Dear CRO,
As the Chief Risk Officer (CRO) in a financial institution, your role is more crucial than ever. Business Continuity Management (BCM) has become an integral part of the CRO's purview, ensuring that financial institutions can withstand disruptions, whether they result from natural disasters, cyberattacks, or many other unavoidable events and their impacts.
Regarding natural disasters, research has established a link between global warming and the increasing intensity of storms, droughts, and wildfires. Additionally, deforestation, droughts, and fracking have heightened the risk of landslides and earthquakes in affected areas, emphasizing the connection between climate change and natural disasters. This trend is expected to worsen in the coming decades, with record-breaking temperatures becoming more common.[1]
The financial impact of cybercrime – inclusive of theft, embezzlement, data hacking and destruction – is up 600% and, with a growth rate of 15% YoY, is estimated to cost companies worldwide $10.5 trillion annually by 2025.[2]
In the world of risk, where numbers and forecasts reign supreme, let's not forget to sprinkle a little mischief into the mix. After all, what's life without a dash of unpredictability?
Sincerely,
The Inevitable
Here's why every financial institution CRO needs to prioritize BCM:
1. The BCM Lifecycle: BCM follows a systematic lifecycle that encompasses risk assessment, planning, implementation, monitoring, and continuous improvement. This comprehensive approach forms the foundation of resilience, enabling financial institutions to continue business as usual in the face of various challenges and uncertainties.
2. Key Elements of a Successful BCM Program: Compliance with regulatory frameworks, senior management involvement, employee training, and robust cybersecurity are essential elements of a thriving BCM program. As the world grows more interconnected, the ability to adapt and respond to disruptions is essential for financial institutions to maintain stability and protect stakeholders.
- Just one hour of downtime can cost small businesses $10,000, and for larger companies, it can exceed $5 million.
- 9 in 10 small companies may permanently close if they can't resume operations within 5 days after a disaster.
- During the COVID-19 pandemic, 100,000 small businesses in the U.S. were forced to close permanently.
- A break in continuity can cost $10,000 per hour at a minimum.
- 51% of companies worldwide do not have a business continuity plan.
- 1 in 5 SMB executives do not have a recovery plan, often due to resource and budget constraints.
4. Multifaceted Challenges: The challenges presented by small business statistics during disruptions include heightened default risk, effects on credit risk assessment, impacts on insurance and risk mitigation processes, and repercussions on investment decisions and portfolio strategies. Economic consequences from small business disruptions affect financial institutions' lending, investment, and risk management practices.
The Way Forward
To navigate these challenges, financial institutions must rigorously assess risks, encompassing threats from natural disasters, cyberattacks, operational shortcomings, and evolving regulations. A thorough Business Impact Analysis (BIA) is essential to evaluate potential disruption impacts on critical business functions.
- Basel III Framework mandates robust BCM processes.
- The Dodd-Frank Act mandates recovery and resolution plans.
- International standards like ISO 22301 and ISO 27001 provide global best practices.
Key best practices include senior management involvement, employee awareness and training, redundancy and diversification to reduce single points of failure, robust cybersecurity measures, and extending BCM to third-party vendors.
Financial institutions should implement redundancy and diversification in critical systems and processes to reduce single points of failure, including data centers, communication channels, and supply chains. Robust cybersecurity measures are integral to BCM, given the increasing threat of cyberattacks. Moreover, financial institutions should ensure that third-party vendors also have a robust continuity management framework in place.
The most recent business continuity statistics highlight an ongoing trend of disruptions, underscoring the importance of a strong business continuity plan and dependable BC/DR technologies. CROs play a vital role in safeguarding the institution's stability and protecting stakeholders, making BCM an indispensable pillar of the financial sector.
[1] https://www.noaa.gov/education/resource-collections/climate/climate-change-impacts
[2] https://cybersecurityventures.com/cybersecurity-almanac-2023/