You’re feeling confident in your business continuity plan. You’ve performed a business impact analysis, identified critical functions, analyzed interdependencies, and assessed impacts—at least that’s what you did last year.
If these past years have taught us anything, it's that good business continuity management means continuously adapting.
No matter how good your business continuity plan (BCP) is or how much heavy lifting you did to put it into place, it needs to be updated regularly. Even if the overarching strategy of the plan remains valid, there’s a good chance at least some details have changed, and those details become very important when a BCP is activated.
Related: What is Business Continuity Management?
Here are a few areas to consider:
New products, services, or lines of business. Did you add new digital banking options during the COVID-19 pandemic to help consumers access your services remotely? Maybe you added small business lending in response to the Paycheck Protection Program.
New locations. Did your institution add a new branch or office? If you’ve added a new location, that information should be integrated into your BCP.
Changed workflows and organizational charts. Were there changes to department objectives, responsibilities, or workflows over the past year that could impact how your institution responds to a crisis? Perhaps new back-up systems were implemented. These should be reflected in your BCP.
Lessons learned. Most financial institutions enacted their BCPs in 2020 when the pandemic struck—and others activated a secondary BCP when disasters like wildfires, tornadoes, or flooding occurred. If your institution learned anything about its BCP and how it can be improved, make sure your plan is updated with any necessary adjustments. While we like to think of the pandemic as a “once in a lifetime event,” the truth is we just don’t know what will happen next and should always be prepared for the unexpected.
Related: 5 Tips For Assessing Your Financial Institution’s Pandemic Performance
Third-party vendors. Did you add, eliminate, or change the role of a critical third-party vendor this year? If so, your plan needs updating. In an emergency, you don’t want to waste time reaching out to a vendor you don’t use anymore and figuring out who at the new vendor to contact.
It’s also important to verify that vendors’ business continuity plans remain effective and up to date. If you discover that a critical vendor has weaknesses in its BCP, you may need additional controls added to your own plan as a stopgap measure. The same is true for new vendors. You need to ensure they have adequate BCPs.
A good vendor management program should play a proactive role in accomplishing this goal.
Staffing changes. Sometimes staff members are replaced when they leave. Other times the role is reinvented and carries new responsibilities. Did someone who plays a key role in your BCP leave your institution this year? Was the organizational structure changed? If the individuals are specifically named in the plan or roles have changed, that needs to be reflected in your plan documents.
Contact information. In an emergency, you may need to contact your staff and vendors. Is all that contact information up to date or did someone change their phone number, address, emergency contact, or other information you’ll need in a crisis? Make sure those changes are reflected in your BCP or you could find yourself scrambling to find a way to contact a key staff member or vendor.
Cyber insurance. Is your cyber insurance coverage still adequate? If your customer base or number of accounts has increased, you may need more coverage.
Communication. Has your institution changed how it distributes information to staff? If your institution has adopted a new intranet solution or other new ways to communicate with staff, make sure the BCP information and training they need is available there.
Don’t be complacent when it comes to business continuity planning. Keep your plan updated so you’re ready for the next big event.
Subscribe to the Nsight Blog
Share this
Third-Party Breach Exposes Treasury Emails—And That May Be Just the Beginning
FS-ISAC Offers Free Cyberattack Exercise
