Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook: BCP Business Continuity Planning, February 2015


    Table of Contents

    Introduction 1

    Board and Senior Management Responsibilities 2

    Business Continuity Planning Process 3

    Business Impact Analysis 5

    Risk Assessment 8

    Risk Management 9

    Business Continuity Plan Development 9

    Assumptions 11

    Internal and External Components 11

    Mitigation Strategies 12

    Risk Monitoring and Testing 12

    Principles of the Business Continuity Testing Program 13

    Roles and Responsibilities 14

    Testing Policy 15

    Execution, Evaluation, Independent Assessment, and Reporting of Test Results 20

    Updating Business Continuity Plan and Test Program 22

    Other Policies, Standards and Processes 22

    Security Standards 23

    Project Management 23

    Change Control Policies 24

    Data Synchronization Procedures 24

    Crisis Management 24

    Incident Response 25

    Remote Access 25

    Employee Training 26

    Notification Standards 26

    Insurance 26

    Government and Community 27

    Summary 27

    Appendix A: Examination Procedures A-1

    Appendix B: Glossary B-1

    Appendix C: Internal and External Threats C-1

    Appendix D: Pandemic Planning D-1

    Appendix E: Interdependencies E-1

    Appendix F: Business Impact Analysis Process F-1

    Appendix G: Business Continuity Plan Components G-1

    Appendix H: Testing Program - Governance and Attributes H-1

    Appendix I: Laws, Regulations, and Guidance I-1

    Appendix J: Strengthening the Resilience of Outsourced Technology Services J-1

    Introduction

    This booklet is one in a series of booklets that comprise the Federal Financial Institutions Examination Council (FFIEC) Information Technology (IT) Examination Handbook. This booklet provides guidance to assist examiners in evaluating financial institution [1] and service provider risk management processes to ensure the availability of critical financial services. This booklet was also designed to provide helpful guidance to financial institutions regarding the implementation of their business continuity planning processes.

    This booklet rescinds and replaces the previous "Business Continuity Planning Booklet," which was issued in March 2003, and has been revised to reflect technological and regulatory changes with a focus on management's responsibilities regarding oversight of the continuity planning process for business operations. While significant revisions have been made, the focus of this booklet continues to be based on an enterprise-wide, process-oriented approach that considers technology, business operations, testing, and communication strategies that are critical to business continuity planning for the entire business, instead of just the information technology department.

    This booklet is divided into two parts. The first part, or narrative, describes the business continuity planning process and addresses the responsibilities of the board of directors (board) and senior management. The second part includes examination procedures, a glossary, detailed appendices supporting the narrative, and a reference list of each agency's applicable laws, regulations, and guidance. Each section in the narrative begins with an "Action Summary" that highlights the major points in that section. While not a substitute for reading the entire booklet, the action summaries may be used to quickly assess the most important issues discussed in that section. It is also important to read the detailed appendices, which can serve as a comprehensive reference guide for the topics discussed in the narrative.

    The overall goal of this booklet is to provide guidance to the financial services industry about the importance of business continuity planning, which establishes the basis for financial institutions to recover and resume business processes when operations have been disrupted unexpectedly. Because financial institutions play a crucial role in the overall economy, disruptions in service should be minimized in order to maintain public trust and confidence in the financial system. As such, financial institution management should incorporate business continuity considerations into the overall design of their business model to proactively mitigate the risk of service disruptions.

    Financial institution management should develop a comprehensive business continuity plan (BCP) as part of the business continuity planning process. The BCP should be based on the size and complexity of the institution and should be consistent with the financial institution's overall business strategy. The goal of the BCP should be to minimize financial losses to the institution, serve customers and financial markets with minimal disruptions, and mitigate the negative effects of disruptions on business operations. Reviewing a financial institution's business continuity planning process, which includes an assessment of the BCP, is an established part of examinations performed by the FFIEC member agencies. [2]

    Changes in business processes and technology, increased terrorism concerns, recent catastrophic natural disasters, and the threat of a pandemic have focused even greater attention on the need for effective business continuity planning. Consequently, these issues should be given greater consideration in the business continuity planning process. Financial institution management should consider the potential for area-wide disasters that could affect an entire region and result in significant losses to the institution. The business continuity planning process should address interdependencies, both market-based and geographic, among financial system participants and infrastructure service providers. In most cases, recovery time objectives (RTOs) are now much shorter than they were a few years ago, and for some institutions, RTOs are based on hours and even minutes. Ultimately, all institutions should anticipate and plan for the unexpected and ensure that their business continuity planning process appropriately addresses the lessons they have learned from past disasters.

    Board and Senior Management Responsibilities

    Action Summary

    A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes:

    Establishing policy by determining how the institution will manage and control identified risks;

    Allocating knowledgeable personnel and sufficient financial resources to properly implement the BCP;

    Ensuring that the BCP is independently reviewed and approved at least annually;

    Ensuring employees are trained and aware of their roles in the implementation of the BCP;

    Ensuring the BCP is regularly tested on an enterprise-wide basis;

    Reviewing the BCP testing program and test results on a regular basis; and

    Ensuring the BCP is continually updated to reflect the current operating environment.

    It is the responsibility of an institution's board and senior management to ensure that the institution identifies, assesses, prioritizes, manages, and controls risks as part of the business continuity planning