Skip to main content

Business Continuity Policies & Procedures: Protecting Your Organization from Disruptive Events

Do your policies and procedures help to ensure the Operational Resiliency of your organization?

Background

Although COVID-19 is at the top of everyone's mind today, there are many disruptive events such as natural disasters, cyber-attacks, pandemics, and civil disturbances that occur without warning and present significant operational challenges to businesses. As the threat landscape continues to evolve, organizations must demonstrate not only business and operational resiliency but also the ability to adapt quickly to dynamic events that can apply stress to existing plans.

Business Continuity (‘BC’) is a system of prevention, mitigation, and recovery from potential threats to an organization’s people, infrastructure, process, and assets as displayed in Figure 1. Business Continuity Management (‘BCM’) ensures that the organization is prepared to quickly respond to and recover from business disruptive events.

It is vital for organizations to consistently update their documentation for resiliency and recovery strategies and business plans. Maintaining current policies and procedures (‘P&P’) is essential to attaining a firm’s operational resilience. Modern P&P should include components that simplify and enhance resilience strategies in order to comprehensively manage threats and provide transparency into business unit interconnectivity and dependencies.

Does your organization operate with outdated BC P&P that could threaten your ability to operate through a major disruption or prevent your firm from meeting audit and regulatory requirements? Sia Partners proven methodology considers the specific requirements of your company and highlights potentially significant deficiencies that leave your business vulnerable to operational disruptions. We excel in assisting our clients to assess their current BC P&P, which includes an analysis of their BC Plans and Tests, technology capabilities, risks, and recovery strategies to ensure they are prepared for the next disruptive event.

Figure 1

Audit & Regulatory Drivers

The development of P&P for BC programs is based on the guidelines set forth in the “BCM Booklet”, which is one in a series of booklets that comprise the Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook (IT Handbook).

The BCM Booklet is prepared for the use of Auditors and Examiners and defines regulatory and reporting standards for financial institutions. These guidelines have been developed to help an organization identify threats and determine solutions for mitigating the impact of disruptive events. Additionally, the BCM Booklet also assists Auditors and Examiners in evaluating whether BC testing demonstrates an entity’s ability to meet its BC objectives, including management’s ability to recover, resume, and maintain operations after disruptive events.

BC P&P will be one of the first documents requested from an organization by an Auditor or Examiner. It must align with applicable U.S. and international regulatory requirements, which require that firms maintain a framework that facilitates activities designed to protect the organization from the impacts of an Event. Financial regulations are summarized below.

Regulator Applicable Rule / Guidance
FFIEC (FRB, FDIC, NCUA, OCC, CFPB) Business Continuity Management (BCM) Booklet - Comprises the FFIEC Information Technology (IT) Examination Handbook
CFTC Final Rule part 23, Subpart J - Duties of Swap Dealers and Major Swap Participants - 23 603 Business Continuity and Disaster Recovery
CME Rule 983 - Disaster Recovery and Business Continuity
NFA 9052 - NFA Compliance Rule 2-38: Business Continuity and Disaster Recovery Plan
NFA RULE 2-38. Business Continuity and Disaster Recovery Plan
ISO ISO/IEC 24762:2008: Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services
FINRA Regulatory Notice 18-09: FINRA Updates Designation Criteria to Require Firms Reporting U.S. Treasury Securities to TRACE to Participate in FINRA's Business Continuity/Disaster Recovery Testing
FINRA Regulatory Notice 15-43: FINRA Files Rule with SEC for Authority to Designate Firms for Mandatory Participation in FINRA's Business Continuity/Disaster Recovery Testing, As Required by Regulation SCI
SEC Rule 1001(a)(2)(v) of SEC Regulation SCI
FEMA Disaster Recovery Reform Act of 2018
BASEL BASEL II, BASEL Committee on Banking Supervision 2003

Sectors for which Sia Partners has a strong regulatory background are shown in Figure 2. Sia’s expertise in more than 30 sectors and services allows us to guide projects and initiatives in Regulatory, Strategy, Transformation, Digital, and Analytics.

Figure 2

A BC policy (‘Policy’) outlines the approach and principles that govern a firm’s BC activities and delineates the responsibilities for the management and coordination of business disruptive events. An Event is an interruption with the potential to impact the normal business activity of the firm’s people, operations, technology, suppliers, and/or facilities. A Policy documents the required governance, monitoring, controls, and reporting as well as the review and escalation of Events. In addition to governing the BC activities of an organization, including a firm’s global operating affiliates and subsidiaries, a Policy addresses certain aspects of the firm’s responsibilities related to third-party risk and informs all BC procedures

BC Procedures (‘Procedures’) detail the specific processes and/or operating instructions for carrying out BC strategies that align to the firm’s Policy. The BCM Booklet mandates the following Procedures: Business Continuity Planning (‘BCP’), BC Testing, BC Crisis Management (‘CM’), BC Infectious Disease Preparedness (‘Pandemic Preparedness’), and BC Training and Awareness (‘BC Training’).   Additional details for these Procedures are provided in Figure 3.

Figure 3

Sia Partners Approach

Sia Partners focuses on actionable strategies aimed at safeguarding against events. We facilitate coordination among our client’s business units, teams, and leadership to develop firmwide P&P’s that define the specific responsibilities and processes for enhancing a firm’s operational resiliency.

P&P for BC must be precisely aligned to critical BC functions and stakeholder governance. A successful BC program starts with a set of coherent and actionable P&P that covers well-developed, execution strategies plus measurable KPI benchmarks with accepted SLA reaction times for all possible BC events. Objectives of a project to develop P&P are listed below.

P&P Analysis and Planning

  • Research the rules and regulations driving the P&P for a particular industry
  • Gain an understanding of the groups, processes, and stakeholders for a particular organization

P&P Development

  • Develop, enhance, and update the Global BC Policy to meet the regulatory requirements and the business requirements of an organization
  • Write or enhance multiple procedures, including the completion of one in-flight set, that will govern existing or enhanced BC processes and align to the Policy

P&P and the BCM Team

  • Assist in the transition of a Business Continuity Management Group (“BCM”) from a primarily tactical and administrative function to a more proactive Second Line of Defense (“2LOD”) model
  • Segregate the BC Planning (“BCP”) and Crisis Management (“CM”) functions and develop teams that are both globally and regionally aligned
  • Enhance the governance model of the BCM Group and establish new governance, controls, metrics, and reporting within segregated BCP and CM teams

Sia Partners performs a multi-phased Policies and Procedures process. An example of our approach for a client is shown in Figure 4.

Figure 4

Capability