business continuity plan for banks

• (888) 244-1912
• [email protected]

• Understanding Business Continuity vs BDR: A Guide
• About Invenio IT
• Business Continuity

12-Point Bank Business Continuity Plan Checklist [Updated for 2024]

• May 3, 2023

In the finance industry, disasters are especially dangerous. Disruptions to a single bank’s operations have the power to tarnish the brand and disrupt entire markets. Data loss can compromise the financial information of thousands of customers. To avert these scenarios, a bank business continuity plan must account for every disaster possible, along with the proper protocols for recovery.

• What takes priority after a disaster?
• Who’s in charge?
• What if key stakeholders cannot be reached?
• Who should personnel turn to for answers?
• How will operations be restored, and when?

These are just a few of the questions that a bank business continuity plan must be able to answer – long before disaster strikes.

While there is no one-size-fits-all business continuity plan template for banks, we’ve put together a checklist of areas that every plan should address.

Essential Components of a Bank Business Continuity Plan

__ managerial protocols.

This is the foundation of a bank business continuity plan. It encompasses all of the sections listed below, outlining what needs to happen before, during and after a disruption. This framework will apply to virtually all scenarios, regardless of the type of disaster (natural, manmade or electronic) – or how many bank branches have been affected (just one or over a hundred). Your plan needs to outline:

• Who does the decision-making in an emergency situation?
• What are the mission-critical responsibilities of each executive and manager?
• What are the protocols for personnel in each department?
• Who  needs to do  what to restore operations?

__ Plan Objectives

Since each business continuity plan is unique, every plan must clearly state its scope. This information should be included at the beginning of the plan, so that there are no questions about what the plan covers and what it doesn’t. For example, a single bank might have several different BCPs intended for different business units, and a master plan for the entire company. Each document must therefore identify the specific objectives of the plan.

• What does the plan aim to achieve?
• Is the plan relevant to all bank operations, or specific departments such as IT?
• What is the core purpose of the plan?
• What are the limitations of the plan (if applicable)? Are additional planning documents needed?

__ Risk Assessment

No financial services business can adequately plan for disaster without understanding what those disasters look like. Banks must perform comprehensive risk assessments that identify every possible threat to their operations. These risks can include everything from cyberattacks to electrical outages, followed by detailed descriptions of what they entail and what causes them.

• Which operational risks does the bank face?
• Which threats have the greatest likelihood?
• What are the causes of each threat?
• What are the circumstances? What does each disaster scenario actually look like?

__ Business Impact Analysis

After identifying risks, the next step is analyzing the impact of those events. This is another critical component of a bank business continuity plan, because it uncovers the most urgent threats and enables you to prioritize your planning accordingly. Each operational disruption listed in the risk assessment should be defined by its effects on the bank, including the estimated length of an outage, impact on customer-facing services, financial impact and so on.

• How does each threat actually disrupt the bank’s operations?
• What is the immediate and long-term impact?
• What is the anticipated length of time for each disruption?
• What is the cost? How much money does the bank lose per hour in each scenario?

__ Prevention Strategies

Your bank business continuity plan cannot prevent every disaster. But it can greatly minimize the risks, while also preventing the worst aftermaths. Your plan should identify the steps  you are already actively taking  to prevent operational disruption in a disaster. This section should include disaster-specific scenarios and strategies currently being used to monitor and prevent these risks.

• What technologies are in place to  prevent cyberattacks ?
• What systems are implemented to block malicious files from entering the network?
• How adequate are your data backup and recovery systems?
• Are your bank branches built to withstand various natural disasters?

__ Disaster Response

The longer a bank is shut down, the worse the consequences. Every bank disaster recovery plan template must include the specific actions that need to be taken if operations have been halted. In a BCP or DRP, this is sometimes referred to as “disaster response.” These are the immediate steps following a disruption, which help to assess the situation and determine the best path to recovery.

• How should disruptions be evaluated to determine what actually happened and what happens next?
• Which banking services are the highest priority if limitations are in place?
• What protocols are in place if technological roadblocks prevent access to information systems?
• If staffing has been affected, what are the minimum staffing requirements required to maintain operations?  

__ Recovery Protocols

The immediate response to a disruption does not always translate into a full recovery. So, it’s critical to outline the additional protocols that will be needed to restore operations back to 100 percent. Depending on the type of disaster, this stage may take several days or even weeks. But by defining these procedures in the BCP, banks will be better prepared for every possible disruption and will be able to significantly shorten recovery time.

• What steps should be followed to fully restore operations?
• Which aspects of the business take priority if several operations are disrupted?
• Who will oversee the recovery for each type of disaster? To whom will they provide updates?
• What are the recovery objectives and expectations? How long is each type of recovery expected to take?

__ Data Backup & Recovery Technologies

More than most industries, financial institutions need to be especially aggressive in deploying technologies that thwart cyberattacks and accelerate recovery. Data backup is thus a critical component of continuity planning that needs to be defined in a bank’s BCP. In this section, you’ll identify the implemented technologies for restoring lost data in a variety of scenarios, along with clear recovery objectives. In addition to a bank’s data backup systems, this section can also include any other recovery technologies, such as redundant hardware, network repair tools and so on.

• What is the bank’s primary business continuity & disaster recovery system (BCDR)?
• Which data recovery methods should be used in various scenarios, such as ransomware, accidental deletion or hardware failure?
• What is the bank’s recovery point objective (RPO)? What is the maximum age of the most recent backup?
• What is the recovery time objective (RTO)? How long should it take to recover lost data or systems?

__ Contingencies

In addition to data backup, banks must have a “Plan B” for all other aspects of their operations. Better yet, they should have a Plan C, D and E. This section of the continuity plan should identify the bank’s contingency plans and redundancies for various disaster scenarios. These contingencies can be placed in their own section within the BCP or addressed in each of the other sections. Some example scenarios to consider:

• What happens if the physical bank location was destroyed in a disaster?
• What if  sensitive data was stolen in a cyberattack and held at ransom ?
• What if third-party service providers are unavailable and are disrupting your own operations (i.e. utilities, technology providers, ATM access providers and so on)?
• What if additional hardware is suddenly needed for a branch location? Where will it come from? If it’s already been acquired, where is it being stored?  

__ Training & Education

Employees should receive routine training on disaster prevention, response and recovery. For example, staff should be educated on how to safely use email and Internet, how to spot a phishing attack and what to do in a ransomware attack. This training applies not only to your disaster recovery teams, but to all bank employees, including upper management. In a bank business continuity plan, this section will outline these training programs and objectives in detail.

• What types of training are needed to achieve the bank’s continuity objectives?
• How often does that training occur?
• Who receives the training?
• Who develops and manages it?

__ Methods & Hierarchy of Communications

Imagine a scenario in which telecommunications and other utilities have been knocked offline for weeks. How will managers communicate with personnel, and vice versa, about the status of operations? Even for small disruptions, it’s critical to maintain clear communication between affected stakeholders. Otherwise, recovery will be far more challenging. In this section of the BCP, you’ll outline these communication strategies.

• Which methods will be used to maintain communications after a disaster?
• Which personnel will need emergency devices (i.e. mobile phones), and how will that process work?
• Will the public need to be notified of updates? If so, how, and what information will need to be submitted in a press release? Who will communicate with the press?

__ BCP Plan Writing, Testing and Reevaluation

A bank business continuity plan is a coordinated effort, written and reevaluated by several members of your organization on a regular basis. This is not a job for a single IT person or an executive’s assistant. It should be a comprehensive document that is reviewed and updated regularly. This section of the BCP will thus be devoted to identifying who manages the planning and when it gets updated.

• Who is in charge of maintaining your bank’s BCP?
• How often should it be reviewed?
• Who has access to the document and/or BC management software?
• How will the plan be tested? How will you know if the BCP’s protocols are effective?

When in doubt, always  speak to a business continuity professional.  This checklist is intended only for illustrative purposes to identify the core objectives of a bank disaster recovery plan. A professional will help you build out the most essential components of your plan, based on the specific needs of your business.

What are the most common threats to banks?

Your average consumer might assume that the greatest threat to a bank is a robbery or a devastating natural disaster. After all, these events make the big headlines. But in reality, banks face numerous other threats almost daily, and, in many cases, they are even more destructive. Here are just a few threats that can affect a bank’s operational continuity:

• Ransomware : A ransomware infection can rapidly disable a bank’s IT systems, destroy data and force it to close for days unless backups can be restored quickly.
• Malware & phishing scams : Like most businesses, banks face a barrage of malicious messages that sometimes get past firewalls and spam filtering technologies. This is a near-constant threat that financial institutions must guard against to avoid a potential operational disruption.
• System failure : Technology outages and interruptions are extremely common in the financial services industry. The causes can be anything from hard drive failure to application crashes. When it happens, it can have a far-ranging impact on operational continuity.
• Accidental data loss: Lost and deleted files can cause headaches and productivity losses. While a single lost spreadsheet may not derail a bank’s operations, large-scale data loss from a failed migration or unsuccessful O/S installation can absolutely disrupt the business.
• Service provider disruptions : It’s common for banks to leverage third-party solutions as part of their services, particularly for online banking systems and web applications. When these systems go down, they disrupt the bank’s services and damage its credibility.

Identifying the best data backup for banks

We’ve emphasized the importance of having data backup to prevent operational disruptions from data loss. But which data backup is best for financial institutions?

While there are many factors to consider when evaluating BCDR solutions, there are some core features and functions that most banks should look for. Backup frequency, speed and efficiency are extremely important. Additionally, backups should be reliable and easy to restore.

We recommend the Datto SIRIS because it offers the robust protection and versatile recovery options that today’s financial institutions need, especially in the age of ransomware. Some of the most critical capabilities that separate it from other bank data backup systems include:

• All-in-one solution: fully unified hardware, software and cloud backup
• High backup frequency of up to every 5 minutes
• Hybrid cloud storage (on-prem and cloud)
• Backup virtualization for instant access to protected apps & systems
• Built-in ransomware detection
• Resilient backup process via Datto’s Inverse Chain technology
• Automated backup validation and testing

Additional Resources for Bank Continuity Planning

Given the critical need for continuity planning within the financial services industry, there are numerous federal agencies and ancillary organizations that offer additional planning resources for banks. Some financial institutions are required to maintain continuity plans – particularly investment firms and brokerages, which must comply with the rules of FINRA (Financial Industry Regulatory Authority). While these regulations do not apply to all types of banks, the agency provides detailed recommendations that can be leveraged by virtually any financial institution.

Some helpful resources include:

• FFIEC (Federal Financial Institutions Examination Council) Business Continuity Management Booklet
• FINRA Business Continuity Planning Guidance
• Federal Reserve Business Continuity Guide

Frequently Asked Questions (FAQ)

1. what is the first step in business continuity planning in banks.

Conducting a risk assessment is an important first step in business continuity planning for financial institutions. This assessment identifies the threats that are most likely to disrupt the bank’s operations. In turn, this allows planners to implement systems and procedures that mitigate those risks and ensure a smooth recovery.

2. What are the 5 components of a business continuity plan?

While each plan is unique, every business continuity plan should include the following five components, at minimum:

• Plan objectives
• Risk assessment
• Business impact analysis
• Disaster recovery procedures
• Plan testing

Keep in mind, these five components represent only a fragment of the sections that should be included in a bank business continuity plan. However, together they achieve the most critical objective of the plan: implementing protocols that help to maintain continuity during a disaster and mitigate the impact of known risks.

3) What is the business continuity plan of a bank?

A business continuity plan (BCP) is a planning framework that is designed to prevent disruptions to a bank’s operations. The plan outlines the recovery systems and procedures for a variety of disruptive scenarios, which help to ensure the bank can stay open and continue serving customers during a disaster.

