Avalution Consulting

The Ultimate Guide to FFIEC Business Continuity

What is the FFIEC Business Continuity Booklet?

On November 14, 2019, the Federal Financial Institutions Examination Council (FFIEC) released the revised version of the “Business Continuity Management” booklet, which is part of a series of booklets that make up the FFIEC Information Technology Examination Handbook (IT Handbook). This updated version replaces the February 2015 “Business Continuity Planning” booklet, as well as rescinds OCC Bulletin 2015-9, “FFIEC Information Technology Examination Handbook: Strengthening the Resilience of Outsourced Technology Services, New Appendix for Business Continuity Planning Booklet.”

This page summarizes what changes were made and how these changes will impact the entities beholden to these updates, as well as provides Avalution’s perspective on the changes.

While the updated booklet does not provide specific guidance on timelines for which impacted entities must align to the new guidance, we do know that these changes are effective as of the release date of the document (November 14, 2019). Avalution believes that it is safe to assume that the expectations surrounding alignment to these changes will be within the entity’s next audit cycle.

Who Needs to Comply with the FFIEC Business Continuity Booklet?

When the FFIEC refers to “entities,” it includes financial institutions and any organization that supports one. For example, depository financial institutions, non-bank financial institutions, bank holding companies, and third-party service providers are included under this term.

If you are an entity subject to the guidance and audit requirements noted on this page and you generally align to existing FFIEC expectations based on previous examinations, you may have some work to do to continue to meet expectations.

This page summarizes the changes you need to know and guidance to help you plan to stay in alignment to expectations as you move into the calendar year 2020.

What Changes were Made in the 2019 Version of the FFIEC BC Requirements?

In addition to several “minor” updates (clarified wording and document organization), Avalution noted a few strategic updates. First, the updates included broadening certain terms the booklet uses to describe business continuity. For example, the wording change from “Business Continuity Planning” to “Business Continuity Management” shows a shift toward thinking more holistically about business continuity. As most practitioners will attest, there is a major difference between having business continuity plans and having a fully functioning, strategy-connected business continuity program.

The document also mentions needing to establish “strategic goals and objectives” that are short-term, long-term, measurable, and focused on the entity’s products and services. These words again reflect an evolved view of a business continuity program that is connected to the entity’s strategy, as well as the entity’s ability to continue to deliver its products and services in the face of a disruption.

The 2019 Business Continuity Management booklet has a greater emphasis on proactive risk treatment with a focus on preventing the disruption by making the organization more resilient. The FFIEC places a greater emphasis on not just implementing a program to react to a disruption, but ensuring that the organization is evaluating strategies to proactively reduce the risk of disruption. The handbook points to a shift towards placing equal value on reducing the likelihood of a disruption and reducing the amount of downtime, versus just reducing the amount of downtime.

In addition to the more strategic developments mentioned above, the booklet contains subtle word choices, such as products/services, goals, and risk appetite. These choices imply that entities should design a program that focuses on effectively addressing business continuity requirements. The booklet references measurement (metrics) that ensure the program is meeting the requirements and continually improving.

Finally, the booklet iterates the importance of regular meetings with key stakeholder groups to discuss progress and goal completion.

See 10 Updates to the 2019 FFIEC Business Continuity Booklet and Recommended Actions for additional detail on these word choices and a comparison between the 2015 to 2019 examination criteria.

How Does the FFIEC Booklet Compare to ISO 22301?

The new FFIEC booklet aligns closer to the ISO 22301:2019 standard, both in terminology and methodology. The following table maps ISO 22301 requirements to the FFIEC guidance and examination criteria:

