By failing to prepare, you are preparing to fail, said Benjamin Franklin. Two centuries later, this quote continues to resonate with many, especially in the business world. It has, for instance, been estimated that 75% of companies without business continuity planning fail within three years of a natural disaster (see FEMA Grant to Create Economic Recovery Training Program for US Businesses.)
With such a high failure rate, how should one go about preparing its organization for the unexpected? This article aims to answer this question by reviewing Canada’s business continuity regulatory landscape, referencing standards and guidelines in the financial services sector from several of Canada’s federal and provincial regulatory agencies.
Business Continuity Policy
It all starts with a business continuity policy. The Financial Market Authority in Quebec (AMF in French) provides a comprehensive guideline as to what should be included in a “sound and prudent business continuity management” (BCM) policy:
- Responsibility of the board and senior management: The AMF expects that the board of directors approves the BCM policy and appoints a member of senior management to oversee BCM. This executive should ensure the effectiveness of the program and promote BCM within the organizational culture. He/she should report to the board and participate in the resumption of activities after major business continuity incidents. He/she should also ensure that necessary resources are allocated to the BCM program.
- Roles and responsibilities (R&Rs): The R&Rs of all parties involved in the business continuity management process are to be defined and documented. The three lines of defense model developed by the Institute of Internal Auditors provides a framework for this assignment. The first line is composed of business line managers involved in the delivery of products and/or services. The second line, made of business continuity practitioners, is to provide assistance with managing continuity risks. The third line, made of internal auditors, is to provide independent quality assurance of the BCM program.
- Training and awareness: Employees should be properly trained on their roles as it pertains to business continuity. Employees with primary recovery responsibilities should be trained to develop automatic reflexes and deep understanding of the business continuity process.
- Testing: The AMF expects “modular testing at various intervals and on a regular basis” of an organization’s business continuity and disaster recovery plans. Such exercises should aim to verify the organization’s capacity to recover its operations and the time required to do so. In this sense, the Montreal Exchange requires that business continuity tests be carried out at least on an annual basis (See Rules of the Montréal Exchange. Article 3,102). Moreover, though not mandatory for all financial institutions, it is recommended to participate in industry-wide business continuity testing like the one organized every two years by the Canadian Investment Regulatory Organization (CIRO).
- Risk assessment: The AMF expects that the organization identifies major incidents with the potential for operational disruptions. These incidents are to be assessed based on their likelihood of occurrence and the potential impacts to the organization. Factors to consider when assessing probable incidents include geographical location, potential duration of impacts, predictability, and propagation speed.
- Business Impact Assessment (BIA): The BIA is the “foundation for a effective and efficient Business Continuity Plan (BCP) and Disaster recovery plan (DRP).” As explained by Deloitte, the BIA allows the organization to determine its critical activities and gather detailed information about the key resources (facilities, equipment, technology, human resources, dependencies, and vital documents) that support those activities. The business continuity policy is to provide the scope of the BIA, the risk categories to be assessed in the BIA as well as the frequency at which the BIA should be conducted.
- Business Continuity Plan (BCP): The BCP provides the recovery strategies and documents the resources needed for resumption following a business disruption. It needs to be practical and updated regularly. Some of the recovery strategies to be considered in the development of the BCP include establishing a business recovery site to be used in the event of a loss of access to the business’s primary work facilities. Additionally, a disaster recovery site where core IT infrastructures can be failed over to, in the event of a loss of the primary data center, is to be considered. A succession plan with a skills matrix also needs to be developed to address potential human resources risks especially during pandemics situations. The business continuity policy ought to provide the general framework upon which the BCP is to be built.
- Crisis Communication Plan: The BCP policy should reference a communication plan that is to accompany the business continuity plan during a crisis. The communication plan sets guidelines in interacting with the media, emergency services, partners, and suppliers.
Third Party Risk Management (TPRM) Policy
The Office of the Superintendent of Financial Institutions (OSFI) in its B-10 guideline published in April 2023, provides a comprehensive framework of the continuity risks that are to be monitored as part of the organization’s TPRM policy.
- Pre-contractual due diligence: OSFI expects the business continuity and disaster recovery plans of third parties to be examined before any relationship agreement. These plans must be checked for quality and the frequency at which they are tested. The goal is to assess whether the third party has the capability to provide critical services following a disruption. Moreover, the continuity risks stemming from the third party’s subcontractor relationships must also be monitored. It is to be determined whether these relationships provide any concentration risks for the organization. Depending on the criticality of the service, joint design and testing of continuity plans must also be considered.
- Ongoing due diligence: The third-party risk management process must not stop after the signing of the contract. Ongoing due diligence is required to ensure that the third party maintains its business continuity capabilities. Contractual agreements should, therefore, require at minimum that the third party’s continuity and disaster recovery plans be tested regularly. The results of those tests along with plans to address any material deficiencies must be promptly communicated and reviewed.
- Recovery & Exit Strategy: In addition to ensuring that third parties have sound continuity plans, organizations must ensure that their own business continuity plans address scenarios where critical third parties could become unavailable during extended periods of time. The organization must also document exit strategies providing information about alternative suppliers, potential cost, and timeline for replacement.
Conclusion
In summary, to prepare for operational disruptions and unexpected business events, an organization needs at least a sound and prudent business continuity management policy supplemented by a third-party risk management policy.
The business continuity policy provides the general framework that helps the organization in identifying its critical activities and documenting the resources and strategies needed to keep the organization afloat during periods of operational disruptions. The third-party risk management policy provides a framework to manage and minimize continuity risks stemming from third party contractual arrangements.
As shown by the COVID 19 pandemic, only organizations who prepare for the unexpected fare well during times of crisis. Quoting Benjamin Franklin, diligence indeed is the mother of good luck.
This article is geared toward business continuity practitioners and people with working knowledge or interest in the industry. This publication is made in my name and is not endorsed by any organization or institution that I may be affiliated with.
Max Veve is a certified business continuity professional with experience in Business Continuity Management, Disaster Recovery, and Third Party Risk Management in the financial and extractive industries (Oil & Gas and Mining).
He is currently the Business Continuity Manager for Societe Generale’s Canadian division.