Business Continuity/Disaster Recovery: Executive Summary of FFIEC IT Examination Handbook

EDITOR'S NOTE: This is the first installment of an occasional series summarizing key banking/security regulatory documents.
The Business Continuity Planning manual is part of the IT Examination Handbook from the Federal Financial Institutions Examination Council (FFIEC). The March 2008 version of the BCP manual has been updated since its original release in March 2003.
This booklet is intended to provide guidance to financial institutions regarding Business Continuity Planning, which helps companies recover and resume business processes when operations have been disrupted unexpectedly. Because financial institutions are part of the nation's critical infrastructure, it is important to minimize disruptions to their business.
The BCP booklet is divided into two main areas: Business Continuity Plans and examination procedures. The first part describes the planning process of creating a Business Continuity Plan, along with the responsibilities of senior management during that process. The second part describes the technical aspects regarding risk, including assessment, management, testing and monitoring.
Business Continuity Plan
Financial institutions should develop a comprehensive Business Continuity Plan based on the size and complexity of the institution. The goal of the BCP should be to minimize financial losses to the institution, serve customers and financial markets with minimal disruptions, and mitigate the negative effects of disruptions on business operations.
A financial institution's board and senior management are responsible for the following:
The following describes the different aspects of creating and maintaining a Business Continuity Plan. These topics allow organizations to evaluate the critical aspects of their business and include them in their BCP.
A Business Impact Analysis is the first step in creating a Business Continuity Plan. This part of the process identifies all of the critical functions and processes of the business, along with the potential threats to each of them.
A Business Impact Analysis report should include:
The risk assessment is the second step in the process of creating a Business Continuity Plan. During the risk assessment step, business processes and the Business Impact Analysis assumptions are evaluated using various threat scenarios.
A Risk Assessment should include:
Risk Management is the process of identifying, assessing and reducing risk to an acceptable level through a proper Business Continuity Plan.
Through Risk Management, the Business Continuity Plan should be:
Risk monitoring and testing is the final step in the business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the:
The examination procedures listed above are intended to be a cyclical process. The Business Continuity Plan is an ongoing effort that needs to be updated as events occur.
As an organization's risk testing and monitoring detects changes in the company, a new Risk Assessment phase should occur to evaluate the impact of the changes and modify the Business Continuity Plan as needed.
To see the full BCP booklet or any of the other sections of the FFIEC IT Examination Handbook, visit: http://www.ffiec.gov/ffiecinfobase/html_pages/bcp_book_frame.htm