4) What does disaster recovery mean in banking?

Disaster recovery refers to the strategies used by a business to recover from an operational disruption. In banking, these strategies can include IT systems, such as data backup, or step-by-step procedures that should be followed when a disruption occurs to restore a bank’s critical operations.

5) Is business continuity a regulatory requirement for banks?

Some financial institutions are required to maintain business continuity plans in compliance with federal regulations. This is particularly true for investment firms, which must adhere to FINRA’s Emergency Preparedness Rule 4370 , requiring specific procedures for developing and maintaining a BCP.

Business continuity plans are critical for banks to ensure that they can recover quickly from an operational disruption. An effective BCP will include a thorough risk assessment and impact analysis, followed by the systems and procedures for recovering from a disaster. Having a documented plan ensures that a bank is prepared for every scenario, helping it to avert prolonged downtime and maintain operational continuity.

Learn more about business continuity solutions for banks

Get more information on BCDR solutions that can safeguard your bank from data loss and other disasters.  Request a free demo  or contact our business continuity experts at Invenio IT: call (646) 395-1170 or email  [email protected] .

Join 23,000+ readers in the Data Protection Forum

Related articles.

BCDR Faceoff: How Do Datto Competitors Stack Up? What are the Alternatives?

Do you know what makes Datto Encryption So Secure?

The Truth about All Datto SIRIS Models for BCDR

Where’s My Data? 411 on Datto Locations around the Globe

2023 Guide to Datto SaaS Protection for M365 and Google Workspace

Cybersecurity.

© 2023 InvenioIT. All rights reserved.

• Technology Services
• Compliance Services
• Security Services
• Webinar Schedule
• Customer Portal

The Ultimate Guide To Business Continuity Management for Banks and Credit Unions

Regulatory Requirements

• How to Develop a BCMP

Pandemic Planning and Business Continuity Strategy

The importance of integrating vendor management into the bcmp, importance of exercises and tests when updating the bcmp, automating the planning process.

By Tom Hinkel

In November 2019, the Federal Financial Institution Examination Council (FFIEC) updated its BCP IT Examination Handbook and expanded its focus from Business Continuity Planning (BCP) to Business Continuity Management (BCM) . The change makes sense, because “planning” is only one part of the business continuity process. Business continuity management encompasses the entire process by integrating resilience, incident response, crisis management, third-party integration, disaster recovery , and business process continuity.

In the financial industry, community banks and credit unions are required to develop compliant business continuity plans that identify business processes along with their interdependencies that provide resilience to, and recovery from, all potential threats to the financial institution. BCM is designed to help organizations, regardless of their size, location or activity, minimize the impact of disruptions of any kind, natural or man-made, including cyber.

The new BCM guidance represents the first major update since 2015 and calls for all “entities” to rethink their approach to business continuity and be prepared to make appropriate plan revisions to meet these expectations. Entities are defined as depository financial institutions, nonbank financial institutions, bank holding companies, and third-party service providers. The use of this term is significant, as it essentially pulls all interdependencies into the planning process.

With so much at stake, it is important for financial institutions to understand the BCM process and the key requirements to develop the business continuity plan:

• Regulatory requirements relevant to a compliant BCM Program
• How to develop the business continuity management plan (BCMP)
• Pandemic planning and business continuity strategy
• The importance of integrating vendor management into the BCMP
• Steps to effectively update and test the plan
• The benefits of automating the BCM process

  To comply with regulatory expectations, financial institutions are required to focus on an enterprise-wide, process-oriented approach that considers technology, business operations, testing, and communication strategies that are critical to business continuity management for the entire organization, not just the information technology department. Regulations make it clear that institutions need to plan to perform their critical business functions, even if technology may be impaired or unavailable.

Auditors and examiners are also scrutinizing business continuity plans to verify that the institution’s methodology and plan structure closely adhere to the 2019 regulatory guidance. A key change in the guidance is the increased focus on resilience. Resilience is the ability to prepare for—and adapt to—changing conditions and both withstand and recover rapidly from disruptions, whether that includes deliberate attacks, accidents or naturally occurring threats or incidents. Two keys for understanding resiliency are the terms “withstand” and “recover”, with an emphasis on withstanding adverse events . In the past, business continuity planning has been focused more on recovery, but now the FFIEC has placed a heavy focus on resiliency. The ultimate goal is for financial institutions to be more proactive and minimize having to implement traditional recovery measures down the road. When going through the BCM process, resilience must be included from the very beginning of the process to successfully meet regulatory expectations.

How to Develop a BCMP – What to Include in the Plan

  It’s safe to say that most banks and credit unions have some sort of a BCMP in place, yet many struggle with determining what to include in the plan to ensure it is both recoverable and compliant. With the new changes to the guidance, many community banks and credit unions may also be wondering what specific changes they’ll need to make to meet these new expectations.

While each financial institution has a unique operating model based on its services, demographic profile, organizational processes, and technologies, the first step when drafting or updating the BCMP is to have a thorough understanding of all the functions and processes that make up those operations. This process, which we refer to as Enterprise Modeling , involves identifying all departments or functional units, with all associated processes and functions (including all internal and external interdependencies), and determining the team owners and members responsible for each department. Having representatives from each department take an active role in the planning process ensures the technologies and responsibilities for each area are accurately represented. This also helps the financial institution develop a more accurate assessment of its recovery time objectives and actual recovery capabilities. It is not realistic to have a single individual with all the knowledge and unique skill set required to put together a comprehensive BCMP.

A plan should consist of all the steps required to ensure key products and services remain available to customers or members. The BCMP consists of five phases including risk management (Business Impact Analysis, Risk/Threat Assessment); continuity strategies (Interdependency Resilience, Continuity and Recovery); training and testing (aka Exercises); maintenance and improvement; and board reporting.

Furthermore, the BCMP should be a “live” document that keeps pace with any changes in infrastructure, strategy, technology, and human resources. As soon as a plan is board approved, it should be tested, and a new draft plan should be initiated. At any point in time you should have both an approved plan, as well as a live draft to accommodate changes.

  In the past, financial institutions were required to have a separate pandemic plan, but the new FFIEC guidance instead expects community banks and credit unions to assess and manage pandemic risk alongside all other possible disasters. This means the BCM plan is the pandemic plan, and financial institutions must analyze the impact a pandemic can have on the organization; determine recovery time objectives (RTOs); and build out a recovery plan.

As we’ve all learned, pandemic planning is very different from natural disasters, technical disasters, malicious acts, or terrorist events because the impact of a pandemic is much more difficult to determine due to the differences in scale and duration. Pandemics also directly impact financial institution and third-party employees rather than targeting infrastructure or technology-based interdependencies. Cross training and succession planning should be a key part of the pandemic planning process to ensure operations can continue even if key individuals are unavailable.

FFIEC guidance states that the financial institution’s BCMP should include five key elements to address the unique challenges posed by a pandemic event:

• A preventive program including monitoring of potential outbreaks; educating employees; communicating and coordinating with critical service providers and suppliers; and providing appropriate hygiene training and tools to employees
• A documented strategy that provides for scaling the institution’s pandemic efforts to align with the current six-stage CDC framework
• A comprehensive framework of facilities, systems, or procedures that provide the organization the capability to continue its critical operations in the event that large numbers of the institution’s staff are unavailable for prolonged periods
• A testing program to ensure that the institution’s pandemic planning practices and capabilities are effective and will allow critical operations to continue
• An oversight program to ensure ongoing review and updates to the pandemic plan

The vast majority of banks and credit unions today rely on third-party service providers, or vendors, to conduct business on a day-to-day basis. When financial institutions outsource key functions to a service provider, it creates a reliance on that third-party and exposes the institution to the risk of not being able to resume operations within pre-defined recovery time objectives in the event of a disruption. The FFIEC now expects critical third-party providers to be active participants in the BCM program, and it’s likely that regulators will require financial institutions to have a detailed understanding of the resilience capabilities of their core/technology service providers, cloud providers and others moving forward. When creating a BCMP, financial institutions have to account for all interdependent third-party relationships and identify the potential consequences a third-party disruption might have on its operations.

The criticality of the product or service the vendor provides is directly related to the criticality of the dependent process it supports, as identified by the business impact analysis. Some questions financial institutions should consider include:

• How important is this vendor to what we do?
• If they fail, how many of our dependent services would be negatively impacted?
• How challenging would it be to replace this vendor?

Vendor criticality is expressed in terms of Recovery Time Objectives (RTOs) , and each bank or credit union determines and assigns the same RTOs to the third-party vendor as they have to the underlying process they support. In other words, if you’ve identified a two-day recovery time objective for a particular process, any underlying vendors will also inherit that same two-day RTO. In the event that the vendor cannot match your RTO (validated by testing), you must have a contingency plan in place such as alternative procedures or providers to compensate for the gap.

Successfully integrating vendor management and business continuity planning is essential for financial institutions to truly understand their actual recovery capabilities by validating whether or not their third-party providers “have sufficient recovery capabilities” to meet your recovery objectives.

  Exercises and tests are important parts of the process, and in fact, the BCMP is not complete until the plan has been thoroughly tested. The new handbook makes an important distinction between exercises and tests in the BCMP process, defining an exercise as “a task or activity involving people and processes that is designed to validate one or more aspects of the BCMP or related procedures.” On the other hand, a test is often performed “to verify the quality, performance, or reliability of system resilience in an operational environment.” The handbook emphasizes the importance of both exercises and tests to demonstrate resilience and recovery capabilities.

Exercises and testing verify the effectiveness of the plan by validating all recovery time objectives; helps train the team on what to do in a real-life scenario; and identifies areas where the plan needs to be strengthened. In addition, examiners are also verifying that a BCMP has been tested, and the financial institution is able to execute the plan if and when the need arises. Because the financial industry is considered part of the nation’s critical infrastructure, testing, exercises, and training will continue to be a focus going forward.

Every test should start with a realistic scenario drawn from the top threats as identified by the risk management phase of the planning process. Top threats are those determined to have both high impact and high probability ratings. While initial testing of a plan can be relatively straightforward, a bank or credit union should strive to extend the scope and severity of the exercise with each consecutive test by making the tests consecutively more complex and including different individuals. Conducting the very same test with the same participants every year will not satisfy examiners nor will it give your management the assurance they need.

In addition to the senior management and information security roles defined in a plan, the testing team should include key department heads with detailed knowledge of the processes and functions impacted by the scenario. Tests should cover the steps departmental managers must take to complete functions manually or in an alternate way. In addition, all departmental specialists should be included in the exercise and testing program. There are two reasons for that, the first is so they are familiar with alternate procedures in emergency scenarios, the second is to make sure you have backups, or successors, to your primary recovery resources. Succession planning is another hot button item with examiners now because of the pandemic.

While regulators require proof of exercises and testing annually, more frequent testing is indicated whenever a previous test uncovered significant gaps in the plan, or if there are significant internal changes to processes or infrastructure or personnel.

To help streamline this time-consuming process, banks and credit unions can automate repetitive portions of business continuity planning. Automating these activities eliminates the need to update cumbersome spreadsheets and manually copy/paste information from various reports and previous assessments. The 2019 guidance requires a number of changes to your existing plan, some subtle and some significant.

An automated BCP solution will also help guide banks and credit unions through the entire BCMP process, assuring that all required elements are included as they are necessitated by regulatory guidance changes. Automating the planning process makes it easier and much less time-consuming to perform annual plan updates by allowing static portions of the plan to carry forward, while incorporating changes wherever necessary. Any automated solution should also allow you to identify all material plan changes from year-to-year, so management and board approval is easier.

