FFIEC Updates Business Continuity Planning Booklet with Appendix J

Courtney Bowers Courtney Bowers | Apr 06, 2015

FFIEC_Appendix_JAppendix J: Strengthening the Resilience of Outsourced Technology Services

The Federal Financial Institutions Examination Council (FFIEC) recently released an updated a version of its Business Continuity Booklet, which is one in the series of booklets that comprise the larger Information Technology (IT) Examination Handbook.

This article provides an overview of Appendix J and discusses the confirmed importance that continuity planning isn’t limited to just your organization; rather, it extends to all outsourced and supplier relationships as well.


Appendix J: Strengthening the Resilience of Outsourced Technology Services highlights that a financial institution’s reliance on third-party technology service providers (TSPs) to perform or support critical operations does not dismiss the responsibility to ensure that the outsourced activities are conducted in a secure and recoverable manner.

Appendix J specifically covers four key elements:

  1. Third-Party Management
  2. Third-Party Capacity
  3. Testing with Third-Party Technology Service Providers
  4. Cyber Resilience

Let’s take a quick look at each.

Third-Party Management
This section of Appendix J “addresses a financial institution management’s responsibility to control the business continuity risks associated with its TSPs and their subcontractors.”1

Specifically, this section provides guidance regarding:

  • Due Diligence
  • Contracts
  • Ongoing Monitoring
  • Strategic Considerations

Bottom-line: Your organization (senior management and board) is responsible for ensuring the recoverability of IT systems and all business operations within established business continuity requirements – regardless of whether the process is supported in-house or through a TSP.

In addition, it’s noted that the content included in this section is specific to the business continuity aspects of third-party management, and that the Outsourcing Technology Services Booklet should be referenced for expectations regarding managing third-party relationships.

Third-Party Capacity
This section of Appendix J “addresses the potential impact of a significant disruption on a TSP’s ability to restore services to multiple clients.”1

This section notes two industry concerns and potential impacts, including:

  • The reliance of the many (banks and financial institutions) on the few (specialized TSPs), where a widespread disaster could require TSPs to provide simultaneous recovery assistance for a large number of institutions, or where a disruption at a single TSP could simultaneously affect the critical operations of numerous financial institutions.
  • The reliance on technology and the inability of a financial institution to operate manually for a prolonged period of time.

Specifically, this section provides guidance regarding:

  • Significant TSP Continuity Scenarios
  • TSP Alternatives
  • Strategic Considerations

Testing with Third-Party TSPs
This section of Appendix J “addresses the importance of validating business continuity plans with TSPs and considerations for a robust third-party testing program.”1

Beyond validating plan content and ensuring that business continuity strategies are capable of providing response and recovery results within approved timeframes (or capabilities), testing also highlights weaknesses and areas for improvement (or where capabilities fail to align to business continuity and IT disaster recovery requirements), and provides critical hands-on training to the personnel responsible for the response and recovery activities (which ensures an appropriate level of performance and develops confidence).

Specifically, this section provides guidance regarding:

  • Testing Scenarios
  • Testing Complexity
  • Strategic Considerations

In addition, it’s noted that the while the Business Continuity Planning Booklet addresses the governance and attributes of testing in Appendix H, that the FFIEC IT Examination Handbook’s Outsourcing Technology Services Booklet should also be referenced for expectations regarding testing third-parties.

Cyber Resilience
This section of Appendix J “covers aspects of BCP unique to disruptions caused by cyber events.”1

It’s not surprising that this was included in this update, as cyber threats are becoming more common and more sophisticated every day. In this ever-changing threat environment, it’s not just about trying to prevent or reduce the likelihood of occurrence, but also having a strong capability to quickly detect and efficiently respond when it does.

Broken into two parts, Risks and Strategic Considerations, this section provides guidance regarding:

  • Risks
    • Malware
    • Insider Threats
    • Data or Systems Destruction and Corruption
    • Communications Infrastructure Disruption
    • Simultaneous Attach on Financial Institutions and TSPs
  • Strategic Considerations
    • Incident Response

For years, many organizations (regardless of industry) believed that if they implemented business continuity programs, then they were protected. However, in today’s inter-connected business environment – in which many organizations rely on third-party relationships to support the delivery their most critical products and services – that, quite frankly, is a very wrong and very dangerous assumption to make.

The addition of Appendix J to the FFIEC Business Continuity Planning Booklet, as well as recent updates to other business continuity-related industry and regulatory standards, reinforces the importance of addressing Supplier Risks in the development of your business continuity programs.

To learn more about protecting your supply chain, check out the following educational resources:

Avalution has helped banks and financial institutions of all sizes successfully overcome their business continuity and IT disaster recovery challenges. If you’re looking for assistance with improving your business continuity program or addressing Appendix J before your next audit, contact us today.

We look forward to hearing from you!

Additional Resources:


Courtney Bowers
Avalution Consulting: Business Continuity Consulting


1. FFIEC IT Examination Handbook’s “Business Continuity Planning Booklet, Appendix J: Strengthening the Resilience of Outsourced Technology Services“. Refer to “Background and Purpose” Section.