Business Continuity Plans for Banks

Business continuity is a concept that refers to the planning and preparation to make sure a company overcomes serious incidents or disasters and resumes its normal operations within a short period of time. This concept includes the following key elements:

  • Resilience: critical business functions and the supporting infrastructure must be designed in such a way that they are materially unaffected by relevant disruptions, for example through the use of redundancy and spare capacity.
  • Recovery: arrangements have to be made to recover or restore critical and less critical business functions that fail for some reason.
  • Contingency: the organization establishes a generalized capability and readiness to cope effectively with whatever major incidents and disasters occur, including those that were not, and perhaps could not have been, foreseen. Contingency preparations constitute a last-resort response if resilience and recovery arrangements should prove inadequate in practice.

Typical disasters that business continuity addresses include fires, floods, accidents caused by key people, server crashes or virus infections, insolvency of key suppliers, negative media campaigns, and market upheavals.

In 2004, the Securities and Exchange Commission approved NASD Rules 3510 and 3520 and NYSE Rule 446, which require member firms to create and maintain business continuity plans. NASD Rules 3510 and 3520 have since been superseded by FINRA Rule 4370. In accordance with these rules, a business continuity plan will enable the firm to continue its business in the event of a significant business disruption or, in the alternative, conduct an orderly wind-down of operations.

Effective business continuity measures are critical for any business entity. A bank must be committed to protecting its staff and ensuring the continuity of critical businesses and functions in order to protect the bank franchise, mitigate risk, safeguard revenues and sustain both a stable financial market and customer confidence. The development, implementation, testing and maintenance of an effective global Business Continuity and Disaster Recovery program are required to sustain these objectives.

The business continuity planning process includes developing strategies for the resumption of critical business processes and the technical recovery of critical information systems supporting those functions. A bank should approach business continuity planning as a bank-wide responsibility that should prioritize business objectives. Business continuity planning should consider how essential processes, business units, departments, and information systems will contribute to a coordinated response to a bank-wide disruption. The approach should include plans for both short-term and long-term disruptions and recovery operations. A tight integration of the institution’s overall planning process with that of the individual business units’ plans for resumption of essential processes is critical for business resumption and recovery. Bank senior management should set the tone at the top that business continuity is everyone’s responsibility and not just an information technology (IT) issue handled by the IT function.

Fusion Risk Management, a leading provider of business continuity and risk management solutions agreed to share the following case study with Brilliance Security Magazine to help our readers better understand what to look for in a bank business continuity plan.

FRM TBK Case Study Final


Ten key areas that FINRA and NYSE state must be addressed:

  1. All mission-critical systems – systems that are necessary, depending on the nature of a member’s business, to ensure prompt and accurate processing of securities transactions, including, but not limited to, order taking, order entry, execution, comparison, allocation, clearance and settlement of securities transactions, the maintenance of customer accounts, access to customer accounts and the delivery of funds and securities.
  2. Financial and operational assessments – written procedures that allow a firm to identify changes in its operational, financial, and credit risk exposures. Operational risk focuses on the firm’s ability to maintain communications with customers and to retrieve key activity records through its “mission-critical systems.” Financial risk relates to the firm’s ability to continue to generate revenue and to retain or obtain adequate financing and sufficient equity. Firms may also face credit risk (e.g., where its investments may erode from the lack of liquidity in the broader market), which would also hinder the ability of the firm’s counter-parties to fulfill their obligations.
  3. Alternate communications between customers and firm – alternate means of communications that a firm will use to communicate with its customers in the event of a significant business disruption.
  4. Alternate communications between the firm and its employees – alternate means of communications that a firm will use to communicate with its employees in the event of a significant business disruption.
  5. Alternate physical location of employees – alternate locations must be designated for employees, including key personnel that have been identified to assist in the resumption of business operations.
  6. Critical business constituents, banks, and counter-party impact – effect a significant business disruption will have on a firm’s relationship with its critical business constituents, banks, and counter-parties, and how it will deal with those impacts.
  7. Regulatory reporting – available means a firm can use to continue its compliance with regulatory reporting requirements.
  8. Communications with regulators – communication with regulators through whatever means are still available, including the designation of business continuity plan contacts with FINRA to assist in these communications.
  9. Providing customers prompt access to their funds and securities – measures a firm will use to make customer funds and securities available to customers in the event of a significant business disruption.

Steven Bowcut, CPP, PSP is the Editor-in-Chief for Brilliance Security Magazine