Tag: BCP

16 Jun 2022
E-Banking Booklet

FFIEC Cancels E-Banking Handbook

On May 13, 2022, the FFIEC very quietly rescinded the FFIEC Information Technology Examination Handbook (IT Handbook) booklet entitled E-Banking.  The original booklet was released in 2003 and was accompanied by a flurry of activity by financial institutions to come up with a separate E-banking policy and risk assessment.  In effect, the FFIEC is now declaring (admitting?) that these are no longer necessary because all the basic risk management principles that apply to E-Banking are already addressed in other Handbooks.  Operational risk is addressed in the Business Continuity Management Handbook, information security risk is addressed in the Information Security Handbook, cyber risk is assessed in the Cybersecurity Assessment Tool, and third-party risk is addressed here, here, and here

We agree with this approach, and have long held that separately addressing each new emerging or evolving technology was cumbersome, duplicative, and unnecessary.  In our opinion, shifting the focus of the handbooks to basic risk management principles and best practices that can apply to all business processes makes more sense and is long overdue. Could the Wholesale and Retail Payment Systems handbooks be phased out next?  How about the Cybersecurity Assessment Tool?  Since cybersecurity is simply a subset of information security more broadly, could we see a phase-out of a separate cyber assessment?  Or even better, could we see the Information Security Handbook include a standardized risks and controls questionnaire that includes cyber?

Admittedly this is only one less policy and one less risk assessment, but we’ll be watching this trend with great interest. Anything that can help ease the burden on overworked compliance folks is a welcome change!

20 Oct 2020

Compliance Quick Bites – Tests vs. Exercises, and the Resiliency Factor

One of several changes implemented in the 2019 FFIEC BCM Examination Handbook is a subtle but important differentiation between a BCMP “test” and an “exercise”. I discussed some of the more material changes here, but we’re starting to see examiner scrutiny into not just if, but exactly what and how you’re testing.

According to the Handbook:

  • “An exercise is a task or activity involving people and processes that is designed to validate one or more aspects of the BCP or related procedures.”
  • “A test is a type of exercise intended to verify the quality, performance, or reliability of system resilience in an operational environment.”

Essentially, “…the distinction between the two is that exercises address people, processes, and systems whereas tests address specific aspects of a system.” Simply put, think of an exercise as a scenario-based simulation of your written process recovery procedures (a table-top exercise, for example), and a test as validation of the interdependencies of those processes, such as data restoration or circuit fail-over.

The new guidance makes it clear that you must have a comprehensive program that includes both exercises and tests, and that the primary objective should be to validate the effectiveness of your entire business continuity program. In the past, most FI’s have conducted an annual table-top or structured walk-through test, and that was enough to validate their plan. It now seems that this new differentiation requires multiple methods of validation of your recovery capabilities. Given the close integration between the various internal and external interdependencies of your recovery procedures, this makes perfect sense.

An additional consideration in preparing for future testing is the increased focus on resiliency, defined as any proactive measures you’ve already implemented to mitigate disruptive events and enhance your recovery capabilities. The term “resiliency” is used 126 times in the new Handbook, and you can bet that examiners will be looking for you to validate your ability to withstand as well as recover in your testing exercises. Resilience measures can include fire suppression, auxiliary power, server virtualization and replication, hot-site facilities, alternate providers, succession planning, etc.

One way of incorporating resilience capabilities into future testing is to evaluate the impact of a disruptive event after consideration of your internal and external process interdependencies and accounting for any existing resilience measures. For example, let’s say your lending operations require 3 external providers and 6 internal assets, including IT infrastructure, scanned documents, paper documents, and key employees. List any resilience capabilities you already have in place, such as recovery testing results from your third-parties, data replication and restoration, and cross-training for key employees, then evaluate what the true impact of the disruptive event would be in that context.

In summary, conducting both testing and exercises gives all stakeholders a high level of assurance that you’ve thoroughly identified and evaluated all internal and external process interdependencies, built resilience into each component, and can successfully restore critical business functions within recovery time objectives.

