Skip to content
Weathering the Storm: Extreme Event Business Continuity
Business Continuity & Resilience

Weathering the Storm: Extreme Event Business Continuity

William C Hord
William C HordChief Strategy Officer - ERM Pilot

Natural disasters have always been part of the business continuity landscape. What has changed is the frequency, geographic spread, and compounding nature of weather-related disruptions — and the degree to which regulators expect institutions to have tested, not just documented, their response to extreme events.

The Regulatory Baseline

The FDIC and Federal Reserve have jointly identified natural disasters as a classic resilience threat category — one that demands the same disciplined planning and testing as cyber incidents or pandemics. While the interagency climate risk guidance issued in October 2023 was subsequently withdrawn in late 2024, regulators have been clear that geographic climate and weather risk remains within the scope of standard safety and soundness examination. FDIC examiners, in particular, have historically given additional scrutiny to institutions in coastal, flood-prone, or wildfire-exposed areas.

The FFIEC's BCM Booklet is explicit that continuity plans must address physical disruptions — branch closures, data center outages from flooding or power failures, staff unavailability due to local emergency conditions — with the same rigor applied to technology failures.

Multi-Site Resilience: Beyond Alternate Site Planning

Traditional disaster recovery planning assumed an alternate site: a second data center or branch location where operations could be relocated if the primary site became unavailable. That model, while still foundational, has been supplemented by the reality that modern financial services operations are distributed by design — cloud-hosted, network-dependent, and staffed by workers who may be geographically dispersed.

The question for extreme event continuity is not simply "where is our alternate site" but "how do our distributed operations function when regional infrastructure — power, communications, transportation — is compromised across a broad geographic area?"

Institutions in hurricane-prone coastal markets face this question acutely: a major storm doesn't just take out one facility. It can disrupt power, cellular, and internet infrastructure across a multi-county region for days or weeks, affecting staff availability, member communication, and access to core systems simultaneously.

Recovery planning for these scenarios requires addressing generator readiness, satellite or alternate communication channels, pre-positioned authority for distributed decision-making, and coordination with local emergency management agencies — none of which appear automatically in a standard IT disaster recovery plan.

What Examiners Evaluate in Severe-Weather Markets

For institutions in geographic areas with elevated natural disaster exposure, examiner scrutiny on BCPs tends to focus on:

—Physical facility resilience:Are branches and data centers in flood zones? Do they have generator backup? What is the backup communications plan if cellular and broadband are both unavailable?

—Staffing continuity:What happens to staffing when local road conditions or evacuations prevent employees from reaching facilities? Is there a remote-work capability for critical functions?

—Member access continuity:How do members access accounts and conduct transactions if branch and ATM networks are offline? What communication goes to members about service availability?

—Recovery sequencing:Which operations restart first, and in what order? Are the recovery priorities consistent with member needs and regulatory requirements?

The FDIC's sound practices guidance recommends that institutions in high-exposure geographic areas conduct weather-event scenario exercises specifically — not generic natural disaster planning, but exercises tied to the types of events their geography actually makes likely.

Connecting Weather Risk to Enterprise Risk Management

Even in the absence of specific climate regulation, weather and geographic risk belong in the enterprise risk assessment. The OCC's FY2025 Operating Plan directs examiners to evaluate whether institutions account for external shocks — including physical disruptions — in their enterprise risk programs.

An institution in Tornado Alley, a Gulf Coast flood zone, or a Western wildfire corridor that has not incorporated geographic physical risk into its ERM and BCP programs has a gap that is visible to a careful examiner — and a gap that becomes acutely visible during an actual event.


Article References — Weathering the Storm: Extreme Event Business Continuity

1. Federal Financial Institutions Examination Council. Business Continuity Management. IT Examination Handbook. Washington, D.C.: FFIEC, November 2019. Available at:https://ithandbook.ffiec.gov/it-booklets/business-continuity-management

2. Federal Financial Institutions Examination Council. 'Financial Regulators Revise Business Continuity Management Booklet to Stress to Examiners the Value of Resilience to Avoid Disruptions to Operations.' Press Release, November 14, 2019. Available at:https://www.ffiec.gov/news/press-releases/2019/pr-11-14

3. Office of the Comptroller of the Currency. Fiscal Year 2025 Bank Supervision Operating Plan. Washington, D.C.: OCC, October 2024. Available at:https://www.occ.gov/news-issuances/news-releases/2024/nr-occ-2024-111a.pdf

4. Federal Deposit Insurance Corporation. Risk Review (Annual Publication). Washington, D.C.: FDIC. Available at:https://www.fdic.gov/analysis/risk-review

Ready to transform your risk management?

Discover how ERM Pilot can streamline your compliance, automate workflows, and provide real-time insights for your organization.

Stay Updated on ERM Pilot

Join our newsletter to receive the latest news, feature updates, and expert insights on all things risk related.

We respect your privacy. Unsubscribe at any time.