  Business Continuity Management is a critical process for banks and credit unions regardless of size and location, and the plan is central to that effort. To streamline the planning process, financial institutions should integrate business continuity into all business decisions; conduct periodic reviews of the plan; and perform regular testing. Everyone in the organization — from the tellers to the Board — should understand the importance of business continuity planning and how his or her unique role fits into the financial institution’s overall business continuity strategy.

Be the first to hear about regulatory guidance and industry trends

• +1 (800) 826-0777
• VIRTUAL TOUR
• Mass Notification
• Threat Intelligence
• Employee Safety Monitoring
• Travel Risk Management
• Emergency Preparedness
• Remote Workforce
• Location and Asset Protection
• Business Continuity
• Why AlertMedia
• Who We Serve
• Customer Spotlights
• Resource Library
• Downloads & Guides

BCP in Banking — 12 Steps to Disaster-Proof Operations

How will a disaster impact your business? What financial hit will your organization suffer? And how quickly can you recover? Take steps now with business continuity planning.

• 4 Phases of Crisis Management
• Build a BCP for Stability and Resilience
• Improving Your Business Continuity Plan

Financial institutions, including banks, credit unions, accounting firms, and loan offices, are all vulnerable to security breaches, unforeseen emergencies, and operational disruptions. With millions—or potentially billions—of dollars at risk, there is a critical need for business continuity planning. Well-detailed and regularly tested BCP in banking can help you protect customers and employees while maintaining critical operations.

The Four Phases of Crisis Management for Banks

Business continuity planning, or BCP, in banking must address all the threats a financial institution faces. Severe weather events like hurricanes, tornadoes, blizzards, and wildfires can disrupt physical locations. Digital threats and cyberattacks put customer privacy and critical information systems at risk. Operational disruptions, economic downturns, regulatory changes, and the impacts of the pandemic further underscore the need for an effective business continuity plan for banks.

Crisis management follows four stages: mitigation, preparedness, response, and recovery.

A business continuity plan for financial institutions focuses on the risk mitigation and preparedness stages. You will review your exposures, threats, and risks as you learn how to prepare for them.

Download Our Business Continuity Checklist

Achieve stability and resilience with a bcp in banking.

The need for robust business continuity strategies has taken center stage in an era marked by anticipated and unforeseen disasters. But beyond the planning, everyone from frontline employees to senior management must be on board with the plan and understand their parts in supporting business continuity. These twelve steps to BCP in banking will help you prepare, beginning with a thorough evaluation of your risks and leading to training and implementation once a version of the plan is complete.

For a more comprehensive, guided business continuity checklist, download our resource here . 

1. Complete a business impact analysis 

How will a disaster impact your business? What financial hit will your organization suffer? And how long will business recovery take? The first step in BCP in banking is to address some critical questions with a business impact analysis. You’ll want to thoroughly understand what a disaster means in the context of operational resilience .

Here are some key actions of your business impact assessment:

• Define critical business functions : This is important for prioritizing your financial institution’s resources and determining the costs associated with downtime. If your organization is open to the public (such as a bank), you’ll want to consider the impact on customers and proactive solutions for mitigation.
• Calculate downtime costs : Depending on the specific nature of the emergency, operations could be halted for hours, days, or even weeks—like with catastrophic damage due to a major hurricane. It’s essential to evaluate a range of financial consequences.
• Determine legal impact : With any disaster, there are inevitable regulatory considerations to address. Customer and data privacy will be a top concern for financial institutions’ business continuity. If you relocate any facilities, you’re required to notify the organization’s primary federal regulator.

You’ll also want to review each department’s vital needs for your business impact analysis . You might ask: Does my organization have the necessary specialized equipment/software? How will I notify my people if internet access is unavailable? And what communication system will I need to facilitate recovery?

2. Complete a risk assessment

One essential component of business continuity management is understanding the risks unique to your industry and specific to your organization. Threats can come in various forms: malicious activity targeting your employees and customers, a technical disruption, or a natural disaster beyond your control. Establishing a scale of anticipated threats helps evaluate the severity of the risk. A low-impact threat might be a temporary power outage, whereas an active shooter scenario or wildfire could have serious business repercussions.

The risk or threat assessment should consider the following:

• Internal and external danger to personnel, facilities, and service providers
• Business disruption due to natural, technical, and human threats
• Vulnerability of critical processes and vital data/records
• Probability of occurrence (use a rating system)
• Impact of a scenario on your people, business, and customers

Effective business continuity plans should consider your facilities’ geographic locations. Close proximity to a flood plain or critical infrastructures (e.g., airports, highways, nuclear power plants) can affect your organization’s risks.

3. Inventory internal resources 

Identify the resources you need to support operations during an emergency, including personnel, information technology and infrastructure, operational resources, and procedural resources.

Categorizing those items and alternative solutions will ensure you have the people, processes, and equipment needed to continue operations despite a disaster. 

4. Create an emergency communications strategy 

The first part of an emergency communications plan is detecting potential threats. Consider using a threat intelligence solution to stay on top of emerging critical events so you can prioritize time-sensitive notifications to employees and other stakeholders. 

When your threat intelligence is integrated with your employee communication software , you can ensure safety, security, and business continuity. Look for a communication solution that meets the following criteria:

• An intuitive interface: This feature will make it easier for anyone to send out critical information.
• Two-way messaging: This lets your people reply with real-time status updates. 
• Wellness checks: You can conduct quick surveys of employees to check if they’re safe or need assistance.
• Geofencing: This location-based feature allows you to group recipients based on who might be in close proximity to (or in the path of) a disaster
• Always available: A disaster can occur any day, at any hour. Your communications software should always be prepared. 

With the right supportive software, it’s easier to establish a strong employee communications plan to keep your workers up to date and on task, even during disaster response and recovery. 

5. Develop your backup plan 

In financial services, the recovery point objective–the point, as measured in time, where data loss exceeds what is acceptable–is very short. Your core data underpins dozens of processes and tasks, particularly in today’s real-time tracking environment where using even slightly outdated data is impractical.

In the case of banks and financial institutions, data backup should occur at frequent intervals, ideally every few minutes. Automated tools support this seamless process without disrupting business operations. Employing both incremental backups—which capture only newly created or changed data every few minutes—and full backups every few hours helps eliminate the risk of data loss.

Finally, evaluate your offsite data storage. If a natural disaster takes out your building, you’ll be glad to have a backup server system at an alternate site in an unaffected location. Also, establish a backup power source and arrangements for recovery teams in case of situations where primary work locations are inaccessible. 

6. Document the business continuity strategy 

In this step of the BCP process, you’ll produce a written business continuity plan to disseminate across your organization. Based on the insights you’ve gained from your business impact and risk assessments, you should have a wealth of information to consolidate into a single document.

Within your disaster recovery plan , clearly define roles and responsibilities and contact information for key stakeholders/emergency team members. This action will ensure you’re ready to notify your people, especially if you have an intuitive employee notification system in place.

Preparing for worst-case scenarios is also a best practice that will help your business weather even unforeseen disasters. You should also have contingency plans in place for common problems:

• Key personnel are not available
• Facilities are inaccessible
• Equipment malfunctions
• Software is corrupted
• Service providers are unavailable
• Utilities (power/communications) are down
• Critical documentation is not available

A note of caution: If your business has more than one location, you’ll need to prepare for potential damage/disruption to multiple facilities.

The more you can plan for, the better you’ll be able to weather various disasters and maintain business continuity.

7. Share the plan

You don’t need to flood employees with information about your disaster response plan. Giving them too many details can overwhelm them. It can also make retention challenging, and they may not be prepared during an emotionally charged disaster. Focus on

• Communication: First and foremost, make sure employees know how to receive emergency messages and how to respond. 
• Safety protocols: Clearly establish evacuation routes, fire drill procedures , and assembly points to get people to safety. 
• Leadership: Employees should know who to go to in an emergency, whether that’s a team leader, supervisor, or designated safety captain.  
• Critical tasks: Finally, notify anyone responsible for critical tasks during a crisis, making sure their roles are clear. Be sure to also notify people who are designated as backups in case the primary team members are unavailable.

Keeping it simple will allow your employees to retain this information during a disaster. Of course, all members of your safety team should have complete copies of the plan and should also participate in the next stage. 

8. Complete informal testing 

Test your business continuity plan at least once a year to ensure it covers all the bases and contingencies to avoid operational disruptions. But it’s a good idea to test segments of your plan more often with informal drills and tabletop exercises . You can conduct these exercises in a conference room or other low-stakes environment to have key parties “walk through” scenarios and test response plans. These exercises also serve as training to enhance preparedness.

The informal approach lets you test various disaster response plans without the disruption of a full-scale drill. Tabletop exercises are also a good opportunity to inject unexpected scenarios, so your team and your plan can adapt. Consider your geographic area and any risks related to your industry, and prioritize testing the disaster plans most likely to occur.  

9. Conduct formal testing and drills

An emergency drill tests your business continuity plan in a realistic environment. Conducting one of these at least annually and involving all critical stakeholders will help you prepare for the unexpected and protect your business and staff. 

The steps for running a full-scale drill are similar to those of a tabletop exercise, though they are more involved because you are conducting an actual simulation. A drill typically includes the following components: 

You will set goals to determine if your business continuity plan is successful. Some examples of goals might be achieving a 24-hour timeframe for resuming critical operations or maintaining customer satisfaction levels during a business disruption.

Participants

Every full-scale drill requires the involvement of all key stakeholders. These individuals will fit into one of four categories: facilitator, evaluator, observer, and participants.

A realistic scenario starts the activity. The facilitator will introduce the scenario to the group, including details such as the type of disaster, its location, the extent of its impact, and the specific challenges it poses. It is designed to immerse participants in a lifelike situation, prompting them to respond as they would in a genuine disaster.

An informal debrief or hot wash may occur following the disaster drill to capture immediate impressions and insights. All of this information will be documented for the next part of your continuity planning strategy: the after-action review.

10. Complete an after-action review 

An after-action review will allow all the stakeholders involved in your drill to share their impressions and gain feedback. This process is designed to answer four key questions: 

• What were our goals?
• What were our results?
• What did we do well?
• What could we do better?

You should involve all key stakeholders in this review and encourage frank, open discussion about how the drill unfolded. It may be helpful to anonymize feedback opportunities, like through anonymous surveys, to make individuals more comfortable with sharing. 

You can also use data from incident tracking software, communication logs, and participant feedback surveys to comprehensively understand the drill’s strengths and areas needing improvement. You can compile this information into an after-action report that you will use to document your findings and fix vulnerabilities. 

11. Fix vulnerabilities

Once you complete your after-action review and report, decide how to act on any vulnerabilities in your BCP, prioritizing them based on their severity and potential impact. Then, you will develop strategies for mitigation. These strategies may include updating or revising plan elements, investing in technology or infrastructure improvements, enhancing staff training, or refining a crisis management plan . 

This is an ongoing, continuous process. The threats to your business will change, and you’ll need to regularly assess their impact, kicking off the business continuity planning process all over again. 

12. Share your results

Finally, share your results and celebrate your wins with your team. Much like sharing the plan, you don’t have to give them all the details. Hit the high points and discuss areas of concern. 

You will also want to have internal reviews with key parties to provide an opportunity for feedback, learning, and continuous improvement. This collaborative approach fosters a culture of resilience. Everyone understands their role and actively safeguards the business during challenging times.

Financial firms face unique challenges when it comes to business continuity and disaster recovery . BCP in banking is your method of managing security threats, compliance requirements, and potentially catastrophic economic loss. Of course, maintaining business continuity isn’t just about recovering technology and assets. Above all, it’s about keeping your people safe, informed, and connected.

