Contingency Funding Plan vs. Business Continuity Plan: What's the Difference?

TL;DR

• A CFP is a liquidity management tool: it answers how you fund your operations when normal funding channels fail
• A BCP is an operational resilience tool: it answers how you keep running when a disaster or disruption hits
• Both are required for regulated financial institutions — they’re governed by different guidance, owned by different functions, and triggered by different events
• The dangerous scenario: when both trigger simultaneously, and you haven’t planned for the intersection

They Sound the Same. They’re Not.

Risk managers new to financial services make this mistake constantly. “CFP” and “BCP” look like cousins — both are contingency plans, both are required by regulators, both live in the same filing cabinet. In smaller institutions, they sometimes even share a document.

But treating them as interchangeable is the kind of oversight that shows up as a finding after an exam. Or worse — after an actual crisis.

Here’s the core distinction:

• A Contingency Funding Plan asks: How do we fund our operations when our normal sources of liquidity disappear?
• A Business Continuity Plan asks: How do we keep our operations running when a disaster, cyberattack, or systems failure hits?

One is a balance sheet problem. The other is an operations problem. Different owners, different triggers, different regulatory frameworks — and critically, different failure modes when things go wrong.

What a Contingency Funding Plan Actually Does

A CFP is a liquidity risk management document. Its job is to ensure your institution can access funding under stress scenarios — the situations where your normal funding channels (deposits, repo lines, commercial paper markets, unsecured borrowing) become unavailable, expensive, or insufficient.

The 2010 Interagency Policy Statement on Funding and Liquidity Risk Management — signed by the Fed, OCC, FDIC, OTS, and NCUA — established the baseline regulatory expectations. The 2023 addendum, issued after Silicon Valley Bank, Signature Bank, and First Republic collapsed, reinforced and sharpened those expectations significantly.

What a CFP Contains

The 2023 addendum added specific emphasis on operational readiness for the discount window — meaning you can’t just list the Fed discount window as a contingent source. You need to have pre-pledged collateral and tested your ability to actually draw on it.

CFP ownership: Treasury, CFO, ALCO. This is a finance and balance sheet function.

What a Business Continuity Plan Actually Does

A BCP is an operational resilience document. Its job is to ensure your institution can maintain critical processes — payments, customer service, regulatory reporting, fraud monitoring — during disruptions that have nothing to do with your funding costs.

The FFIEC Business Continuity Management booklet (revised 2019) governs BCP requirements for banks, thrifts, and credit unions. It’s one of the most detailed and prescriptive guidance documents in financial services operational risk.

What a BCP Contains

BCP ownership: Operations, CRO, BCM team, COO. This is an operational and technology function.

Side-by-Side Comparison

When Both Trigger at the Same Time

Here’s the scenario that reveals the gap in most institutions’ planning: a major operational disruption that also creates a liquidity crisis.

It happens more often than people realize:

SVB (March 2023): What started as a balance sheet problem (unrealized HTM losses + rate sensitivity) became a social media-amplified deposit run. The operational crisis — processing $42 billion in withdrawal requests — was a BCP-adjacent event, but the root cause was a CFP failure. Board and ALCO didn’t have adequate liquidity stress scenarios or contingent funding pre-positioned.

Ransomware attack scenario: A ransomware attack takes your core banking system offline for 72 hours. That’s a BCP event. But if customers can’t access accounts for three days, you may face panic-driven deposit outflows when systems come back online. Now you have a CFP event on top of the BCP event.

Hurricane Katrina (Gulf-area banks, 2005): Regional banks facing flooded facilities, displaced staff, and inability to process transactions (BCP event) were simultaneously facing customers withdrawing every dollar they could get out — a liquidity stress event that required CFP-type responses.

The dangerous assumption is that a CFP event and a BCP event never co-occur. They can, and the intersection is where institutions discover they haven’t coordinated their response protocols between Treasury and Operations.

The 2023 addendum explicitly called this out: CFPs must be “integrated with crisis management” — which is the BCP function. That means:

1. The CFP should reference the BCP’s crisis communication protocols
2. The BCP should include a section on the liquidity implications of extended operational outages
3. Both plans should be tested together in at least some scenarios

The Regulatory Requirements, Side by Side

CFP Requirements (Banks and Credit Unions)

The 2010 Interagency Policy Statement applies to banks, thrifts, and credit unions regulated by the Fed, OCC, FDIC, and NCUA. Key requirements:

• Conduct liquidity stress tests using institution-specific and market-wide scenarios
• Maintain a menu of contingent funding sources with pre-tested operational access
• Set quantitative early warning indicators with documented escalation procedures
• Integrate the CFP with ALCO governance and board reporting
• Update and test the CFP at least annually

NCUA has codified CFP requirements directly into regulation at 12 CFR § 741.12, which applies to federally insured credit unions.

