Welcome » IT Booklets » Business Continuity Planning » Board and Senior Management Responsibilities
A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes:
It is the responsibility of an institution's board and senior management to ensure that the institution identifies, assesses, prioritizes, manages, and controls risks as part of the business continuity planning process. The board and senior management should establish policies that define how the institution will manage and control the risks that were identified. Once policy is established, it is also important for the board and senior management to understand the consequences of these identified risks and support continuity planning on a continuous basis.
As part of their support for continuity planning, the board and senior management should assign knowledgeable personnel and allocate sufficient financial resources to properly implement an enterprise-wide BCP. A large, complex institution may need a business continuity planning department with a team of departmental liaisons throughout the institution. A smaller, less complex institution may only need an individual business continuity planning coordinator. Financial institutions may also choose to have a business continuity planning group or committee that meets regularly with the BCP coordinator to discuss various issues, such as policy changes, employee training, and test plans. Regardless of how personnel resources are allocated, financial institution management should establish roles, responsibilities, and succession plans for various operational disruptions, as they may affect business processes in different ways. The board and senior management should also allocate sufficient financial resources to cover the expenses associated with alternate processing arrangements, business recovery, and comprehensive insurance coverage..
The board and senior management are also responsible for ensuring that the BCP is independently reviewed by the internal or external auditor at least annually. The board and senior management should also review and approve the BCP, with the frequency based on significant policy revisions resulting from changes in the operating environment, lessons learned from BCP testing, and audit and examination recommendations. These review procedures will ensure a more complete validation of all aspects of the BCP planning and management processes.
Once the BCP has been approved, the board and senior management should ensure that a comprehensive business continuity training program has been established. As part of this process, they should ensure that employees understand their roles and responsibilities as defined by the BCP. Consequently, the board and senior management should oversee the development of the business continuity training program and ensure that existing and new employees are trained on a continuous basis. These training programs may include instructional classes, computer-based training, and hands-on experience using various testing methods.
To maintain the effectiveness of the BCP, the board and senior management should ensure that enterprise-wide BCP tests are conducted at least annually, or more frequently depending on changes in the operating environment. Formal procedures should be established for reporting the implementation of the testing program and test results to the board and senior management.
After the BCP is approved and tested, the board and senior management have an on-going responsibility to oversee critical business processes and ensure that the BCP is updated to reflect the current operating environment.