29 Apr 2015

FFIEC Issues Stealth Update to BCP Handbook

This caught me by surprise as it was not formally announced in the “What’s New” section, but the Appendix J update to the Business Continuity Planning Handbook apparently constituted a complete update to the Handbook.  Here is what the press release said in part:

The Federal Financial Institutions Examination Council (FFIEC) members today issued a revised Business Continuity Planning Booklet (BCP Booklet), which is part of the FFIEC Information Technology Examination Handbook (IT Handbook). The update consists of the addition of a new appendix, entitled Strengthening the Resilience of Outsourced Technology Services. (emphasis added)

If you only focused on the last sentence (as I did), you would think all they did was add an appendix to the existing booklet.  But the first sentence states that they issued a revised booklet.  And sure enough, they changed the date.

Here is the old booklet:

Cover page from 2008 FFIEC_IT_Booklet_BusinessContinuityPlanning

And here is the new booklet:

Cover page from 2015 FFIEC_IT_Booklet_BusinessContinuityPlanning

I’ve written about the wide-ranging implications of “Appendix J” previously.  In comparing the old and new BCP booklets I was unable to find any other changes in the document except the addition of Appendix J, and some changes to Appendix A.  Regular readers know that each of the 11 booklets has an Appendix A which contains the examination procedures. The message here is that the FFIEC considered the addition of Appendix J significant enough to warrant new examination procedures, and a whole new handbook with a new revision date!


7 Reasons Why Small Community Banks Should Outsource IT Network Management



7 Reasons Why Small Community Banks Should Outsource IT Network Management



7 Reasons Why Small Community Banks Should Outsource IT Network Management

I’ve gone through Appendix A of both the new booklet and the previous booklet and highlighted all of the changes.  If you’re interested in how your next BCP exam might differ, you can download a copy of my marked-up document here.  The complete BCP Handbook is here.

10 Feb 2015

FFIEC Issues Update to Business Continuity Guidance

The FFIEC just issued new BCP Guidance in the form of a 16 page addendum to the existing 2008 IT Handbook on Business Continuity Planning. It is titled “Appendix J: Strengthening the Resilience of Outsourced Technology Services”, and it has significant implications for both financial institutions and service providers, and across the entire business relationship between the two.

The following excerpt summarizes the intent of the update pretty succinctly:

A financial institution should be able to demonstrate the ability to recover critical IT systems and resume normal business operations regardless of whether the process is supported in-house or at a TSP (technology service provider) for all types of adverse events (e.g., natural disaster, infrastructure failure, technology failure, availability of staff, or cyber attack).

The appendix is focused on third-party Technology Service Providers (TSP’s), and organized in four sections (with associated sub-sections):

  • Third-party management
    • Due Diligence
    • Contracts
    • Ongoing Monitoring
  • Third-party capacity
    • Significant TSP Continuity Scenarios
    • TSP Alternatives
  • Testing with third-party TSP’s
    • Testing Scenarios
    • Testing Complexity
  • Cyber resilience

Assuming that you already have a relatively compliant* business continuity plan, I see several areas that may need immediate attention:

  1. Vendor management.  Expect expanded vendor pre-contract due diligence and on-going oversight, including a detailed understanding of how the vendor manages their subcontractors.  The guidance also introduces the concept of “concentration risk”, which is the increased use of, and over-reliance on, one or more key service providers.
  2. Contracts.  Expect increased contract requirements, including provisions related to subcontracting (see above), the right-to-audit, data ownership and handling, and how the servicer plans to respond to new guidance and regulations.
  3. Testing.  Expect an expanded testing section, including participation in critical vendor testing.
  4. Cyber security.  Cyber events should be factored into all aspects of your BCP, with emphasis on responding effectively to a cyber attack.  Expect your incident response planning and testing to get increased scrutiny as well.

There is one more element of the guidance that may prove to be the most challenging of all for outsourced institutions.  In the past, manual procedures were always the primary alternative to automation, but because of the increased dependence on outsourcing, it may no longer be feasible for an institution to operate manually for any length of time.  In those situations the guidance suggests that you have an alternative service provider identified to assume operations, or that you consider the possibility of moving the operations in-house.  Since the guidance admits that the latter option is likely not a valid one, that really only leaves the alternate provider as a possible solution.  Of course any institution that has converted their core system to a new provider knows that process is fraught with challenges even when the conversion is anticipated and carefully planned.  Undertaking the process after a sudden disruptive event is almost unthinkable, but the guidance expects you to going forward.

 

* A compliant BCP is built around a business impact analysis which identifies all critical business processes and their interdependencies, establishes clearly defined recovery time and recovery point objectives (RTO’s & RPO’s) for each process, specifies recovery procedures sufficient to restore process functionality within RTO’s, and then validates all procedures via testing.