2015 was a groundbreaking year for business continuity regulators and that makes 2016 a key year for compliance modifications.
What happened? Well, 2015 was the culmination of many variables:
Threats increased. Whether it’s our awareness or the actual activities themselves, there is more responsibility and accountability to guard against threats to operations risk than ever.
Marketplace tolerance exceeded the breaking point. The bar had been raised so high for banks that many vendors were noticeably below standard. So far below that when the dam broke (literally), the regulators got involved, resulting in documents like Appendix J and the Cybersecurity Assessment Tool.
Time to revise the FFIEC Handbooks was up. The previous edition was beyond end of life. The industry had advanced beyond what the previous editions covered. Several have been updated and more are to come. Changes include incorporation of cybersecurity concepts as a part of information security, advancement of management-related concepts and IT risk-management as a part of enterprise-wide management.
Here’s where to put your resources in order to maintain compliance and create value in 2016:
Leadership Denotes Character
The old saying goes, “the fish stinks from the head down,” and examiners are more than casually aware of this. There is no one more accountable than the board of directors. Unfortunately, there is often no one less clued in. Fiduciary relationships – those where the board member must act in the best interest of the bank before himself – are not taken lightly in the eyes of the regulators. If your employees aren’t demonstrating healthy business behavior, the responsibility lies squarely on the shoulders of the board. This is a big jump up from what’s been enforced in the past.
Don’t expect your board to know it all right now, but do find resources for coaching and basic training immediately. Work with your board to build their capacity and understanding so that they will have the resources to make the best decisions for the clients to whom they are held responsible. There’s no plea of ignorance as a board member. Those who don’t take fiduciary duty seriously have gone to prison and paid hefty fines. 2015’s fines were in the billions.
In case you missed its release, the FFIEC developed the Cybersecurity Assessment Tool to help institutions identify their risks and determine their cybersecurity preparedness. While you’ll probably be fine not acing the test on the first go-around, you must have a working knowledge that exceeds “familiar with the Assessment”. Where do you currently score and how are you working to upscale your security? Take the time to find out. Give the executive officers and directors the Overview and get to work on the profile. You’ll be glad you didn’t wait!
Lest you confuse all this work for a waste of time, think again! You’re actually securing the value of your organization. The FFIEC has released several statements to help clarify the threats and best practices.
Supply Chain Management
Move over, Vendor Management. Banking is a business and it knows how it creates value. In order to maintain those performance indicators, banks know what and who they depend on to get the job done. Vendor relationships go far beyond a handshake these days. Trust must be proven, and a relationship that will make it through any storm is a must; Appendix J gives you four specifics. Though it outlines details for technology service providers (TSPs), it’s smart to apply this document to all critical service providers.
2016 calls for forms that standardize processes, develop information, measure impact and progress and are regularly used. What you don’t measure you can’t manage and evidence of that measuring is always in writing. Whether you have a top level software package with pre-populated templates or 3-ring binders and loose leaf paper, the value comes from keeping all that data organized and accessible. As long as you’re thorough and consistent, you’re doing it the right way.
Plan for the Future
Keep your vision clear – compliance is a small part of a bigger picture. Don’t shrink your standards by confining the scope to small parts. The planning process is an investment in the future value of the institution. It brings vision and hope. Have a vision and plan for long-term congruence in 2017 and beyond, and share it with everyone from the tellers at the drive-thru to the board as often as possible.
You’ve got something important you’re protecting! When you require more assistance don’t forget there are specialists who have traveled this road before. Give us a call and we’ll guide you in the right direction.
Continuity management has long been tied to disaster planning and crisis response as fundamental to emergency planning but the reality is: If you’re just practicing business continuity to survive you’re never going to get much out of it.
The key to effective value creation from continuity management is a strategy that builds on how the day-to-day business is designed to create value. Today’s global market puts us all in crisis. Corporate directors are in jail. Cyber terrorists can easily hide across borders around the world yet still access information kept locked away. States and countries declare bankruptcy. Instability is everywhere.
Businesses are so interdependent on one another that supply chain and technology are complex grey zones of value and accountability. The bottom line is the business needs to create value to survive. Maybe value means money, maybe it’s customer satisfaction or maybe it’s serving its nonprofit goal. Regardless, the creation of that value must be the crux of your resilience plans.
One of the most common misconceptions of business continuity planning is that it starts with a disaster and in a lucky world no one would need a plan. Luck favors the prepared. A business with a healthy continuity management program doesn’t just survive crisis; it thrives daily. The reality of the business world is that every day is more complex and risk loaded. In order to work toward corporate maturity and institutionalization of the systems that create value you have to structure and live your plan.
Fantastic way to exercise your plans!
Pablo Suarez (associate director of programmes at the Red Cross/Red Crescent Climate Centre) was kind enough to drop us a note highlighting some of the work that they have been doing over the past few years using serious games to highlight and address the humanitarian consequences of climate change and extreme weather events. Some of this work has been done in conjunction with the PETLab at the Parsons—The New School for Design, who have also put together a website (here) devoted to this particular case of “developing public interest games for better crisis-decision-making.”
* * *
Weather or Not is a simple game where participants are given the probability of a major storm, and then must decide whether or not to pre-position relief supplies. If they DO and there IS a flood (or if they DON’T, and there is NO flood) all is good. However if they DO and…