Financial Continuity Planning, Or A BCP Addressing Financial Distress

Executive Summary:

Many financial firms are aware of the Business Continuity Planning (BCP) in relation to operational risk, but oddly enough no BCP exists for financial risk (despite the existence of living will, regulatory requirements for stress testing, and liquidity adequacy rules). Hence, the need to build a Financial Continuity Planning (FCP).

Instead of invoking a response to a natural or man-made event, the FCP will invoke when a legal entity or institution has a partial or complete financial failure. And, while BCP are focused on the critical resources required to run the business at a business process level, FCPs are focused on critical resources at a legal business entity level.

Financial Continuity Planning is an essential step in building a robust tail risk management architecture. But, as already mentioned in several previous articles, the key for such a framework is to have a FCP in conjunction with a risk mapping, an early warning system, and (reverse) stress testing tools.

We all know what Business Continuity means, right?

Business continuance (sometimes referred to as business continuity) describes the processes and procedures an organization puts in place to ensure that essential functions can continue during and after a disaster. Business continuance planning seeks to prevent interruption of mission-critical services, and to reestablish full functioning as swiftly and smoothly as possible.

Typically, in BCPs, the following risks are being assessed:

And, the following types of Business Impact Analysis are equally being conducted:

• Threat scenario impact analysis, whereby the overall impacts are assessed for each ‘threat scenario’ identified during the risk assessment;
• Technology impact analysis, whereby the time-dependent impact of loss of specific technologies or computer system is assessed across the organization. The principal objective is to determine the maximum downtimes for various technologies and the maximum data loss that can be tolerated.
• Business unit impact analysis, whereby the time-dependent impacts of an interruption in operations is assessed for each business unit. The primary objectives are to identify all essential functions, and to determine the maximum downtime for each function. The secondary objectives are to determine the minimum resources required to perform each function at an acceptable level, and to establish priorities for resumption of operations

Indeed, many are aware of the Business Continuity Planning (BCP) in relation to operational risk, but oddly enough no BCP exists for financial risk (despite the existence of living will, regulatory requirements for stress testing, and liquidity adequacy rules). Or, in other words, to have business continuity plan that focuses on financial crises.

Yes, there is the concept of Living Will, but that regulatory requirement is so cumbersome (several thousands of pages) that it is not as practical as a standard BCP would be. Hence, the need to bring to life a Financial Continuity Planning (FCP) tool.

So, in practice, what would be the distinction between a BCP and FCP?

1. While the Business Continuity Plans typically invoke in response to a natural or man-made event, these FCPs will invoke when a legal entity or institution has a partial or complete financial failure.
2. Business continuity plans are focused on the critical resources required to run the business at a business process level. FCPs are focused on critical resources at a legal business entity level.
3. Business continuity plans are executed by named business personnel who are aware of the functioning of the business and how to recover it. FCPs are executed by a combined team that includes internal and external (regulators, U.S. Trustees, and turnaround specialists) personnel working cooperatively with the institution’s key executives.

The bottom line? There is no reason to reinvent the wheel since most of the legwork and effort may have been completed through your business continuity planning team already. This is why business continuity team members should be pulled into the FCP process: they have a vast knowledge of how all this data fits together, and much of the necessary data already resides within their business continuity plans and business continuity management databases.

Establishing a partnership across your Risk Management, Finance, Legal, Business Continuity and third party regulatory advisors should take some of the pain out of developing and maintaining your FCP and adapting them to the inevitable changes in regulatory requirements. Why not investigate the reuse and repurposing of your business continuity data, planning tools, and software to save you time and money in preparing your company’s FCP?

Granted, quantification of financial exposure from extreme operational risk exists; however, no such measure is being used when extreme financial risks exist. While tail risk for operational business disruption is being measured, the effects from a business interruption arising from unexpected uncertain financial events are not being quantified. With such a BCP tool applicable to extreme financial risk, tail risk management aims at shielding the firm from a confidence crisis.

Now, while financial institutions could adopt best market practices from the manufacturing world, within the array of existing risk management areas credit, liquidity, capital and market risk would do well to learn from how operational risk is being managed.

Financial Continuity Planning is an essential step in building a robust tail risk management architecture. But, as already mentioned in several previous articles, the key for such a framework is to have a FCP in conjunction with a risk mapping, an early warning system, and (reverse) stress testing tools.

Again, a robust FCP is a result of an effective stress testing process. Financial firms have a tendency to build mild stress scenarios instead of extreme ones. In addition firms tend to be optimistic rather than pessimistic about their ability to sustain stress under different scenarios. Obviously, it is because there is a conflict of interest: business managers that are involved in the stress testing process will never search and try to uncover potential business weaknesses, as they prefer to mild stress tests that would demonstrate how resilient their business model is.

Business managers are optimists by the very nature of their job, and oddly enough this over-optimistic approach can be contagious even for the risk managers involved in the stress testing process. Solution? Assign the task of defining extreme stress scenarios to staff not directly involved in execution of the business activities, such as Internal Audit, Risk Management for example or even Finance.

In any case a strong FCP cannot be put into stone without credible extreme risk scenario building, and related early warning tools.