Why Business Continuity Is Personal for Banking Execs

A business continuity planner once introduced himself to an executive as the business continuity manager. The executive responded, “No, I’m the business continuity manager.” Sound strange? Actually, that executive had the right idea.

There’s a lot of debate about who is responsible for disaster recovery, business continuity, infosecurity, etc. There are a lot of different answers about who handles the day-to-day tasks. But who’s ultimately responsible for all of these functions? If you’re a business executive, you are. And your reputation and career depend on it.

Why Are You Responsible for Business Continuity?

The FFIEC places the responsibility for business continuity on management’s shoulders. The Business Continuity Planning booklet says:

"The board and senior management should assign knowledgeable personnel and allocate sufficient financial resources to properly implement an enterprise-wide BCP."

You might assume that assigning knowledgeable personnel (IT, risk management, infosecurity, etc.) is all you need to do to meet your obligations. However, in the Operations booklet, it’s clear who has ultimate responsibility:

"Senior management and the board of directors are responsible for ensuring IT operates in a safe, sound, and efficient manner throughout the institution."

Imagine your institution facing a failure of systems or operations. Maybe a fire wipes out a branch. Or maybe a ransomware attack encrypts all your systems — and your data backups. Can you state without hesitation that your business continuity strategy is adequate in situations like these? If it’s not, could you prove that you showed due diligence and were not negligent? Or would you, like Equifax’s ex-CEO, blame the failure on a single employee’s human error?

How Does Inadequate Business Continuity Affect You?

Your institution has given you responsibilities with the understanding that your successes and failures reflect on the bank. That includes failures related to business continuity that result in losses to the bank. These failures lead to bad publicity for the company and could possibly lead to Civil Money Penalties (CMPs) against you personally.
In an article on matters requiring board attention (MRBA), the FDIC says the most common issues over the past few years have been board and management related. The article states that evaluating a bank’s risk profile includes “the potential impact external threats could have on the bank’s operating environment.” It further notes that “the information technology (IT) environment remains a challenging area of business risk and warrants bank management’s oversight and continuing due diligence.”

One such case of an enforcement action against an individual for lack of oversight is a former executive vice president who received a $30,000 CMP. The FDIC determined that he’d breached his fiduciary duty by “failing to ensure his staff fully complied with the Bank Secrecy Act and regulations.”

If your bank is unable to appropriately respond to a disaster or other business interruption, you could be held legally responsible, according to Neil H. Kaufman, SVP and national BCP practice leader for a risk consulting firm. Kaufman says courts can use certain statutes as legal precedents. As an example, he cites an FFIEC circular stating that contingency planning requires an institution-wide emphasis.

If you’re found liable for a breach of fiduciary duty that causes a loss to the bank, you could be personally fined and have a blemish on your name for the rest of your career. Is that a risk you’re willing to blindly entrust to your personnel? Even the most talented employees are prone to error — especially if they aren’t accustomed to dealing with significant business interruptions day in and day out.

How to Protect Yourself and Your Bank

To protect your bank, career and reputation, start by following these steps:

  • Get involved in your business continuity planning process.
  • Familiarize yourself with the risks facing your business.
  • Make sure you’ve assigned roles and responsibilities to the right people.
  • Participate in business continuity tests and/or request a report of the test results and recommended remedial actions.

As you walk through these steps, you might find that it makes sense to outsource certain business continuity functions. A trusted technology service provider (TSP) can give you access to resources and expertise not available in-house. Additionally, a TSP that is experienced in handling business continuity events can help you mitigate areas of risk you might not have considered. You’ll also maximize your resources and allow your personnel to focus on their areas of expertise.

If your bank experienced an interruption, would you bet your reputation on the quality of your institution's business continuity response?