ISO 22301:2019 FFIEC 2019 Guidance FFIEC 2019 Examination Criteria (Appendix A)
4.1 Understanding the organization and its context Introduction and Section I Objectives 1.3 and 14
4.2 Understanding the needs and expectations of interested parties Introduction and Section I Objective 2
4.3 Determining the scope of the business continuity management system (BCMS) Introduction and Section I Objective 1.3
5.1 Leadership and commitment Section IIA Objectives 2.2, 2.3, 2.4, 2.5, and 12
5.2 Policy Sections IIA and IVB Objective 2.1
5.3 Roles, responsibilities, and authorities Section IIA Objectives 2.3, 2.4, and 2.5
6.1 Actions to address risks and opportunities Section IIA Objectives 2
6.2 Business continuity objectives and planning to achieve them Section IIA Objective 2
6.3 Planning changes to the BCMS Section VIII Objective 6.8
7.1 Resources Section IIA Objective 2.4
7.2 Competence Section VI Objectives 6.1 and 9
7.3 Awareness Section VI Objective 9
7.4 Communication Section VI Objective 9
7.5 Documented information Throughout Throughout
8.1 Operational planning and control Section III and in other sections Objective 2.3
8.2.2 Business impact analysis Section IIIA Objective 4
8.2.3 Risk assessment Section IIIB Objective 5
8.3 Business continuity strategies and solutions Section IV Objectives 6 and 8
8.4 Business continuity plans and procedures Section V Objective 7
8.5 Exercise program Section VI Objective 10
8.6 Evaluation of business continuity documentation and capabilities Section IIB and Appendix A Objectives 3 and 10
9.1 Monitoring, measurement, analysis, and evaluation Partially addressed by Section VIIK Objectives 6.8, 11, and 12
9.2 Internal audit Section IIB and Appendix A Objective 3
9.3 Management review Sections IIA and IV Objectives 2.2, 2.4, and 12
10.1 Nonconformity and corrective action Section VIII Objective 13

When Do You Need to Comply with the Changes in the 2019 FFIEC Booklet?

Examiners will use the new FFIEC Business Continuity booklet effective immediately. Companies should expect to respond to these criteria during their next audit.

10 Updates to the 2019 FFIEC Business Continuity Booklet and Recommended Actions

This section lists 10 specific changes made to the booklet, details on the changes, and Avalution’s perspective and recommended actions.

We will explore each of the following updates:

  1. Broadened the language used when referring to business continuity to reflect an increased focus on ongoing, enterprise-wide business continuity and resilience
  2. Replaced the term “financial institutions” with the term “entities”
  3. Clearer references back to NIST, FEMA, and other authoritative sources
  4. Clarified the linkage between enterprise risk management (ERM) and BCM
  5. Highlighted the importance of managing supply-chain risk with respect to single points of failure
  6. Clarified the distinction between exercises and tests
  7. Elevated maintenance and improvement as an important component of the BCM lifecycle
  8. Emphasized the importance of considering products and services
  9. Established board reporting requirements and highlighted the importance of metrics
  10. Highlighted the importance of regular meetings

Although not addressed on this page, additional 2019 Business Continuity Management booklet changes include:

  • Eliminated the pandemic planning section and integrated the content into the main body of the document
  • Integrated relevant concepts from Appendix J into the main body of the booklet
  • Aligned definitions and terminology with authoritative standards organizations (i.e., NIST and ISO), where appropriate

Update 1 – Broadened the Language Used When Referring to Business Continuity to Reflect an Increased Focus on Ongoing, Enterprise-Wide Business Continuity and Resilience

In several instances throughout the updated booklet, the FFIEC uses broader terms when discussing business continuity than it did in 2015. As mentioned in the summary above, the seemingly minor wording change from “business continuity planning” to “business continuity management” points towards a significant shift in how the FFIEC views business continuity. Although this does not necessarily translate into specific, new requirements, this wording indicates an increased focus on developing and maintaining a fully functioning, strategy-connected business continuity program. Specifically, a program that meets these requirements has actionable mitigation, response, and recovery strategies, as opposed to just a business continuity plan. Additionally, the use of the words “enterprise-wide” and “resilience” tells us that the FFIEC wants to ensure that the entity is taking a strategic view of its program and ensuring that the program protects the business activities and resources most important to the entity and its customers.

Avalution’s Perspective:

The use of language that supports the benefits of taking a strategic, organization-centric view, as opposed to plan-centric view, is a significant and welcome change. Often, entities can get trapped into a compliance mindset, focused on meeting audit requirements and producing documentation. In doing so, the entity fails to realize the full benefits of having an operational program and finds themselves with a program that works well on paper, but not necessarily in practice.

