on the reason for the disruption.

A business continuity plan must also address or take into account market-based and geographic interdependencies since there are now local, national, and global banking networks, as well as infrastructure service providers.

Critical components of a business continuity plan

According to the Financial Industry Regulatory Authority’s (FINRA) FINRA Rule 4370, the elements comprising a member’s business continuity plan are flexible. They can be tailored to the scale and requirements of each member. However, all plans must address the following:

• Data backup and recovery (hard copy and electronic): This encompasses a clear identification of where primary books and records, as well as backup files (hard copy and electronic) of the same, are kept or located. Establishments should also be prepared to provide a detailed description of the data backup and recovery process during major business disruptions.
• All mission-critical systems: What is deemed to be mission-critical systems vary based on each member’s business. For banks, these would include online banking, access to customer accounts, and encryption.
• Financial and operational assessments: These assessments include a record of procedures to be undertaken, allowing for a bank to identify changes in its operational, financial, and credit risk exposures.
• Alternate communications between customers and the firm and between the firm and its employees: These encompass the provisions to be made to ensure an interrupted connection among everyone involved. 
• Alternate physical location of employees: In the case of disruptions, there should be designated alternative sites for employees (this includes key personnel) in the resumption of business operations.
• Critical business constituent, bank, and counterparty impact: This covers the effect significant business disruption can have on a bank’s relationships with other banks, counterparties, and other stakeholders, and how it will address such impacts.
• Regulatory reporting: This should spell out the capability of a bank to ensure compliance with regulatory reporting requirements in the event of business disruption.
• Communications with regulators: This covers how a bank can communicate with FINRA during a significant disruption, and identifies designated business continuity plan contacts with FINRA who will assist in the communication.
• How the firm will assure customers’ prompt access to their funds and securities: Comprises details on how the bank will make funds and securities available to customers in the event of an extensive business disruption.

The business continuity planning process should be a continuously evolving step and bank-wide responsibility. It must be resilient and current to be capable of efficiently responding to changes in business operations and potential threats, and must completely address all audit recommendations and test results.