Recently, in November 2019, the Federal Financial Institutions Examination Council (FFIEC) announced the newest version of their Business Continuity Planning (BCP) booklet, now called “Business Continuity Management.” To make it simpler and easier to understand, we’ve put together a list of the most important updates to the FFIEC booklet that may affect your business.
It’s important to note that the new handbook is a near complete overhaul of the prior guidance. According to the FFIEC, “The change from business continuity planning to business continuity management reflects the changes in customer and industry expectations for the resilience of operations.” As such, the new guidance focuses on the ongoing activities that ensure the continuity of operations, rather than just focusing on disaster recovery. The enhanced section on Risk Management contains a new chart showing how Business Continuity Management fits into the overall Enterprise Risk Management structure at a financial institution. As with many other areas of regulatory guidance, emphasis is placed on the Board of Directors’ responsibility for awareness and partnership with senior management in managing business continuity and resilience.
Board oversight should always include:
- Assigning BCM responsibility and accountability
- Allocating resources to BCM
- Aligning BCM with the entity’s business strategy and risk appetite
- Understanding business continuity risks and adopting policies and plans to manage events
- Reviewing business continuity operating results and performance through management reporting, testing and auditing
- Providing a credible challenge to management responsible for the BCM process
In addition to the above changes, an effort was made to simplify and reorganize the guidance. The focus of the overhaul is clear – cybersecurity and third party risk management are key to ensuring a strong Business Continuity Management function.
Highlights of the new booklet
- Audit – This is a new section and should be reviewed closely and shared with your internal audit function or third party service provider. Expectations of the audit function are clearly outlined.
- Business Impact Analysis – The need for a detailed BIA has been emphasized in recent regulatory examinations. The new guidance hones in on the expectations that critical processes are identified and interdependencies considered and documented.
- Risk Assessment – The Risk Assessment section has been expanded to include discussion on risk identification, likelihood and impact considerations.
- Business Continuity Strategies – This new section is a refresh of the Risk Mitigation section in the prior guidance.
- Resilience – This important new section discusses the need for resilience practices, including the recovery infrastructure and backup processes, disaster recovery services, alternative data communication infrastructure and designation of emergency personnel. Cyber Resilience is a particular focus, as are third party service provider implications. This is a refresh and update of certain components previously included in Appendix J, the most recent update to the Business Continuity Planning handbook, issued in February 2015.
- Communications – This new section contains a greater emphasis on ensuring there are alternate means of communication in the event of a disaster.
- Training – This topic is expanded significantly from one paragraph to two pages in the new guidance. BCP Training has been a focus of recent examinations and will likely continue to be going forward.
- Exercises and Tests – This area of the guidance has been consolidated from the previous appendices and incorporated into one section. A total of nine pages in the new guidance are dedicated to this topic. It is now more important than ever to make sure you are testing your business continuity plans and disaster recovery solutions routinely, at least on an annual basis.
- Maintenance and Improvement – a brand new section that clearly defines regulatory expectations for ongoing review and enhancement of the Business Continuity Management function.
The issuance of this new guidance is indicative of the continued focus the federal regulators are giving to the topics of cyber resilience and business continuity. Financial institutions can expect their auditors and examiners to be taking a closer look at not only their Business Continuity Plan, but all aspects of Business Continuity Management, including everything from board governance, risk assessment, systems backup and redundancy, telecommunications and third party risk management to testing and improvement.
All Covered’s seasoned information security and compliance specialists can assist your financial institution with Business Continuity Management and Planning, as well as disaster recovery and redundancy solutions. Visit us online for more information.