Regulatory principles and practices for business continuity management are spelled out in a booklet in the Federal Financial Institutions Examination Council’s IT Examination Handbook. When regulators revised the booklet in 2019, they changed its title from “Business Continuity Planning” to “Business Continuity Management.” The FFIEC said this move reflects the changes in customer and industry expectations for the resilience of operations.
The emphasis on resilience is important. With this word, regulators said they are emphasizing “the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience Pincludes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents.”[1]
What does effective governance of the business continuity management process look like? The FFIEC booklet lists these attributes:
- Aligning business continuity management practices with the risk appetite.
- Identifying the continuity level needed, consistent with the operation’s criticality.
- Establishing business continuity policy and plans.
- Allocating resources to business continuity activities.
- Providing competent management to implement the program.
- Monitoring and assessing business continuity performance relative to these goals.
What is the board’s role in this process? The FFIEC booklet stipulates:
- Assigning business continuity management responsibility and accountability.
- Allocating resources to business continuity management.
- Aligning business continuity management with the entity’s business strategy and risk appetite.
- Understanding business continuity risks and adopting policies and plans to manage events.
- Reviewing business continuity operating results and performance through management reporting, testing and auditing.
Providing a credible challenge to management responsible for the business continuity management process.
[1] National Institute of Standards and Technology definition, as cited by FFIEC.