Business Continuity Planning Booklet

From HORSE - Holistic Operational Readiness Security Evaluation.
Jump to navigation Jump to search

Business Continuity Planning

Institutions should conduct Business Continuity Planning (BCP) on an enterprise-wide basis. In enterprise-wide business continuity planning an institution considers every critical aspect of its business in creating a plan for how it will respond to disruptions. It is not limited to the restoration of information technology systems and services, or data maintained in electronic form, since such actions, by themselves, cannot always put an institution back in business. Without a BCP that considers every critical business unit, including personnel, physical workspace, and similar issues, an institution may not be able to resume serving its customers at acceptable levels. Institutions that outsource the majority of their data processing, core processing, or other information technology systems or services are still expected to implement an appropriate BCP addressing the equipment and processes that remain under their control.

Institutions should also recognize their role in supporting systemic financial market business processes (e.g., inter-bank payment systems, and key market clearance and settlement activities) and that service disruptions at their institution may significantly affect the integrity of key financial markets. It is advisable for all institutions to work with affected interdependent parties to coordinate BCP development and testing. Financial institutions that play a major role in critical financial markets should have robust planning and coordinated testing with other industry participants.

Critical markets include, but may not be limited to:

  • Federal funds markets
  • Foreign exchange
  • Commercial paper
  • Government
  • Corporate
  • Mortgage-backed securities.


Firms that play significant roles in critical financial markets are those that participate in sufficient volume or value such that their failure to perform critical activities by the end of the business day could present systemic risk. The agencies believe that many, if not most, of the 15-20 major banks and the 5-10 major securities firms, and possibly others, play at least one significant role in at least one critical market. In the context of sound practices, some of the agencies are considering the benefit of providing additional guidance to help firms identify the category into which they fall for the specific activities they perform.

Institutions not directly participating in critical financial markets, but nonetheless performing financial services or supporting financial market activities deemed critical to regional or national financial sectors, are also expected to establish BCPs and recovery capabilities commensurate with their role. Smaller, less complex institutions generally do not need the same level of planning, but are expected to fulfill their responsibility by developing an appropriate BCP and periodically conducting adequate tests.

Management should update BCPs as business processes change. For example, financial institutions of all sizes are increasingly relying on distributed network solutions to support business processes. This increased reliance can include desktop computers maintaining key applications. While distributed networking provides flexibility in allowing institutions to deliver operations to where employees and customers are located, it also means that end-users should keep BCP personnel up-to-date on what constitutes current business processes and significant changes. Technological advancements are allowing faster and more efficient processing, thereby reducing acceptable business process recovery periods. In response to competitive and customer demands, many financial institutions are moving toward shorter recovery periods and designing technology recovery solutions into business processes. These technological advancements increase the importance of enterprise-wide business continuity planning.

The adoption of a process-oriented approach to business continuity planning is advised that involves:

  • Business impact analysis (BIA)
  • Risk assessment
  • Risk management
  • Risk monitoring


This framework is usable regardless of the size of the institution. Business continuity planning should focus on all critical business functions that need to be recovered to resume operations. Continuity planning for technology alone should no longer be the primary focus of a BCP, but rather viewed as one critical aspect of the enterprise-wide process. The review of each critical business function should include the technology that supports it.

See Also

Business Continuity Management

Resources