What NCUA Examiners Actually Look For in Your Business Continuity Plan

NCUA examiners aren't just checking boxes. They're testing whether your business continuity plan will actually work when a crisis hits. Here's what separates plans that merely look compliant from plans that pass inspection.

Introduction

You've got a business continuity plan. It sits in a binder somewhere, or maybe it's a PDF on your shared drive. When the NCUA examiner asks to see it, you hand it over. But that's not what they're really asking for.

NCUA examiners evaluate business continuity planning as part of their assessment of operational risk and overall risk management. They're looking for proof that your plan isn't just comprehensive on paper but will work when your core banking system goes down at 9:00 AM on a Monday. The Government Accountability Office found that weaknesses in business continuity planning and disaster recovery contributed directly to credit union failures and losses to the National Credit Union Share Insurance Fund. This isn't about compliance theater. It's about survival.

They Want to See Risk Assessment, Not Risk Theater

The first thing examiners look for is a thorough internal risk assessment that matches your institution's size, complexity, and risk profile. They're not interested in generic templates copied from the internet. They want to see that you've thought through what could actually go wrong at your credit union, not at some theoretical financial institution.

Your risk assessment should identify specific vulnerabilities: Which core systems support member-facing services? What happens if your primary internet provider goes down? How long can you operate without access to your loan origination system? Examiners expect a process for initial risk assessment and ongoing refinement as new information becomes available. If your last risk assessment was done three years ago and hasn't been updated since you migrated to cloud banking, that's a red flag.

The assessment should prioritize scenarios by impact. A four-hour core system outage affects every member transaction. A failed HVAC unit in one branch affects dozens. Examiners want to see that you understand the difference and have allocated resources accordingly.

Document Your Methodology

Examiners assess management's ability to explain its review and assessment methodology. Be ready to walk through how you identified risks, who was involved, and what data informed your decisions.

Testing Is Where Most Plans Fail Inspection

You can have the most detailed continuity plan ever written, but if you haven't tested it, examiners will assume it doesn't work. And they're usually right. In 2024, many credit unions struggled to recover quickly from disruptions because of inadequate testing of their business continuity and disaster recovery plans.

Examiners review whether you've conducted exercises, what those tests included, and what you learned from them. They're looking for evidence that testing goes beyond tabletop discussions. Did you actually fail over to your backup systems? Did you simulate losing access to your primary facility? Did you test communication protocols when email was unavailable?

Real Incident, Real Consequences

60 credit unions experienced service outages when a third-party BCP provider failed to patch a critical vulnerability. Their continuity plans assumed the BCP provider would be available during a crisis; instead, the provider that was supposed to keep them running was the cause of the outage.

Succession planning is a specific testing focus. The FFIEC IT Examination Handbook emphasizes defined roles and responsibilities, identification of decision-makers, and succession plans for key personnel. Examiners want to know: If your IT director is unreachable, who makes the call to activate disaster recovery? If your CEO is on vacation when a data breach occurs, who talks to regulators?

Tests should be documented with results, issues identified, and corrective actions taken. If your last test revealed that your emergency contact list was outdated, examiners want to see that you fixed it.

They're Checking Your Incident Response Protocols

Since September 1, 2023, the Cyber Incident Notification Reporting Rule requires federally insured credit unions to notify the NCUA as soon as possible, and no later than 72 hours after the credit union reasonably believes a reportable cyber incident has occurred. The rule requires notification within that window, not a completed investigation, and the clock starts at the point of reasonable belief, so your procedures need a defined step where that determination is made and recorded. Examiners verify that you have procedures in place to meet this requirement and that third-party breaches affecting your institution are also reported.

But compliance with the 72-hour rule is just the baseline. Examiners want to see clear incident response playbooks that define who does what, when they do it, and how decisions get escalated. Many institutions lack these clear playbooks and struggle with delayed or inefficient responses when incidents occur.

Your protocols should cover detection, containment, investigation, notification, and recovery. Examiners will ask: How do you determine whether an IT issue is a reportable cyber incident? Who makes that determination? How do you notify members if their data may have been compromised? What's your process for getting systems back online safely?

Post-Incident Reviews Matter

Examiners look for evidence that you complete post-incident reviews and apply lessons learned. If you had a minor outage six months ago, they'll want to know what changes you made to prevent recurrence.

Communication protocols are part of this assessment. Unclear crisis communication roles have left many credit unions scrambling during actual incidents. Your plan should specify who communicates with members, who talks to the board, who contacts vendors, and who handles regulatory notifications.

Third-Party Dependencies Are Under Increased Scrutiny

Credit unions rely on vendors for core banking systems, payment processing, online banking, and disaster recovery services. Examiners know this, and they're asking harder questions about third-party risk management.

Over-reliance on single vendors emerged as a major weakness in 2024 business continuity assessments. If your core processor goes down and you have no backup access to member account data, you can't serve members. If your disaster recovery is hosted by the same provider as your production systems, you've got a single point of failure.

Examiners want to see that you've assessed vendor continuity capabilities. Does your core processor have a tested disaster recovery plan? Have you reviewed their business continuity documentation? Do you have service level agreements that specify maximum downtime? What happens if they suffer a ransomware attack?

