Updated FFIEC Business Continuity Planning booklet tips

The latest FFIEC BC handbook has made vendor resilience and cyber-resilience auditable issues. Even nonfinancial institutions should incorporate the handbook into their BC plans.

The first Business Continuity Planning booklet was issued by the Federal Financial Institutions Examination Council in 2003, and it continues to be an invaluable BC planning resource for financial and nonfinancial professionals.

The most recent edition was updated in 2015 to provide additional guidance and details on preparing business continuity plans and programs for auditing by financial examiners.

The foreword to the 2015 FFIEC Business Continuity Planning booklet notes that even with the revisions, "the focus of this booklet continues to be based on an enterprise-wide, process-oriented approach that considers technology, business operations, testing and communication strategies that are critical to business continuity planning for the entire business, instead of just the information technology department."

Each section of the FFIEC Business Continuity Planning booklet starts with an action summary that describes what will be addressed. This is a helpful resource for preparing summary-level documents and presentations to management.

Useful sections

The FFIEC Business Continuity Planning booklet uses a two-part format to provide excellent preparation for the examination process.

  • Part 1 offers detailed guidance on BC activities such as business impact analyses (BIAs), risk analyses, mitigation strategies, incident response, plan development, plan testing, standards and policies, and awareness and training. Each section is a tutorial on what the specific BC activity is, why it is important, and how to plan and execute it.
  • Part 2 discusses the all-important how-to activities. Starting with an appendix on preparing for an FFIEC examination, each subsequent appendix -- there are nine in total -- addresses key BC planning process activities, including internal and external threats, interdependencies, pandemic planning, details on the BIA process, specifics on BC plan components, test planning and execution, laws and regulations, and ensuring resilience of third-party technology service providers.

The importance of business continuity to bank leadership is underscored in the section on Board and Senior Management Responsibilities. Issues addressed include the significance of setting policy; assigning qualified employees to manage BC activities; regular, independent review of the plan; plan testing and updating; and awareness and training.

Following the BIA and risk analysis sections is one on risk management, which advocates practicing risk management by preparing a BC plan. This may seem contrary to the view held by some in the profession that business continuity management is a separate activity from risk management. The FFIEC views it as a true risk management activity.

Booklet highlights resilience

Resilience is one of the more popular terms in the profession, but debate still lingers as to how it differs from continuity. The FFIEC Business Continuity Planning booklet uses the term resilience almost 100 times, but mostly in the glossary (Appendix B) and in the newest addition, Appendix J, "Strengthening the Resilience of Outsourced Technology Services." It does not appear in earlier sections.

Appendix J focuses on two primary issues:

  • Assessing -- and thereby validating -- the resilience capabilities of third-party service providers; and
  • Evaluating the cybersecurity capabilities of service providers to ensure those activities contribute to the vendor's overall resilience posture.

Considering the dependence that banks and other financial institutions place on third-party or outsourced organizations, the FFIEC has made the assessment of business resilience and cyber-resilience by vendors a new and auditable issue. While some very large banks have completed an Appendix J assessment of their vendors, small and medium banks -- and other financial institutions, such as credit unions -- are encouraged to plan similar activities.

Much attention has been focused on internationally developed BC standards, such as those from the International Organization for Standardization. Domestic standards organizations, such as the National Institute of Standards and Technology, ASIS International, the National Fire Protection Association and the FFIEC, offer equally detailed and useful standards.

While the 2015 Edition of the FFIEC Business Continuity Planning booklet is primarily designed for banks and other financial organizations, all BC professionals should add it to their libraries and use it regularly.
