Business Continuity Plan Template for Financial Services: What Regulators Actually Check
TL;DR
- The FFIEC’s 2019 Business Continuity Management booklet shifted the standard from plan-in-a-binder to enterprise-wide operational resilience — if your BCP is still a dusty Word doc, it will not survive an exam.
- Regulators check six specific things: governance, BIA, resilience strategies, testing, third-party continuity, and reporting to the board. Most MRAs hit on testing gaps and stale BIAs.
- A defensible BCP requires documented RTOs and RPOs for every critical process, at least annual testing with documented results, and a board report that shows senior leadership is actually engaged.
July 19, 2024: A faulty CrowdStrike software update pushed to 8.5 million Windows devices worldwide. Banks couldn’t process transactions. Trading platforms went dark. ATM networks failed. Fortune 500 companies collectively absorbed $5.4 billion in losses — and only 10-20% of that was insured.
The organizations that recovered fastest weren’t the ones with the most IT staff. They were the ones with tested, current business continuity plans that included third-party outage scenarios.
If that incident exposed gaps in your continuity program, you’re not alone — and you’re probably not ready for your next exam either. Here’s how to fix that.
Why “Business Continuity Planning” Is Now “Business Continuity Management”
That name change matters. In 2019, the FFIEC updated its IT Examination Handbook and deliberately renamed the Business Continuity Management booklet from “Business Continuity Planning” — and the shift wasn’t cosmetic.
The old model: write a plan, put it on a shelf, dust it off before exams.
The new model: build an enterprise-wide capability that integrates business operations, technology, third parties, training, and governance. BCM is a continuous program, not a document.
The revised booklet focuses on resilience — the ability to avoid disruptions entirely, not just recover from them. Examiners now look for evidence that management is running BCM as an ongoing discipline, not treating it as an annual checkbox.
Institutions subject to these standards include national banks and federal savings associations (OCC), state member banks (Federal Reserve), FDIC-supervised institutions, credit unions (NCUA), and non-bank financial companies. That covers most of the industry.
What Regulators Actually Look At (The 6-Area Framework)
Before you start building or rebuilding your BCP, understand what examiners are grading. The FFIEC BCM booklet structures its exam around six components. Every one of these will get scrutiny:
| BCM Component | What Examiners Look For | Common MRA Triggers |
|---|---|---|
| Governance | Board-approved policy, documented roles, BCM officer | No board policy; unclear ownership |
| Business Impact Analysis (BIA) | Current BIA with RTOs/RPOs for all critical processes | BIA older than 12-18 months; missing systems |
| Resilience Strategies | Documented strategies for each critical function | Plans that don’t match current operations |
| Testing & Exercises | Annual tests, documented results, remediation tracking | Tabletop only, no actual failover tests |
| Third-Party Continuity | Vendor BCP reviews, contractual requirements | No vendor BCP assessments; reliance on CSP without review |
| Reporting | Board/senior management reports with metrics | No evidence board receives BCM updates |
The two areas that generate the most MRAs: testing gaps and stale BIAs. More on both below.
Step 1: Build a Current Business Impact Analysis
The BIA is the foundation. Everything else — your recovery strategies, your RTOs, your resource requirements — flows from it. A BIA that’s two years old is a liability, not an asset.
What a solid BIA covers:
Critical process inventory. List every business function the institution needs to serve customers and meet regulatory obligations. At a community bank, this includes deposit processing, loan origination, payments (ACH/wire), customer service, and reporting. At a fintech, it might include your payment API, fraud decisioning engine, and customer onboarding workflow.
Recovery Time Objective (RTO). The maximum tolerable downtime for each function. How long can you be down before customers are materially harmed, you violate regulatory requirements, or reputational damage becomes severe? For wire transfers at a bank: maybe 4 hours. For a consumer lending platform’s application portal: maybe 24-48 hours.
Recovery Point Objective (RPO). The maximum tolerable data loss. If your core banking system fails right now, how old can your most recent backup be? For most transactional systems, the RPO is measured in minutes or hours, not days.
Financial and operational impact quantification. Don’t just say “high impact.” Quantify it. “A 4-hour outage during peak processing costs approximately $X in transaction fee revenue, affects Y customers, and triggers mandatory notification under Z regulation.”
Dependencies. What does this function need to work? Technology systems, staff, facilities, third-party services, utilities. If your ACH origination depends on a single vendor’s API and that vendor goes down, your RTO is actually constrained by their recovery time — not yours.
Sample BIA format for a critical process:
Process: ACH Origination
Business Owner: VP Operations
RTO: 4 hours
RPO: 1 hour
Critical Dependencies: Core banking system, ACH processor (Vendor: XYZ Corp), network connectivity
Financial Impact (4-hr outage): ~$45,000 in fee revenue; 2,400 customers affected
Regulatory Trigger: NACHA rules require member notification if processing delayed >X hours
Backup Strategy: Secondary ACH processor on contract; manual entry capability for critical batches
Run your BIA annually, or any time a major system, vendor, or business process changes. If you acquired a new product line, added a critical vendor, or moved to cloud infrastructure, your existing BIA may already be wrong.