More Articles You May Be Interested In

Business Continuity Checklist

Please complete the form below to receive this resource.

Check Your Inbox!

The document you requested has been sent to your provided email address.

Cookies are required to play this video.

Click the blue shield icon on the bottom left of your screen to edit your cookie preferences.

Business Continuity Plan in Banks: Ensuring Uninterrupted Operations

February 1, 2024

A Business Continuity Plan (BCP) in banks is a strategic framework that ensures uninterrupted operations and service delivery during and after a disaster or crisis.

Banks need to remain resilient during crises and comply with regulatory requirements . A comprehensive BCP will include strategies for risk mitigation , preparedness, quick recovery from operational disruptions , and maintaining critical functions.

It often involves reviewing exposures , identifying critical business functions, and preparing for various scenarios, including natural disasters, cyber-attacks, or any event that could significantly impact the bank’s ability to operate.

An effective BCP in banking focuses on maintaining, resuming, and recovering business operations, including the technology infrastructure critical for day-to-day functions.

A bank’s BCP process should reflect objectives that align with regulatory expectations and best practices to ensure the institution can continue to provide essential services to its customers, even in adverse conditions.

This includes having a checklist, tips for creating a robust plan and addressing frequently asked questions to guide banks in developing their own BCP strategies ( AlertMedia , FDIC ).

Banks are essential to the global economy, and their operations must be resilient to disruptions. As such, business continuity planning (BCP) is a critical aspect of the banking industry.

A business continuity plan for a bank is a comprehensive set of procedures and strategies that aim to ensure that the bank can continue operating in the event of a disruption.

A business continuity plan in banks is designed to identify potential disruptions and outline the steps that must be taken to mitigate their impact. The plan should address various scenarios, including natural disasters , cyber-attacks, pandemics, and other events that can cause significant disruptions to the bank’s operations.

The BCP must also consider the bank’s critical functions, such as payment processing, customer service, and data management , among others.

Key Takeaways

• Business continuity planning is crucial for banks to ensure their operations can continue in the event of a disruption.
• A business continuity plan must identify potential disruptions and outline the steps that must be taken to mitigate their impact.
• The plan should address various scenarios, consider the bank’s critical functions, and comply with regulatory standards.

Understanding Business Continuity Planning

Concept of business continuity.

Business Continuity Planning (BCP) is the process of creating a strategy to ensure that essential business functions continue to operate during and after a disaster or other disruptive event.

The goal of BCP is to minimize the impact of the disruption and to ensure that the organization can continue to operate with as little disruption as possible.

Business continuity plans typically identify the critical business processes and the interdependencies between them. They also outline the steps that need to be taken to ensure that these processes can be restored quickly and efficiently in the event of a disruption.

This includes identifying the resources that will be needed, such as personnel, facilities, and technology.

Importance for Financial Institutions

Business Continuity Planning is particularly important for financial institutions like banks and credit unions. Regulators require these institutions to have a BCP in place to ensure that they can continue providing essential services to their customers during a disruption.

The impact of a disruption to a financial institution can be significant in terms of financial losses and damage to reputation.

A well-designed and tested BCP can help to minimize these risks and ensure that the institution can continue to operate with minimal disruption.

Business Continuity Planning is a critical process for financial institutions to ensure that they can continue to operate in the event of a disruption.

By identifying critical business processes and interdependencies and outlining the steps needed to restore them, financial institutions can minimize the impact of a disruption and ensure that they can continue to provide essential services to their customers.

Key Components of a Business Continuity Plan

A Business Continuity Plan (BCP) is a comprehensive plan that outlines an organization’s procedures and strategies for recovering from significant disruptions.

For banks, a BCP is essential to ensure that they can continue to provide services to their customers and maintain their reputation in the market.

Business Impact Analysis

The first step in developing a BCP is to conduct a Business Impact Analysis (BIA). A BIA identifies the bank’s critical functions and the potential impact of disruptions to those functions.

It also identifies the resources required to recover those functions. A BIA helps the bank prioritize its recovery efforts and allocate resources effectively.

Recovery Strategies

Once the BIA is complete, the bank can develop recovery strategies to address the potential disruptions identified in the analysis.

Recovery strategies should include procedures for restoring critical functions and systems and plans for communicating with customers, employees, and other stakeholders.

Plan Development and Documentation

The final step in developing a BCP is documenting the plan and procedures. The plan should be comprehensive and easy to understand, with clear instructions for each recovery process step.

It should also include contact information for key personnel and vendors and backup plans in case the primary recovery strategies are ineffective.

A well-developed BCP is critical to ensuring that a bank can continue to provide services to its customers and maintain its reputation in the market.

By conducting a thorough BIA, developing effective recovery strategies, and documenting the plan and procedures, a bank can be confident that it is prepared to recover from significant disruptions.

Operational Resilience in Banks

Banks must have a Business Continuity Plan (BCP) in place to ensure that they can continue to provide essential services to their customers in the event of a disruption.

However, in recent years, regulators have expanded the scope of BCP to encompass all aspects of resilience, including operational and cyber resilience . This shift has led to the development of the Operational Resilience (OR) concept in banks.

Technology and Infrastructure

Technology and infrastructure are critical components of OR in banks. Banks must ensure that their IT systems and infrastructure are resilient and can withstand disruptions.

This includes having redundant systems in place, ensuring that backups are regularly tested and updated, and having a disaster recovery plan .

Banks also need to ensure that their staff are trained in the use of the IT systems and infrastructure and that they are aware of the procedures to follow in the event of a disruption.

This includes having clear communication channels in place, both internally and externally, and having a system for reporting and tracking issues.

Financial Services Continuity

Financial services continuity is another key component of OR in banks. Banks need to ensure that they can continue to provide essential financial services to their customers in the event of a disruption.

This includes having contingency plans for critical business processes, such as payment processing and account management.

Banks also need to ensure that their staff are trained in the procedures to follow in the event of a disruption, and that they are aware of the importance of maintaining financial services continuity .

Operational Resilience is a critical component of the Business Continuity Plan in banks. Banks need to ensure that their IT systems and infrastructure are resilient, that their staff are trained in the procedures to follow in the event of a disruption, and that they have contingency plans for critical business processes.

By doing so, banks can ensure that they can continue to provide essential services to their customers in the event of a disruption.

Risk Management and Impact Analysis

Banks are exposed to various risks resulting in financial loss , reputational damage, and legal liabilities. Therefore, risk management is a critical aspect of business continuity planning .

The following are the two main components of risk management and impact analysis:

Identifying and Assessing Risks

The first step in risk management is to identify and assess potential risks that can disrupt the bank’s operations. This includes internal and external risks, such as cyber-attacks, natural disasters, power outages, and human errors.

Banks can use various techniques, such as risk assessment matrices , scenario analysis, and historical data analysis, to identify and prioritize risks .

Conducting Business Impact Analysis

Once the risks are identified and prioritized, the next step is to conduct a business impact analysis (BIA). A BIA assesses the potential impact of a disruption on the bank’s critical business processes and functions.

It helps banks identify their recovery time objectives (RTOs) and recovery point objectives (RPOs) for each critical process.

Banks should identify the interdependencies between their critical processes and functions during the BIA. This helps to ensure that the recovery of one process does not depend on the recovery of another process.

Banks should also identify the resources required to recover critical processes, such as personnel, technology, and facilities.

Risk management and impact analysis are critical components of business continuity planning for banks. By identifying and assessing potential risks and conducting a BIA, banks can develop effective strategies to mitigate the impact of disruptions on their critical business processes and functions.

Testing and Maintenance of BCP

Business Continuity Plan (BCP) is essential to any bank’s risk management strategy . Testing and maintaining the plan is crucial to ensure the bank is prepared for any unexpected event.

This section will discuss the importance of regular testing procedures and updating and improving the plan.

Regular Testing Procedures

Regular testing procedures are essential to ensure that the BCP is effective and can be implemented promptly and efficiently.

Banks should test their BCP at least once a year to identify any weaknesses and areas for improvement. The testing process should involve all relevant stakeholders, including senior management, IT staff, and other key personnel.

The testing process should include a range of scenarios, including natural disasters, cyber-attacks, and other potential threats.

Banks should also measure the effectiveness of their BCP against predefined metrics to ensure that the plan meets the required standards. The testing process results should be documented and reviewed by senior management to identify any areas for improvement.

Updating and Improving the Plan

BCP is not a one-time exercise, and banks should regularly update and improve their plan to ensure it remains effective.

Banks should review their BCP at least once a year to identify any changes in the business environment and update the plan accordingly. This includes changes in the bank’s operations, IT infrastructure, and regulatory requirements.

Banks should also identify any weaknesses in their BCP and take steps to improve the plan. This may include updating the plan to include new processes, technologies, or procedures. Banks should also ensure their staff is trained to implement the updated plan effectively.

Testing and maintenance of the BCP is essential to ensure that banks can respond effectively to unexpected events. Regular testing procedures and updating and improving the plan are crucial to ensure that the BCP remains effective and meets the required standards.

Training and Awareness

Banks must have a comprehensive training program to ensure that all personnel know the business continuity plan and their roles in its implementation.

This training program can include both online and in-person training sessions and regular drills and exercises to test the plan’s effectiveness.

Employee Training Programs

Employee training programs should cover the following topics:

• The purpose and scope of the business continuity plan .
• The roles and responsibilities of each employee in the event of a disruption.
• The procedures for activating the plan and contacting key stakeholders.
• The communication channels that will be used during a disruption.
• The steps that must be taken to resume normal operations.
• The importance of maintaining accurate and up-to-date contact information.

Training sessions should be tailored to each employee’s specific roles and responsibilities.

For example, IT personnel may require more in-depth training on the technical aspects of the plan, while customer service representatives may require more training on communication protocols.

Stakeholder Communication

Effective communication with stakeholders is critical during a disruption. Banks should have a communication plan outlining the procedures for contacting stakeholders and keeping them informed.

The communication plan should include the following:

• A list of key stakeholders, including customers, vendors, and regulators.
• The communication channels, such as phone, email, or social media, will be used to contact stakeholders.
• The frequency of updates and the information that will be provided.
• The procedures for escalating communication if necessary.

Banks should also conduct regular communication drills to test the effectiveness of the communication plan and identify any areas that need improvement.

A comprehensive training and awareness program is essential for ensuring that banks are prepared to respond effectively to disruptions and minimize the impact on their operations.

Regulatory Compliance and Standards

Business Continuity Planning (BCP) is essential for banks to remain resilient during crises and comply with regulatory requirements and industry standards.

Banks must adhere to the Financial Industry Regulatory Authority (FINRA) Rule 4370, which spells out the required BCP procedures.

Compliance with Financial Regulations

Banks must ensure that their BCP is appropriate to the scale and scope of their operations and adheres to financial regulations.

Compliance with financial regulations is crucial for banks to maintain their reputation and avoid regulatory penalties. Banks must identify potential risks and develop a BCP to mitigate those risks and ensure continuity of operations.

Banks must also ensure that their BCP meets the objectives of financial regulations . The objectives of financial regulations include protecting customers’ interests, maintaining the financial system’s stability, and preventing financial crimes.

Adhering to Industry Standards

Banks must adhere to industry standards to ensure that their BCP is effective and meets the requirements of regulators.

Industry standards provide guidance on the development and implementation of BCPs, including risk assessment , technical solutions, HR and training, and a Business Impact Analysis (BIA).

Banks must also ensure their vendors or third-party service providers maintain a BCP. Exit strategy plans are developed by front-line units and control functions to ensure that the bank can continue to operate during a crisis.

