FFIEC Rewrites Business Continuity Guidance

FFIEC Rewrites Business Continuity Guidance

The all new IT Examination Handbook is more than an update, it’s a complete re-write, and represents a significant change in how the business continuity process is managed. It also has several new expectations regulators will be looking for from financial institutions1. In fact, that is one of the most interesting changes; the term “institution” has been changed to “entity”, and this may prove to be more than simply semantic because entities are defined as

“…depository financial institutions, nonbank financial institutions, bank holding companies, and third-party service providers.”
(emphasis added)

It looks like your critical third-party providers will be expected to meet the same standard you are, and that makes sense, as these providers may be key interdependencies of your internal systems and business processes.

By the Numbers

Before we get into some of the other changes, let’s look at some select differences between the current and previous Handbooks.

Business Continuity Planning Handbook

February 2015

Business Continuity Management Handbook

November 2019

Total Pages 135 pages 85 pages
Appendices 10 (A – J) 4 (A – D)
Testing section 5 11
“Resilience” references 57 126
“Institution(s)” references 645 32
“Entity/Entities” references 1 253
“Risk Appetite” references 1 10
Pandemic sections2 1 0

Material Changes

One of the most significant changes is also more than simply semantic. The end result of the planning process is no longer referred to as a Business Continuity Plan (BCP), but more broadly, Business Continuity Management (BCM). Your recovery plan (the traditional BCP) is now simply a sub-section in your overall BCM document.

This leads to perhaps the most significant change; a focus on “resilience” in addition to (and in advance of) your response and recovery efforts. Resilience is defined as

“the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents.”

Since most traditional BCPs probably already have detailed recovery procedures documented, the missing piece is the pre-recovery part, the pro-active measures you either already have in place, or can implement, to withstand and/or minimize the impact of a disruptive event. As the guidance states:

“Resilience extends beyond recovery capabilities to incorporate proactive measures for mitigating the risk of a disruptive event in the overall design of operations and processes.”

One way to measure (and document) resilience is to factor any existing threat-specific measures such as fire suppression, data backups, redundant data circuits, succession plans, alternate vendors, etc. into your net risk/threat impact formula. Simply put, resilience is the difference between the inherent impact of a threat, and the residual impact.

Perhaps the best way to characterize the new approach to business continuity is to look at the recommended development process.

The previous Handbook encouraged institutions to adopt a four-step approach:

  1. Business Impact Analysis
  2. Risk Assessment
  3. Risk Management (essentially, recovery procedures), and
  4. Risk Monitoring and Testing

The new guidance recommends a slightly different approach:

  1. Risk Management (Business Impact Analysis, Risk/Threat Assessment)
  2. Continuity Strategies (Interdependency Resilience, Continuity and Recovery)
  3. Training & Testing (aka Exercises)
  4. Maintenance & Improvement
  5. Board Reporting

Next Steps

What do all these changes mean for your continuity plan? Is it time to start fresh, or can a few simple adjustments bring your current program into alignment with the new guidance? For example, it may be tempting to do a simple word search/replace and change all occurrences of “Business Continuity Plan” to “Business Continuity Management”. But even if your current program is compliant with the 2015 Handbook, simple fixes may miss the spirit of the new guidance unless more substantive changes are made.

Here is a high-level checklist using the structure of the new guidance to help you decide whether a few minor tweaks, or a major re-write is in order.

Answer each question as “Yes, completely,” “Yes, somewhat,” or “No”:

  1. Have you conducted a formal business process-based Business Impact Analysis (BIA) that identifies all critical interdependencies?
  2. Does the BIA produce sufficient information to establish the following?
    • Recovery point objectives (RPO)
    • Recovery time objectives (RTO) for each business
      process (prioritized)
    • Maximum tolerable (or allowable) downtime (MTD/MAD)
  3. Does your risk/threat assessment measure both the impact and the probability (likelihood) of potential disruptive threats, including worst case (low probability, high impact) scenarios?
  4. Have you identified all existing resilience (including cyber) measures for all critical interdependencies in your program? Interdependencies include all assets and all vendors for each business process.
  5. Do you use the business processes identified in your BIA, including the interdependencies and recovery priorities, to guide your BCP testing? (Must be documented)
  6. Do you use testing as employee training exercises to verify that personnel are knowledgeable of recovery priorities and procedures?
  7. Do you track and resolve all issues identified during testing exercises, and use lesson-learned to enhance your program? (Must be documented)
  8. Does your Board report include a written presentation providing the BIA, risk assessment, BCP, exercise and test results, and identified issues?
  9. BONUS QUESTION: Do you assess Pandemic impact and probability alongside other risks/threats instead of separately?

If you answered more than 5 out of the 9 questions with “No” or “Yes, somewhat” it might be a good time to reevaluate the entire plan. On the other hand, if you are able to respond “Yes, completely” or “Yes, somewhat” to 6 or more, you should be in pretty good shape with only minor adjustments necessary.

Summary

All plans, even largely compliant plans, will need some level of adjustment. The good news is that historically it takes time for auditors and examiners to adjust to new regulations, so there should be enough time to make even major adjustments. Use your regularly scheduled 2020 BCP/BCM update sessions as an opportunity to re-visit your program, and be ready to provide all stakeholders (including auditors, examiners, and the Board) with a definitive plan, including timeline, for achieving compliance.


1 The Handbook states at the outset that “This booklet does not impose requirements on entities. Instead, this booklet describes practices that examiners may use to assess an entity’s BCM function.” Regardless, as anyone in the banking industry knows, any standard the regulators deem worthy of use as the basis of assessing an entity’s practices is a defacto requirement!
2 The new Handbook eliminates the separate Pandemic section.
Print Friendly, PDF & Email

Join Our Community

Related Posts