Business Continuity Planning, Appendix A: Examination Procedures
EXAMINATION OBJECTIVE: Determine the quality
and effectiveness of the organization's business continuity
planning process, and determine whether the continuity testing
program is sufficient to demonstrate the financial institution's
ability to meet its continuity objectives. These procedures will
disclose the adequacy of the planning and testing process for the
organization to recover, resume, and maintain operations after
disruptions, ranging from minor outages to full-scale
This workprogram can be used to assess the adequacy of the
business continuity planning process on an enterprise-wide basis or
across a particular line of business. Depending on the examination
objectives, a line of business can be selected to sample how the
organization's continuity planning or testing processes work on a
micro level or for a particular business function or process.
This workprogram is not intended to be an audit guide; however,
it was developed to be comprehensive and assist examiners in
determining the effectiveness of a financial institution's business
continuity planning and testing program. Examiners may choose to
use only certain components of the workprogram based upon the size,
complexity, and nature of the institution's business.
The objectives and procedures are divided into Tier I and Tier II.
Tier I and Tier II objectives and procedures are intended to be
a tool set examiners may use when selecting examination procedures
for their particular examination. Examiners should use these
procedures as necessary to support examination objectives.
TIER I OBJECTIVES AND PROCEDURES
Objective 1: Determine examination scope and
objectives for reviewing the business continuity planning
2. Review management's response to audit recommendations noted
since the last examination. Consider the following:
3. Interview management and review the business continuity
request information to identify:
4. Determine management's consideration of newly identified
threats and vulnerabilities to the organization's business
continuity process. Consider the following:
5. Establish the scope of the examination by focusing on those
factors that present the greatest degree of risk to the institution
or service provider.
Board and Senior Management Oversight
Objective 2: Determine the quality of business
continuity plan oversight and support provided by the board and
1. Determine whether the board has established an on-going,
process-oriented approach to business continuity planning that is
appropriate for the size and complexity of the organization. This
process should include a business impact analysis (BIA), a risk
assessment, risk management, and risk monitoring and testing.
Overall, this planning process should encompass the organization's
business continuity strategy, which is the ability to recover,
resume, and maintain all critical business functions.
2. Determine whether a senior manager or committee has been
assigned responsibility to oversee the development, implementation,
and maintenance of the BCP and the testing program.
3. Determine whether the board and senior management have ensured
that integral groups are involved in the business continuity
process (e.g. business line management, risk management, IT,
facilities management, and audit).
4. Determine whether the board and senior management have
established an enterprise-wide BCP and testing program that
addresses and validates the continuity of the institution's mission
5. Determine whether the board and senior management review and
approve the BIA, risk assessment, written BCP, testing program, and
testing results at least annually and document these reviews in the
6. Determine whether the board and senior management oversee the
timely revision of the BCP and testing program based on problems
noted during testing and changes in business operations.
Business Impact Analysis (BIA) and Risk
Objective 3: Determine whether an adequate BIA and
risk assessment have been completed.
1. Determine whether a workflow analysis was performed to
ensure that all departments and business processes, as well as
their related interdependencies, were included in the BIA and risk
2. Review the BIA and risk assessment to determine whether the
prioritization of business functions is adequate.
3. Determine whether the BIA identifies maximum allowable
downtime for critical business functions, acceptable levels of data
loss and backlogged transactions, recovery time objectives
(RTOs), recovery point objectives (RPOs), recovery of the critical
path (business processes or systems that should receive the highest
priority), and the costs associated with downtime.
4. Review the risk assessment and determine whether it includes
the impact and probability of disruptions of information services,
technology, personnel, facilities, and services provided by
5. Verify that reputation, operational, compliance, and other
risks that are relevant to the institution are considered in the
BIA and risk assessment.
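Item 3 above asks whether the BIA records RTOs, RPOs and the critical path, and a test programme later has to show those objectives are met. The following Python script is an added worked example, not part of the examination procedures or of any FFIEC material: it treats the BIA's dependencies as a critical path, so a function counts as recovered only once everything it relies on is usable, and reports each RTO or RPO the test failed to meet. Every function name, objective, dependency and test result below is constructed for the demonstration.

```python
"""Compare observed recovery-test results against BIA objectives.

Added worked example, not part of the FFIEC examination procedures.
The BIA register and test results below are constructed (hypothetical
function names, RTOs, RPOs and dependencies) so the script runs offline.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class BiaEntry:
    rto: timedelta                 # maximum tolerable downtime
    rpo: timedelta                 # maximum tolerable data loss
    depends_on: list = field(default_factory=list)


@dataclass
class TestResult:
    restore_duration: timedelta    # time the team needed once work could start
    last_good_copy: datetime       # timestamp of the backup actually restored


def effective_recovery_times(bia, results):
    """Critical-path recovery time for every function.

    A function is not usable until everything it depends on is usable, so
    its effective time is the latest of its dependencies' effective times
    plus its own restore duration (a longest-path computation over the
    dependency graph). A dependency cycle is an error in the BIA itself.
    """
    done = {}
    visiting = set()

    def visit(name):
        if name in done:
            return done[name]
        if name in visiting:
            raise ValueError(f"dependency cycle through {name!r}")
        visiting.add(name)
        wait = max((visit(d) for d in bia[name].depends_on), default=timedelta(0))
        done[name] = wait + results[name].restore_duration
        visiting.remove(name)
        return done[name]

    for name in bia:
        visit(name)
    return done


def evaluate(bia, results, disruption_at):
    """Return (function, objective, achieved, target) for every breached objective."""
    findings = []
    effective = effective_recovery_times(bia, results)
    for name, entry in bia.items():
        achieved_rto = effective[name]
        achieved_rpo = disruption_at - results[name].last_good_copy
        if achieved_rto > entry.rto:
            findings.append((name, "RTO", achieved_rto, entry.rto))
        if achieved_rpo > entry.rpo:
            findings.append((name, "RPO", achieved_rpo, entry.rpo))
    return findings


# Constructed sample: the disruption is declared at T0; each result records how
# long the restore took and how fresh the restored copy was.
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
H = timedelta(hours=1)

SAMPLE_BIA = {
    "core-db":        BiaEntry(rto=4 * H, rpo=timedelta(minutes=15)),
    "network":        BiaEntry(rto=2 * H, rpo=24 * H),
    "payments":       BiaEntry(rto=4 * H, rpo=timedelta(minutes=15), depends_on=["core-db", "network"]),
    "online-banking": BiaEntry(rto=8 * H, rpo=1 * H, depends_on=["payments"]),
}

SAMPLE_RESULTS = {
    "core-db":        TestResult(restore_duration=3 * H, last_good_copy=T0 - timedelta(minutes=10)),
    "network":        TestResult(restore_duration=timedelta(minutes=30), last_good_copy=T0 - 72 * H),
    "payments":       TestResult(restore_duration=timedelta(hours=1, minutes=30), last_good_copy=T0 - timedelta(minutes=5)),
    "online-banking": TestResult(restore_duration=1 * H, last_good_copy=T0 - timedelta(minutes=30)),
}


def run_sample():
    return evaluate(SAMPLE_BIA, SAMPLE_RESULTS, T0)


if __name__ == "__main__":
    for name, objective, achieved, target in run_sample():
        print(f"{name}: {objective} missed, achieved {achieved}, target {target}")
```

In the constructed data the payments function restores in 90 minutes, well inside its own 4-hour RTO, yet it is reported as a breach because it cannot start until the 3-hour database restore finishes; that is the kind of critical-path effect a BIA that lists RTOs without dependencies would hide. The 72-hour-old network configuration copy shows an RPO breach that only appears when the test records which backup was actually used.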
Objective 4: Determine whether appropriate risk
management over the business continuity process is in
place and if the financial institution's and TSP's risk
management strategies consider wide-scale recovery scenarios
designed to achieve industry-wide resilience.
1. Determine whether management has engaged other firms in
the discussion of scenarios, performed continuity planning using
wide-scale or severely disruptive scenarios, and assessed capacity
and feasibility of resuming normal operations.
2. Determine whether adequate risk mitigation strategies have
been considered for:
3. Determine whether satisfactory consideration has been given
to geographic diversity for:
4. Determine whether management has considered the
possibility of transferring critical aspects of the institution's
operation to alternate backup providers or other industry
participants to ensure continuity of operations in extreme
5. Verify that appropriate policies, standards, and processes
address business continuity planning issues including:
6. Determine whether personnel are regularly trained in their
specific responsibilities under the plan(s) and whether current
emergency procedures are posted in prominent locations throughout
7. Determine whether the continuity strategy addresses
interdependent components, including:
8. Determine whether management has reviewed all
interrelated components of each mission critical application and
the underlying continuity strategy to determine "single point of
9. Determine whether there are adequate processes in place to
ensure that a current BCP is maintained and disseminated
appropriately. Consider the following:
10. Review management's process for determining the scope of
disaster recovery test scenarios, including whether management
augments the tests with multiple concurrent or widespread
interruptions to simulate the impact of "worst case" scenarios.
11. Determine whether audit involvement in the business
continuity program is effective, including:
Business Continuity Planning (BCP) -
Objective 5: Determine the existence of an
appropriate enterprise-wide BCP.
1. Review and verify that the written BCP:
BCP - Hardware, Back-up and Recovery Issues
Objective 6: Determine whether the BCP includes
appropriate hardware back-up and recovery.
1. Determine whether there is a comprehensive, written agreement
or contract for alternative processing or facility recovery.
2. If the organization is relying on in-house systems at
separate physical locations for recovery, verify that the equipment
is capable of independently processing all critical
3. If the organization is relying on outside facilities for
recovery, determine whether the recovery site:
4. Determine how the recovery facility's customers would be
accommodated if several of them were to declare disasters during the
same period of time.
5. Determine whether the organization ensures that, when any change
(e.g. a hardware or software upgrade or modification) occurs in the
production environment, a process is in place to make or verify a
similar change in each alternate recovery location.
6. Determine whether the organization is kept informed of any
changes at the recovery site that might require adjustments to the
organization's software or its recovery plan(s).
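Item 5 asks for a process that keeps each recovery location in step with production. The following Python script is an added worked example, not part of the examination procedures or of any FFIEC material: it compares a production inventory with a recovery-site inventory (package versions and configuration-file digests per host) and lists every difference, including hosts that exist on only one side. The inventories, hostnames, package names, versions and digests are constructed; in practice each side would be exported from the institution's own configuration-management tooling in this shape.

```python
"""Detect drift between production systems and their recovery-site counterparts.

Added worked example, not part of the FFIEC examination procedures. The two
inventories below are constructed (hypothetical hostnames, packages, versions
and file digests) so the script runs offline.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Drift:
    host: str
    item: str                  # "host", "package:<name>" or "file:<path>"
    production: Optional[str]  # value at production, None if absent there
    recovery: Optional[str]    # value at the recovery site, None if absent there


def compare_inventories(production, recovery):
    """Return every item whose state differs between the two sites.

    Each inventory maps hostname -> {"packages": {name: version},
    "files": {path: sha256hex}}. A host present on one side only is reported
    once with item "host". Values are compared exactly, so a recovery site
    that is newer than production is drift as well: the recovery plan has to
    be validated against what is actually installed there.
    """
    drifts = []
    for host in sorted(set(production) | set(recovery)):
        if host not in production or host not in recovery:
            drifts.append(Drift(host, "host",
                                "present" if host in production else None,
                                "present" if host in recovery else None))
            continue
        for kind, prefix in (("packages", "package:"), ("files", "file:")):
            prod_items = production[host].get(kind, {})
            rec_items = recovery[host].get(kind, {})
            for name in sorted(set(prod_items) | set(rec_items)):
                p, r = prod_items.get(name), rec_items.get(name)
                if p != r:
                    drifts.append(Drift(host, prefix + name, p, r))
    return drifts


# Constructed inventories. Digests are short stand-ins for SHA-256 values.
PRODUCTION = {
    "app01": {
        "packages": {"openssl": "3.0.13", "nginx": "1.24.0", "libxml2": "2.11.7"},
        "files": {"/etc/nginx/nginx.conf": "9c1e7a2b", "/etc/ssl/openssl.cnf": "4d0f88aa"},
    },
    "db01": {"packages": {"postgresql": "15.6"}, "files": {}},
}
RECOVERY = {
    "app01": {
        "packages": {"openssl": "3.0.11", "nginx": "1.24.0"},   # patch missing, libxml2 absent
        "files": {"/etc/nginx/nginx.conf": "e5b2c6f0", "/etc/ssl/openssl.cnf": "4d0f88aa"},
    },
    "batch02": {"packages": {"java": "17.0.10"}, "files": {}},  # retired in production, still here
}


def run_sample():
    return compare_inventories(PRODUCTION, RECOVERY)


if __name__ == "__main__":
    for d in run_sample():
        print(f"{d.host:8} {d.item:28} production={d.production!r:12} recovery={d.recovery!r}")
```

Run on a schedule or as a gate in the change process, an empty result is the evidence an examiner would expect for item 5; a non-empty one shows exactly which production change was never mirrored (here an OpenSSL patch, a library and an nginx configuration), and which hosts the recovery plan and the production estate disagree about.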
BCP - Security Issues
Objective 7: Determine that the BCP includes
appropriate security procedures.
1. Determine whether adequate physical security and access
controls exist over data back-ups and program libraries throughout
their life cycle, including when they are created,
transmitted/delivered, stored, retrieved, loaded, and
2. Determine whether appropriate physical and logical access
controls have been considered and planned for the inactive
production system when processing is temporarily transferred to an
3. Determine whether the intrusion detection and incident
response plan considers facility and systems changes that may exist
when alternate facilities are used.
4. Determine whether the methods by which personnel are granted
temporary access (physical and logical), during continuity planning
implementation periods, are reasonable.
5. Evaluate the extent to which back-up personnel have been
reassigned different responsibilities and tasks when business
continuity planning scenarios are in effect and if these changes
require a revision to systems, data, and facilities access.
6. Review the assignment of authentication and authorization
credentials to determine whether they are based upon primary job
responsibilities and if they also include business continuity
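Item 1 of this objective concerns controls over backups and program libraries from creation through transmission, storage, retrieval and loading. The following Python script is an added worked example, not part of the examination procedures or of any FFIEC material: at creation it records a digest of every file in the backup set and signs the digest table with HMAC-SHA256, and at each later hand-off it verifies the signature before comparing the files, so that a copy altered in transit or in storage is rejected even if the attacker also rewrites the manifest. The key and the backup contents are constructed; the design assumes the key is held somewhere the backup media and their custodians cannot reach.

```python
"""Keyed integrity manifest for a backup set, checked at every hand-off.

Added worked example, not part of the FFIEC examination procedures. The
backup "files" are constructed in-memory byte strings and the key is a
constant for the demonstration; in practice the key lives in a vault the
backup media cannot reach, so whoever can alter a tape or an object-store
bucket cannot also recompute the manifest signature.
"""
import hashlib
import hmac
import json


def _canonical(digests):
    """Stable serialisation so the same table always signs identically."""
    return json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files, key):
    """Hash every file at creation time and sign the digest table."""
    digests = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
    tag = hmac.new(key, _canonical(digests), hashlib.sha256).hexdigest()
    return {"digests": digests, "hmac": tag}


def verify_manifest(files, manifest, key):
    """Return a list of problems; an empty list means the set is intact.

    The signature is checked first, so a manifest edited to match tampered
    files is rejected outright; then each recorded file is compared with its
    digest, and files present on only one side are reported.
    """
    expected = hmac.new(key, _canonical(manifest["digests"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return ["manifest signature invalid (edited, or wrong key)"]
    problems = []
    for name, recorded in manifest["digests"].items():
        if name not in files:
            problems.append(f"{name}: missing from backup set")
        elif hashlib.sha256(files[name]).hexdigest() != recorded:
            problems.append(f"{name}: content does not match manifest")
    for name in files.keys() - manifest["digests"].keys():
        problems.append(f"{name}: not in manifest (unexpected file)")
    return problems


KEY = b"demo-key-kept-in-a-separate-vault"   # constructed for the demo; never embed a real key
BACKUP_SET = {                                # constructed stand-ins for backup media contents
    "ledger.db": b"account,balance\n1001,250.00\n1002,75.10\n",
    "programs/posting.jar": b"PK\x03\x04 constructed program library bytes",
}


def run_sample():
    """Manifest built at creation, checked at restore under three conditions."""
    manifest = build_manifest(BACKUP_SET, KEY)

    # 1. Untouched set: nothing to report.
    intact = verify_manifest(BACKUP_SET, manifest, KEY)

    # 2. A program library altered in transit; the manifest is still genuine.
    tampered = dict(BACKUP_SET)
    tampered["programs/posting.jar"] += b"\x90\x90 injected"
    altered_file = verify_manifest(tampered, manifest, KEY)

    # 3. The attacker also rewrites the manifest but cannot sign it without the key.
    forged = build_manifest(tampered, b"attacker-guess")
    altered_manifest = verify_manifest(tampered, forged, KEY)

    return {"intact": intact, "tampered": altered_file, "forged": altered_manifest}


if __name__ == "__main__":
    for case, problems in run_sample().items():
        print(case, "->", problems or "ok")
```

Plain checksums shipped alongside the media would catch accidental corruption but not a deliberate substitution, because whoever changes the file can regenerate the checksum; the keyed signature is what ties the check to a secret the storage custodians and transport carriers do not hold. The same verification step belongs at the alternate site before a program library is loaded, which is the point item 1 makes about controls across the whole life cycle.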
BCP - Pandemic Issues
Objective 8: Determine whether the BCP effectively
addresses pandemic issues.
1. Determine whether the Board or a committee thereof and senior
management provide appropriate oversight of the institution's
pandemic preparedness program.
2. Determine whether the BCP addresses the assignment of
responsibility for pandemic planning, preparing, testing,
responding, and recovering.
3. Determine whether the BCP includes the following elements,
appropriately scaled for the size, activities and complexities of
4. Determine whether pandemic risks have been incorporated into
the business impact analysis and whether continuity plans and
strategies reflect the results of the analysis.
5. Determine whether the BCP addresses management monitoring of
alert systems that provide information regarding the threat and
progression of a pandemic. Further, determine if the plan provides
for escalating responses to the progress or particular stages of an
6. Determine whether the BCP addresses communication and
coordination with financial institution employees and the following
outside parties regarding pandemic issues:
7. Determine whether the BCP incorporates management's analysis
of the impact on operations if essential functions or services
provided by outside parties are disrupted during a pandemic.
8. Determine whether the BCP includes continuity plans and other
mitigating controls (e.g. social distancing, teleworking,
functional cross-training, and conducting operations from
alternative sites) to sustain critical internal and outsourced
operations in the event large numbers of staff are unavailable for
9. Determine whether the BCP addresses modifications to normal
compensation and absenteeism policies to be enacted during a
10. Determine whether management has analyzed remote access
requirements, including the infrastructure capabilities and
capacity that may be necessary during a pandemic.
11. Determine whether the BCP provides for an appropriate
testing program to ensure that continuity plans will be effective
and allow the organization to continue its critical operations.
Such a testing program may include:
BCP - Third-Party Management and Outsourced
Objective 9: Determine whether management and the
BCP addresses critical third parties and outsourced activities and
whether there is appropriate oversight in place.
1. Determine if management has taken sufficient steps to ensure
third-party technology service providers (TSPs) employ the most
recent techniques and technologies (or identify where gaps exist)
to mitigate:
2. Determine if the financial institution's due diligence
processes considered its service provider's business continuity
program. Consider whether management assessed:
3. Assess whether the third-party TSP's contract provides for
the following elements to ensure business resiliency:
4. Evaluate the financial institution's third-party ongoing
monitoring program, including the adequacy of information reviewed
to determine that the service provider can continue to meet its
obligations to provide financial services and support the
institution's business resilience. Consider:
5. Evaluate data governance standards and expectations with
third-party providers. Consider:
6. Determine whether the BCP addresses communications and
connectivity with TSPs in the event of a disruption at the
7. Determine whether the BCP addresses communications and
connectivity with TSPs in the event of a disruption at any of the
8. Determine whether there are documented procedures in place
for accessing, downloading, and uploading information with TSPs,
correspondents, affiliates and other service providers, from
primary and recovery locations, in the event of a disruption.
9. Determine whether the institution has a copy of the TSPs' BCP
and incorporates it, as appropriate, into its own plans.
10. Determine whether management has received and reviewed the
testing results of its TSPs.
11. Determine whether institution management has assessed the
adequacy of the TSPs' business continuity program through their
vendor management program (e.g. contract requirements, third-party
12. For foreign-based third-party service providers determine if
management has adequately addressed production and back-up data
that remains offshore. Consider:
Objective 10: Determine whether the financial
institution's and TSP's risk management strategies are designed to
achieve resilience, such as the ability to effectively respond to
wide-scale disruptions, including cyber attacks and attacks on
multiple critical infrastructure sectors.
5. Determine whether the financial institution and service
provider use a layered anti-malware strategy, including integrity
checks, anomaly detection, system behavior monitoring and employee
security awareness training, in addition to traditional
signature-based anti-malware systems.
6. Determine whether the financial institution and service
provider consider their susceptibility to simultaneous attacks in
their business resilience planning, testing, and recovery
7. Determine whether the financial institution and service
provider consider their susceptibility to an insider threat and
what impact this may have on business continuity and broader
8. Determine whether the financial institution and service
provider have arranged both third-party computer forensics and
incident management services in advance of a wide-scale cyber
security event.
9. Determine whether the incident response program includes a
cyber component and assess whether it is appropriate for the size
and complexity of the financial institution or service
provider. Review the incident response plan to ensure that it
addresses the following:
Risk Monitoring and Testing
Objective 11: Determine whether the BCP testing
program is sufficient to demonstrate the financial institution's
ability to meet its continuity objectives.
Testing Policy
1. Determine whether the institution has a business continuity
testing policy that sets testing expectations for the
enterprise-wide continuity functions, business lines, support
functions, and crisis management.
2. Determine whether the testing policy identifies key roles and
responsibilities of the participants in the testing program.
3. Determine whether the testing policy establishes a testing
cycle with increasing levels of test scope and complexity.
Testing Strategy
1. Determine whether the institution has a business continuity
testing strategy that includes documented test plans and related
testing scenarios, testing methods, and testing schedules and also
addresses expectations for mission critical business lines and
support functions, including:
2. Determine whether the testing strategy articulates
management's assumptions and whether the assumptions (e.g.
available resources and services, length of disruption, testing
methods, capacity and scalability issues, and data integrity)
appear reasonable based on a cost/benefit analysis and recovery and
3. Determine whether the testing strategy addresses the need for
enterprise-wide testing and testing with significant
4. Determine whether the testing strategy includes guidelines
for the frequency of testing that are consistent with the
criticality of business functions, RTOs, RPOs, and recovery of the
critical path, as defined in the BIA and risk assessment, corporate
policy, and regulatory guidelines.
5. Determine whether the testing strategy addresses the
documentation requirements for all facets of the continuity testing
program, including test scenarios, plans, scripts, results, and
6. Determine whether the testing strategy includes testing the
effectiveness of an institution's crisis management process for
responding to emergencies, including:
7. Determine whether the testing strategy addresses physical and
logical security considerations for the facility, vital records and
data, telecommunications, and personnel.
Execution, Evaluation, and Re-Testing
1. Determine whether the institution has coordinated the
execution of its testing program to fully exercise its business
continuity planning process, and whether the test results
demonstrate the readiness of employees to achieve the institution's
recovery and resumption objectives (e.g. sustainability of
operations and staffing levels, full production recovery,
achievement of operational priorities, timely recovery of
2. Determine whether test results are analyzed and compared
against stated objectives; test issues are assigned ownership; a
mechanism is developed to prioritize test issues; test problems are
tracked until resolution; and recommendations for future tests are
3. Determine whether the test processes and results have been
subject to independent observation and assessment by a qualified
third party (e.g., internal or external auditor).
4. Determine whether an appropriate level of re-testing is
conducted in a timely fashion to address test problems or
Testing With Third-Party Service Providers
Objective 12: Determine whether the
financial institution's testing program enhances resilience through
demonstrated ability to recover, resume, and maintain operations
after disruptions, ranging from minor outages to wide-scale
disasters consistent with the BIA and risk
1. Determine whether testing with third-party providers is
included in the institution's enterprise BCP testing program.
When testing with the critical service providers, determine whether
management considered testing:
2. Determine whether a process exists to rank third parties
based on criticality, risk, and testing scope.
3. Determine whether the financial institution has a process to
ensure it is included in its critical third-party providers'
testing program(s) at reasonable intervals. Consider whether:
4. Evaluate how the financial institution ensures timeliness,
thoroughness, and completeness of periodic testing with their
5. Determine whether testing scenarios with critical
6. Assess documented process/transaction flow charts to evaluate
the thoroughness of the testing scope, plans and strategy.
7. Determine whether the client institution has received
assurance, via testing documentation, that the third party can
restore services to the client institution and support typical
volumes during a recovery event.
8. Determine whether the institution relies on proxy
9. Determine whether the institution receives adequate testing
information which validates and demonstrates the recovery
capability and capacity of its critical service providers.
Testing Expectations for Core Firms and Significant
Note: The following testing expectations only apply to
core and significant firms as defined by interagency
Core firms are defined as organizations that perform
core clearing and settlement activities in critical financial
markets. Significant firms are defined as organizations that
process a significant share of transactions in critical financial
For core and significant firms:
1. Determine whether core and significant firms have established
a testing program that addresses their critical market activities
and assesses the progress and status of the implementation of the
testing program to address BCP guidelines and applicable industry
2. Determine the extent to which core and significant firms have
demonstrated through testing or routine use that they have the
ability to recover and, if relevant, resume operations within the
specified time frames addressed in the BCP guidelines and
applicable industry standards.
3. Determine whether core and significant firms' strategies and
plans address wide-scale disruption scenarios for critical
clearance and settlement activities in support of critical
financial markets. Determine whether test plans demonstrate
their ability to recover and resume operations, based on guidelines
defined by the BCP and applicable industry standards, from
geographically dispersed data centers and operations
4. Determine that back-up sites are able to support typical
payment and settlement volumes for an extended period.
5. Determine that back-up sites are fully independent of the
critical infrastructure components that support the primary
6. Determine whether the tests validate the core and significant
firms' back-up arrangements to ensure that:
7. Determine that the test assumptions are appropriate for core
and significant firms and consider:
For core firms:
8. Determine whether the core firm's testing strategy includes
plans to test the ability of significant firms, which clear or
settle transactions, to recover critical clearing and settlement
activities from geographically dispersed back-up sites within a
reasonable time frame.
For significant firms:
9. Determine whether the significant firm has an external
testing strategy that addresses key interdependencies, such as
testing with third-party market providers and key customers.
10. Determine whether the significant firm's external testing
strategy includes testing from the significant firm's back-up sites
to the core firms' back-up sites.
11. Determine whether the significant firm meets the testing
requirements of applicable core firms.
12. Determine whether the significant firm participates in
"street" or market-wide tests sponsored by core firms, markets, or
trade associations that test connectivity from alternate sites
and include transaction, settlement, and payment processes, to the
Objective 13: Discuss corrective action and
1. From the procedures performed:
2. Review your preliminary conclusions with the
examiner-in-charge (EIC) regarding:
3. Discuss your findings with management and obtain proposed
corrective action and deadlines for remedying significant
4. Document your conclusions in a memo to the EIC that provides
report ready comments for all relevant sections of the report of
5. Organize and document your work papers to ensure clear
support for significant findings and conclusions.
Tier II Objectives and Procedures
Tier II objectives and examination procedures may be used to
provide additional verification of the effectiveness of business
continuity planning or identify potential root causes for
weaknesses in the business continuity program. These
procedures may be used in their entirety or selectively, depending
on the scope of the examination and the need for additional
verification. Examiners should coordinate this coverage with
other examiners to avoid duplication of effort while reviewing
various issues found in other work programs.
The procedures provided in this section should not be construed
as requirements for control implementation. The selection of
controls and control implementation should be guided by the risk
profile of the institution. Therefore, the controls necessary
for any single institution or any given area may differ from those
noted in the following procedures.
Objective 1: Determine whether the testing strategy
addresses various event scenarios, including potential issues
encountered during a wide-scale disruption:
1. Determine whether the strategy addresses staffing
2. Determine whether the strategy addresses technology
3. Determine whether the business line testing strategy
addresses the facilities supporting the critical business functions
and technology infrastructure, including:
Objective 2: Determine if test plans adequately
complement testing strategies.
Scenarios - Test Content
1. Determine whether the test scenarios include a variety of
threats and event types, a range of scenarios that reflect the full
scope of the institution's testing strategy, an increase in the
complexity and scope of the tests, and tests of wide-scale
disruptions over time.
2. Determine whether the scenarios include detailed steps that
demonstrate the viability of continuity plans, including:
3. Determine that test scenarios reflect key interdependencies.
Consider the following:
Plans: How the institution conducts Testing
1. Determine that the test plans and test scripts are documented
and clearly reflect the testing strategy, that they encompass all
critical business and supporting systems, and that they provide
test participants with the information necessary to conduct tests
of the institution's continuity plans, including: