In November 2019, the Federal Financial Institutions Examination Council (FFIEC) released its Business Continuity Management (BCM) booklet, one of 11 booklets within the FFIEC’s Information Technology Examination Handbook. The first and most obvious change is the redefinition of business continuity as a management principle rather than just a plan. Accordingly, the FFIEC renamed the Business Continuity Planning booklet to BCM to stress that business continuity involves more than planning to recover operations after an event. The FFIEC states, “Business continuity also includes the continued maintenance of systems and controls for the resilience and continuity of operations. Business continuity is an integral part of the risk management life cycle of an entity’s systems, processes, and operations.” The BCM booklet assesses an entity’s resilience from an enterprise risk management perspective that takes into account technology, business operations, communication strategies, training, testing, maintenance, and other issues critical to the continuity of the business entity.
Business continuity includes the continued maintenance of systems and controls for the resilience and continuity of operations. The BCM booklet emphasizes this point by referencing resilience 127 times and highlighting operational resilience concepts such as understanding the comprehensive process flow, potential systemic impacts, the need for more robust end-to-end testing, and maximum tolerable downtime (MTD). Resilience incorporates proactive measures to mitigate disruptive events and an evaluation of the entity’s recovery capabilities. A critical component of resilience is an inventory of the critical assets (including people) and infrastructure on which business functions depend, including the identification of single points of failure. The following are among the many resilience measures that should be considered:
- Cover a diverse range of events, including outages from a cyberattack
- Identify the appropriate personnel and skill sets to carry out the functions
- Establish redundant communications between branches and data centers
- Identify multiple power sources
- Geographically diversify key entity locations
- Maintain an accessible, off-site repository of software, configuration settings, and related documentation
- Protect offline data backups from destructive malware that may corrupt production and online backup versions of data
- Consider disruptive events that threaten the operational resilience and viability of the entity’s third-party service providers
Another area of increased emphasis within the BCM booklet is more detailed guidance on the development of a comprehensive business impact analysis (BIA). A BIA determines the impact of a disruptive event on an institution and should align with the institution’s risk assessment. The analysis should:
- Identify all business processes and the critical assets and infrastructure on which they depend
- Identify interdependencies, including services, production processes, hardware, software, application programming interfaces, data, vital records, third-party service providers, key suppliers, and business partners
- Determine criticality and define priorities
- Estimate recovery point objectives, recovery time objectives, and MTD
- Evaluate resource requirements
The resource requirements defined in the BIA form the basis for developing the business continuity plan (BCP), which should identify alternatives for core operations, facilities, infrastructure systems, suppliers, utilities, interdependent business partners, and key personnel. Areas often overlooked in a BCP include:
- Security measures for both the impacted facility and the recovery site
- Coordinating with first responders and local and state government agencies, when appropriate
- Processes for retrieving and transmitting transactions when payment systems are disrupted
- Plans for the entity’s operational cash needs
- Temporary purchase authority guidelines
- Procedures for restoring backlogged activity or lost transactions that identify how transaction records will be brought current within the expected recovery time frames
- Developing reasonably foreseeable threat scenarios that simulate disruptions to business functions, and documenting the assumptions used in developing each scenario
- Identifying threats that could affect third-party service providers, including communication processes with applicable stakeholders
The BCM booklet also focuses on enterprise-wide testing of business continuity plans. Planning should involve the Board of Directors and senior management and take an enterprise-wide perspective, considering technology, business operations, communications, and testing strategies for the entire institution. Management should define a consolidated exercise and test schedule that reflects the exercise and test objectives and the overall exercise and test universe, and should ensure that every function in that universe is covered according to the established time frames. The BCM examination procedures note that tabletop exercises by themselves are likely to be insufficient for validating recovery capabilities, because they are limited to a discussion-based review of policies and procedures. The scope of exercises should include actually connecting to and processing at the organization’s backup location. Where an organization depends on vendors for critical outsourced services (e.g., core system processing), it should arrange to participate periodically in the vendor’s BCP exercises. Historically, the regulators have recommended that participation in testing with a critical service provider be scheduled at least every three years.
Finally, the BCM booklet identifies the following examination procedures for evaluating Board of Directors oversight:
- Determine whether reports include a written BCM presentation, including the BIA, risk assessment, BCP, exercise and test results, and identified issues
- Determine whether management provides the Board with regular strategy updates based on changes in personnel, roles and responsibilities, and business operations
- Verify that management documents the reasons (e.g., cost and service level) for choosing recovery alternatives and why they are appropriate based on the entity’s risk profile and complexity
- Assess whether the Board provides a credible challenge to management, when appropriate
While much of the core content of the FFIEC booklet remains the same, the areas of new emphasis summarized above should be considered when evaluating your organization’s business continuity program. For additional guidance, visit the FFIEC’s website (https://ithandbook.ffiec.gov/it-booklets/business-continuity-management.aspx) to obtain the entire BCM booklet and the IT work program the regulators use when evaluating a BCM program.