Business Continuity/Disaster Recovery: Executive Summary of FFIEC IT Examination Handbook

Thomas Donchez
June 18, 2008 | COMMENTS

The Business Continuity Planning (BCP) manual is part of the IT Examination Handbook from Federal Financial Institutions Examination Council (FFIEC). The March 2008 version of the BCP manual has been updated since it original release in March 2003. This booklet is intended to provide guidance to the financial institutions regarding business continuity planning, which helps companies recover and resume business processes when operations have been disrupted unexpectedly. Because financial institutions are part of the nation's critical infrastructure, it is important to minimize disruptions to their business.

Key Topics

The BCP booklet is divided into two main areas: Business continuity plans and examination procedures. The first part describes the planning process of creating a business continuity plan, along with the responsibilities of senior management during that process. The second part describes the technical aspects regarding risk, including assessment, management, testing and monitoring.

Business Continuity Plan

Financial institutions should develop a comprehensive BCP based on the size and complexity of the institution. The goal of the BCP should be to minimize financial losses to the institution, serve customers and financial markets with minimal disruptions, and mitigate the negative effects of disruptions on business operations.

A financial institution's board and senior management are responsible for the following:

• Establishing policy by determining how the institution will manage and control identified risks
• Allocating knowledgeable personnel and sufficient financial resources to implement the BCP
• Ensuring that the BCP is independently reviewed and approved at least annually
• Ensuring employees are trained and aware of their roles in the implementation of the BCP
• Ensuring the BCP is regularly tested on an enterprise-wide basis
• Reviewing the BCP testing program and test results on a regular basis
• Ensuring the BCP is continually updated to reflect the current operating environment

Examination Procedures

The following describes the different aspects of creating and maintaining a business continuity plan. These different topics allow organizations to evaluate the critical aspects of their business and include them in their BCP.

Business Impact Analysis

A business impact analysis is the first step in creating a business continuity plan. This part of the process includes all of the critical functions and processes of the business along with the potential threats to these different aspects.

A business impact analysis report should include:

• Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis
• Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution's business functions and processes
• Identification of the legal and regulatory requirements for the institution's business functions and processes
• Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution's business functions and processes
• Estimation of recovery time objectives (RTOs), recovery point objectives (RPOs), and recovery of the critical path

Risk Assessment

The risk assessment is the second step in the process of creating a business continuity plan. During the risk assessment step, business processes and the business impact analysis assumptions are evaluated using various threat scenarios.

A Risk assessment should include:

• Evaluating the BIA assumptions using various threat scenarios
• Analyzing threats based upon the impact to the institution, its customers, and the financial market it serves
• Prioritizing potential business disruptions based upon their severity, which is determined by their impact on operations and the probability of occurrence
• Performing a "gap analysis" that compares the existing BCP to the policies and procedures that should be implemented based on prioritized disruptions identified and their resulting impact on the institution

Risk Management

Risk management is the process of identifying, assessing, and reducing risk to an acceptable level through a proper business continuity plan.

Through risk management, the business continuity plan should be:

• Based on a comprehensive BIA and risk assessment
• Documented in a written program
• Reviewed and approved by the board and senior management at least annually
• Disseminated to financial institution employees
• Properly managed when the maintenance and development of the BCP is outsourced to a third party
• Specific regarding what conditions should prompt implementation of the plan and the process for invoking the BCP
• Specific regarding what immediate steps should be taken during a disruption
• Flexible to respond to unanticipated threat scenarios and changing internal conditions
• Focused on the impact of various threats that could potentially disrupt operations rather than on specific events
• Developed based on valid assumptions and an analysis of interdependencies;
• Effective in minimizing service disruptions

Risk Monitoring and Testing

Risk monitoring and testing is the final step in the business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the:

• Incorporation of the BIA and risk assessment into the BCP and testing program
• Development of an enterprise-wide testing program
• Assignment of roles and responsibilities for implementation of the testing program
• Completion of annual, or more frequent, tests of the BCP
• Evaluation of the testing program and the test results by senior management and the board
• Assessment of the testing program and test results by an independent party
• Revision of the BCP and testing program based upon changes in business operations, audit and examination recommendations, and test results

Closing Thoughts

The above examination procedures are intended to be a cyclical process. The business continuity plan is an ongoing process that needs to be updated as events occur.

As an organization's risk testing and monitoring detects changes in the company, a new risk assessment phase should occur to evaluate the impact of the changes and modify the business continuity plan as needed.

To see the full BCP booklet or any of the other sections of the FFIEC IT Examination Handbook, visit: http://www.ffiec.gov/ffiecinfobase/html_pages/bcp_book_frame.htm.

This article originally appeared in CUInfoSecurity (www.CUInfoSecurity.com). Reprinted with permission.