Handbooks and standards are helpful tools for all aspects of business continuity planning. These widely used industry guidelines receive updates to reflect the changing IT landscape and provide the most accurate guidance. In just the past few years, the requirements for BC planning have changed significantly.
Issued in November 2019, the latest update to the Federal Financial Institutions Examination Council (FFIEC) Business Continuity Management handbook consolidates items from the last edition, Business Continuity Planning, issued in 2015. The updated handbook delves deeper into BC strategies and exercises to take full advantage of planning resources. It also includes more details about threats to cybersecurity.
Financial institutions use the FFIEC Business Continuity Management handbook as a planning, design and audit tool, because it provides detailed guidance on all aspects of BC plan development and the many supporting activities associated with a business continuity program. Nonfinancial organizations can also benefit from the handbook to perform assessments and conduct audits of their business continuity programs and activities.
Changes between the 2015 and 2019 handbooks are clear from the beginning and include the following:
- items that were appendices in 2015 are now part of the overall text of the 2019 handbook;
- greater detail on key activities such as risk assessments and business impact analyses;
- greater detail on strategies, especially the inclusion of cybersecurity as a topic area;
- greater focus on senior management responsibilities regarding the business continuity program;
- the inclusion of specific financial considerations, such as payment systems and liquidity, and other scenarios that could be affected by a disruptive event;
- greater detail on testing and exercising;
- greater detail on the audit criteria; and
- an updated action summary in each section that includes activities the reader must perform.
The 2019 edition of the FFIEC Business Continuity Management handbook includes the following statement: "The focus of this revised booklet is on enterprise-wide, process-oriented approaches that consider technology, business operations, testing, and communication strategies critical to the continuity of the entire entity. However, business continuity should not be focused only on the planning process to recover operations after an event, but rather it should include the continued maintenance of systems and controls for the resilience of operations. Business continuity should be incorporated into the risk management life cycle of all systems, processes, and operations of an entity."
Using the 2019 edition
The 2019 update provides useful preparation tips for the examination process that organizations can use for general business continuity assessments and audits.
Follow the table of contents in sequence to develop a structured business continuity program that addresses the key issues and program requirements. In many ways, the FFIEC handbook mirrors the ISO 22301:2019 business continuity standard. The major differences lie in the FFIEC's inclusion of financial operation functions among the other scenarios for which an organization should develop a plan. The FFIEC handbook also serves as a training manual to help people relatively new to the profession get acquainted with the various components of business continuity management (BCM).
The first 49 pages provide the basic elements of the FFIEC Business Continuity Management handbook, including the following:
The FFIEC handbook has four appendices, compared to 10 in the 2015 version. Most of the previous appendices have been blended into the main text of the 2019 handbook. Two of the 2019 appendices are new.
Both the 2019 and 2015 editions of the FFIEC Business Continuity Management handbook provide detailed and useful guidance organizations can use to establish a new BCM program and validate the components of an existing activity. The handbook, available on the FFIEC's website, provides a free and ready-to-use guide to BCM good practices.