may be hard to obtain, and it may be desirable to have some basic supplies
on hand as back up to suffice until federal aid is available.
Primary supplies of the bank’s business forms as well as fuel may be affected,
and replacement supplies unavailable. Basic maintenance and disaster supplies should be maintained at all times such as tarps, duct tape, plywood, etc.
since these items will be in high demand and difficult to obtain for a while.
Military, law enforcement and/or rescue workers will have priority, meaning
they receive fuel and other essentials first so that they can respond to dire needs
in the community. To understand the priority given to a particular financial
institution to restore critical services, check with the specific state’s homeland
security contact. Joining regional coalitions to facilitate critical infrastructure
efforts will help institutions anticipate and address such issues in advance.
Review and Reporting
It is expected that as circumstances and risks change within and without the
institution, the BCP will also undergo metamorphosis. Without a doubt, the
BCP should be reviewed and amended if necessary following any recent cata-
strophic disaster to assure your institution could respond to a similar event.
Management and the Board must review the plan at least annually; the
annual review must include an independent review of the plan.
So, About Those Zombies:
If you think a zombie apocalypse isn’t to be taken seriously, the Centers for
Disease Control and Prevention (CDC) Office of Public Health Preparedness
and Response has a dedicated Zombie Preparedness page at www.cdc.gov/
phpr/zombie/ index.htm. You should probably check it out!
There are a bunch of “online tests” where you can see if you would survive a
zombie attack. Spoiler alert: you probably wouldn’t unless you live in a highly
fortified mountain retreat and know how to hunt, gather, farm, perform serious medical procedures and also are willing to kill zombies and other human
threats. But hey, zombies don’t really need banking services—so, no worries! ■
ABOUT THE AUTHOR
MARGARET “MAGGIE” WEIR, ESQ., CRCM, is an experienced
regulatory compliance and legal professional with more than 25
years’ experience in leadership roles with multiple financial
institutions and consulting groups. Maggie is a practicing attorney
and adjunct faculty for the J.D. and LL.M. programs at Boston
Maggie can be reached at magweirlaw@gmail.com.
Banks must monitor municipal securities
and loans affected by the event, as
government projects may be negatively
affected. Often overlooked is the ancillary
load placed on the institution post-disaster
with insurance and FEMA funds flowing in.
step BIA and creating the BCP. The analysis
that goes into evaluating here allows for
a critical view of essential services and
resources that are shared, an understanding
of the consequences were there to be an
interdependent system or process failure,
and identification of mitigating controls as
well as strategies for recovery. The section
covers three common interdependencies:
telecommunications infrastructure; third-party providers including key suppliers, and
business partners; and internal systems and
business processes.
■ ■ ■ BUSINESS IMPACT ANALYSIS PROCESS—
The appendix outlines the three primary goals
for a BIA: determining the criticality of every
business function, including the impact of the
disruption; estimating maximum downtime
that the institution can tolerate while
remaining viable; and evaluating resource
requirement for resuming critical operations
and interdependencies on the shortest time
horizon. Further, the BIA process is broken
down into four cyclical steps of: 1) gathering
information, 2) performing a vulnerability
assessment, 3) analyzing the information and
4) documenting the results and presenting
recommendations.
■ ■ ■ BUSINESS CONTINUITY PLAN
COMPONENTS—This section is the closest
one will come to a “template” for a BCP.
Of course, the devil is in the details, and
having a solid plan does not ensure a robust
“program!”
■ ■ ■ TESTING PROGRAM—GOVERNANCE
AND ATTRIBU TES—As mentioned above,
tabletop exercises and drills/simulations are
not sufficient for complete testing program.
This appendix is helpful in developing testing
to determine the efficacy of your BCP plan
to effectuate full recovery. You must be
creative and test not only situations that are
“expected” in your area, but also those that
seem remote. Gap analysis is key.
■ ■ ■ LAWS, REGULATIONS, AND GUIDANCE—
This section is regularly updated, and serves
as a source for up to date guidelines and
regulations pertaining to continuity planning.
■ ■ ■ STRENGTHENING THE RESILIENCE OF
OU TSOURCED TECHNOLOG Y SERVICES—
The final appendix of this edition points out
that institutions which depend on third-party
service providers to perform or support
critical operations are still on the hook for
that performance. This is a pretty obvious
concept to all us compliance folk, but this
appendix spells it out for those “others” in the
institution that just don’t believe us when we
say that we are still 100% responsible for the
performance of third-party providers—as is the
focus of the institution’s separate third-party
management program. Further, the FFIEC
emphasizes that the institution should be able
to demonstrate “the ability to recover critical
IT systems and resume normal business
operations regardless of whether the process
is supported in-house or at a third party for
all types of adverse events.” The appendix
discusses four key elements of the BCP here:
1) third-party management, 2) third-party
capacity, 3) testing/validation, and 4) cyber-resilience‚—where the evaluation is specific to
disruptions caused by “cyber events”.