Banks must comply with financial regulations and adhere to industry standards to develop an effective BCP . Compliance with financial regulations and industry standards is essential for banks to maintain their reputation, avoid regulatory penalties, and ensure continuity of operations.

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s(MSc) degree in Risk Management from University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.

Business Continuity and Disaster Recovery Plan Example: A Template for Resilience

Elements of a Business Continuity Plan: Key Components for Resilience

Reach out to understand more about Enterprise Risk Management, Project Management and Business Continuity.

© 2024 Risk Management

Business continuity planning in banking and finance

Oro provides content designed to educate and help audiences on their compliance journey.

“In banking or finance, trust is the only thing you have to sell.” Patrick Dixon

Banking and finance is a key part of the modern economy, and ensuring the stability of financial institutions is paramount. But how do banks maintain their operations during unforeseen disruptions and crises? 

The answer is robust Business Continuity Planning (BCP) . 

If you’re in banking or finance, you’ll know BCP is a critical component of any bank’s risk management strategy, and its importance cannot be overstated. In this post, we delve into the world of BCP in banking, highlighting its role and key components.

Key takeaways

• Business Continuity Planning (BCP) is essential for banks to remain resilient during crises and comply with regulatory requirements.
• BCP should include risk assessment, technical solutions, HR & training, and a Business Impact Analysis (BIA).

The role of Business Continuity Plans in banking

Business Continuity Planning is a proactive process designed to anticipate potential threats, vulnerabilities, and weaknesses. The BCP process bolsters a bank’s resilience during crises. It aims to reduce losses and maintain business operations despite disruptions. 

Imagine a scenario where a major natural disaster or cyber attack impacts your bank’s operations, and you have no plan in place. The consequences could be dire, leading to financial loss, reputational damage, and regulatory non-compliance.

Banking’s BCP encompasses having an established plan, adhering to regulatory standards, and stabilizing financial markets. It encompasses a broader scope than Disaster Recovery Planning (DRP) or Business Continuity and Disaster Recovery ( BCDR ) plan, which focuses solely on the technical aspects of recovering IT infrastructure and systems. 

At its core, a thorough BCP in banking: 

• Addresses all aspects of a bank’s operations
• Trains employees to manage disruptions
• Ensures uninterrupted service to customers while retaining its market position

Regulatory requirements

Banks are required to have a comprehensive BCP in place to address potential disruptions and ensure compliance with industry standards. This includes adhering to the ISO 22301:2019 standard, the global benchmark for business continuity management.

Adherence to these regulatory standards allows banks to show dedication to sustaining operations, customer service, and financial asset protection during disasters.

Financial market participants and infrastructure service providers

The modern financial system is a complex web of interconnected market participants and infrastructure service providers, including financial institutions such as:

• Investment banks
• Broker-dealers
• Individuals

As a result, the stability of the entire financial system hinges on the ability of each participant to maintain their operations during disruptions.

In this context, BCP in banking must consider the interconnectedness of financial market participants and infrastructure service providers to minimize systemic risks.

To develop a thorough BCP, banks need to gauge the prospective impacts of disruptions on the market, along with the geographic interdependencies that shape contemporary local, national, and global banking networks. This way, their BCP can tackle the distinct challenges presented by this interlinked financial environment, allowing them to persistently serve their customers and stabilize financial markets amidst considerable disruptions.

Understanding specific disruptions to banking

A significant business disruption can take many forms. Banks must address specific disruptions, such as natural disasters, cyber attacks, and pandemics, in their BCPs to ensure comprehensive coverage and preparedness. By considering these unique challenges, banks can develop targeted strategies and solutions that address the specific risks and vulnerabilities posed by each type of disruption.

Damage from natural disasters

The frequency and intensity of natural disasters (earthquakes, hurricanes, wildfires, floods, etc.) are on the rise. While these pose a significant risk to habitat and humanity, they also cause significant disruptions to business operations, including banking. Banks, therefore, require contingency plans for physical damage, power outages, and disruptions to transportation and communication networks. 

Banks can also use financial products, such as insurance, to address the financial risks of natural disasters. By having comprehensive plans in place to address the unique challenges posed by natural disasters, banks can minimize the impact on their customers and ensure the stability of the financial system during such events.

Cyber attacks and technological failures

Cyber attacks and technological failures also pose significant threats to banks, as they can lead to data breaches, system outages, and financial loss. According to the IMF :

“The financial sector is particularly vulnerable to cyber-attacks. These institutions are attractive targets because of their crucial role in intermediating funds. A successful cyber-attack on one institution could spread rapidly through the highly interconnected financial system.”

To address these threats, banks must implement robust cybersecurity measures, such as firewalls, encryption software, and endpoint protection, to safeguard their IT infrastructure and systems from malicious actors.

In addition to cybersecurity measures, banks must also invest in data backup and recovery solutions to ensure the availability of their data and systems in the event of a cyber attack or technological failure. These solutions, coupled with comprehensive incident response plans, can help banks minimize the impact of cyber-attacks and technological failures on their operations and customers.

Pandemics and staff inaccessibility

Pandemics ( such as the COVID-19 outbreak ) present unique challenges for banks, as they can lead to staff inaccessibility, remote work requirements, and health and safety concerns. To address these challenges, banks must establish plans for remote work, alternative staffing arrangements, and health and safety protocols to ensure the well-being of their employees and customers during such events.

Prioritizing employee well-being and safety allows banks to:

• Foster a supportive work environment
• Enable employees to perform optimally during disruptions and emergencies
• Maintain the continuity of critical functions and services
• Ensure that the bank can continue to serve its customers
• Maintain the stability of the financial system during pandemics and other staff inaccessibility events

Business Continuity Planning is an important element of ISO 27001 compliance. Find out what it looks like for your organization.

3 key components of a bank’s Business Continuity Planning process

So, how do you stay ahead of these disruptions? A well-rounded bank’s BCP consists of three key components : 

• Risk assessment and management
• Technical recovery solutions
• Human resources and training

Each component plays a crucial role in ensuring the bank’s ability to withstand disruptions and continue providing essential services to its customers. Let’s look at each in more detail.

1. Risk assessment and management

Risk assessment and management is the first step in developing a comprehensive BCP for banks. It involves:

• Identifying potential threats and vulnerabilities, such as data loss, regulatory non-compliance, reputational damage, financial risk, and human-caused disasters
• Implementing measures to mitigate their impact on operations
• Ensuring the continuity of critical functions

An efficient risk management process also requires frequent BCP updates to accommodate changes in the bank’s operations, threat scenarios, and audit suggestions. Continuous risk assessment and management allow banks to:

• Keep their Business Continuity Plans updated
• Ensure their plans are efficient in handling possible disruptions
• Minimize the effect on their customers and financial system stability

2. Technical recovery solutions

Technical recovery solutions focus on the restoration of IT infrastructure and systems during a disruption, ensuring the continuity of critical functions and contributing to business recovery. In today’s digital age, the resilience of a bank’s IT systems is of utmost importance, as even minor disruptions can have far-reaching consequences for the bank’s operations and customers.

To address this challenge, banks must invest in robust technical recovery solutions. These solutions not only help banks restore their core systems and data following a disruption but also provide the necessary tools for monitoring and managing their IT infrastructure, ensuring the highest level of resilience and preparedness.

3. Human resources and employee training

Human resources and employee training are essential components of a bank’s BCP, as they ensure that employees are aware of their roles and responsibilities during a disruption and can effectively execute the plan. Training should incorporate emergency response drills, BCP procedure overviews, and periodic plan reviews to keep employees current and conversant with the processes.

Moreover, banks must invest in the well-being and safety of their employees, as they are the backbone of the organization. By providing access to mental health support, flexible work options, and clear health and safety guidelines, banks can create a supportive work environment that enables employees to perform at their best during disruptions and emergencies.

The importance of Business Impact Analysis (BIA) in banking

Business Impact Analysis (BIA) is an important aspect of BCP in banking, as it helps banks identify critical functions, assess the potential impact of disruptions, and set recovery time objectives to prioritize resources and efforts.

Executing an exhaustive BIA provides banks with valuable insights into their operations and weaknesses, which aids in the development of targeted recovery strategies and disruption impact minimization on customers and the financial system.

Identifying critical functions

Critical business functions in banks (e.g., transaction processing or customer account services) are those that would have a disastrous effect on stakeholders or the bank if they were to fail.

Identifying these functions is crucial for determining which processes and systems must be prioritized for recovery during a disruption.

Concentrating on the most critical operation aspects enables banks to allocate resources and efforts effectively, thereby reducing the disruption impact on customers and financial system stability.

Setting recovery time objectives

Recovery time objectives (RTOs) are a key component of the BIA process, as they help banks establish the maximum acceptable downtime for critical functions. 

Setting RTOs involves assessing the: 

• Bank’s risk appetite
• Cost of downtime
• Availability of resources
• Potential impact of downtime on customers and stakeholders

Clear RTOs help banks steer recovery strategy development and ensure their readiness to handle disruptions promptly and effectively.

Examples of RTOs in banking include restoring core banking systems within 24 hours, gaining customer access within 48 hours, and resuming full operations within 72 hours. These objectives serve as benchmarks for banks to measure their progress and preparedness, helping them identify areas for improvement and adjust their BCP accordingly.

Implementing and testing a bank’s Business Continuity Plan

Implementing and testing a bank’s BCP is a structured process that involves regular maintenance and updates to ensure its effectiveness during a disruption. The process encompasses:

• Recovery strategy development
• Roles and responsibilities allocation
• Communication protocol establishment
• Regular reviews and updates to maintain an up-to-date and effective plan

BCP implementation process

The BCP implementation process begins with the development of recovery strategies, which outline the specific actions and resources required to restore critical functions and systems following a disruption. These strategies should be based on the findings of the bank’s BIA and risk assessment, ensuring that they address the most significant threats and vulnerabilities.

Once recovery strategies have been developed, banks must assign roles and responsibilities to employees, outlining their duties during disruption and ensuring that they are trained and prepared to execute the BCP, which includes the disaster recovery plan. Establishing clear communication protocols is also essential, as it enables the bank to maintain effective coordination and information sharing during a disruption.

Testing and maintenance

Regular testing and maintenance are critical to the success of a bank’s BCP, as they help identify weaknesses and areas for improvement, ensuring that the plan remains current and effective. Testing can involve various methods, including tabletop exercises, walkthroughs, and full-scale simulations. These exercises not only evaluate the plan’s viability but also assess the ability of employees and executives to handle stress and make decisions under pressure.

Alongside testing, regular BCP maintenance is vital to keep the plan updated and responsive to changes in the bank’s operations, threat scenarios, and audit suggestions. By conducting regular reviews and updates, banks can ensure that their BCP remains effective in addressing potential disruptions, thereby minimizing the impact on their customers and financial system’s stability.

Conclusion: BCP is a critical component of a bank’s risk 

By addressing potential threats, vulnerabilities, and disruptions, banks can ensure the continuity of operations, comply with regulatory requirements, and maintain the stability of financial markets. 

A comprehensive BCP encompasses risk assessment and management, technical recovery solutions, human resources, and training, as well as business impact analysis to identify critical functions and set recovery time objectives. With proper planning, communication, and regular testing and maintenance, banks can be well-prepared to face any disruption and continue to serve their customers and support the financial system during challenging times.

Recommended reading

Your guide to ISO 27001 and the path to certification

Gain comprehensive insights into ISO 27001, understand its pivotal role in enhancing data security, discover its strategic importance for business success, and learn the step-by-step path to certification.

Share this post with your network:

Related Posts

What is soc 1 compliance, essential gdpr compliance checklist: navigate data protection with confidence, stay connected.

Subscribe to receive new blog articles and updates from Thoropass in your inbox.

