Risk Management: Marsh

At Risk: Financial Institutions Face New Federal Business Continuity Requirements
The updated procedures are designed to reflect technological advancements, changes in business practices, and increased concerns regarding terrorism.

In March of 2003, the Federal Financial Institutions Examination Council (FFIEC) released its Business Continuity Planning booklet — designed to provide guidance and examination procedures for examiners in evaluating financial institution and service provider risk management processes.

The updated business continuity planning (BCP) procedures are designed to reflect technological advancements, changes in business practices and increased concerns regarding terrorism. These updates are focused primarily on financial institutions and are intended to ensure the availability of critical financial services in the event of either a planned or unscheduled disruption of services. The new guidelines replace those outlined in the 1996 FFIEC Information Systems Examination Handbook.

Several important aspects of BCP are stressed in the Handbook, including:

Senior Management: A financial institution's board of directors and senior management are responsible for identifying, assessing, prioritizing, managing and controlling risks.

Holistic Approach: A BCP should be conducted on an enterprise-wide basis. Without a BCP that considers every critical business unit, including personnel, physical workspace and similar issues, an institution may not be able to resume serving its customers at acceptable levels.

Process Oriented: Financial institutions are encouraged to adopt a process-oriented approach to BCP that involves business impact analysis (BIA) and risk assessment (RA). The BIA phase identifies the potential impact of uncontrolled, non-specific events on the institution's business processes. The RA includes a prioritizing of potential business disruptions based upon severity and likelihood of occurrence as well as a gap analysis.

Employee Awareness: The resulting BCP needs to be specific as to the immediate steps to take in the event of a disruption, yet flexible enough to respond to a variety of unanticipated scenarios. It needs to be disseminated throughout the organization so that all impacted groups have access to it and can implement it, as necessary.



"Because financial institutions play a crucial role in the United States economy, it is important their business operations are resilient and the effects of disruptions in service are minimized in order to maintain public trust and confidence in our financial system."
"Business Continuity Planning, IT Examination Handbook," Federal Financial Institutions Examination Council, March 2003


The objectives of a BCP are to minimize financial loss to the institution; continue to serve customers and financial market participants; and mitigate the negative effects disruptions can have on an institution's strategic plans, reputation, operations, liquidity, credit quality, market position and ability to remain in compliance with applicable laws and regulations.

Testing: A BCP should be tested annually, subjected to an independent audit and review and periodically updated. The effectiveness of a BCP can only be validated through thorough testing.

Because of the increased focus on BCP within financial institutions, senior executives should be asking themselves the following types of questions:

  • How do we gain confidence that our plans are comprehensive and meet both regulatory and leading industry guidelines?
  • As a financial institution, how do we ensure that disasters to business partners and other third-party vendors that we rely upon do not adversely affect our ability to deliver products and services to the marketplace?
  • Have we recently undergone changes to our organizational structure through mergers and acquisitions, divestitures or spin-offs that affect our strategies for business continuity management?

To help meet the demands of the new federal regulations, companies should consider the following answers that can help formulate up-to-date business continuity plans.

Business Continuity Management: Identify critical risks, quantify their potential impact, and develop recovery and restoration strategies.

Emergency Response Planning: Evaluate, organize and train on-site teams to effectively respond to emergencies.

Crisis Management: Develop strategies to help manage a situation with all internal and external audiences.



"A BCP is more than recovery of the technology, but rather a recovery of all critical business operations."
"Business Continuity Planning, IT Examination Handbook," Federal Financial Institutions Examination Council, March 2003


By taking the necessary steps now, companies can reassure regulators, shareholders, customers and the board of directors that the organization's BCP not only meets the mandated regulations but also meets the specific needs of the financial institution.

If you have any questions or would like additional information, please contact us.


Copyright © 2004 Marsh Inc.