A Proposed To-Do List For 2020 and Beyond:

  • Assess the scope of your program by asking yourself the following two questions:
    • Why do we need business continuity (drivers and expectations)?
    • What should we protect – and prioritize – specific to our products and services?
  • Get clear with management on its “risk appetite” (or risk tolerance) and be prepared to use this information to measure the adequacy of existing risk mitigation, response, and recovery solutions
    • Note: At the same time the term “risk appetite” was added to the booklet, ISO 22301 (and ISO 31000) removed the term given the difficulty that the standard’s users had with it. To help with this, replace the term with a simple definition, such as the one ISO 22301 uses: the amount and type of risk the organization may or may not take (ISO 22301:2019).
  • Compare the answers to the first two questions against the current program scope to ensure that the business activities and resources that contribute to the delivery of each product and service are in-scope

Discuss program scope modifications and areas for improvement as necessary (begin to set goals to make modifications and improvements)

Update 2 – Replaced the Term “Financial Institutions” with the Term “Entities”

As you may have noticed, this page has adopted the revised language already and refers to “entities,” not just “financial institutions.” This is an important point of differentiation, as the FFIEC is not just referring to the financial institution itself any longer, but also the organization’s business partners, service providers, and suppliers.

Avalution’s Perspective:

This is a small but important point of differentiation, as disruptions experienced by the financial institution’s third-party dependencies can be just as impactful as a disruption to the financial institution itself. Regardless of whether the disruption occurs to the supplier or the financial institution, the disruption can impact the ability to deliver products and services, impacting customers. This mirrors a shift Avalution is seeing across nearly all industries: an increased focus on third-party risk management and supply chain resiliency.

One more point, as this is a point of confusion for many entities: It is our perspective the 2019 Business Continuity booklet clarifies the applicability of the content to all key suppliers, not just those providing technology services (TSPs). As you may know, the previous Appendix J emphasized TSPs rather than a broader focus on all key third-party dependencies.

A Proposed To-Do List For 2020 and Beyond:

  • Evaluate your organization’s third-party (not just TSPs) risk management practices as they relate to business continuity
  • Help your third-party dependencies by offering input based on your successes with business continuity planning
  • Consider adding or modifying standard contract language for relevant vendors to address business continuity-related expectations

Update 3 – Clearer References Back to NIST, FEMA, and Other Authoritative Sources

By providing clearer references back to standards and authoritative sources (e.g., ISO standards and NIST SP 800-34), the FFIEC is making the role of the business continuity program manager easier by enabling compliance with standards to ensure compliance with examiner expectations.

Avalution’s Perspective:

Anytime you can remove ambiguity or provide clarity, it is usually a positive!

The FFIEC guidance appears to align more closely overall with ISO 22301. Avalution has long encouraged clients to leverage the ISO 22301 management system to meet a broad range of obligations and expectations. Entities subject to the FFIEC Business Continuity booklet are no different and many are already using ISO 22301 to implement a continual improvement mindset and meet examiner expectations. With this shift in alignment, the work is that much easier.

For a crosswalk comparing ISO 22301 to the FFIEC guidance and examination criteria, see How Does the FFIEC Booklet Compare to ISO 22301?.

A Proposed To-Do List For 2020 and Beyond:

  • Review the ISO 22301/FFIEC crosswalk above
  • Identify gaps in your program when compared to the ISO standard or study the many ways ISO 22301 can help achieve alignment with the new FFIEC guidance

Prioritize identified gaps for discussion in your next business continuity steering committee meeting

Update 4 – Clarified the Linkage Between ERM and BCM

The FFIEC describes BCM as a subset of operational risk. The BCM outcomes and continual improvement actions should be coordinated with, or integrated into, the entity’s ERM practice. By feeding into the larger ERM practice, this integration should enable the entity to “allow for the identification and management of risk across the entire entity.” Here, the FFIEC aligns its thinking with, and cites, the COSO ERM Integrated Framework.

Avalution’s Perspective:

By clarifying how BCM should integrate with overall enterprise risk management, the FFIEC furthers its stance on addressing business continuity more strategically. As the 2019 FFIEC Business Continuity booklet states, this integration “allows for the identification and management of risks across the entire entity.” This point of clarification helps identify where the business continuity program should live and ultimately report, track, and resolve identified risks/gaps based on a more strategic prioritization.