Step 2: Define Your Recovery Strategies
Once you know your RTOs and RPOs, you need documented strategies for actually hitting them. This is where most BCPs get vague — and where examiners push back.
A recovery strategy isn’t “move to backup site.” It’s:
- Which backup site? Where is it located? How far from primary (examiners want geographic separation)?
- How long does the failover actually take? Have you measured it?
- Who authorizes the failover decision, and who executes it?
- What’s the communication sequence — internal staff, customers, correspondent banks, regulators?
- What systems are restored first, and in what order?
Recovery strategies by function type:
Technology/IT systems: Define your recovery architecture. Active-active (highest resilience, highest cost), active-passive, or cold standby. Know your actual RTO for each configuration based on tested failover times, not vendor-claimed SLAs.
Facilities/physical space: If your primary office is inaccessible (flood, fire, building failure), where do employees work? Work-from-home capability became the default post-2020, but it needs to be in your plan — with documentation that remote access is tested, VPN capacity is sufficient, and that critical functions can actually be performed remotely.
Key personnel: What happens if your CFO, CTO, or head of operations is unavailable during a crisis? Document succession — not just for the executive team, but for the people who actually run the critical systems. Who else knows how to do the wire transfer reconciliation at 4 PM?
Third-party failures: The CrowdStrike incident was a third-party failure — and most BCPs hadn’t modeled it. For each critical vendor, document: what happens if they go down? Do you have a backup vendor? Can you operate manually in the interim? What’s your SLA/contract say about their recovery obligations?
Step 3: Write the Actual BCP Document
The plan itself needs to be structured so someone who wasn’t in the planning meetings can execute it under pressure. That means clear, operational content — not principles.
BCP document structure:
Section 1: Purpose and Scope
What the plan covers, what it doesn’t, and which regulatory standards it’s designed to meet (FFIEC BCM booklet, relevant OCC/FDIC guidance).
Section 2: Governance
BCM policy reference, BCM program owner (typically Chief Risk Officer, Chief Operating Officer, or a dedicated BCM Officer at larger institutions — at fintechs without a CRO, this usually sits with the Head of Compliance or VP of Engineering), board approval date, and update cadence.
Section 3: Risk Scenarios
The disruption scenarios the plan addresses. At minimum: technology outage (internal), technology outage (third-party/vendor), cybersecurity incident/ransomware, facility loss, pandemic/widespread staff unavailability, key person loss, natural disaster.
Section 4: Crisis Management and Escalation
Who declares a continuity event? What thresholds trigger activation? Communication tree — internal leadership, board notification, customer notification, regulator notification (FDIC requires notification within a specified timeframe for certain events). Who is the single point of contact for media?
Section 5: Business Recovery Procedures
Function-by-function recovery procedures. Each procedure should name a responsible team, list specific steps (not just “restore from backup”), include vendor contact information and contract numbers, and reference the manual workaround procedures for if systems can’t be restored within RTO.
Section 6: IT Disaster Recovery
This often lives as a separate DR plan that references the BCP. It covers system-by-system recovery procedures, backup schedules and testing results, failover infrastructure details, and recovery order sequencing.
Section 7: Testing Schedule and Results
Embed your testing calendar here. Document prior test results — including what failed and how it was remediated.
Section 8: Plan Maintenance
How often the plan is reviewed, who reviews it, and what triggers an off-cycle update (material change in systems, vendors, or business lines).
Step 4: Test. Actually Test.
This is where programs fall apart. Examiners consistently cite inadequate testing as an MRA driver, and “we did a tabletop” does not satisfy them when your RTO is 4 hours and you’ve never actually failed over to your backup datacenter.
Testing types and what regulators expect:
| Test Type | Frequency | What It Proves | Regulatory View |
|---|---|---|---|
| Tabletop exercise | Annual minimum | Team knows the plan, escalation paths work | Necessary but not sufficient on its own |
| Communication test | Annual minimum | Contact lists are current; notification chains work | Easy, often skipped — always an MRA |
| Functional/component test | Annual for critical systems | Individual recovery procedures work | Core expectation for any critical system |
| Full failover test | Every 1-2 years | End-to-end recovery to backup infrastructure works and meets RTO | Expected for institutions with a DR site |
| Pandemic/remote work test | Post-COVID expectation | Critical functions can operate fully remote | Often embedded in tabletops now |
What to document after every test:
- Date, scope, and participants
- Scenarios tested
- Systems or functions that failed to recover within RTO/RPO
- Issues identified and remediation actions with owners and due dates
- Sign-off from BCM officer and senior leadership
That last part matters: examiners want evidence that test results get to leadership and that findings actually get fixed. A test with five failures and no remediation plan is worse than a failed test with a documented corrective action.
