New Business Continuity Guidance Issued by FFIEC
Revised Booklet Stresses Business Impact Analysis, Pandemic Planning
This new booklet is aimed at examiners, financial institutions and technology service providers to identify business continuity risks and evaluate controls and risk management practices for effective business continuity planning. This guidance updates the "Business Continuity Planning Booklet," issued in March 2003.
Revisions to the business impact analysis and testing sections are of primary importance, says Michael Jackson, Associate Director of the Technology Supervision Branch in the Division of Supervision and Consumer Protection at the Federal Deposit Insurance Corporation (FDIC). "I advise all institutions, especially the smaller ones, to focus their attention on the business impact analysis section," Jackson says. "This is the place to start."
A business impact analysis determines what impact a disruptive event would have on an institution. The analysis has three primary goals:
- Determine criticality;
- Estimate maximum downtime;
- Evaluate resource requirements.
The process has four cyclical steps:
- Gather information;
- Perform a vulnerability assessment;
- Analyze the information and document results;
- Present recommendations.
New to the booklet are key elements of the FFIEC's December 2007 Interagency Statement on Pandemic Planning. A pandemic outbreak would present unique business continuity challenges. The methodologies detailed in the booklet provide a framework for financial institutions to develop or update their pandemic preparedness plans. All financial institutions should have plans that address how the institution will function during a pandemic event.
Another area of new emphasis: enterprise-wide testing of business continuity plans. Planning should have board of directors and senior management involvement. "Especially when it comes to testing," Jackson says, "and this means making sure that the [business continuity plan] is regularly tested across the entire enterprise." The board and senior management should address business continuity planning with an enterprise-wide perspective by considering technology, business operations, communications and testing strategies for the entire institution.
Although this new guidance was much anticipated by financial institutions (there have been several major hurricanes, wildfires and power outages since the last update), its arrival was no bombshell.
"There are no surprises in this guidance for institutions," says Doug Johnson, Vice President of Risk Management and Policy at the American Bankers Association. Yes, there will be increased scrutiny by regulators on how well institutions are meeting this guidance, he says, "But I expect it will be reasonable."
While many banks and credit unions have had some form of a business continuity plan since the 1970s, few plans encompass all of the risks that now face financial institutions, Jackson says. Indeed, the recent State of Information Security survey shows that, by their own admission, many institutions' plans are weakest in accounting for a pandemic disaster, the threat federal regulators now focus on most.
Business continuity planning is for every institution, regardless of size, Jackson says. "But I'll stress that one size does not fit all." Larger institutions may require an entire department devoted to planning, where smaller entities may have one person in charge of the plan. This is regardless of whether institutions' systems are provided in-house or through third-party service providers. "In this electronic age, almost every institution has some type of service through a third party," Jackson says. "But that is not an excuse to not plan."
It is important during the planning process to focus on interdependencies that institutions have with outside industries, including telecommunications, transportation and energy. "From previous events (including Hurricanes Katrina and Rita) we've seen the overlooking of those interdependencies cause problems in the recovery of business," Jackson says.
Additionally, the interdependencies within an institution can't be overlooked. "When a disaster happens, you can't expect the IT department to recover the institution's entire operation," he says.
Deadline: Your Next Exam
While there isn't a specific deadline for meeting this updated guidance, it is effective immediately.
In other words, FDIC examiners won't be knocking on banks' doors next week to examine their business continuity plans, "But we expect all of our institutions under our agency to have a plan," Jackson says.
For banks overseen by the Office of the Comptroller of the Currency (OCC), the new updates will be worked in over time and will become part of the examination supervisory process, says Mark O'Dell, Deputy Comptroller of Operational Risk at the OCC.
Office of Thrift Supervision (OTS) examiners will base their conclusions on the efforts of each institution's management team. "An institution that has ignored the guidance will be viewed less favorably than an institution that has a plan that is in process and perhaps has experienced some slippage due to unforeseen occurrences," says William Henley, OTS Director of IT Risk Management.
Based on past experience, Johnson of the ABA expects the initial stages of compliance to focus on awareness of the updated guidance; over the next one to two years, examiners will begin assessing plans at institutions. "After that, we will expect that they'll hold institutions to comply fully with this guidance," he adds.
Sense of Urgency
Whether an institution is in the middle of the country or sitting on an earthquake fault, it should be ready to respond to a local, regional or nationwide disaster, says FDIC's Jackson. Changes in business processes and technology, increased terrorism concerns, recent natural disasters and the threat of a pandemic have all focused attention on the need for business continuity planning.
"Banks should sense urgency in the need to update their plans," says Henley of the OTS. "The regulatory agencies take BCP extremely seriously. From the natural disasters of the recent past, we see that a comprehensive BCP can be the difference."
OCC's O'Dell says this updated guidance should serve as a wake-up call for those banks that have not done enough to meet their business continuity planning requirements. "This is their reminder. They may already have an ongoing conversation from a supervisory point of view, and they're aware of them through recent supervisory activities," he says. All institutions should be talking to their examiners before an examination to identify weak points or shortcomings in their plan. "The examiners will be more than happy to help them," O'Dell says.
The point of the new guidance is not to punish institutions, but to accelerate their planning, says Jackson. "It's not going to be a 'gotcha' for institutions that are working on their plan," he says. "Banks that don't have a plan or haven't updated an existing one should have a sense of urgency to bring their plan up to date."