Do your policies and procedures help to ensure the Operational Resiliency of your organization?
Although COVID-19 is at the top of everyone's mind today, there are many disruptive events such as natural disasters, cyber-attacks, pandemics, and civil disturbances that occur without warning and present significant operational challenges to businesses. As the threat landscape continues to evolve, organizations must demonstrate not only business and operational resiliency but also the ability to adapt quickly to dynamic events that can apply stress to existing plans.
Business Continuity (‘BC’) is a system of prevention, mitigation, and recovery from potential threats to an organization’s people, infrastructure, process, and assets as displayed in Figure 1. Business Continuity Management (‘BCM’) ensures that the organization is prepared to quickly respond to and recover from business disruptive events.
It is vital for organizations to consistently update their documentation for resiliency and recovery strategies and business plans. Maintaining current policies and procedures (‘P&P’) is essential to attaining a firm’s operational resilience. Modern P&P should include components that simplify and enhance resilience strategies in order to comprehensively manage threats and provide transparency into business unit interconnectivity and dependencies.
Does your organization operate with outdated BC P&P that could threaten your ability to operate through a major disruption or prevent your firm from meeting audit and regulatory requirements? Sia Partners' proven methodology considers the specific requirements of your company and highlights potentially significant deficiencies that leave your business vulnerable to operational disruptions. We excel at assisting our clients in assessing their current BC P&P, which includes an analysis of their BC Plans and Tests, technology capabilities, risks, and recovery strategies to ensure they are prepared for the next disruptive event.
The development of P&P for BC programs is based on the guidelines set forth in the “BCM Booklet”, which is one in a series of booklets that comprise the Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook (IT Handbook).
The BCM Booklet is prepared for the use of Auditors and Examiners and defines regulatory and reporting standards for financial institutions. These guidelines have been developed to help an organization identify threats and determine solutions for mitigating the impact of disruptive events. Additionally, the BCM Booklet assists Auditors and Examiners in evaluating whether BC testing demonstrates an entity’s ability to meet its BC objectives, including management’s ability to recover, resume, and maintain operations after disruptive events.
BC P&P will be one of the first documents requested from an organization by an Auditor or Examiner. It must align with applicable U.S. and international regulatory requirements, which require that firms maintain a framework that facilitates activities designed to protect the organization from the impacts of an Event. Financial regulations are summarized below.
| Regulator | Applicable Rule / Guidance |
| --- | --- |
| FFIEC (FRB, FDIC, NCUA, OCC, CFPB) | Business Continuity Management (BCM) Booklet, part of the FFIEC Information Technology (IT) Examination Handbook |
| CFTC | Final Rule Part 23, Subpart J (Duties of Swap Dealers and Major Swap Participants), § 23.603 Business Continuity and Disaster Recovery |
| CME | Rule 983: Disaster Recovery and Business Continuity |
| NFA | 9052: NFA Compliance Rule 2-38: Business Continuity and Disaster Recovery Plan |
| NFA | Rule 2-38: Business Continuity and Disaster Recovery Plan |
| ISO | ISO/IEC 24762:2008: Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services |
| FINRA | Regulatory Notice 18-09: FINRA Updates Designation Criteria to Require Firms Reporting U.S. Treasury Securities to TRACE to Participate in FINRA's Business Continuity/Disaster Recovery Testing |
| FINRA | Regulatory Notice 15-43: FINRA Files Rule with SEC for Authority to Designate Firms for Mandatory Participation in FINRA's Business Continuity/Disaster Recovery Testing, As Required by Regulation SCI |
| SEC | Rule 1001(a)(2)(v) of SEC Regulation SCI |
| FEMA | Disaster Recovery Reform Act of 2018 |
| Basel | Basel II, Basel Committee on Banking Supervision, 2003 |
Sectors for which Sia Partners has a strong regulatory background are shown in Figure 2. Sia’s expertise in more than 30 sectors and services allows us to guide projects and initiatives in Regulatory, Strategy, Transformation, Digital, and Analytics.
A BC policy (‘Policy’) outlines the approach and principles that govern a firm’s BC activities and delineates the responsibilities for the management and coordination of business disruptive events. An Event is an interruption with the potential to impact the normal business activity of the firm’s people, operations, technology, suppliers, and/or facilities. A Policy documents the required governance, monitoring, controls, and reporting, as well as the review and escalation of Events. In addition to governing the BC activities of an organization, including a firm’s global operating affiliates and subsidiaries, a Policy addresses certain aspects of the firm’s responsibilities related to third-party risk and informs all BC procedures.
BC Procedures (‘Procedures’) detail the specific processes and/or operating instructions for carrying out BC strategies that align to the firm’s Policy. The BCM Booklet mandates the following Procedures: Business Continuity Planning (‘BCP’), BC Testing, BC Crisis Management (‘CM’), BC Infectious Disease Preparedness (‘Pandemic Preparedness’), and BC Training and Awareness (‘BC Training’). Additional details for these Procedures are provided in Figure 3.
Sia Partners focuses on actionable strategies aimed at safeguarding against Events. We facilitate coordination among our client’s business units, teams, and leadership to develop firmwide P&P that define the specific responsibilities and processes for enhancing a firm’s operational resiliency.
P&P for BC must be precisely aligned to critical BC functions and stakeholder governance. A successful BC program starts with a set of coherent and actionable P&P that covers well-developed execution strategies plus measurable KPI benchmarks with accepted SLA reaction times for all possible BC Events. Objectives of a project to develop P&P are listed below.
Sia Partners performs a multi-phased Policies and Procedures process. An example of our approach for a client is shown in Figure 4.