This booklet is one in a series of booklets that comprise the Federal Financial Institutions Examination Council (FFIEC) Information Technology (IT) Examination Handbook. This booklet provides guidance to assist examiners in evaluating financial institution and service provider risk management processes to ensure the availability of critical financial services. (This booklet uses the terms "institution" and "financial institution" to describe insured banks, thrifts, and credit unions, as well as technology service providers to such entities.) This booklet was also designed to provide helpful guidance to financial institutions regarding the implementation of their business continuity planning processes.
This booklet rescinds and replaces the previous "Business Continuity Planning Booklet," which was issued in March 2003, and has been revised to reflect technological and regulatory changes with a focus on management's responsibilities regarding oversight of the continuity planning process for business operations. While significant revisions have been made, the focus of this booklet continues to be based on an enterprise-wide, process-oriented approach that considers technology, business operations, testing, and communication strategies that are critical to business continuity planning for the entire business, instead of just the information technology department.
This booklet is divided into two parts. The first part, or narrative, describes the business continuity planning process and addresses the responsibilities of the board of directors (board) and senior management. The second part includes examination procedures, a glossary, detailed appendices supporting the narrative, and a reference list of each agency's applicable laws, regulations, and guidance. Each section in the narrative begins with an "Action Summary" that highlights the major points in that section. While not a substitute for reading the entire booklet, the action summaries may be used to quickly assess the most important issues discussed in that section. It is also important to read the detailed appendices, which can serve as a comprehensive reference guide for the topics discussed in the narrative.
The overall goal of this booklet is to provide guidance to the financial services industry about the importance of business continuity planning, which establishes the basis for financial institutions to recover and resume business processes when operations have been disrupted unexpectedly. Because financial institutions play a crucial role in the overall economy, disruptions in service should be minimized in order to maintain public trust and confidence in the financial system. As such, financial institution management should incorporate business continuity considerations into the overall design of their business model to proactively mitigate the risk of service disruptions.
Financial institution management should develop a comprehensive business continuity plan (BCP) as part of the business continuity planning process. The BCP should be based on the size and complexity of the institution and should be consistent with the financial institution's overall business strategy. The goal of the BCP should be to minimize financial losses to the institution, serve customers and financial markets with minimal disruptions, and mitigate the negative effects of disruptions on business operations. Reviewing a financial institution's business continuity planning process, which includes an assessment of the BCP, is an established part of examinations performed by the FFIEC member agencies (Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, and the Office of Thrift Supervision).
Changes in business processes and technology, increased terrorism concerns, recent catastrophic natural disasters, and the threat of a pandemic have focused even greater attention on the need for effective business continuity planning. Consequently, these issues should be given greater consideration in the business continuity planning process. Financial institution management should consider the potential for area-wide disasters that could affect an entire region and result in significant losses to the institution. The business continuity planning process should address interdependencies, both market-based and geographic, among financial system participants and infrastructure service providers. In most cases, recovery time objectives (RTOs) are now much shorter than they were a few years ago, and for some institutions, RTOs are based on hours and even minutes. Ultimately, all institutions should anticipate and plan for the unexpected and ensure that their business continuity planning process appropriately addresses the lessons they have learned from past disasters.
Board and Senior Management Responsibilities