Help Thoropass ensure that compliance never gets in the way of innovation.

Drop us a line and we’ll be in touch.

The New Equation

Executive leadership hub - What’s important to the C-suite?

Tech Effect

Shared success benefits

Loading Results

No Match Found

Banking on resilience: Critical paradigm shift for Financial Service examiners

The FFIEC’s recent  release  of its Business Continuity Management handbook sets critical new paradigms for FS examiners, signaling a shift to operational resilience.

Guidance from the Federal Financial Institutions Examination Council (FFIEC) makes it clear that, in the financial services industry, recovering IT systems quickly after an outage is no longer good enough.

Bank regulators are expanding the old business continuity planning and disaster recovery (BCP/DR) model to encompass all aspects of resilience (ie. operational and cyber), effectively setting a new bar for regulated entities.

Rethinking resilience

As Financial services (FS) regulators around the world shift their focus, PwC has done the same . We’ve been calling for a rethinking of resilience for a number of reasons:

• With globalization and increased competitive pressures leading to more outsourcing, offshoring and automation, FS firms are now more interconnected and complex than ever before. A breakdown at any one step can disrupt the entire chain.
• Financial institutions are innovating in new areas—migrating more and more services and data to the cloud, for example—but managers’ understanding of these technologies doesn’t keep pace with the speed of change. Too often they don’t update their risk and resilience programs to account for critical dependencies that emerge.
• Since the last financial crisis, enhanced risk management, stress testing, capital planning and liquidity management have generally improved financial resilience. But traditional BCP/DR activities have received less attention in some firms, and often are focused on maintaining existing capabilities, rather than continuously improving in maturity and depth.
• Regulators increasingly expect boards of directors to don the mantle of operational resilience oversight, a task for which they may not be adequately prepared.

The FFIEC addresses these concerns and sets parameters for regulatory examiners of  financial institutions and their third-party service providers.

Issued in November 2019, the FFIEC’s  Business Continuity Management booklet represents the council’s first significant update in more than four years. It expands its focus to business continuity management , not just business continuity planning. In doing so, it echoes some of the key tenets of the 2018 Bank of England’s (BoE) influential discussion paper, Building the UK financial sector’s operational resilience  (PDF, 868 KB).

The update formalizes a definition of resilience found in the National Institute of Standards and Technology (NIST) glossary: “The ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents.”

It also enjoins examiners to hone in on FS enterprises’ and service providers’ ability to keep their most important business functions operating and available to customers and other stakeholders. And it wants to see FS entities working to minimize any ripple effects an outage might have on others in its business ecosystem and on overall financial systems.

Subtle but significant shifts to resilience that the FFIEC will trigger

While the BoE’s paper introduced bold new concepts, the 2019 FFIEC update appears to aim for a more nuanced pivot from BCP/DR to operational resilience.

Here are the shifts in a nutshell:

1. Moves emphasis away from business continuity planning (BCP) to business continuity management (BCM)

2. provides a repeatable process for identifying critical business functions, 3. introduces the term “maximum tolerable downtime”, 4. emphasizes need for more meaningful testing, 5. allows more flexibility in testing, 6. refers to entities, not just “financial institutions”, 7. expands the role of business impact analysis (bia), 8. spells out resilience duties of management and boards.

The 2015 FFIEC document spoke of systems recovery, whereas the new booklet emphasizes the continuity of operations throughout the overall entity: technology, operations, testing and communication, focusing on the "continued maintenance of systems and controls for the resilience of operations."

The new document provides a clear, repeatable process for identifying critical business functions and analyzing their interdependencies internally and externally (also known as “mapping”). It also says that entities should understand how a disruption of these functions could affect markets and the entity’s larger community.

The FFIEC booklet directs entities to determine how much disruption they can tolerate—including data loss as well as downtime. It also clarifies how entities should establish their targets for post-cyber-event systems recovery and data restoration, advising organizations to  be realistic : “Establishing realistic RTOs (recovery time objectives) assists management in determining a critical path and hierarchy for recovery. For example, a process with a shorter RTO that is dependent upon on a process with a longer RTO may indicate a gap that should be analyzed further,” the document states. The concept appears similar to the BoE discussion paper’s “impact tolerances.”

Conducting tabletop exercises is no longer enough: the FFIEC guidance instructs examiners to also look for integrated tests of technology and business functions using multiple, complex and threat-intelligence-driven scenarios with event simulations.

While yearly testing of BCP/DR plans has long been the norm, the 2019 FFIEC booklet affords a multi-year testing schedule where appropriate—a change enabled in part by more robust testing. While high-priority business functions might still need annual testing, those deemed less critical could be tested every two or three years, for example. This change recognizes the burden that undifferentiated yearly testing can place on financial institutions, and lets them use periodic tests to build maturity over time.

Again, this change is subtle, but the language of the FFIEC document now encompasses non-financial organizations such as cloud service providers, establishing that, if they provide services to financial institutions, they must follow the same rules.

The new booklet expands the role of BIA from merely identifying risk to also maintaining business continuity with continuous systems monitoring, which can help to ensure that changes in business operations are always accounted for. It also calls for continually improving resilience processes by using metrics to analyze the effects of every disruption and to determine whether recovery objectives are reasonable.

The new guidance is clear on the duties and functions of  management and the board of directors . “The board and senior management should set the ‘tone at the top’ and consider the entity’s entire operations, including functions performed by affiliates and third-party service providers, when managing business continuity,” the document advises.

Get started with PwC's preference center

Our insights. Your choices.

The case for proactive action to build resilience

Resilience is taking precedence among FS regulators not only in the US but worldwide. One reason is the escalation of cyberattacks on the FS industry, including nation-state sponsored incidents. Financial institutions globally experienced six nation-state attacks alone in 2018, up from two each in 2016 and 2017.

On the heels of its influential 2018 discussion paper, the BoE’s decision to stress test UK banks’ operational resilience this fall prefigured the FFIEC changes. ( The BoE published the results of those tests in December 2019 .)

But regulators already have been issuing resilience-focused Matters Requiring Attention (MRA) letters directly to financial institutions—even before the FFIEC published its update.

The writing is on the proverbial wall, and every financial entity and service provider would do well to pay attention. Those who embark now on the road to resilience will enjoy many advantages over those forced to contend with an MRA. 

Remediating an MRA triggers a costly and stressful process of developing plans and implementing them on a tight schedule. Those so penalized must also satisfy regulators that they can maintain their resilience posture over the longer term, beyond remediation.

In the meantime, savvier organizations worldwide (those who scored high on resilience measures, so-called “high-RQ”) have already been revamping their BCP/DR programs with resilience in mind, according to PwC’s Digital Trust Insights study.

Being proactive on resilience means being able to manage the scope, costs and timing involved in building an organization's operational resilience.

Actions to take now

• Lay the governance foundation for resilience
• Set your recovery goals and targets
• Measure your program’s effectiveness
• Stay current with changes
• Establish a team to oversee resilience enterprise-wide, ideally under the leadership of a Chief Resilience Officer.
• Step up your first-line (management) and business teams’ involvement in responding to threats and disruptions.
• Revamp your remediation programs to include all affected functions: business units, operations, technology, RRP and your resiliency organization.
• Take advantage of existing industry initiatives such as  Sheltered Harbor , which the  FFIEC booklet mentions  as “An example of an industry initiative to assist in addressing the resilience of customer account information.”
• Expand the scope of your Business Impact Analysis to include identifying all your business functions, prioritizing them in order of their criticality, setting realistic RTOs, MTDs and data restoration targets, and emphasizing the restoration of operational processes and critical business functions within those targets.
• Map your dependencies between functions, processes, technology assets, and other internal and external participants.
• Use a common taxonomy enterprise-wide listing recovery plan inputs.
• Assess and test impacts of cyber incidents and disruptions using simulations and other more rigorous tests in addition to tabletop exercises. After an incident, ask: Were business functions interrupted? How quickly and effectively were they restored? Did you meet your targets? Why or why not?
• Build a dedicated test environment that can handle robust and complex simulations.
• Identify and monitor continuity risks, and scrutinize your metrics regarding incidents and disruptions using a variety of dashboards to analyze them from different perspectives. Include a “mandatory adherence to standards” test. Do you pass? Why or why not?
• Strengthen your third-party risk management so that you provide the same level of scrutiny to non-FS organizations and service providers as to those in FS.
• Update your scenario libraries to account for new risks such as cyber attack-related data loss.
• Adopt more complex operating models to safeguard third-party services (such as cloud services), remote workforces and increases in mobile end-users.
• Automate your recovery. Manual processes take more time, making it more likely that large, complex entities will miss restoration goals.

Financial services

Adam Gilbert

Global Senior Regulatory Advisor, PwC US

Julien Furioli

Principal, Financial Services Technology, PwC US

Tamika Boateng

Financial services, PwC US

Cybersecurity and privacy

Shawn Lonergan

Partner, Technology & Operational Resilience, PwC US

Michael Hodges

Managing Director, Cybersecurity and Privacy, PwC US

Related content

Operational resilience in financial services: time to act.

A joint report from PwC and TheCityUK to define and identify the key threats to operational resilience and recommendations to help ensure the UK remains a...

© 2017 - 2024 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.

• Data Privacy Framework
• Cookie info
• Terms and conditions
• Site provider
• Your Privacy Choices

• Search Search Please fill out this field.
• Business Continuity Plan Basics
• Understanding BCPs
• Benefits of BCPs
• How to Create a BCP
• BCP & Impact Analysis
• BCP vs. Disaster Recovery Plan

Frequently Asked Questions

• Business Continuity Plan FAQs

The Bottom Line

What is a business continuity plan (bcp), and how does it work.

Investopedia / Ryan Oakley

What Is a Business Continuity Plan (BCP)? 

A business continuity plan (BCP) is a system of prevention and recovery from potential threats to a company. The plan ensures that personnel and assets are protected and are able to function quickly in the event of a disaster.

Key Takeaways

• Business continuity plans (BCPs) are prevention and recovery systems for potential threats, such as natural disasters or cyber-attacks.
• BCP is designed to protect personnel and assets and make sure they can function quickly when disaster strikes.
• BCPs should be tested to ensure there are no weaknesses, which can be identified and corrected.

Understanding Business Continuity Plans (BCPs)

BCP involves defining any and all risks that can affect the company's operations, making it an important part of the organization's risk management strategy. Risks may include natural disasters—fire, flood, or weather-related events—and cyber-attacks . Once the risks are identified, the plan should also include:

• Determining how those risks will affect operations
• Implementing safeguards and procedures to mitigate the risks
• Testing procedures to ensure they work
• Reviewing the process to make sure that it is up to date

BCPs are an important part of any business. Threats and disruptions mean a loss of revenue and higher costs, which leads to a drop in profitability. And businesses can't rely on insurance alone because it doesn't cover all the costs and the customers who move to the competition. It is generally conceived in advance and involves input from key stakeholders and personnel.

Business impact analysis, recovery, organization, and training are all steps corporations need to follow when creating a Business Continuity Plan.

Benefits of a Business Continuity Plan

Businesses are prone to a host of disasters that vary in degree from minor to catastrophic. Business continuity planning is typically meant to help a company continue operating in the event of major disasters such as fires. BCPs are different from a disaster recovery plan, which focuses on the recovery of a company's information technology system after a crisis.

Consider a finance company based in a major city. It may put a BCP in place by taking steps including backing up its computer and client files offsite. If something were to happen to the company's corporate office, its satellite offices would still have access to important information.

An important point to note is that BCP may not be as effective if a large portion of the population is affected, as in the case of a disease outbreak. Nonetheless, BCPs can improve risk management—preventing disruptions from spreading. They can also help mitigate downtime of networks or technology, saving the company money.

