In November 2019, the Federal Financial Institutions Examination Council (FFIEC) released an update to the Information Technology Examination Handbook (IT Handbook). This handbook is a guide for examiners at its member agencies, which include the FRB, FDIC, NCUA, OCC, and CFPB.
The update replaced the Business Continuity Planning booklet in the IT Handbook with a new version, titled Business Continuity Management. It’s the first update to this booklet since 2015, and the first update to the handbook overall since 2016.
Banks and other financial institutions are taking notice of this update because it could signal changing priorities and new expectations surrounding business continuity within FFIEC member agencies.
In order to be optimally prepared for future audits and assessments, IT, risk, and compliance professionals in the finance industry should familiarize themselves with the contents of the updated booklet.
Our latest whitepaper goes into detail about the updates and includes suggestions for how financial firms can use them. Here are some of the key takeaways:
The updates to the FFIEC business continuity booklet come at a time when financial institutions are becoming increasingly reliant on SaaS technologies, cloud-based service providers, and other third-party IT resources.
These third parties have in turn outsourced portions of their own IT infrastructure, creating a deeply interconnected web in which an outage, cyber attack, or data breach at a single provider can affect many institutions at once.
This web of relationships and its associated risks are constantly changing, creating a business continuity challenge for financial firms.
The updates to the FFIEC business continuity guidelines include new emphasis on continuously monitoring and managing business continuity plans, as well as identifying and creating contingencies for single points of failure within supply chains.
What’s included in the update?
The new business continuity booklet contains several significant changes. (You can review the complete list on the FFIEC website.)
Two of the biggest changes are a shift from planning to management and a new focus on interdependency analysis.
Let’s examine what these changes might mean for financial firms:
It’s business continuity management, not planning
The most immediately apparent change to this portion of the IT Handbook is its title: “Business Continuity Management” has replaced “Business Continuity Planning.”
In a press release accompanying the update, the FFIEC writes:
“As the booklet makes clear, business continuity focuses on more than just the planning process to recover operations after an event.”
New guidelines within the booklet emphasize that planning is just one of a financial institution’s business continuity responsibilities.
In addition to planning, the FFIEC is instructing examiners to assess capabilities like:
- Training stakeholders on business continuity
- Testing business continuity plan effectiveness
- Continuously updating business continuity plans to reflect changing conditions
- Monitoring and reporting on the business continuity program
In other words, it’s not good enough to keep a plan in a file cabinet. Business continuity management, according to the FFIEC, is about continuously updating and testing that plan to maximize preparedness.
Identifying interdependencies in the supply chain
One of the updates to the booklet is a discussion of interdependencies, or single points of failure in the supply chains of financial institutions. You can find this discussion in the section called “Interdependency Analysis” as well as the section on “Third-Party Service Providers.”
This update is especially relevant in the context of the finance industry’s increasingly large and interconnected supply chains.
Single points of failure in these supply chains often exist without a financial firm's knowledge. They could be data centers, DNS providers, or other infrastructure elements that several of the firm's providers depend on, so that redundancy at the vendor level quietly collapses onto one shared component.
In the event that a cyber attack or other disaster takes such an element offline, even for a short time, a financial firm could find its customer-facing services unavailable, as happened to many companies during the October 2016 DDoS attack on DNS provider Dyn. Firms must have contingency plans for events like these.
By highlighting interdependencies in the revised booklet, the FFIEC is signaling that this source of risk should be addressed in business continuity plans, with provisions made to continuously identify shared dependencies and update those plans as business relationships change.
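To make the interdependency analysis concrete, the following is an added example written for this article; it is not code from the FFIEC booklet or from any vendor. It models a firm's critical services, its third-party vendors, and the fourth-party infrastructure those vendors rely on as a dependency map, then simulates the outage of each component to find the ones whose failure alone takes down one or more critical services. Every service, vendor, and provider name below is a hypothetical, constructed input, and the redundancy rule (a dependency group is satisfied while at least one member is still up) is an assumption of the model, not something the booklet prescribes.

```python
"""Blast-radius analysis of third- and fourth-party dependencies.

Model (an assumption of this example, not FFIEC guidance):
  - Each node lists its dependencies as groups of alternatives.
  - A group is satisfied while at least one member is operating (redundancy).
  - A node fails when it is in the initial outage or any of its groups is
    fully down. Failures cascade until no further node changes state.
"""
from typing import Dict, Iterable, List, Set

DependencyMap = Dict[str, List[Set[str]]]

# Constructed, hypothetical dependency map: services -> vendors -> providers.
DEPENDENCIES: DependencyMap = {
    # Critical services of the firm (every group below must stay satisfied).
    "online_banking": [{"core_saas"}, {"payments_api"}],
    "wire_transfers": [{"payments_api"}],
    "mobile_app": [{"core_saas"}, {"push_vendor"}],
    # Third parties. core_saas is multi-cloud; the others are not.
    "core_saas": [{"cloud_east", "cloud_west"}, {"dns_provider"}],
    "payments_api": [{"cloud_east"}, {"dns_provider"}],
    "push_vendor": [{"cloud_west"}, {"dns_provider"}],
    # Fourth parties shared across vendors (leaves of the graph).
    "cloud_east": [],
    "cloud_west": [],
    "dns_provider": [],
}

CRITICAL_SERVICES: List[str] = ["online_banking", "wire_transfers", "mobile_app"]


def failed_nodes(deps: DependencyMap, outage: Iterable[str]) -> Set[str]:
    """Return every node that is down once the initial outage has cascaded."""
    down = set(outage)
    changed = True
    while changed:  # fixpoint: stop when a full pass adds no new failures
        changed = False
        for node, groups in deps.items():
            if node in down:
                continue
            # A node fails if any of its dependency groups has lost all members.
            if any(group <= down for group in groups):
                down.add(node)
                changed = True
    return down


def blast_radius(deps: DependencyMap, services: List[str], node: str) -> List[str]:
    """Critical services that go down if only `node` fails."""
    down = failed_nodes(deps, {node})
    return sorted(s for s in services if s in down)


def single_points_of_failure(deps: DependencyMap, services: List[str]) -> Dict[str, List[str]]:
    """Map each vendor or provider to the services its sole outage takes down."""
    result: Dict[str, List[str]] = {}
    for node in deps:
        if node in services:
            continue
        affected = blast_radius(deps, services, node)
        if affected:
            result[node] = affected
    return result


def shared_single_points_of_failure(deps: DependencyMap, services: List[str],
                                    threshold: int = 2) -> Dict[str, List[str]]:
    """Nodes whose outage hits at least `threshold` services: concentration risk."""
    return {n: s for n, s in single_points_of_failure(deps, services).items()
            if len(s) >= threshold}


if __name__ == "__main__":
    for node, affected in sorted(shared_single_points_of_failure(
            DEPENDENCIES, CRITICAL_SERVICES).items()):
        print(f"{node}: outage takes down {', '.join(affected)}")
```

Running the example shows why the analysis has to look past the firm's direct vendors: core_saas is deployed across two clouds, yet cloud_east still appears as a shared single point of failure because payments_api, which online_banking also needs, runs only there. dns_provider takes down all three services even though it does not appear anywhere in the firm's own vendor list. The map itself is the part that needs continuous maintenance; as vendors change their providers, the results change with them.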
Understanding the updated FFIEC IT Handbook can help IT, risk, and compliance professionals in the finance industry prepare for their next regulatory examination and avoid matters requiring attention (MRAs) and fines.