A Proposed To-Do List For 2020 and Beyond:

  • Evaluate your business continuity program’s existing relationship with the broader ERM practice
  • Use the entity’s risk appetite as the “glue” between BCM and ERM, and share verbiage used for the entity’s organizational structure and resources
  • Discuss with the business continuity steering committee any missed opportunities for integration and escalate these to relevant parties for a discussion with ERM leadership

Update 5 – Highlighted the Importance of Managing Supply-Chain Risk with Respect to Single Points of Failure

The FFIEC draws attention to critical third-party single points of failure. The document directs entities to assess their critical third-party service providers’ susceptibility to multiple disruptive scenarios and to verify their resilience capabilities. If alternate providers are not readily available, the FFIEC states that the entity should evaluate its strategy options to continue business in the face of a third-party disruption and to reevaluate these options periodically. Additionally, the entity should ensure expectations are well-defined with the third party and that planning should be closely coordinated between the entity and third party.

Avalution’s Perspective:

As mentioned earlier, this FFIEC guidance aligns with a trend Avalution has seen across nearly all industries: an increased focus on third-party risk management and supply chain resilience. It is important to evaluate critical third parties’ resilience capabilities and plans up front and monitor them on a continual basis. Additionally, the statement about coordinating resilience planning between the entity and the supplier is a value-adding point, as this approach will ensure both parties are in alignment and working towards the same desired end state.

A Proposed To-Do List For 2020 and Beyond:

  • Reference the to-do list for Update 2 above

Update 6 – Clarified the Distinction Between Exercises and Tests

The words “exercise” and “test” are sometimes used interchangeably. The FFIEC provided the following clarification: “For purposes of this booklet, the term “exercise” represents both exercises and tests, unless the term “test” is specifically mentioned.” When tests are specifically mentioned, it is to represent “a type of exercise intended to verify the quality, performance, or reliability of system resilience in an operational environment. Tests are evaluation tools that use quantifiable metrics to validate the operability of an IT system or system component in an operational environment (e.g., what happens as a result of removing power from a system or system component).”

Avalution’s Perspective:

We don’t have much additional commentary here. The bottom line is the FFIEC wants to ensure that when referencing a “test,” the reference is specifically regarding the validation of an IT system’s or component’s operability. Exercises, on the other hand, can encompass business operations and IT infrastructure/applications.

Update 7 – Elevated Maintenance and Improvement as an Important Component of the BCM Lifecycle

The elevation of maintenance and improvement activities shows another area where the FFIEC aligns more closely with the ISO 22301 standard (specifically Clauses 9 and 10). In these clauses, continual improvement is a core component of the business continuity management system and lifecycle. ISO 22301 and management systems in general focus on two key areas from an audit perspective: 1) The entity needs to identify, track, and manage corrective actions and 2) The entity needs to continually improve the suitability, adequacy, and effectiveness of the business continuity management system. The FFIEC provides a list of eleven triggers that may prompt maintenance and improvement activities:

  • Changes in enterprise strategies
  • New or reconfigured products, services, or infrastructure
  • Changes in products and services offered by third-party service providers
  • Deficiencies identified in third-party service provider business continuity processes
  • New legislation, regulatory requirements, or resilience practices
  • Results of operational metric analysis (e.g., key risk indications, key performance indicators)
  • Early warning indicators that may identify potential continuity events, crises, or incidents (e.g., frequency and severity of storms, increased cyber-attacks, or increases in customer service calls)
  • Variances between budgeted and actual business continuity expenses
  • Results from exercises and tests, and lessons learned
  • Changes in the threat landscape (e.g., new capabilities, intent of threat actors)
  • Recommendations (e.g., from audits, vulnerability assessments, and penetration tests)

Avalution’s Perspective:

The elevation of the importance of maintenance and improvement activities is further evidence of the FFIEC taking a more program-centric over plan-centric view, which is a major step in the right direction. Other highlights include some of the specific triggers that were noted, including changes in enterprise strategies; new or reconfigured products, services, or infrastructure; results of operational metrics (specifically key performance indicators). While nearly all of these triggers add some form of tangible value, they also reflect a desire for the entity to connect the program to the business’s overall strategy.

