Been Through a Disaster? Be Ready to Talk BCP and Risk During Your Next Exam
Examiners can postpone examinations if a major disaster strikes a financial institution, but when exam time finally comes, that institution’s business continuity plans, response, and post-disaster risk management will be major points of discussion and may even impact its CAMELS or ROCA rating.
Assessing Risk After a Disaster
While the guidance encourages examiner flexibility for financial institutions impacted by Presidential declarations of a major disaster, including those with loans or investments in the area, it also recognizes that a disaster changes the risks facing an institution’s earnings, capital, funding, liquidity, operations, and sensitivity to market risk. That is why the agencies expect impacted institutions to conduct initial risk assessments in these areas based on available information and to regularly update them as more is known.
Operational risk assessments “should address the effectiveness of the institution’s operational capability and its business continuity plan. Institution management should be able to explain its review and assessment methodology and demonstrate reasonable progress, given the circumstances.”
BCP Plans and Response
When evaluating CAMELS or ROCA ratings, examiners are instructed to review an institution’s BCP and response plans to determine whether they are practical considering an institution’s business strategy and operations when the disaster has impacted economic and business conditions. “In particular, when assessing the management component, examiners should consider management’s effectiveness in responding to the changes in the institution’s business markets and whether the institution has addressed these issues in its longer-term business strategy and future response plans.”
While examiners may lower the CAMELS or ROCA rating as a result of this assessment, supervisory action may not be needed as long as “the institution’s management has appropriately planned for continuity of operations; implemented prudent policies; and is pursuing realistic resolution of the issues confronting the institution.”
The effectiveness of disaster recovery and business continuity plans will be assessed by how well management can communicate, deal with damage, and restore data and operations.
Financial institutions will be evaluated on how they communicate with employees, customers, and third-party providers before, during and after the disaster. That includes identifying and informing essential personnel where and how they’ll perform operations, addressing how to operate with a less-than-full staff roster, and sharing information. There should be plans for keeping customers in the loop about the institution’s ability to operate and informing third-party service providers and suppliers of the impending event to take preemptive action and then to follow through with the BCP plan.
Dealing with damage
Facilities, equipment and records can all be damaged. The guidance tells examiners to assess how the institution recovers, which includes steps such as:
- Establishing temporary facilities;
- Obtaining replacement equipment and supplies;
- Handling and reproducing contaminated loan files and legal and collateral documents;
- Replacing contaminated cash and coins;
- Handling contaminated safe deposit boxes and their contents; and
- Retrieving and restoring data systems, electronic information, and operational capabilities.
What does this mean for financial institutions? Several things.
- Have an actionable business continuity plan. The plan needs to be accessible, tested and implementation ready. It should have communication and disaster recovery components and management should be familiar with it. Your plan should ensure your institution recovers as quickly as possible.
- BCPs should be accessible. If your institution is relying on manual processes that count on specific employees finding documents or files on specific machines or filing cabinets, you’re adding more risk to an already a risky situation. Management needs to easily find, follow and report on its marching orders and make adjustments as it goes. Make sure you plan is centralized and includes components for reporting.
- BCPs should be updated. BCPs are not a one-time exercise. Your plan should be regularly maintained and updated to keep pace with your institution’s environment so that it will be effective.
- Be prepared to assess and reassess risk. If your institution already has a strong ERM program in place, it should be regularly identifying, assessing, measuring and monitoring risk. Those best practices and systems will be put to good use if disaster strikes. If your institution isn’t yet on board with ERM, this is yet another reason why risk management needs to be ingrained in your culture. Management needs to be prepared to assess the post-crisis landscape and steer the institution, its employees and its customers to safety. Make sure you have tools to analyze and measure risk and identify shortfalls.