How To Create a Business Continuity Plan

There are several steps many companies must follow to develop a solid BCP. They include:

• Business Impact Analysis : Here, the business will identify functions and related resources that are time-sensitive. (More on this below.)
• Recovery : In this portion, the business must identify and implement steps to recover critical business functions.
• Organization : A continuity team must be created. This team will devise a plan to manage the disruption.
• Training : The continuity team must be trained and tested. Members of the team should also complete exercises that go over the plan and strategies.

Companies may also find it useful to come up with a checklist that includes key details such as emergency contact information, a list of resources the continuity team may need, where backup data and other required information are housed or stored, and other important personnel.

Along with testing the continuity team, the company should also test the BCP itself. It should be tested several times to ensure it can be applied to many different risk scenarios . This will help identify any weaknesses in the plan which can then be corrected.

In order for a business continuity plan to be successful, all employees—even those who aren't on the continuity team—must be aware of the plan.

Business Continuity Impact Analysis

An important part of developing a BCP is a business continuity impact analysis. It identifies the effects of disruption of business functions and processes. It also uses the information to make decisions about recovery priorities and strategies.

FEMA provides an operational and financial impact worksheet to help run a business continuity analysis. The worksheet should be completed by business function and process managers who are well acquainted with the business. These worksheets will summarize the following:

• The impacts—both financial and operational—that stem from the loss of individual business functions and process
• Identifying when the loss of a function or process would result in the identified business impacts

Completing the analysis can help companies identify and prioritize the processes that have the most impact on the business's financial and operational functions. The point at which they must be recovered is generally known as the “recovery time objective.”

Business Continuity Plan vs. Disaster Recovery Plan

BCPs and disaster recovery plans are similar in nature, the latter focuses on technology and information technology (IT) infrastructure. BCPs are more encompassing—focusing on the entire organization, such as customer service and supply chain. 

BCPs focus on reducing overall costs or losses, while disaster recovery plans look only at technology downtimes and related costs. Disaster recovery plans tend to involve only IT personnel—which create and manage the policy. However, BCPs tend to have more personnel trained on the potential processes. 

Why Is Business Continuity Plan (BCP) Important?

Businesses are prone to a host of disasters that vary in degree from minor to catastrophic and business continuity plans (BCPs) are an important part of any business. BCP is typically meant to help a company continue operating in the event of threats and disruptions. This could result in a loss of revenue and higher costs, which leads to a drop in profitability. And businesses can't rely on insurance alone because it doesn't cover all the costs and the customers who move to the competition.

What Should a Business Continuity Plan (BCP) Include?

Business continuity plans involve identifying any and all risks that can affect the company's operations. The plan should also determine how those risks will affect operations and implement safeguards and procedures to mitigate the risks. There should also be testing procedures to ensure these safeguards and procedures work. Finally, there should be a review process to make sure that the plan is up to date.

What Is Business Continuity Impact Analysis?

An important part of developing a BCP is a business continuity impact analysis which identifies the effects of disruption of business functions and processes. It also uses the information to make decisions about recovery priorities and strategies.

FEMA provides an operational and financial impact worksheet to help run a business continuity analysis.

These worksheets summarize the impacts—both financial and operational—that stem from the loss of individual business functions and processes. They also identify when the loss of a function or process would result in the identified business impacts.

Business continuity plans (BCPs) are created to help speed up the recovery of an organization filling a threat or disaster. The plan puts in place mechanisms and functions to allow personnel and assets to minimize company downtime. BCPs cover all organizational risks should a disaster happen, such as flood or fire.  

Federal Emergency Management Agency. " Business Process Analysis and Business Impact Analysis User Guide ." Pages 15 - 17.

Ready. “ IT Disaster Recovery Plan .”

Federal Emergency Management Agency. " Business Process Analysis and Business Impact Analysis User Guide ." Pages 15-17.

• Terms of Service
• Editorial Policy
• Privacy Policy
• Your Privacy Choices

Business continuity planning at central banks during and after the pandemic

Report by the Consultative Group on Risk Management (CGRM) established at the BIS Representative Office for the Americas

In August 2021 the Consultative Group on Risk Management (CGRM) set up a task force to examine how Business Continuity Planning (BCP) at BIS member central banks in the Americas has changed since the beginning of the Covid-19 pandemic. This report is the outcome of the work of the task force. Its findings might help central banks in the region and beyond to adjust their BCP to the new risks that emerged from the pandemic and the new ways of working that might outlive it.

Related information

• Consultative group on risk management
• Share this page
• Sign up to receive email alerts
• Translations
• Legal information
• Terms and conditions
• Copyright and permissions
• Privacy notice
• Cookies notice
• Email scam warning

How to Write a Business Continuity Plan Step-by-Step: Our Experts Provide Tips

By Andy Marker | October 21, 2020 (updated August 17, 2021)

• Share on Facebook
• Share on LinkedIn

Link copied

In order to adequately prepare for a crisis, your company needs a business continuity plan. We’ve culled detailed step-by-step instructions, as well as expert tips for writing a business continuity plan and free downloadable tools.  

Included on this page, find the steps to writing a business continuity plan and a discussion of the key components in a plan . You’ll also find a business continuity plan quick-start template  and a disruptive incident quick-reference card template for print or mobile, and an expert disaster preparation checklist .

Step by Step: How to Write a Business Continuity Plan

A business continuity plan refers to the steps a company takes to help it continue operations during a crisis. In order to write a business continuity plan, you gather information about key people, tools, and processes, then write the plan as procedures and lists of resources. 

To make formatting easy, download a free business continuity plan template . To learn more about the role of a business continuity plan, read our comprehensive guide to business continuity planning . 

• Write a Mission Statement for the Plan: Describe the objectives of the plan. When does it need to be completed? What is the budget for disaster and recovery preparation, including research, training, consultants, and tools? Be sure to detail any assumptions about financial or other resources, such as government business continuity grants.
• Set Up Governance: Describe the business continuity team. Include names or titles and role designations, as well as contact information. Clearly define roles, lines of authority and succession, and accountability. Add an organization or a functional diagram. Select one of these free organizational chart templates to get started.
• Write the Plan Procedures and Appendices: This is the core of your plan. There's no one correct way to create a business continuity document, but the critical content it should include are procedures, agreements, and resources.Think of your plan as lists of tasks or processes that people must perform to keep your operation running. Be specific in your directions, and use diagrams and illustrations. Remember that checklists and work instructions are simple and powerful tools to convey key information in a crisis. Learn more about procedures and work instructions . You should also note who on the team is responsible for knowing plan details.

• Set Procedures for Testing Recovery and Response: Create test guidelines and schedules for testing. To review the plan, consider reaching out to people who did not write the plan. Put together the forms and checklists that attendees will use during tests.

A business continuity plan is governed by a business continuity policy. You can learn more about creating a business continuity policy and find examples by reading our guide on developing an effective business continuity policy .

How to Create a Business Continuity Plan

Creating a business continuity plan (BCP) involves gathering a team, studying risks and key tasks, and choosing recovery activities. Then write the plan as a set of lists and guidelines, which may address risks such as fires, floods, pandemics, or data breaches.

According to Alex Fullick, your best bet is to create a simple plan. “I usually break everything down into three key categories: people, places, and things. If you focus on a couple of key pieces, you will be a lot more effective. That big binder of procedures is absolutely worthless. You need a bunch of guidelines to say what you do in a given situation: where are our triggers for deciding we’re in a crisis and we have to stop doing XYZ, and just focus on ABC.” 

“Post-pandemic, I think new managers will develop more policies and guidelines of all types than required, as a fear response,” cautions Michele Barry. 

Because every company is different, no two approaches to business continuity planning are the same. Tony Bombacino, Co-Founder and President of Real Food Blends , describes his company’s formal and informal business continuity approaches. “The first step in any crisis is for our nerve center to connect quickly, assess the situation, and then go into action,” he explains. 

“Our sales manager and our marketing manager might discuss what’s going on, and say, ‘Are we going to say anything on social media? Do we need to reach out to any of our customers? The key things, like maintaining stock levels or what if somebody gets sick? What if there's a recall?’ Those plans we have laid out. But we're not a 5,000-person multi-billion-dollar company, so our business continuity plan is often in emails and Google Docs.” 

“I've done planning literally for hundreds of businesses where we've just filled out basic forms,” says Mike Semel, President and Chief Compliance Officer of Semel Consulting . “For example, noting the insurance company's phone number — you know, on the back of your utility bill, which you never look at, there's an emergency number for if the power goes out or if the gas shuts off. We've helped people gather all that information and put it down. Even if there's no other plan, just having that information at their fingertips when they need it may be enough.”

You can also approach your business continuity planning as including three types of responses:

• Proactive Strategies: Proactive approaches prevent crises. For example, you may buy an emergency generator to keep power running in your factory, or install a security system to prevent or limit loss during break-ins. Or you may create a bring-your-own-device (BYOD) policy and offer training for remote workers to protect your network and data security.
• Reactive Strategies: Reactive strategies are your immediate responses to a crisis. Examples of reactive methods include evacuation procedures, fire procedures, and emergency response strategies.
• Recovery Strategies: Recovery strategies describe how you resume operations to produce a minimum acceptable level of service. The recovery plan includes actions to stand up temporary processes. The plan also describes the longer-term efforts, such as relocation, data restoration, temporary workaround processes, or outsourcing tasks. Recovery strategies are not limited to IT and data recovery.

Quick-Start Guide Business Continuity Plan Template

If you don’t already have a business continuity plan in place, but need to create one in short order to respond to a disruption, use this quick-start business continuity template. This template is available in Word and Google Docs formats, and it’s simply formatted so that you can focus on brainstorming and problem-solving. 

Download Quick-Start Guide Business Continuity Plan Template

Word | PDF | Google Docs | Smartsheet

For other most useful free, downloadable business continuity plan (BCP) templates please read our "Free Business Continuity Plan Templates" article.

