This blog post is also featured on The Protiviti View.
Compared to the 2015 version, the updated business continuity management booklet released in November 2019 by the Federal Financial Institutions Examination Council (FFIEC) offers increased clarity, with detailed examples designed to make it easier for financial institutions to comply with its guidance and to help examiners determine whether management are addressing risks related to the availability of critical financial products and services.
In addition, the FFIEC renamed the business continuity planning booklet to business continuity management (BCM) to reflect updated information technology risk practices and frameworks.
Notable Updates in the 2019 Booklet
The detailed examples in the latest booklet cover various phases of the BCM lifecycle, from governance to aligning BCM elements with the organization’s strategic goals, developing a business impact analysis, conducting a risk assessment to identify risks, and creating effective strategies for resilience and recovery objectives. It walks through the process of establishing a business continuity plan, disaster recovery plan and crisis management plan, as well as implementing a training program, conducting exercises and tests, updating and improving programs, and reporting and monitoring.
One of the most significant changes in the new booklet is its emphasis on risk identification and risk assessment, such as the likelihood of impact of different threat categories. For instance, it describes the speed of onset or velocity of a threat, the size of the affected area, and how to assess the likelihood of impact appropriately. Another crucial update is the inclusion of a business impact analysis recovery objective timeline. This is helpful because it describes key concepts such as recovery point objectives, recovery time objectives, maximum tolerable downtime, data loss potential, and critical disruption points. These concepts are more fully defined in the new version than in the previous.
In the 2019 booklet, the FFIEC dedicates an entire page to the National Institute of Standards and Technology’s (NIST) definitions for risk assessments, risk identification and incident response. This is notable given NIST was only referenced as a source in the 2015 version. The purpose of the NIST glossary is to define technical terms used in the FFIEC IT Examination Handbook booklets in the context of supervisory activities for the entities over which FFIEC members have supervisory authority. It also employs common terms and builds on widely used standards – such as NIST, the International Organization for Standardization (ISO), the Business Continuity Institute (BCI) and the Disaster Recovery Journal (DRJ) – to facilitate effective supervision.
Greater Emphasis on Operational Resilience
Business continuity is more than just the planning process to recover operations after an event. It also includes the continued maintenance of systems and controls for the resilience and continuity of operations. The new booklet emphasizes this point by highlighting operational resilience concepts such as the importance of understanding comprehensive process flow, potential systemic impacts, the need for more robust end-to-end testing, and maximum tolerable downtime (MTD).
The reference to MTD is particularly noteworthy given the fact that the Bank of England, which is leading the effort to develop operational resilience as a supervisory objective, suggested, in its 2018 discussion paper on “Building the UK financial sector’s operational resilience,” that MTD could be a metric used to measure impact tolerance, a concept that defines an organization’s tolerance for disruption to a particular business service. In the booklet, the FFIEC describes MTD as the total amount of time the system owner or authorizing official is willing to accept for a business process disruption and includes all impact considerations. The MTD is important for contingency planners when selecting an appropriate recovery method and developing the scope and depth of recovery procedures. It notes that examiners may encounter other terminology, such as maximum allowable downtime, to describe MTD.
Unlike the 2015 version, in which references to resilience appear primarily in the appendix, there is a concentrated focus and section on resilience in the new booklet. The FFIEC defines resilience as the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions, which may include deliberate attacks, accidents, or naturally occurring threats or incidents. Resilience also extends beyond recovery capabilities to incorporate proactive measures for mitigating the risk of a disruptive event in the overall design of operations and processes.
The FFIEC emphasizes training on significant business continuity concepts, interdependencies, and disruption impacts, especially for contractors involved with business continuity programs. Examiners are encouraged to determine whether management documented and implemented, as appropriate, resilience measures for third-party service providers. Specifically, the examination objective should consider disruptive events that threaten the operational resilience and viability of the entity’s third-party service providers.
What the Updates Mean for Financial Institutions
In the past, complying with the BCM guidelines has been a challenge for some financial institutions given the lack of clear and easy-to-follow examples. With the new guidance being more aligned to NIST while maintaining the focus on risk management, risk and compliance, and incorporating up-to-date industry standards, the guidelines will be easier for organizations to follow.
The emphasis on operational resilience is the latest indication that operational resilience supervision is gearing up to become one of the most significant regulatory and compliance obligations financial organizations face in the coming years. To build resilience, organizations should define and plan for high-impact, low-likelihood threats, which are also described as extreme but plausible events. This means assessing and understanding their critical business services, or as the FFIEC calls them, “critical business functions.” This exercise involves a deeper level assessment, and implementation, of capabilities that, if disrupted, can result in a systemic event.
Organizations should also take a cue from the examiners’ interest in third-party resilience. The FFIEC references the importance of institutions understanding their relationships with third-party service providers and how they are connected to their critical business functions. These relationships should be under a more powerful microscope as it pertains to planning and response and resumption activities.
The updated booklet also points to the need for a higher level of scrutiny on a wider array of technologies used to carry out business services, end-to-end process flows or value chain within organizations. For those tools to be validated as being resilient, organizations should embrace an integrated testing model, encompassing internal and external dependencies, activities outsourced to domestic and foreign-based third-party service providers, as well as all aspects of the entity’s business continuity planning. As the FFIEC’s updated resilience language makes clear, point-level testing can no longer provide adequate validation of a resilient environment.
For a copy of the handbook, visit http://ithandbook.ffiec.gov.