Step 5: Get Third-Party Continuity Right
Post-CrowdStrike, regulators are paying much closer attention to third-party resilience. The FFIEC BCM booklet explicitly includes third-party service providers in scope — your BCP needs to address what happens when a critical vendor fails.
For each critical vendor, document:
- Does their contract require them to maintain a BCP? Does it give you the right to review it?
- Have you actually reviewed their BCP in the last 12 months?
- What’s their published RTO for services you depend on? Does it match your own RTO for the dependent function?
- Is there a backup vendor available? If so, how long does it take to activate?
- Can you operate manually if the vendor is down? For how long?
Cloud service providers (AWS, Azure, GCP) get special attention. Reliance on a single CSP without a multi-region or multi-cloud strategy is increasingly flagged. You don’t need to rebuild everything in a second cloud — but you need a documented, tested plan for what happens when your primary cloud region goes down.
Step 6: Board Reporting
The FFIEC expects evidence that the board is actually engaged in BCM — not just rubber-stamping a policy annually. Senior management should receive BCM updates at least quarterly; the board should receive meaningful updates at least annually.
What board/senior management reports should include:
- Current status of the BCM program against the testing schedule
- Results of the most recent tests, including any failures and remediation status
- Material changes to the threat landscape or the institution’s critical functions
- Third-party resilience review status
- Any plan activations during the period (even partial)
Keep a copy of every board report with approval dates. Examiners ask for them.
The Exam Reality: What Gets MRAs
Based on consistent FFIEC examination findings and common deficiencies, the most frequent BCP MRAs are:
1. BIA not updated after material changes. You moved core banking to the cloud 18 months ago. Your BIA still references the old on-premise setup with a different RTO. Examiner finds it. MRA.
2. Testing is tabletop-only. For any institution with a DR site or cloud failover capability, examiners expect functional tests. “We haven’t tested full failover” is a reliable MRA trigger.
3. Third-party BCPs not reviewed. Having a contract clause requiring vendor BCPs doesn’t count. You need evidence of actual review — a summary or attestation on file.
4. Contact lists and escalation trees out of date. Communication tests catch this, which is why they should be annual. Nothing says “we didn’t maintain this” like calling the emergency line of someone who left the company two years ago.
5. No documented board reporting. The board approves the policy. That’s not the same as the board receiving meaningful updates. Examiners want board meeting minutes that reference BCM status.
6. Plans that don’t match current operations. If your BCP references a business line you divested or a technology you decommissioned, it signals the plan is shelf-ware. Update it when things change.
So What?
Business continuity isn’t about satisfying examiners — though satisfying examiners matters. It’s about being the institution that continues operating when something breaks, while your competitors are scrambling.
The CrowdStrike outage cost Fortune 500 companies $5.4 billion collectively. The firms that burned through most of that damage were the ones whose business continuity plans hadn’t modeled third-party software failures, hadn’t tested their failover procedures, and hadn’t kept their contact trees current.
Your next exam will test whether you’ve built a BCM program or just a document. The difference is evidence: a current BIA, tested procedures, documented results, and board engagement.
Start here if you’re rebuilding from scratch:
- Days 1–10: Inventory your critical processes and stand up a BIA. Don’t overthink it — a spreadsheet with RTOs, RPOs, and dependencies per function is a real BIA.
- Days 11–20: Document your current recovery strategies (even if they’re imperfect — knowing where the gaps are is better than pretending they don’t exist).
- Days 21–30: Schedule a communication test and tabletop for Q2. Put it on the board’s agenda for the next meeting.
- Days 31–60: Pull your top 5 critical vendor contracts and document whether each vendor has a reviewed BCP on file.
- Days 61–90: Execute the tabletop. Document findings. Create a remediation tracker.
The Business Continuity & Disaster Recovery Kit includes a BIA template, BCP document framework, testing log, and board report template — everything you need to stand up a defensible program without starting from a blank page.
FAQ
What’s the difference between a BCP and a DR plan?
A Business Continuity Plan covers the full enterprise — how critical business functions continue operating during a disruption, including non-IT elements like facilities, staffing, and communication. A Disaster Recovery plan is IT-focused — the specific technical procedures for restoring systems and data. Most institutions have both, with the DR plan nested under or referenced by the BCP.
How often do I need to update my BCP?
Formally, at least annually. In practice, you should review and update whenever there’s a material change: new critical system, new significant vendor, major operational change, post-incident, or after a test surfaces gaps. The FFIEC expects the plan to reflect current operations — if it doesn’t, that’s an exam finding.
Do fintechs and non-bank financial companies need a BCP?
If you’re regulated — by a state banking regulator, CFPB, SEC, FINRA, or a bank regulator because you’re a bank service provider — you likely have BCP obligations. Even if you’re not directly examined on it, your bank partners are. Their vendor management programs require them to review your BCP, and a gap in your continuity program can put the bank relationship at risk. Build it before someone asks for it.
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.