Key Components of a Business Continuity Plan

Your company’s complete business continuity plan will have many details. Your plan may differ from other companies' plans based on industry and other factors. Each facility or business unit may also conduct an impact analysis and create disaster recovery and continuity plans . Consider adding these key components to your business plan:

• Contact Information: These pages include contact information for key employees, vendors, and critical third parties. Locate this information at the beginning of the plan. 
• Business Impact Analysis: When you conduct business impact analysis (BIA), you evaluate the financial and other changes in a disruptive event (you can use one of these business impact templates to get started). Evaluate impact in terms of brand damage, product failure or malfunction, lost revenue, or legal and regulatory repercussions.
• Risk Assessment: In this section, assess the potential risks to all aspects of the organization’s operations. Look at potential risks related to such matters as cash on hand, stock levels, and staff qualifications. Although you may face an infinite number of potential internal and external risks, focus on people, places, and things to keep from becoming overwhelmed. Then analyze the effects of any items that are completely lost or need repairs. Also, understand that risk assessment is an ongoing effort that works in tandem with training and testing. Consider adding a completed risk matrix to your plan. You can create one using a downloadable risk matrix template . 
• Critical Functions Analysis and List: As a faster alternative to a BIA, a critical functions analysis reveals what processes are critical to keeping your company running. Examples of critical functions include payroll and wages, accounts receivable, customer service, or production. According to Michele Barry, with a values-based approach to critical functions, you should consider who you really are as a company. Then decide what you must continue doing and what you can stop doing. 
• Trigger and Disaster Declaration Criteria: Here, you should detail how your executive management will know when to declare an emergency and initiate the plan.
• Succession Plan: Identify alternate staff for key roles in each unit. Schedule time throughout the year to observe alternates as they make important decisions and complete recovery tasks.
• Alternate Suppliers: If your goods are regulated (i.e., food, toy, and pharmaceutical manufacturing), your raw resources and parts must always be up to standard. Source suppliers before a crisis to ensure that regulatory vetting and approval do not delay supplies. 
• Operations Plan: Describe how your organization will resume and continue daily operations after a disruption. Include a checklist with such items as supplies, equipment, and information on where data is backed up and where you keep the plan. Note who should have copies of the plan. 
• Crisis Communication Strategy: Detail how the organization will communicate with employees, customers, and third-party entities in the event of a disruption. If regular communications systems are disabled, make a plan for alternate methods. Download a free crisis communication strategy template to get started on this aspect. 
• Incident Response Plan: Describe how your organization plans to respond to a range of likely incidents or disruptions, and define the triggers for activating the plan. 
• Alternate Site Relocation: The alternate site is the location that the organization moves to after a disruption occurs. In the plan, you can also note the transportation and resources required to move the business and the processes you must maintain in this facility.
• Interim Procedures: These are the critical processes that must continue, either in their original or alternate forms.
• Restoration of Critical Data: Critical data includes anything you must immediately recover to maintain normal business functions.
• Vendor Partner Agreements: List your organization’s key vendors and how they can help you maintain or resume operations.
• Work Backlog: This includes the work that piles up when systems are shut down. You must complete this work first when processes start again.
• Recovery Strategy for IT Services: This section details the steps you take to restore the IT processes that are necessary to maintain the business.
• Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO): RTO refers to the maximum amount of time that a company can stop its processes and the length of time without access to data before productivity substantially drops. Determine RTOs for each unit, factoring in people, places, and things. 
• Backup Plans: What if plans, processes, or resources fail or are unavailable? Determine alternatives now, so you don't have to scramble. Decide on a backup roster for personnel who are unavailable.
• Manual Workarounds: This section details how a business can operate by hand, should all failsafe measures break down.
• External Audit Details: For regulated organizations, external audits may be compulsory. Your scheduled internal audits will prepare you for external audits.
• Test and Exercise Plan: Identify how and when you will test the continuity plan, including details about periodic tabletop testing and more complex real-world scenario testing.
• Change Management: Note how you will incorporate learnings from tests and exercises, disseminate changes, and review the plan and track changes.

Key Resources for Business Continuity

To fix problems, restore operations, or submit an insurance claim, you need readily available details of the human resources and other groups that can assist with business continuity. (Your organization's unique situation may also require specific types of resources.) Add this information to appendices at the back of your continuity plan.

Fullick suggests broadening the definition of human assets. "People are our employees, certainly. But we forget that the term ‘people’ includes executive management. Management doesn't escape pandemics or the flu or a car crash. Bad things can happen to them and around them, too." 

Use the following list as a prompt for recording important information about your organization. Your unique situation may require other types of information.

• Lists of key employees and their contact information. Also, think beyond C-level and response team members to staff with long-term or specialized knowledge
• Disaster recovery and continuity team contact names, roles, and contact information
• Emergency contact number for police and emergency services for your location
• Non-emergency contact information for police and medical
• Emergency and non-emergency contact numbers for facilities issues
• Board member contact information
• Personnel roster, including family or emergency contact names and numbers for the entire organization
• Contractors for any repairs
• Client contact information and SLAs
• Insurance contacts for all plans
• Key regulatory contacts.
• Legal contacts
• Vendor contact information and partner agreements and SLAs
• Addresses and details for each office or facility
• Primary and secondary contact and information for each facility or office, including at least one phone number and email address
• Off-site recovery location
• Addresses and access information for storage facilities or vehicle compounds
• Funding and banking information
• IT details and data recovery information, including an inventory of apps and license numbers  
• Insurance policy numbers and agent contact information for each plan, healthcare, property, vehicle, etc.
• Inventory of tangibles, including equipment, hardware, supplies, fixtures, and fittings (if you are a supplier or manufacturer, include an inventory of raw materials and finished goods)
• Lease details
• Licenses, permits, other legal documents
• List of special items that you use regularly, but don't order frequently
• Location of backup equipment
• Utility account numbers and contact information (for electric, gas, telephone, water, waste pickup, etc.)

Activities to Complete Before Writing the Business Continuity Plan

Before you write your plan, take these preliminary steps to assemble a team and gather background information. 

• Incident Commander: This person is responsible for all aspects of an emergency response.
• Emergency Response Team: The emergency response team refers to the group of people in charge of responding to an emergency or disruption.
• Information Technology Recovery Team: This group is responsible for recovering important IT services.
• Alternate Site/Location Operation Team: This team is responsible for maintaining business operations at an alternate site.
• Facilities Management Team: The facilities management team is responsible for managing all of the main business facilities and determining the necessary responses to maintain them in light of a disaster or disruption.
• Department Upper Management: This includes key stakeholders and upper management employees who govern BCP decisions.
• Conduct business impact analysis or critical function analysis. Understand how the loss of processes in each department can affect internal and external operations. See our article on business continuity planning to learn more about BIAs.
• Conduct risk analysis. Determine the potential risks and threats to your organization.
• Identify the scope of the plan. Define where the business continuity plan applies, whether to one office, the entire organization, or only certain aspects of the organization. Use the BIA and risk analysis to identify critical functions and key resources that you must maintain. Set goals to determine the level of detail required. Set milestones to track progress in completing the plan. "Setting scope is essential," Barry insists. "You need to define the core and noncore aspects of the business and the minimum requirements for achieving continuity."
• Strategize recovery approaches: Strategize how your business should respond to a disruption, based on your risk assessment and BIA. During this process, you determine the core details of the BCP, add the key components and resources, and determine the timing for what must happen before, during, and after a disruptive event.

Common Structure of a Business Continuity Plan

Knowing the common structure should help shape the plan — and frees you from thinking about form when you should be thinking about content. Here is an example of a BCP format:

• Business Name: Record the business name, which usually appears on the title page.
• Date: The day the BCP is completed and signed off. 
• Purpose and Scope: This section describes the reason for and span of the plan.
• Business Impact Analysis: Add the results of the BIA to your plan.  
• Risk Assessment: Consider adding the risk assessment matrix to your plan.
• Policy Information: Include the business continuity policy or policy highlights.
• Emergency Management and Response: You can detail emergency response measures separately from other recovery and continuity procedures.
• The Plan: The core of the plan details step-by-step procedures for business recovery and continuity.
• Relevant Appendices: Appendices can include such information as contact lists, org charts, copies of insurance policies, or any supporting documents relevant in a crisis.

Keep in mind that every business is different — no two BCPs look the same. Tailor your business continuity plan to your company, and make sure the document captures all the information you need to keep your business functioning. Having everything you need to know in an emergency is the most crucial part of a BCP.

Disruptive Incident Quick-Reference Card Template

Use this quick-reference card template to write the key steps that employees should take in case of an emergency. Customize this template for each business unit, department, or role. Describe what people should do immediately and in the following days and weeks to continue the business. Print PDFs and laminate them for workstations or wallets, or load the PDFs on your mobile phone. 

Download Disruptive Incident Quick-Reference Card Template 

Expert Disaster Preparation Checklist

Business continuity and disaster planning aren’t just about your buildings and cloud backup — it’s about people and their families. Based on a document by Mike Semel of Semel Consulting, this disaster checklist helps you prepare for the human needs of your staff and their families, including food, shelter, and other comforts.

Tips for Writing a Business Continuity Plan

With its many moving parts and considerations, a business continuity plan can seem intimidating. Follow these tips to help you write, track, and maintain a strong BCP:

• Take the continuity management planning  process seriously.
• Interview key people in the organization who have successfully managed disruptive incidents.
• Get approval from leadership early on and seek their ongoing championship of continuity preparedness.
• Be flexible when it comes to who you involve, what resources you need, and how you achieve the most effective plan.
• Keep the plan as simple and targeted as possible to make it easy to understand.
• Limit the plan to practical disaster response actions.
• Base the plan on the most up-to-date, accurate information available.
• Plan for the worst-case scenario and broadly cover many types of potential disruptive situations. 
• Consider the minimum amount of information or resources you need to keep your business running in a disaster. 
• Use the data you gather in your BIA and risk analysis to make the planning process more straightforward.
• Share the plan and make sure employees have a chance to review it or ask questions. 
• Make the document available in hard copy for easy access, or add it to a shared platform. 
• Continually test, review, and maintain your plan to keep it up to date. 
• Keep the BCP current with organizational and regulatory changes and updates.

Empower Your Teams to Build Business Continuity with Smartsheet

Empower your people to go above and beyond with a flexible platform designed to match the needs of your team — and adapt as those needs change. 

The Smartsheet platform makes it easy to plan, capture, manage, and report on work from anywhere, helping your team be more effective and get more done. Report on key metrics and get real-time visibility into work as it happens with roll-up reports, dashboards, and automated workflows built to keep your team connected and informed. 

When teams have clarity into the work getting done, there’s no telling how much more they can accomplish in the same amount of time.  Try Smartsheet for free, today.

Discover why over 90% of Fortune 100 companies trust Smartsheet to get work done.

Business Continuity Plan Template for Retail Banks

What is a Business Continuity Plan for Retail Banks?

A Business Continuity Plan for Retail Banks outlines the strategies, processes, and practices that will be used to protect the bank’s operations and services in the event of an emergency or disruption. This plan can help minimize the impact of an emergency on the overall operations of the bank, allowing it to continue its operations with minimal interruption or disruption.

What's included in this Business Continuity Plan for Retail Banks template?

• 3 focus areas
• 6 objectives

Each focus area has its own objectives, projects, and KPIs to ensure that the strategy is comprehensive and effective.

Who is the Business Continuity Plan for Retail Banks template for?

This Business Continuity Plan template is designed for retail banks and other financial institutions to help them develop their own business continuity plans. These plans are essential to ensure the continuity of banking operations, customer services, and financial transactions during emergencies or disruptions.

1. Define clear examples of your focus areas

A focus area is a broad area of the business which an organization wishes to improve or maintain. In this plan, the focus areas are Business Continuity, Risk Management, and Data Security. Each focus area should have a set of objectives, measurable targets (KPIs), and related projects that can be implemented to achieve the desired outcomes.

2. Think about the objectives that could fall under that focus area

Objectives are specific, measurable goals that an organization wishes to achieve. Each focus area should have a set of objectives that can be achieved through the implementation of related projects. Examples of some objectives for the focus area of Business Continuity could be: Develop a comprehensive Business Continuity Plan, and Ensure continuity of banking operations, customer services, and financial transactions.

3. Set measurable targets (KPIs) to tackle the objective

KPIs or Key Performance Indicators are measurable targets that help track the progress of objectives. These are defined for each objective and can be used to measure the success of the projects implemented to achieve the objectives. An example of a KPI for the focus area of Business Continuity could be: plan Business Continuity Plan.

4. Implement related projects to achieve the KPIs

Projects or actions are the specific steps taken to achieve the objectives and reach the KPIs. Each project should have a set of actions and responsibilities that need to be completed in order to achieve the desired outcome. An example of a project related to Business Continuity could be: Establish a Business Continuity Committee.

5. Utilize Cascade Strategy Execution Platform to see faster results from your strategy

Cascade Strategy Execution Platform is a comprehensive platform designed to help organizations develop and execute their strategies faster and more effectively. The platform provides intuitive tools and features to help you manage your strategy, track progress and results, and collaborate with your team.

This site uses cookies to optimize functionality and give you the best possible experience. If you continue to navigate this website beyond this page, cookies will be placed on your browser. To learn more about cookies, click here .