The Problem
Nearly every regulated institution has a business continuity plan. Many of those plans were written several years ago, have been updated minimally since, and have never been tested in a meaningful way. The contact tree has phone numbers for people who no longer work there. The recovery procedures reference systems that were decommissioned. The alternate processing site is a location no one has visited in three years.
Examiners understand that business continuity planning is hard to prioritize when nothing is going wrong. But a BCP that has never been exercised isn’t a plan — it’s a document. The distinction matters, both to regulators and to the institution when an actual disruption occurs.
What Regulators Require
The FFIEC Business Continuity Management booklet is the primary reference for bank examiners. It describes BCM as a holistic management process that identifies potential threats to an organization, builds resilience, and ensures recovery capability. Key requirements include a business impact analysis (BIA), documented recovery strategies, a tested and maintained plan, and board oversight.
The NCUA’s guidance for credit unions, detailed in Letter to Credit Unions 21-CU-08 and its referenced FFIEC guidance, establishes similar expectations. State-chartered institutions may also be subject to state-specific BCM requirements layered on top of the federal baseline.
What Examiners Are Looking For
A Current Business Impact Analysis
The BIA is the analytical foundation of your BCP. It identifies your critical business functions, the systems and resources that support them, and the maximum tolerable downtime for each function. Without a current BIA, your recovery priorities are guesswork. Examiners will ask when the BIA was last updated and whether it reflects current operations — including any new products, services, or systems added since the last update.
Recovery Time and Recovery Point Objectives
Your BCP should document a Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for each critical system. The RTO defines how long you can be without a system before the impact becomes unacceptable. The RPO defines how much data loss is tolerable in the event of a disruption. These objectives should be derived from the BIA, validated against your technical capabilities, and tested to confirm they are actually achievable.
Testing — and Not Just Tabletops
This is where most plans fall short. Examiners distinguish between different levels of testing: tabletop exercises, where staff walk through a scenario verbally; functional exercises, where individual components are actually tested; and full-scale exercises, where the complete recovery process is exercised end-to-end. Most institutions do tabletops. Examiners increasingly expect at least some functional testing, particularly for critical systems recovery and data backup restoration.
Backup restoration testing is specifically called out in examiner guidance. If you cannot confirm that your backups actually restore successfully, your backup strategy is unverified. Examiners will ask for documentation of the last backup restoration test — including what was tested, the results, and any gaps identified.
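The RTO/RPO passage above says objectives must be validated against technical capability and tested, and this passage says restoration must be evidenced by a documented test. The following added example (not from the page or any examiner tool) checks a constructed system inventory against both expectations; the field names and the sample systems are assumptions for illustration.

```python
"""Check RTO/RPO objectives against backup and restore-test evidence (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class CriticalSystem:            # constructed record layout, not a regulator's form
    name: str
    rto_hours: float             # maximum tolerable downtime from the BIA
    rpo_hours: float             # maximum tolerable data loss from the BIA
    backup_interval_hours: float
    last_backup: datetime        # most recent successful backup
    last_restore_test: Optional[datetime] = None     # None = never tested
    restore_duration_hours: Optional[float] = None   # measured during the last test

def evaluate(system: CriticalSystem, now: datetime, max_test_age_days: int = 365) -> list:
    """Return examiner-style findings; an empty list means the objectives are evidenced."""
    findings = []
    # RPO is unachievable on paper if backups run less often than the RPO allows.
    if system.backup_interval_hours > system.rpo_hours:
        findings.append(f"{system.name}: backup interval {system.backup_interval_hours}h exceeds RPO {system.rpo_hours}h")
    # A stale last backup means the RPO is being violated right now, whatever the schedule says.
    backup_age = (now - system.last_backup).total_seconds() / 3600
    if backup_age > system.rpo_hours:
        findings.append(f"{system.name}: last backup is {backup_age:.1f}h old, beyond RPO {system.rpo_hours}h")
    # Restoration must be evidenced by a recent test, not assumed.
    if system.last_restore_test is None:
        findings.append(f"{system.name}: backup restoration never tested")
    else:
        if now - system.last_restore_test > timedelta(days=max_test_age_days):
            findings.append(f"{system.name}: last restore test older than {max_test_age_days} days")
        # The RTO is only validated if the measured restore time fits inside it.
        if system.restore_duration_hours is not None and system.restore_duration_hours > system.rto_hours:
            findings.append(f"{system.name}: measured restore {system.restore_duration_hours}h exceeds RTO {system.rto_hours}h")
    return findings

NOW = datetime(2024, 6, 1, 8, 0)   # constructed reference time
INVENTORY = [                      # constructed sample inventory, not real systems
    CriticalSystem("core-banking", rto_hours=4, rpo_hours=1, backup_interval_hours=1,
                   last_backup=NOW - timedelta(minutes=30),
                   last_restore_test=NOW - timedelta(days=90), restore_duration_hours=3),
    CriticalSystem("online-banking", rto_hours=8, rpo_hours=4, backup_interval_hours=24,
                   last_backup=NOW - timedelta(hours=20),
                   last_restore_test=NOW - timedelta(days=500), restore_duration_hours=12),
    CriticalSystem("loan-origination", rto_hours=24, rpo_hours=24, backup_interval_hours=24,
                   last_backup=NOW - timedelta(hours=6)),
]

def report(inventory=INVENTORY, now=NOW) -> dict:
    """Map each system name to its list of findings."""
    return {s.name: evaluate(s, now) for s in inventory}

if __name__ == "__main__":
    for name, findings in report().items():
        print(name, "OK" if not findings else "\n  " + "\n  ".join(findings))
```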
A Maintained and Current Plan
The plan should be reviewed and updated at least annually and after any significant change to operations, systems, or key personnel. Examiners will look for a version history and evidence of recent updates. A plan last revised more than two years ago is a finding waiting to happen. So is a plan whose contact information is demonstrably out of date.
Board Involvement and Approval
The board is responsible for establishing BCM as a strategic priority. That means reviewing and approving the BCP, receiving regular updates on the program’s status, and being briefed on test results and any significant gaps. Examiners will look for this in board meeting minutes. Approval that occurs without meaningful discussion — particularly at institutions with known BCP weaknesses — is a pattern examiners recognize.
Where to Start If Your BCP Needs Work
If your plan is significantly out of date, prioritize these steps before your next exam:
- Update your contact tree immediately. This takes an afternoon and eliminates one of the most visible indicators that the plan hasn’t been maintained.
- Conduct a tabletop exercise. Gather key stakeholders, walk through a realistic disruption scenario, and document the discussion. Even a basic tabletop generates evidence of program activity and typically surfaces gaps that can be addressed before an exam.
- Test backup restoration. Coordinate with your core processor or IT staff to restore data from a recent backup in a test environment. Document the process and the result. This single action addresses one of the most common BCP findings.
- Schedule a BIA update. Even a partial refresh — confirming that existing critical functions and RTOs/RPOs are still accurate — is better than leaving a multi-year-old BIA in place.
Practical Checklist
- Business Impact Analysis completed and updated within the last 12–24 months
- RTOs and RPOs documented for all critical systems and validated against technical capabilities
- BCP reviewed and updated within the last 12 months; version history documented
- Contact trees and notification procedures verified current
- Tabletop exercise conducted within the last 12 months with results documented
- Functional or technical testing of at least one critical recovery procedure within the last 12 months
- Backup restoration test documented with results and any identified gaps
- Vendor and third-party dependencies included in the plan, including their recovery commitments
- Board review and approval of the BCP documented in meeting minutes within the last 12 months