Subject: FFIEC Information Technology Examination Handbook
Date: March 19, 2008
To: Chief Executive Officers of All National Banks, Federal Branches and Agencies, Technology Service Providers and Software Vendors, Department and Division Heads, and All Examining Personnel
Description: Business Continuity Planning Booklet
The guidance attached to this bulletin continues to apply to federal savings associations.
The Federal Financial Institutions Examination Council (FFIEC) released an updated Business Continuity Planning Booklet (booklet), which replaces the version issued in March 2003. The Business Continuity Planning Booklet is one of 12 that, in total, comprise the FFIEC IT Examination Handbook. The enterprise-wide perspective taken on business risk and human elements makes this booklet a valuable tool to the entire organization in addition to the information technology department.
The majority of material changes in the updated booklet focuses on sound risk management; the need for enterprise-wide involvement in the business continuity planning process; the importance of business continuity planning for all financial institutions, regardless of whether their systems are provided in-house or through third-party servicer providers; and, lessons learned from financial institutions that suffered damage from hurricanes Katrina and Rita. Significant revisions to the booklet include the following:
- Risk Monitoring and Testing – This section now addresses the "Federal Reserve's Testing Guidance (FRTG)." Additional guidance was also included to address testing requirements for serviced versus in-house processing situations, and the description of the various testing methods was clarified.
- Other Policies, Standards, and Processes – Text was added regarding security standards, project management, crises management, incident response, remote access, and notification standards. Problems encountered by financial institutions affected by hurricanes Katrina and Rita were addressed, and mitigating controls that worked well for these financial institutions were also included in this section.
- Examination Procedures (Appendix A) – The FRTG was added, and redundant work steps within the work program were removed. Subheadings were added to enhance readability and ease of use.
- Glossary (Appendix B) – Terminology included in the edited sections of this booklet was incorporated into a glossary.
- Internal and External Threats (Appendix C) – Text was added to address issues encountered by financial institutions that experienced problems from hurricanes Katrina and Rita, and that were related to ensuing technical disasters (e.g., communications failure and problems encountered with customers, employees, electronic payment system providers, and third-party providers).
- Pandemic Planning (Appendix D) – This appendix incorporates the recently issued Interagency Statement on Pandemic Planning (OCC Bulletin 2007-49). The adverse economic effects of a pandemic could be significant, both nationally and internationally. Due to their crucial financial and economic role, financial institutions should have plans in place that describe how they will manage through a pandemic event. Sound planning should minimize the disruptions to the local and national economy, and should help the institution maintain the trust and confidence of its customers.
- Interdependencies (Appendix E) – Text was added to address interdependencies associated with telecommunications infrastructure regarding single points of failure and related diversity guidelines. In addition, third-party interdependencies and related telecommunications issues, liquidity concerns, transaction processing and report distribution, and due diligence requirements were also addressed. Material was also added to address internal systems and business process interdependencies based on experience of financial institutions that had problems derived from hurricanes Katrina and Rita.
- Business Impact Analysis (BIA) (Appendix F) – This is a new section of the booklet. The prior booklet provided only general guidance regarding the BIA process. This section was added to provide to management of small-to-medium sized financial institutions the specific steps they should follow to complete a BIA.
- Business Continuity Plan Components (Appendix G) – The most significant problems faced by the senior management of financial institutions that suffered devastation from hurricanes Katrina and Rita involved the lack of available personnel; the communication breakdown among financial institution employees, regulators, and service providers; the unavailability of telecommunications systems; cash shortages; and employee unfamiliarity with manual operations. As such, mitigating strategies to resolve potential problems surrounding these issues were specifically addressed in this section.
- Testing Program – Governance and Attributes (Appendix H) – This new section incorporated guidance from the FRTG, which includes testing expectations based on the "Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System," (OCC Bulletin 2003-14).
- Laws, Regulations, and Guidance (Appendix I) – This new section provides the reader with internal and external resources related to business continuity planning.
The attached FFIEC press release describes the booklet update and provides a link (http://www.ffiec.gov/guides.htm) to the electronic version of the booklet. To accommodate banks with limited access to the Internet, the OCC will also include the booklet in the next release of e-files, the DVD-based library of OCC publications provided to all national banks. Any bank that is unable to download the booklet may order a printed copy. Please send your request to the Office of the Comptroller of the Currency, 250 E Street, SW, Mail Stop 4-8, Washington, DC 20219. If you need assistance, please contact the OCC's Communications Division at (202) 874-4700.
You may direct questions regarding the Business Continuity Planning Booklet to your OCC supervisory office or the Bank Information Technology Division at (202) 874-4740.
Mark L. O'Dell
Deputy Comptroller for Operational Risk