BCP Requirements (Banks and Credit Unions)

The FFIEC BCM booklet (2019) governs BCP for all FFIEC-examined institutions. Key requirements:

• Conduct a Business Impact Analysis identifying all critical processes with RTOs
• Develop recovery strategies covering IT, operations, and facilities
• Test and exercise the BCP at least annually (tabletop minimum; full simulation preferred)
• Document board and senior management oversight of the BCM program
• Address third-party dependency in the BCP (vendor continuity, contractual RTOs)

For more on what FFIEC examiners specifically look for in a BCP, see our guide to FFIEC Business Continuity Management requirements.

Can You Combine Them?

The honest answer: yes, but carefully and only at a certain size.

For a community bank under $500M in assets with a straightforward balance sheet and low funding complexity, embedding CFP elements within a liquidity risk management policy (which may sit adjacent to the BCP) is common and generally acceptable to examiners. Some institutions integrate CFP elements into a broader Risk Management Framework.

For institutions over $1B in assets, with broker-dealer operations, significant reliance on wholesale funding, or a complex deposit mix — examiners will expect a standalone CFP that goes well beyond a section of the BCP. The 2023 addendum made this expectation explicit in the wake of the regional bank failures.

The test isn’t document structure — it’s substance. A combined document that actually covers all CFP requirements with adequate scenario analysis, pre-positioned collateral, and tested operational readiness passes. A standalone CFP that’s two pages with no stress scenarios fails.

Practical Guidance: Who Owns What

If you’re the person building or inheriting these programs, here’s how ownership should work:

CFP owner responsibilities:

• Maintain the liquidity stress scenario library (including post-2023 social media-amplified scenarios)
• Ensure FHLB membership is current, collateral is pre-pledged, and discount window access is tested
• Set and monitor EWI thresholds
• Own ALCO reporting on CFP status
• Ensure the CFP is reviewed and approved annually by the board

BCP owner responsibilities:

• Maintain the BIA with current RTO/RPO targets for all critical processes
• Own the annual tabletop exercise and testing documentation
• Manage vendor continuity requirements in TPRM contracts
• Ensure IT DR plan is aligned with BCP recovery objectives
• Coordinate with CISO on cyber incident response integration

Coordination responsibilities (both own):

• Joint scenario exercises that include both liquidity stress and operational disruption elements
• Shared crisis communication framework activated under either plan
• Board reporting that includes both BCM and liquidity risk status

So What: The Action Checklist

If you’re not sure whether your institution’s CFP and BCP are adequately distinct and integrated, here’s where to start:

• Do you have two separate documents? (Or at minimum, clearly distinct sections with different owners?)
• Does your CFP include social media-accelerated deposit scenarios post-SVB?
• Is your discount window access operationally tested — not just listed as a contingent source?
• Does your BCP include a section on liquidity implications of extended operational outages?
• Have you ever run a scenario that triggers both plans simultaneously?
• Does your board receive separate reporting on CFP status and BCP readiness?

For more on what regulators specifically require in a CFP — and who needs one — see our guides on what is a contingency funding plan and who needs a CFP under FINRA, OCC, and interagency requirements.

If your BCP needs a rebuild, the Business Continuity & Disaster Recovery Kit includes a BIA template, BCP and DR plan templates, and a standalone tabletop exercise kit aligned with FFIEC BCM requirements.

Frequently Asked Questions

What is the main difference between a contingency funding plan and a business continuity plan?

A CFP addresses liquidity and funding risk — it answers “how do we fund our operations if access to liquidity dries up?” A BCP addresses operational disruption risk — it answers “how do we keep operating if a disaster, cyberattack, or systems failure hits?” CFPs are owned by Treasury/ALCO. BCPs are owned by Operations/BCM.

Do regulators require both a CFP and a BCP?

Yes. BCPs are required under the FFIEC Business Continuity Management booklet. CFPs are required under the 2010 Interagency Policy Statement on Funding and Liquidity Risk Management (and the 2023 addendum). These are separate requirements with different examination frameworks.

Can you roll a CFP into your BCP?

Smaller institutions sometimes include CFP elements within their BCP. Regulators allow this for small, low-complexity institutions. But examiners increasingly expect a standalone CFP for institutions with significant liquidity exposure, and the 2023 post-SVB addendum made this clearer.

What triggers a CFP vs. a BCP?

CFP triggers are financial: credit rating downgrade, significant deposit outflows, repo line unavailability, loss of market access. BCP triggers are operational: extended system outage, natural disaster, ransomware attack, pandemic staffing disruption.

What happened at Silicon Valley Bank — was that a CFP event or a BCP event?

SVB’s collapse was primarily a CFP event: a $42 billion deposit run driven by social media-amplified panic. The lesson: CFPs need social media-accelerated deposit outflow scenarios, not just traditional slow-developing liquidity stress scenarios.

Who owns the CFP versus the BCP?

CFP ownership sits with the CFO, Treasurer, or ALCO — the people who manage the balance sheet. BCP ownership sits with the COO, CRO, or BCM function — the people who manage operational processes. At smaller institutions these roles may overlap, but the documents and governance processes should remain distinct.