What are the key elements of a business continuity plan and how does it relate to operational resilience?
FRM II covers business continuity planning (BCP) under operational risk. I understand it's about keeping critical functions running during disruptions, but what are the specific components regulators expect, and how has the concept evolved toward 'operational resilience'?
Business Continuity Planning (BCP) is the process of preparing for, responding to, and recovering from disruptive events that could prevent a firm from performing its critical business functions. Post-2020, regulators have expanded BCP into a broader concept called 'operational resilience.'
Core BCP Components:
- Business Impact Analysis (BIA)
  - Identifies critical business services and functions
  - Determines Maximum Tolerable Downtime (MTD) for each function
  - Establishes Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)
  - Maps dependencies (systems, personnel, third parties, data)
- Risk Assessment
  - Identifies threats: natural disasters, cyber attacks, pandemics, infrastructure failures, vendor outages
  - Assesses likelihood and potential impact of each threat
  - Prioritizes scenarios for detailed planning
- Recovery Strategies
  - Alternate processing sites (hot, warm, cold sites)
  - Data backup and restoration procedures
  - Workforce relocation or remote work capabilities
  - Communication plans (internal and external)
  - Vendor contingency arrangements
- Plan Documentation and Maintenance
  - Written procedures for each critical function
  - Contact lists, escalation matrices, decision trees
  - Regular updates (at least annually and after significant changes)
- Testing and Exercises
  - Tabletop exercises (walk-through discussions)
  - Functional tests (testing specific recovery procedures)
  - Full-scale simulations (end-to-end recovery testing)
  - Testing frequency: at least annually for critical functions
From BCP to Operational Resilience:
Traditional BCP focuses on recovering FROM disruptions — getting back to normal after an event. Operational resilience focuses on operating THROUGH disruptions — maintaining critical services even during stress.
| Feature | Traditional BCP | Operational Resilience |
|---|---|---|
| Focus | Recovery after disruption | Continuity during disruption |
| Starting point | Internal processes | Critical business services |
| Scope | IT and operations | End-to-end service delivery |
| Tolerance | RTO/RPO targets | Impact tolerances (customer-facing) |
| Testing | Can we recover? | Can we stay within tolerances? |
| Third parties | Vendor contingency | End-to-end supply chain resilience |
Regulatory Expectations (Key Jurisdictions):
- UK PRA/FCA: Important Business Services must have defined impact tolerances and be able to remain within them during severe but plausible scenarios
- US (OCC/Fed/FDIC): Sound practices for operational resilience, emphasis on third-party risk and cyber resilience
- Basel Committee: Principles for Operational Resilience (2021) — seven principles covering governance, risk management, BCP, dependencies, and testing
Exam Tip: FRM II tests the difference between traditional BCP (recovery-focused) and operational resilience (continuity-focused), and the key components like BIA, RTO/RPO, and testing requirements.