FFIEC Updates the Business Continuity Standard for Banks

Avalution Team | Apr 07, 2008

Introducing the New FFIEC Business Continuity Planning Booklet
The Federal Financial Institutions Examination Council (FFIEC) is responsible for establishing the standards to which financial institutions are held.  This interagency group publishes individual booklets specific to various risk management disciplines.  In 2003, the FFIEC updated Chapter 10, Corporate Contingency Planning, based on the 1996 FFIEC Information Systems Examination Handbook, to reflect new technologies, business practices and the threat of terrorism impacting the availability of critical banking processes and technologies.  The 2003 version, or “Gold Standard” as many business continuity professionals refer to it, emphasized the importance of business process response and recovery, as opposed to a program focused almost exclusively on technology availability.  This marked a key evolutionary point in financial services business continuity planning.

The newly-released 2008 FFIEC Business Continuity Planning booklet continues to incorporate new business continuity themes and trends.  While the tables at the end of this perspective provide detailed comparisons between the 2003 and 2008 requirements, there are five broad areas of improvement on which the FFIEC focused:

  • The role of the board and senior management;
  • The addition of pandemic planning guidance;
  • A push toward risk management integration;
  • The emphasis on proactive risk mitigation; and
  • An overall attempt to eliminate or minimize ambiguity.

Senior Management Involvement
The 2003 booklet clarified and expanded the role of the financial services organization’s board and senior management.  In 2008, the role expands once again.  Three key points are made by the FFIEC:

  1. Management is responsible for ensuring the business continuity program is independently reviewed annually, a challenge given that independent review and oversight is often driven by an Internal Audit risk assessment (which may or may not occur annually).
  2. Employee awareness is now a process owned by management.  Also, the scope of the awareness effort expands beyond the core business continuity team to employees in general.
  3. The board and senior management not only should review test results, but they are responsible for ensuring that enterprise-wide testing and the program as a whole are sufficient to measure readiness and performance.

Overall, the growth of management’s role in business continuity is consistent with the strategic expansion of business continuity as a key element of the organization’s risk management efforts.

Addition of Pandemic Planning Guidance
In response to the government-issued National Strategy for Pandemic Influenza and the recent Avian Flu threat, the FFIEC included an appendix focused on pandemic planning.  Pandemic planning warrants its own section because it adds an element of complexity to business continuity (employee absenteeism and the possibility of system failure) and requires a somewhat unique approach.  While most professionals agree that business entities, including financial institutions, should not plan for specific types of interruptions, a growing number of businesses are planning (and should plan) for high levels of absenteeism and product/service disruption associated with a public health event.  Financial institutions cannot expect full employee availability during a public health event and cannot expect uninterrupted service from third-party entities, such as suppliers and business partners.  A pandemic would cause high rates of absenteeism for a number of weeks due to personal sickness, familial sickness, travel restrictions, suspension of public transportation, school closures and, more broadly, fear.  Customers would experience similar challenges, which could increase their dependency on financial institutions’ electronic interfaces, such as ATMs and online services.  While the addition of the pandemic planning appendix is important, financial institutions have been aware of this change since the publication of the FFIEC’s Interagency Statement on Pandemic Planning in December 2007.  The FFIEC’s guidance in the booklet remains nearly the same as its interagency statement.  For additional information on actions and strategies specific to pandemic planning for financial institutions, refer to Avalution’s recent perspective, FFIEC Expands Pandemic Planning Guidance for Financial Institutions, which summarizes the FFIEC’s pandemic requirements.

Risk Management Integration
The section titled, “Other Policies, Standards and Processes”, demonstrates continual growth in the area of risk management collaboration and integration.  For years, even in the absence of regulatory requirements, executive managers mandated coordination between various risk management disciplines as a method of controlling costs and improving the performance of business risk controls.  The FFIEC booklet not only identifies the following risk management disciplines (an expanded and revised list when compared to 2003), but also notes the importance of coordination with government and the community.

  • Security standards (new)
  • Project management
  • Change control policies
  • Data synchronization procedures
  • Crisis management (new)
  • Incident response (new)
  • Remote access (new)
  • Employee training (revised)
  • Notification standards (revised)
  • Insurance

Emphasis on Risk Mitigation
Consistent with executive management mandates to realistically prevent, not just react to, business interruptions, the FFIEC expanded its view of business continuity to include pre-business interruption risk treatment decision-making.  The standard puts a focus on more proactive measures to protect business operations and employees, such as physical structure reinforcements, alternate vendors, alternate power sources, alternate data backup technologies, alternate data recovery methods, additional critical inventories, and adequate food, water and medical supplies.  Extra precautions to protect infrastructure, employee health and safety, and operations may eliminate or decrease the likelihood or severity associated with business interruptions.  The 2008 booklet also discusses the need to proactively treat third-party risk introduced by service providers and other business partners.

Elimination of Ambiguity
While the new version includes more content (as measured by word count), it also includes more careful elaboration and clarification specific to business continuity program expectations.  The elimination of ambiguity will allow financial institutions to better understand examiner expectations and also drive more uniform application of the standard by examining bodies.  As an example, the new guidance makes clear that employees must understand how to implement business continuity plans (verified via Risk Monitoring and Testing), and board and senior management must formally approve resources necessary to implement business continuity strategies (verified via Business Impact Analyses, Risk Assessments and Risk Monitoring).  Other business continuity topics with increased clarification include interdependencies, internal/external threats, plan components and testing process characteristics.

What Does This Mean for Financial Institutions and Examiners?
As of March 19, banks and their service providers must comply with the 2008 FFIEC requirements.  Depending on program maturity, this may mean that more resources, more time, and more management and employee involvement are needed to comply with all of the requirements.  For examiners, the clarification and detail apparent within the new version means more careful evaluations for financial sector regulatory compliance, but less explanation for post-evaluation recommendations.

The following four tables highlight the differences between the 2003 and 2008 requirements, with an explanation of what each topic means specific to the 2008 documentation.

Business Impact Analysis (BIA)

* Denotes content within Appendix F: Business Impact Analysis Process

A BIA is the first stage of the business continuity planning process for financial institutions.  The comparison below highlights key changes to the FFIEC Business Continuity Planning booklet (bold text), and provides excellent examples of how the 2008 version uses more concise language and more clarification.  The 2008 version not only elaborates on impact analysis techniques, but also procedures and guidance via Appendix F: Business Impact Analysis Process.  Furthermore, the 2008 version incorporates board and senior management participation to include BIA review and approval.
2003 Guidance / Requirements compared with 2008 Guidance / Requirements (each 2003 item is followed by its 2008 counterpart)

Interview (2003):

  • Every department
  • Every business function

Interview (2008):

  • Departments and business processes critical for recovery*

Consider (2003):

  • Uncontrolled, non-specific events
  • Legal and regulatory requirements

Consider (2008):

  • Uncontrolled, non-specific events
  • Legal and regulatory requirements

Identify impact on (2003):

  • Business processes
  • Customers

Identify impact on (2008):

  • Business processes
  • Employees, customers, property and business operations via a vulnerability assessment*

Determine acceptable levels of loss for (2003):

  • Data
  • Operations
  • Financial

Determine acceptable levels of loss for (2008):

  • Data
  • Operations
  • Financial
  • Reputation
  • Market share

Estimate (2003):

  • Maximum allowable downtime (MAD)
  • Recovery point objectives (RPOs)
  • Backlog transactions
  • Cost of downtime

Estimate (2008):

  • Maximum allowable downtime (MAD)
  • Recovery point objectives (RPOs)
  • Recovery time objectives (RTOs)
  • Critical operations’ recovery timeline

Prioritize based upon (2003):

  • Critical business functions

Prioritize based upon (2008):

  • Maximum allowable downtime (MAD)*
  • Work flow analysis of critical business functions and processes
  • Interdependencies between business functions and processes
  • Direct or indirect interaction with critical markets (if applicable)
  • Interaction with regional and national critical market activities (if applicable)

Document (2003):

  • Resource requirements such as critical personnel, technologies, facilities, communications systems, records and data

Document (2008):

  • Resource requirements such as personnel, equipment, software, facilities, records, data files and third-party relationships*

Share (2008 only):

  • Results with select employees*
  • Final BIA report with board and senior management*

Risk Assessment
A Risk Assessment is the second stage of the business continuity planning process for financial institutions.  The comparison below highlights key changes to the FFIEC Business Continuity Planning booklet (bold text), and demonstrates how the new version reflects the recent business continuity trends of pandemic planning and external organization consideration.  The incorporation of recent business continuity trends promotes more extensive risk assessments and consequently, risk mitigation strategies.
2003 Guidance / Requirements compared with 2008 Guidance / Requirements (each 2003 item is followed by its 2008 counterpart)

Utilize (2003):

  • Business Impact Analysis (BIA)

Utilize (2008):

  • Business Impact Analysis (BIA)

Prioritize potential business interruptions based upon (2003):

  • Severity
  • Likelihood

Prioritize potential business interruptions based upon (2008):

  • Severity
  • Probability

Develop (2003):

  • Realistic threat scenarios of different magnitudes

Develop (2008):

  • Realistic threat scenarios of different magnitudes

Analyze threats based upon (2003):

  • Impact on the institution, its employees, its customers, its business partners and financial markets
  • Impact and probability combinations

Analyze threats based upon (2008):

  • Impact on the institution, its customers, its business partners and financial markets
  • Impact and probability combinations

Consider (2003):

  • Business Impact Analysis (BIA)
  • Geographic location of institution
  • Geographic location of service providers
  • Industry nearby institution
  • Threats of malicious activity, natural disasters and technical disasters

Consider (2008):

  • Business Impact Analysis (BIA)
  • Geographic location of institution
  • Industry nearby institution
  • Threats of malicious activity, natural disasters, technical disasters and pandemics
  • Community and government alerts (Department of Homeland Security and the World Health Organization)

Perform (2003):

  • Gap analysis

Perform (2008):

  • Gap analysis

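As an added example (not from the Avalution article or the FFIEC booklet), the following Python script shows how the BIA outputs listed in the previous table (MAD, RTO, RPO and interdependencies) feed the risk assessment stage described here: it checks the BIA for internally inconsistent objectives, derives a recovery order that honours dependencies, ranks threat scenarios by their impact-and-probability combination, and performs a gap analysis against current recovery capability. All process names, threats, figures and the 1/MAD exposure weighting are constructed assumptions for illustration.

```python
# Added example (not from the Avalution article or the FFIEC booklet):
# BIA records fed into a risk assessment, using constructed sample data.
from __future__ import annotations
from dataclasses import dataclass, field
import heapq


@dataclass
class Process:
    name: str
    mad_hours: float            # maximum allowable downtime (MAD)
    rto_hours: float            # recovery time objective (RTO)
    rpo_hours: float            # recovery point objective (RPO)
    depends_on: list[str] = field(default_factory=list)


@dataclass
class Threat:
    name: str
    probability: float          # likelihood over the planning horizon, 0..1
    severity: int               # impact on a 1..5 scale
    affects: list[str] = field(default_factory=list)


# Constructed BIA output for a fictional institution (hours).
PROCESSES = [
    Process("Network", 2, 1, 0),
    Process("Core banking", 4, 2, 0.25, ["Network"]),
    Process("Online banking", 8, 6, 1, ["Core banking", "Network"]),
    Process("ATM network", 12, 8, 1, ["Core banking"]),
    Process("Call center", 24, 1, 4, ["Core banking"]),
    Process("Payroll", 72, 96, 24),
]

# Constructed threat scenarios of different magnitudes.
THREATS = [
    Threat("Regional power outage", 0.3, 4, ["Network", "Core banking"]),
    Threat("Pandemic absenteeism", 0.1, 5, ["Call center", "Payroll"]),
    Threat("Ransomware on core platform", 0.2, 5,
           ["Core banking", "Online banking", "ATM network"]),
    Threat("Third-party data center failure", 0.16, 3, ["Online banking"]),
]

# Constructed: what current recovery arrangements actually deliver (hours).
CURRENT_CAPABILITY_HOURS = {"Network": 0.5, "Core banking": 6, "Online banking": 4,
                            "ATM network": 8, "Call center": 48}


def validate_bia(processes):
    """Flag objectives that cannot be met as written: an RTO beyond the MAD, or a
    process whose RTO is shorter than that of something it depends on."""
    by_name = {p.name: p for p in processes}
    findings = []
    for p in processes:
        if p.rto_hours > p.mad_hours:
            findings.append(f"{p.name}: RTO {p.rto_hours}h exceeds MAD {p.mad_hours}h")
        for dep in p.depends_on:
            if by_name[dep].rto_hours > p.rto_hours:
                findings.append(f"{p.name}: RTO {p.rto_hours}h is shorter than "
                                f"dependency {dep} (RTO {by_name[dep].rto_hours}h)")
    return findings


def recovery_order(processes):
    """Prioritize recovery: shortest MAD first, but never ahead of a dependency
    (Kahn's topological sort with a heap keyed on MAD)."""
    indegree = {p.name: len(p.depends_on) for p in processes}
    dependents = {p.name: [] for p in processes}
    mad = {p.name: p.mad_hours for p in processes}
    for p in processes:
        for dep in p.depends_on:
            dependents[dep].append(p.name)
    ready = [(mad[n], n) for n, d in indegree.items() if d == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for child in dependents[name]:
            indegree[child] -= 1
            if indegree[child] == 0:
                heapq.heappush(ready, (mad[child], child))
    if len(order) != len(processes):
        raise ValueError("circular dependency in BIA data")
    return order


def rank_threats(processes, threats):
    """Score = probability x severity x exposure, where exposure sums 1/MAD over the
    affected processes (constructed weighting: shorter MAD, more critical)."""
    mad = {p.name: p.mad_hours for p in processes}
    scored = [(round(t.probability * t.severity * sum(1.0 / mad[n] for n in t.affects), 4),
               t.name) for t in threats]
    return sorted(scored, reverse=True)


def gap_analysis(processes, capability_hours):
    """Compare each RTO with current capability; None means no capability exists."""
    gaps = []
    for p in processes:
        actual = capability_hours.get(p.name)
        if actual is None or actual > p.rto_hours:
            gaps.append((p.name, p.rto_hours, actual))
    return gaps


if __name__ == "__main__":
    for line in validate_bia(PROCESSES):
        print("BIA finding:", line)
    print("Recovery order:", " -> ".join(recovery_order(PROCESSES)))
    for score, name in rank_threats(PROCESSES, THREATS):
        print(f"{score:6.4f}  {name}")
    for name, rto, actual in gap_analysis(PROCESSES, CURRENT_CAPABILITY_HOURS):
        print(f"Gap: {name} needs {rto}h, current capability {actual}")
```

The dependency check in validate_bia is the part practitioners most often miss: a call center RTO of one hour is meaningless if the core platform it relies on has a two-hour RTO, and the recovery timeline the 2008 booklet asks for only holds together once such conflicts are resolved.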
Risk Management
Risk Management is the third stage of the business continuity planning process for financial institutions.  The comparison below highlights key changes to the FFIEC Business Continuity Planning booklet (bold text), and demonstrates how the new version reflects business continuity trends, such as third-party BCP development and maintenance.  The 2008 version also promotes risk mitigation via greater BCP documentation detail.
2003 Guidance / Requirements compared with 2008 Guidance / Requirements (each 2003 item is followed by its 2008 counterpart)

Utilize (2003):

  • Business Impact Analysis (BIA)
  • Risk Assessment

Utilize (2008):

  • Business Impact Analysis (BIA)
  • Risk Assessment
  • Testing program

Consider (2003):

  • Resource availability assumptions
  • Risk mitigation strategies for operations and interdependencies

Consider (2008):

  • Resource availability assumptions
  • Risk mitigation strategies for operations and interdependencies
  • Single points of failure
  • Third-party BCP expertise and quality

Include well documented (2003):

  • Strategies
  • Procedures
  • BCP activation triggers
  • BCP activation procedures
  • Continuity team responsibilities
  • Critical personnel contact information

Include well documented (2008):

  • Business continuity strategies
  • Business continuity procedures
  • BCP activation triggers
  • BCP activation procedures
  • Continuity team responsibilities
  • Critical personnel contact information
  • Internal and external stakeholder communication processes
  • Relocation strategies
  • Unanticipated expense approval procedures

Responsible for risk identification and risk mitigation strategies (2003):

  • Business continuity coordinator or team

Responsible for BCP (2008):

  • Board and senior management

Board and senior management should (2003):

  • Review BCP

Board and senior management should (2008):

  • Review BCP
  • Approve BCP

Risk Monitoring and Testing
Risk Monitoring and Testing is the final stage of the business continuity planning process for financial institutions.  The comparison below highlights key changes to the FFIEC Business Continuity Planning booklet (bold text), and emphasizes a more cyclical BCP development approach.  Furthermore, the new version introduces Appendix H: Testing Program – Governance and Attributes for more instruction and guidance on testing.  A better BCP test generates better test results for BCP evaluation and upkeep, which promotes risk mitigation.
2003 Guidance / Requirements compared with 2008 Guidance / Requirements (each 2003 item is followed by its 2008 counterpart)

Utilize (2003):

  • Business Impact Analysis (BIA)

Utilize (2008):

  • Business Impact Analysis (BIA)
  • Risk Assessment

Evaluate (2003):

  • Testing program
  • Test results
  • Viability of the BCP

Evaluate (2008):

  • Testing program
  • Test results
  • Viability of the BCP

Testing program should be (2003):

  • Enterprise-wide
  • Well documented (specific methods, objectives, participants, locations, and roles and responsibilities identified)
  • More complex over time
  • Comprehensive to include interdependencies

Testing program (to include policy, strategies and planning) should be (2008):

  • Enterprise-wide
  • Well documented (specific methods, objectives, participants, locations, and roles and responsibilities identified)
  • More complex over time
  • Comprehensive to include interdependencies
  • Adaptable
  • A continuously evolving cycle
  • Subject to independent party review
  • Updated as appropriate

Test results should be (2003):

  • Evaluated against the BCP
  • Quantifiable
  • Reported to the board

Test results should be (2008):

  • Evaluated against the BCP
  • Quantifiable
  • Reported to board and senior management, business line management, risk management, IT management and other stakeholders

Test participants include (2003):

  • BCP coordinator or team
  • Board and senior management
  • Appropriate personnel for BCP implementation
  • Internal auditor or independent party

Test participants include (2008):

  • BCP coordinator or team
  • Board and senior management
  • Business line management
  • IT management
  • Crisis management
  • Facilities management
  • Internal auditor or independent party