The Federal Financial Institutions Examination Council (FFIEC) today issued updated guidance for examiners, financial institutions, and technology service providers to identify business continuity risks and evaluate controls and risk management practices for effective business continuity planning. The guidance, which is included in the FFIEC Information Technology Examination Handbook, is an update to the "Business Continuity Planning Booklet," which was issued in March 2003.
The revised booklet includes enhancements to the business impact analysis and testing discussions, and addresses emerging threats and lessons learned in recent years. The booklet also stresses the responsibilities of each institution’s board and management to address business continuity planning with an enterprise-wide perspective by considering technology, business operations, communications, and testing strategies for the entire institution.
The FFIEC Guidance on Pandemic Planning (SR Letter 07-18) has been incorporated into the booklet as an appendix. A pandemic outbreak would present unique business continuity challenges, and the methodologies detailed in the booklet provide a framework for financial institutions to develop or update their pandemic plans. All financial institutions should have plans that address how the institution would operate during a pandemic event. Other changes in the booklet highlight the importance of business continuity planning for all financial institutions, regardless of whether their systems are provided in-house or through third-party service providers. Electronic versions of the Business Continuity Planning Booklet, as well as the other Information Technology Examination Handbook booklets, are available at http://www.ffiec.gov/ffiecinfobase/html_pages/it_01.html.
Reserve Banks are asked to distribute this SR letter to the Federal Reserve supervised banking organizations in their Districts, as well as to their supervisory and examination staff. If you have any questions regarding the revised guidance, please contact Brad Beytien, Manager, Operational and IT Risk Section, at (202) 452-3759, or Elton Hill, Senior Supervisory Financial Analyst, Operational and IT Risk Section, at (202) 452-2514. In addition, questions may be sent via the Board’s public website.