Tag: business continuity

29 Apr 2015

FFIEC Issues Stealth Update to BCP Handbook

This caught me by surprise as it was not formally announced in the “What’s New” section, but the Appendix J update to the Business Continuity Planning Handbook apparently constituted a complete update to the Handbook.  Here is what the press release said in part:

The Federal Financial Institutions Examination Council (FFIEC) members today issued a revised Business Continuity Planning Booklet (BCP Booklet), which is part of the FFIEC Information Technology Examination Handbook (IT Handbook). The update consists of the addition of a new appendix, entitled Strengthening the Resilience of Outsourced Technology Services. (emphasis added)

If you only focused on the last sentence (as I did), you would think all they did was add an appendix to the existing booklet.  But the first sentence states that they issued a revised booklet.  And sure enough, they changed the date.

Here is the old booklet:

Cover page from 2008 FFIEC_IT_Booklet_BusinessContinuityPlanning

And here is the new booklet:

Cover page from 2015 FFIEC_IT_Booklet_BusinessContinuityPlanning

I’ve written about the wide-ranging implications of “Appendix J” previously.  In comparing the old and new BCP booklets I was unable to find any other changes in the document except the addition of Appendix J, and some changes to Appendix A.  Regular readers know that each of the 11 booklets has an Appendix A which contains the examination procedures. The message here is that the FFIEC considered the addition of Appendix J significant enough to warrant new examination procedures, and a whole new handbook with a new revision date!



I’ve gone through Appendix A of both the new booklet and the previous booklet and highlighted all of the changes.  If you’re interested in how your next BCP exam might differ, you can download a copy of my marked-up document here.  The complete BCP Handbook is here.

10 Feb 2015

FFIEC Issues Update to Business Continuity Guidance

The FFIEC just issued new BCP Guidance in the form of a 16 page addendum to the existing 2008 IT Handbook on Business Continuity Planning. It is titled “Appendix J: Strengthening the Resilience of Outsourced Technology Services”, and it has significant implications for both financial institutions and service providers, and across the entire business relationship between the two.

The following excerpt summarizes the intent of the update pretty succinctly:

A financial institution should be able to demonstrate the ability to recover critical IT systems and resume normal business operations regardless of whether the process is supported in-house or at a TSP (technology service provider) for all types of adverse events (e.g., natural disaster, infrastructure failure, technology failure, availability of staff, or cyber attack).

The appendix is focused on third-party technology service providers (TSPs), and is organized in four sections (with associated sub-sections):

  • Third-party management
    • Due Diligence
    • Contracts
    • Ongoing Monitoring
  • Third-party capacity
    • Significant TSP Continuity Scenarios
    • TSP Alternatives
  • Testing with third-party TSPs
    • Testing Scenarios
    • Testing Complexity
  • Cyber resilience

Assuming that you already have a relatively compliant* business continuity plan, I see several areas that may need immediate attention:

  1. Vendor management.  Expect expanded vendor pre-contract due diligence and on-going oversight, including a detailed understanding of how the vendor manages their subcontractors.  The guidance also introduces the concept of “concentration risk”, which is the increased use of, and over-reliance on, one or more key service providers.
  2. Contracts.  Expect increased contract requirements, including provisions related to subcontracting (see above), the right-to-audit, data ownership and handling, and how the servicer plans to respond to new guidance and regulations.
  3. Testing.  Expect an expanded testing section, including participation in critical vendor testing.
  4. Cyber security.  Cyber events should be factored into all aspects of your BCP, with emphasis on responding effectively to a cyber attack.  Expect your incident response planning and testing to get increased scrutiny as well.

There is one more element of the guidance that may prove to be the most challenging of all for outsourced institutions.  In the past, manual procedures were always the primary alternative to automation, but because of the increased dependence on outsourcing, it may no longer be feasible for an institution to operate manually for any length of time.  In those situations the guidance suggests that you have an alternative service provider identified to assume operations, or that you consider the possibility of moving the operations in-house.  Since the guidance admits that the latter option is likely not a valid one, that really only leaves the alternate provider as a possible solution.  Of course any institution that has converted its core system to a new provider knows that the process is fraught with challenges even when the conversion is anticipated and carefully planned.  Undertaking the process after a sudden disruptive event is almost unthinkable, but going forward the guidance expects you to be prepared to do exactly that.


* A compliant BCP is built around a business impact analysis which identifies all critical business processes and their interdependencies, establishes clearly defined recovery time and recovery point objectives (RTOs and RPOs) for each process, specifies recovery procedures sufficient to restore process functionality within the RTOs, and then validates all procedures via testing.

21 Jul 2011

BCP plans continue to draw criticism

In a recent FDIC IT Examination, the examiner made the following criticism of the institution's DR/BCP:

“Business continuity planning should focus on all critical business functions that need to be recovered to resume operations. Continuity planning for technology alone should no longer be the primary focus of a BCP, but rather viewed as one critical aspect of the enterprise-wide process. The review of each critical business function should include the technology that supports it.” (bold is mine)

This is not the first time we’ve seen this finding, nor is it a new direction for regulators, but rather follows directly from the 2008 FFIEC Handbook on Business Continuity Planning when they state:

“The business continuity planning process involves the recovery, resumption, and maintenance of the entire business, not just the technology component. While the restoration of IT systems and electronic data is important, recovery of these systems and data will not always be enough to restore business operations.”

I still see way too many DR plans that focus on the recovery of technology, instead of recovery of the critical process supported by the technology.  Sure, technology is an interdependency of nearly every function you provide, but it must not be the primary focus of your recovery effort.  Focus instead on recovery of the entire process (teller, CSR, lending, funds management, etc.), by recognizing that each process is nothing more than the sum of its interdependencies.   For example, what does it take to deliver typical teller functionality?

  • A physical facility for customers to visit
  • A trained teller
  • A functional application, consisting of:
    • A workstation
    • A printer
    • A database, requiring:
      • LAN connectivity
      • WAN (core) connectivity, requiring:
        • Core functionality
      • A server, requiring:
        • Access rights
      • etc.
    • etc.
  • etc.

As you can see, technology certainly plays a very important role, but it is not the only critical aspect of the process.  All sub-components must work, and work together, for the overall process to work.  Mapping out the processes through a work-flow analysis is an excellent way to get your arms around all of the interdependencies.
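Once the interdependencies are mapped, the teller tree above becomes something you can actually test against the RTO from your business impact analysis: a component cannot be restored until everything it depends on is back, so the achievable recovery time for the process is the longest chain of recovery times through the tree, not the recovery time of any single piece of technology.  The following Python model is an added example (it is not code from the original post or from the FFIEC); the recovery times in minutes, the provider labels, the 240-minute process RTO and the "alternate branch" assumption for the facility are all constructed for illustration.

```python
"""Propagate recovery times through a BCP interdependency tree.

Added example: models the teller-process dependency tree from the post
and checks whether the process can be recovered within its RTO.
All times and provider names are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Component:
    name: str
    recovery_minutes: int                 # time to restore this item once its dependencies are up
    depends_on: List["Component"] = field(default_factory=list)
    provider: str = "in-house"            # who restores it; anything else is an outsourced TSP


def build_teller_process() -> Component:
    """Constructed model of the teller process interdependencies."""
    core = Component("Core functionality", 240, provider="Core TSP")
    wan = Component("WAN (core) connectivity", 60, [core], provider="Telco")
    lan = Component("LAN connectivity", 30)
    access = Component("Access rights", 15)
    server = Component("Server", 120, [access])
    database = Component("Database", 45, [lan, wan, server])
    printer = Component("Printer", 20)
    workstation = Component("Workstation", 60)
    application = Component("Teller application", 30, [workstation, printer, database])
    facility = Component("Physical facility", 240)   # assumes staff relocate to an alternate branch
    teller = Component("Trained teller", 120)
    return Component("Teller process", 0, [facility, teller, application])


def effective_recovery(
    component: Component,
    memo: Dict[str, Tuple[int, List[Component]]] = None,
    stack: Set[str] = None,
) -> Tuple[int, List[Component]]:
    """Return (achievable recovery minutes, critical path) for a component.

    A component's dependencies are restored in parallel, so its own recovery
    can only start after the slowest dependency is back.  Names must be unique;
    a dependency cycle is a modelling error and raises ValueError.
    """
    memo = {} if memo is None else memo
    stack = set() if stack is None else stack
    if component.name in memo:
        return memo[component.name]
    if component.name in stack:
        raise ValueError(f"dependency cycle at {component.name}")
    stack.add(component.name)
    worst_minutes, worst_path = 0, []
    for dep in component.depends_on:
        minutes, path = effective_recovery(dep, memo, stack)
        if minutes > worst_minutes:
            worst_minutes, worst_path = minutes, path
    stack.remove(component.name)
    result = (component.recovery_minutes + worst_minutes, [component] + worst_path)
    memo[component.name] = result
    return result


def assess(process: Component, rto_minutes: int) -> dict:
    """Compare the achievable recovery time against the BIA's RTO for the process."""
    total, path = effective_recovery(process)
    return {
        "process": process.name,
        "rto_minutes": rto_minutes,
        "effective_minutes": total,
        "meets_rto": total <= rto_minutes,
        "critical_path": [c.name for c in path],
        # outsourced providers on the critical path: these are the TSPs whose
        # own continuity testing you need to participate in (Appendix J)
        "external_providers": sorted({c.provider for c in path if c.provider != "in-house"}),
    }


if __name__ == "__main__":
    finding = assess(build_teller_process(), rto_minutes=240)
    for key, value in finding.items():
        print(f"{key}: {value}")
```

With the constructed numbers the process can only be restored in 375 minutes against a 240-minute RTO, and the critical path runs entirely through outsourced links (teller application, database, WAN connectivity, core).  That is the point of the examiner's finding: the facility and the staff are part of the tree, but the shortfall here is owned by two TSPs, and no amount of in-house server recovery would close it.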

So next time you perform the annual review of your BCP (and you do review your plan annually, right?), make sure your IT department isn’t the only one in the room!