FFIEC Issues Stealth Update to BCP Handbook
This caught me by surprise as it was not formally announced in the “What’s New” section, but the Appendix J update to the Business Continuity Planning Handbook apparently constituted a complete update to the Handbook. Here is what the press release said in part:
The Federal Financial Institutions Examination Council (FFIEC) members today issued a revised Business Continuity Planning Booklet (BCP Booklet), which is part of the FFIEC Information Technology Examination Handbook (IT Handbook). The update consists of the addition of a new appendix, entitled Strengthening the Resilience of Outsourced Technology Services. (emphasis added)
If you only focused on the last sentence (as I did), you would think all they did was add an appendix to the existing booklet. But the first sentence states that they issued a revised booklet. And sure enough, they changed the date.
Here is the old booklet:
And here is the new booklet:
I’ve written about the wide-ranging implications of “Appendix J” previously. In comparing the old and new BCP booklets I was unable to find any other changes in the document except the addition of Appendix J, and some changes to Appendix A. Regular readers know that each of the 11 booklets has an Appendix A which contains the examination procedures. The message here is that the FFIEC considered the addition of Appendix J significant enough to warrant new examination procedures, and a whole new handbook with a new revision date!
I’ve gone through Appendix A of both the new booklet and the previous booklet and highlighted all of the changes. If you’re interested in how your next BCP exam might differ, you can download a copy of my marked-up document here. The complete BCP Handbook is here.
6 comments
April 29, 2015
Tom, I read the same thing you did; I thought Appendix J was the only addition. Thanks for the update.
April 29, 2015
Hi Marilyn, this one took me by surprise as well. I wonder if future booklet updates will be done this way? Guess I’ll have to pay even closer attention!
April 30, 2015
The Appendix A changes are significant, in my opinion. The focus continues to be on third-party oversight and cybersecurity. Although this isn’t brand new, it confirms that these two areas will come under ever-increasing scrutiny. Thank you for pointing this out, Tom! 🙂
April 30, 2015
Agreed, and as a second-tier TSP we have already made significant changes to accommodate Appendix J’s oversight expectations for financial institutions. The only question is when will the Appendix A changes make their way into examinations?
July 13, 2016
Thanks, Tom. This is a lot to update and consider.
July 14, 2016
Hi Carol! Yes it is, and it will be interesting (to say the least) to see how this actually looks when the examiners fully digest it.