Ensuring resilience: Business continuity for financial services internal auditors
Compliance | July 01, 2024


Business continuity issues for banks can take many forms, often with significant impacts on operations and customer trust. For instance, the devastating impact of Hurricane Sandy in October 2012 forced banks such as Goldman Sachs and Morgan Stanley to activate their business continuity plans, including relocating critical staff and operations to backup sites, because of power outages and flooding around their New York headquarters. More recently, the COVID-19 pandemic in 2020 posed unprecedented challenges for banks globally, which had to rapidly transition a significant portion of their workforces to remote operations while managing an abrupt surge in digital banking usage. These examples underscore the critical need for robust business continuity planning so that banks can withstand and recover from diverse and unexpected disruptions.

This article addresses business continuity, its significance in the financial sector, and the essential components of robust business continuity management (BCM). It also provides internal auditors guidance on how to effectively audit BCM.

What is business continuity management?

The Federal Financial Institutions Examination Council (FFIEC) is an interagency body that sets uniform standards and principles for the federal examination of financial institutions. In the Business Continuity Management booklet of its IT Examination Handbook, the FFIEC states: “Business continuity management (BCM) is the process for management to oversee and implement resilience, continuity, and response capabilities to safeguard employees, customers, and products and services. Disruptions such as cyber events, natural disasters, or man-made events can interrupt an entity’s operations and can have a broader impact on the financial sector. Resilience incorporates proactive measures to mitigate disruptive events and evaluate an entity’s recovery capabilities.”

Business continuity is a proactive process designed to ensure that an organization can continue to operate and deliver critical services during and after a disruptive event. The goal of business continuity is to minimize the impact of these disruptions, ensuring that the organization can maintain essential functions and recover swiftly to normal operations.

The FFIEC’s BCM lifecycle diagram, found in the same Business Continuity Management booklet, maps out the lifecycle of robust business continuity management.

Benefits of business continuity in financial services

The financial services industry is particularly vulnerable to disruptions because of its reliance on technology and the critical nature of its services. For internal auditors, the following areas are important to consider during audit planning:

  • Operational resilience: Business continuity planning ensures that critical operations can continue despite disruptions. Reliable access to banking services lets customers manage their finances, make timely payments, and avoid the financial difficulties that service outages can cause. At the sector level, it is vital for the smooth functioning of financial markets and for preventing systemic risk.
  • Customer trust: Financial institutions handle sensitive information and process significant financial transactions. A disruption in services can erode customer trust and lead to substantial financial losses.
  • Regulatory compliance: Regulators and standard-setters, including the FFIEC (whose member agencies examine banks against its guidance) and the Financial Industry Regulatory Authority (FINRA), require financial institutions to maintain robust business continuity management, including documented plans and regular testing. Failure to comply can result in severe penalties and loss of credibility. The relevant sources are FINRA Rule 4370 (Business Continuity Plans and Emergency Contact Information) and the FFIEC IT Examination Handbook’s Business Continuity Management booklet.


Auditing business continuity management

Auditing BCM in financial services involves several key steps to assess the institution’s preparedness and resilience in the face of disruptions. While each audit will be unique to the size, complexity, and programs of the financial institution, the following general best practices apply:

  • Planning and scoping: Define the scope of the audit, including the specific BCM processes, systems, and departments to be reviewed. Establish audit objectives, criteria, and the methodology to be used. The detailed examination procedures in the FFIEC Business Continuity Management booklet are a helpful resource during audit planning, and the Institute of Internal Auditors Practice Guide for Business Continuity Management is also useful guidance.
  • Understanding the BCM framework: Review the financial institution’s BCM policies, procedures, and frameworks to understand how BCM is integrated into the overall risk management strategy. Ensure alignment with regulatory requirements and industry best practices. Determine whether the board and senior management promote effective governance of business continuity through defined responsibilities, accountability, and adequate resources to support the program.
  • Risk assessment and business impact analysis (BIA): Evaluate the effectiveness of the risk assessment and BIA processes. Verify that the institution has identified critical business functions, assessed potential risks, and determined the impact of disruptions on operations, including the recovery time and recovery point objectives set for each critical function. The BIA helps in understanding the financial and operational impacts of disruptions and sets the stage for developing effective recovery strategies. For instance, a major bank might identify its online banking system as a critical function, requiring specific recovery strategies to keep downtime to a minimum.
  • Review of BCM plans: Examine the business continuity plans (BCPs) to ensure they are comprehensive, up-to-date, and cover all critical business functions. Assess the adequacy of recovery strategies and procedures for different types of disruptions.
  • Testing and exercises: Assess the effectiveness of BCM testing and exercise programs. Verify that tests and drills are conducted regularly, involve the relevant stakeholders, and simulate realistic scenarios, including the cyber events (such as a destructive attack on core systems) that the FFIEC definition calls out alongside natural and man-made disasters. Review the results and the corrective actions taken based on these exercises, and confirm that open issues are tracked to closure.
  • Crisis management and communication: Evaluate the institution's crisis management and communication plans. Ensure there are clear protocols for internal and external communication during a disruption, including communication with customers, employees, regulators, and other stakeholders.
  • Training and awareness: Review the training and awareness programs to ensure that employees are knowledgeable about their roles and responsibilities in the BCM process. Verify that ongoing training is provided and that it is effective in preparing staff for potential disruptions.
  • Review of third-party dependencies: Assess how the institution manages third-party risks related to business continuity. Verify that critical third-party vendors and partners have their own robust BCM plans, that these are aligned with the institution’s requirements, and that the institution obtains evidence (such as test results or independent assessments) rather than relying on contractual assurances alone.
  • Monitoring and continuous improvement: Ensure that there is a process in place for ongoing monitoring and continuous improvement of the BCM program. Review how incidents and near-misses are tracked, analyzed, and used to improve the BCM framework. 
  • Reporting and documentation: Document findings, conclusions, and recommendations in a detailed audit report. Present the report to senior management and the board, highlighting any gaps or weaknesses and suggesting improvements to enhance the BCM program.

By incorporating these steps into a business continuity management audit, internal auditors can provide a reasonable assessment of the financial institution’s program and of whether it is robust, effective, and capable of protecting the institution and its customers during disruptions.

Conclusion

For internal auditors in the financial services sector, ensuring the strength of business continuity management is not just a regulatory requirement but a critical component of the organization's risk management strategy. A well-developed and regularly tested BCM enhances operational resilience, maintains customer trust, and ensures compliance with regulatory mandates. By focusing on key components such as risk assessment, recovery strategies, training, and communication, internal auditors can play a pivotal role in safeguarding their organizations against potential disruptions and ensuring a swift recovery when crises occur.


Sr. Director of Fintech Compliance
Dana Lawrence (CIA, CRMA, CFSA, CAMS, CRVPM, CCA) is the Sr. Director of Fintech Compliance at Pacific West Bank and Venture Partner at Purpose Built.