A Proposed To-Do List For 2020 and Beyond:

  • Review ISO 22301 Clauses 9 and 10, as well as the FFIEC list of eleven triggers (noted above); compare these against your entity’s current drivers for continual improvement
  • Define an approach to identify, track, prioritize, and manage corrective actions and goals; prepare to review prioritization and resource needs during meetings with management
  • Modify your approach to maintenance and improvement activities as necessary

Update 8 – Emphasized the Importance of Considering Products and Services

The updated booklet refers to the entity’s products and services on several occasions. While this does not represent a new specific examination requirement, the use of “products and services” is significant. It helps highlight the importance of ensuring that the entity is properly addressing risk as it relates to the availability of its key products and services. Using this approach also creates an expectation of measuring preparedness at the product and service level. Finally, perhaps most importantly, structuring a business continuity program using products and services enables engagement from management. Management views the organization as whole in this manner, versus the components of facilities, functions, and applications. Lastly, a product- and service-focused view of the program enables the entity to evolve towards designing resilient products and services.

Avalution’s Perspective:

Avalution has long espoused the value of developing and maintaining focused, strategy-connected business continuity programs. We develop strategy-connected programs by mapping the program directly to entity’s key products and services. Using a top-down scoping approach, the entity first identifies its most critical products and services. The entity uses this list to scope the business activities and resources that directly and indirectly support the delivery of the products and services. In doing so, an entity covers all critical components without “boiling the ocean.”

A Proposed To-Do List For 2020 and Beyond:

  • Have a discussion with leadership using these two questions to ensure the program is protecting what it needs to:
    • What products and/or services do we want to protect with this program?
    • What is leadership’s appetite for downtime as it relates to these in-scope products/services?
  • Ensure that the program scope includes all departments/business functions that directly and indirectly support the delivery of the products/services leadership identified

Update 9 – Established Board Reporting Requirements and Highlighted the Importance of Measurement

The updated booklet clearly articulates the Board reporting requirements. The following statement is found in Section IX of the updated booklet:

 “…management should report on the status of business continuity to the board, completing the BCM cycle. Reports should include a written presentation providing the BIA, risk assessment, BCP, exercise and test results, and identified issues. Additionally, reports should include regular strategy updates based on changes in personnel, roles and responsibilities, and business operations. The board should monitor business continuity and resilience activities regularly to verify that they are implemented as envisioned and reviewed periodically or as changes dictate. The board should be updated in a timely manner based on lessons learned. Board minutes should reflect business continuity discussion (including credible challenges) and approvals.”

The booklet provides a bulleted list of these items, including a bullet that refers to metrics. The bullet referring to metrics notes the requirement to include key risk indicators and key performance indicators. This is a very important callout, as it requires that the entity is tracking and reporting on the right metrics.

Avalution’s Perspective:

Avalution believes that great metrics, or “measurables,” are one of the six core components of a great business continuity program. Avalution looks at a few different types of metrics: activity and compliance metrics (also known as Key Performance Indicators or KPIs) and product/service metrics (also known as Key Risk Indicators or KRIs).

Activity metrics serve to measure the performance of program activities (e.g., number of BIAs or plans completed), while compliance metrics measure alignment with requirements imposed on the program (e.g., ability to meet customer or regulatory requirements).

Product/service metrics, on the other hand, measure the entity’s ability to meet the agreed-upon recovery requirements of in-scope products and services (e.g., recovering the entity’s call center capabilities within four hours). Measuring and reporting on these items is key to ensuring that the entity meets its overall goals.

A Proposed To-Do List For 2020 and Beyond:

  • Make a list of your entity’s current business continuity-related metrics
  • Map the list of metrics to the stakeholders that care about each
  • Evaluate the effectiveness and relevance of these metrics as it relates to the various stakeholder groups and modify the reporting, as necessary
  • Develop, track, and report on activity and compliance metrics; deliver to the right audience at the right cadence
  • Develop, track, and report on product/service metrics; deliver to the right audience (including the Board) at the right cadence

Update 10 – Highlighted the Importance of Regular Meetings

Regular meetings with “a designated coordinator or a business continuity committee to discuss items such as policy changes, exercises, tests, and training plans” are mentioned in the guidance and the examination criteria in the updated booklet. Regular meetings provide a forum to discuss progress of goals and organizational business continuity-related objectives. Regular meetings also provide a forum to process performance issues, obtain consensus, assign actions, and maintain accountability.