Know Your Vendor's Plan

Your business continuity plan should include vendor contact information, escalation procedures, and alternative arrangements if a critical vendor becomes unavailable.

The incident involving 60 credit unions affected by a BCP provider's security failure illustrates why this matters. Examiners increasingly expect you to have contingency plans for vendor failures, not just internal operational disruptions.

Documentation Standards Have Gotten Stricter

A business continuity plan isn't just a document. It's a system of records that prove due diligence. Examiners assess your information security and business continuity programs against the FFIEC IT Examination Handbook and the NCUA's Information Security Examination (ISE) procedures, which replaced the Automated Cybersecurity Examination Tool (ACET) as the examination procedures in 2023; ACET remains available as a voluntary self-assessment that tracks the same expectations.

Your documentation should include the plan itself, risk assessments, testing records, incident logs, vendor assessments, and board meeting minutes showing oversight and approval. Management must demonstrate due diligence in planning for future conditions, including updating plans based on lessons learned after crises or disruptions.

According to the GAO, the NCUA itself failed to complete 30 out of 44 required post-mortem reviews of failed credit unions on time. Don't read that as a sign that examiners will be lenient about your records. They expect contemporaneous documentation. If you had an incident nine months ago and there's no record of what happened, how you responded, or what you learned, that's a problem.

Audit trails are part of this expectation. Who approved the current plan? When was it last reviewed? Who participated in the last test? What changes were made based on test results? These aren't academic questions. They demonstrate that your continuity program is active, not just compliant.

Keep Version Control

Maintain dated versions of your plan with change logs. Examiners may want to see how your plan has evolved and whether updates reflect changing risks or lessons learned.

They're Evaluating Management Oversight and Board Governance

Business continuity planning isn't an IT function. It's an enterprise risk management responsibility that requires board and senior management engagement. Examiners assess whether your governance structure reflects this.

Does your board review and approve the business continuity plan? How often? Do they receive reports on testing results? Are they briefed after incidents? The GAO recommended that the NCUA more fully use CAMEL component ratings (CAMELS since the sensitivity-to-market-risk component was added in 2022) to guide enforcement actions, particularly when individual component ratings are worse than the composite rating. Management is one of those components, and it is where weak oversight of continuity planning shows up.

Examiners want to see that management can explain its review and assessment methodology. If the COO can't walk through how the credit union prioritizes continuity risks or allocates recovery resources, that suggests the plan is someone else's responsibility, not a management priority.

Board minutes should show regular continuity planning updates, not just annual rubber-stamp approvals. When was the last time the board discussed disaster recovery testing? Have they reviewed the institution's ability to meet the 72-hour cyber incident reporting requirement? Do they understand the credit union's dependencies on critical vendors?

Reasonable Progress Matters

Examiners assess whether management demonstrates reasonable progress in plan development and implementation. Continuity planning isn't a one-time project.

Static Plans Fail, Learning Systems Pass

The credit unions that pass examinations with strong ratings don't have perfect plans. They have plans that improve over time. Examiners look for evidence of a continuous improvement cycle: assess risks, document plans, test procedures, identify gaps, make corrections, and repeat.

Your plan should change as your institution changes. New branch locations, new services, new vendors, and new risks all require plan updates. Examiners expect a process for ongoing refinement as new information becomes available. If your credit union launched mobile deposit two years ago and your continuity plan doesn't address what happens if that system goes down, that's a gap.

The institutions that struggle during examinations treat continuity planning as a compliance exercise, not an operational capability. They have plans that look good on paper but haven't been tested, haven't been updated, and wouldn't work in a real crisis. The institutions that excel treat continuity planning as a living program that protects members, preserves operations, and meets regulatory expectations.

Checklist of NCUA business continuity plan examination criteria

Summary

NCUA examiners aren't just looking for a document. They're evaluating whether your business continuity plan reflects real risk assessment, includes tested procedures, addresses incident response and vendor dependencies, is properly documented, and receives appropriate management and board oversight. The difference between a plan that passes inspection and one that raises concerns isn't length or complexity. It's evidence that the plan is active, tested, and will work when you need it.

Key Things to Remember

  • Risk assessments must be specific to your institution's size, complexity, and actual vulnerabilities, not generic templates, and should be updated regularly as conditions change.
  • Testing is where most plans fail examination. Examiners expect documented exercises that go beyond tabletop discussions and include succession planning.
  • The 72-hour cyber incident reporting rule is just the baseline. Examiners want clear incident response playbooks and evidence of post-incident reviews.
  • Third-party vendor dependencies are under increased scrutiny. Your plan must address what happens when critical vendors experience their own disruptions.
  • Business continuity requires active board and management oversight with documented reviews, testing results, and continuous improvement based on lessons learned.

How Branchly Can Help

Branchly transforms static business continuity plans into tested, documented, continuously improving operational systems. Our platform automatically generates location-specific playbooks based on your risk assessment, tracks testing and exercises with complete audit trails, manages incident response with built-in 72-hour reporting workflows, monitors third-party dependencies, and provides board-ready reporting that demonstrates oversight and due diligence. When NCUA examiners ask to see your business continuity program, you'll have documentation that proves it's active, tested, and ready to protect your members.

