Regulator Comment on Your Business Continuity Plan? Here’s What You Should Do Next

Your regulator has just provided commentary on your Business Continuity Plan (BCP). Now what?

This article will help you determine where to start and what to consider to create remediation items within your plan efficiently and effectively. 

The Remediation Process:

When a regulator gives your organization comments, your first step will be determining and committing to a remediation plan for those issues. A regulator will need to see that you are quickly addressing your plan’s gaps, even if resource constraints prevent you from remedying them immediately.

This remediation plan must have a reasonable timeframe to address the issues mentioned in the regulator’s comments. Completing all remediation items within your plan could happen immediately or take several months; either way, you must state the timetable clearly if you want regulators to accept your plan.

The methods used for remediation items within your plan must also be explained. For instance, a common regulator comment might focus on inadequate personnel recovery steps within your Business Continuity Plan (BCP). Your organization, if given this feedback, has a few different options. 

  1. Establish an alternative site for your workers to meet if their primary site is down; or
  2. Build into your plan the opportunity for your employees to work from home until the initial site is online again.

Here are some key things to consider:

  • What are the challenges your organization and employees would face with each option? 
  • What works best for your organization’s structure and budget? 
  • How, and by how much, does each option minimize the effect of downtime and loss within your institution?

While both choices are solutions to the comment, explaining the rationale behind your choice will ensure that your regulator knows you are making these decisions to satisfy the remediation item and better protect your business, staff, and clients.

Use your resources to improve your BCP 

Your Business Impact Analysis and Risk Assessment give your organization all the data it needs to find solutions to regulator concerns. Using these tools also lowers the likelihood of regulator comments in the future.

  • Your Business Impact Analysis holds inventories of all people, processes, and products your organization needs and produces. 
  • Your Risk Assessment determines the likelihood of interruption to these assets’ ability to conduct “business as usual.” 

Integrating those two pieces of information to build your Business Continuity Plan (BCP) helps ensure that you have addressed each of the critical resources and processes that keep your institution running, or that get it back up quickly in the event of an outage.

Assess your organization’s future approach to Business Continuity Planning (BCP)

It is important to remember that while there are a few different reasons your Business Continuity Plan might warrant remediation items, each one stems from the answer to a very important question: What is your Business Continuity Plan designed to do? 

  • Reactive BCP: If your institution views your BCP as a compliance requirement that needs to be addressed for your regulators, you are thinking more reactively. In this case, you are more likely to have gaps that endanger the success of your plan. This thinking usually results in additions to the plan that can cause inefficiencies across the team, duplication of efforts within your plan, and difficulty scaling as your institution changes. 
  • Proactive BCP: Regulators are starting to look for more robust and strategic Business Continuity Plans. Examples of these expectations include more frequent and dynamic testing within your organization and more specific third-party service provider contingency planning considerations. 

Business Continuity Planning is becoming more comprehensive due to changing regulatory mandates. Moving to a more complete and strategic approach to your BCP will align your organization with your regulator’s expectations. Business Continuity Plans are less likely to be successful if your organization focuses solely on meeting the minimum regulatory requirements. 

Did your organization recently receive a regulatory comment on its BCP? Do you need help remediating the issue and implementing processes to ensure that similar issues won’t pop up again?

WolfPAC has the tools, technologies, and experts to help. Reach out today to speak with one of our world-class BCP experts.