Avalution’s Perspective:

Along with standard governance documentation (e.g., business continuity policy or standard operating procedures), Avalution believes that every business continuity program should have an Engagement Plan. The Engagement Plan identifies the program’s key stakeholders, defines the meetings in which various stakeholders should participate, and sets the cadence of these meetings. The Engagement Plan ensures that the right program participants receive the right message or discuss the right issues at the right time. Avalution is pleased that the importance of regular meetings is emphasized in the booklet. Without consistent and relevant engagement, the entity will struggle with maintaining a truly operational business continuity program.

A Proposed To-Do List For 2020 and Beyond:

  • List the various business continuity-related meetings in which your program participates; note the frequency with which these meetings occur (e.g., steering committee meetings – monthly)
  • Map which stakeholders attend each meeting
  • Evaluate the effectiveness of these meetings and determine what changes in participation or frequency are necessary
  • Identify if there are any ineffective meetings that can be eliminated altogether
  • Identify what new meetings may be necessary or missing
  • Discuss these proposed changes with your business continuity steering committee

Connect with Our Team

We hope this article was helpful in unpacking what changes to your program may be necessary. If you’re looking for assistance with aligning your program to the 2019 FFIEC business continuity requirements, please book a meeting with our team. We’d love to learn about your goals and challenges, and then explore how we can help.

With over 15 years of experience helping financial institutions of all shapes and sizes navigate the business continuity regulatory landscape, Avalution is well-positioned to help.

Avalution feels that the additions and enhancements made to the 2019 booklet are a major step in the right direction. In fact, many of the changes made align the FFIEC guidance closer to Avalution’s own proven process: the Business Continuity Operating System (BCOS).

The BCOS, comprised of six core components, is the culmination of over 15 years of experience helping organizations build and maintain high-performing business continuity programs. Avalution has found that when these six core components are present, it almost always indicates a high-performing business continuity program. Conversely, when programs are struggling, it can usually be tied back to a deficiency in one or more of these six core components.

Here is a brief summary of the six core components we have identified:

  1. Frame – Leadership is in sync on the answers to the following four questions:
    1. Why does this entity need business continuity (drivers and expectations)?
    2. What products and services should this program protect?
    3. “How much” business continuity is necessary?
    4. Who should sponsor, lead, and participate in the program?
  2. Process – The entity has documented its business continuity processes, and the processes are followed by everyone. Documentation is usually in the form of governance documentation, such as the BC Policy, Standard Operating Procedures, and Engagement Plan.
  3. Participation – All business continuity program roles and responsibilities are clearly defined. Those with a role in the program understand their role, want to perform their role, and have the capacity to perform their role well.
  4. Engage – The proper connection cadence is determined and documented. This ensures that the right people are in the right meetings, at the right frequency to process the right issues.
  5. Measurables – The entity properly tracks and reports on activity and compliance metrics, as well as product and service metrics. This ensures that the entity is not only performing the program activities that it should be performing, but also monitoring the current-state recoverability of its key products and services against leaderships expectations.
  6. Improvement – The entity sets annual and quarterly goals and tracks progress against these goals. The entity drives open action items to resolution and experiments with ways to reduce the organization’s overall risk footprint.

The six core components are represented in the updated FFIEC examination criteria. The following table maps each of the six BCOS core components to the examination criteria:

BCOS FFIEC 2019 Examination Criteria (Appendix A)
Frame Objectives 1.3 and 1.4
Process Objectives 2.1, 2.3 and 4 through 10
Participants Objectives 2.2, 2.4, 2.5 and 9
Engagement Objectives 2 and 12
Measurement Objectives 11 and 12
Improvement Objectives 3 and 13

 

Avalution EMEA
Level 1, The Chase
Carmanhall Road, D18 Y3X2
+353.1.536.3299 (Ireland)

Avalution Consulting, LLC
Suite 410
323 W Lakeside Ave
Cleveland, OH 44113
+1.866.533.0575 (USA)