Hard Questions Your Business Continuity Plan Should Answer

Eran Goldman-Malka · February 17, 2026

Most Business Continuity Plans look reassuring—until you start asking uncomfortable questions that require evidence rather than good intentions. If you are responsible for resilience in a regulated institution, try this short interrogation.

When was your last end‑to‑end BCP exercise that involved IT, business lines, Legal/Compliance, and key third‑party providers in the same scenario? Not a tabletop for one department, but a realistic drill with cross‑functional decisions, communication, and recovery steps.

Have you ever simulated the sudden loss of a strategic US technology provider—not just because of a technical outage, but because of sanctions, data‑transfer rulings, or a change in your own risk appetite? What did you learn about data location, contracts, and your actual ability to pivot?

Is the Board regularly reviewing BCP outcomes, documented weaknesses, and remediation progress, or do they only see a static policy once a year? Can you show minutes and follow‑up actions?

If you cannot answer these with clear, up‑to‑date evidence, your real risk is not that the CSSF might ask these questions. It is that they will ask them before you have done so yourself. Are you comfortable waiting for that moment?
