We had a great turnout for our weekly webcast yesterday, which was all about BCM for financial services. I especially want to thank Dan Minter from Equifax for co-presenting with me. Here's the link if you want to listen (Listen to the Recording) or see the presentation (View PDF). Dan also recently presented at the RSA Archer Roadshow, and here's his full presentation: Equifax BCM and RSA Archer presentation.
I had a few thoughts after the call that I wanted to talk about here. Isn't it nice when things fall into place or complement each other and make our lives easier? In a highly regulated industry like FS it feels at times as if regulations and regulators have different agendas, priorities and approaches - and sometimes they do. However, sometimes things line up nicely, as is the case with these authoritative sources we talked about on the webcast yesterday. These are just a few, but focus on the underlined wording:
- ISO 22301: A holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.
- FFIEC: Specifies that directors and managers are accountable for organization wide contingency planning and for timely resumption of operations in the event of a disaster.
- FDIC: ...perform an appropriate enterprise-wide business continuity risk assessment, which duly considers the results of the departmental business impact analyses.
So, here are a few points to consider. Have you ever had a hard time justifying your BCM program, its funding and its priority? These regulations, among others, each highlight the need for holistic, organizational, enterprise-wide resilience. Not a "check the box" program, but real strategies tied into those of the organization, with the priority and funding to build organizational recovery. I once consulted for a utility company that consistently included business continuity as one of its top ten strategic objectives for the year, and this was 10 years ago, before all of the attention BCM has started to get.
This leads into something else, which is the need to coordinate and leverage other related disciplines across your organization. For example, in your BCM program do you evaluate and account for risks that could result in a business disruption? Does your Enterprise Risk Management (ERM) function do the same? How about your loss prevention, reinsurance or legal groups, if you have them? Do you have anything in common with them? Would aligning with and leveraging these groups help you drive holistic, organizational and enterprise-wide BCM? I'd also venture to guess that the better the story you have around how your BCM function has coordinated, planned and tested with these other related groups, the better you'll fare in your next audit, not to mention how much better and stronger your BCM program will be.
My last point, and one that Dan hammered home on the webcast, is that your external partners have a vested interest in your organizational resilience, want to contribute to it, and are a critical part of your "holistic management process". Equifax showed us how their planning and BIA approach considers effects on their customers. Like those internal groups that also perform loss prevention, risk mitigation and other resilience-type activities, your external partners are a critical piece of the puzzle and an integral part of your contingency planning activities.
In closing, and not just to adhere to a methodology or regulation, let's think holistically about organizational resilience. There are lots of critical dependencies and intersections you'll come across. Look for them and build them into your enterprise-wide recovery program. You'll have a much stronger approach, and your recovery results will show it!