FFIEC Rewrites the IT Examination Handbook
How does the FFIEC rewriting the IT Handbook affect you? Do you need to rewrite your plans? Here is the background. The previous version of the FFIEC (Federal Financial Institutions Examination Council) Information Technology Examination Handbook booklet, Business Continuity Planning, dated February 2015, was replaced with a new version, Business Continuity Management, dated November 2019. This publication is more than an update; it is a new approach to, and a rewrite of, the management of the business continuity process. Over the past year or so, I heard a new buzzword, “resilience”, used in business continuity planning without guidance, meaning, or standards. This changed when the FFIEC published the new version of the handbook, which gave the word resilience a definition and a new approach. The booklet defines resilience as “The ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents.”
The change in focus to resilience led to several name changes: Business Continuity Planning (BCP) became Business Continuity Management (BCM), with BCP now a subset of BCM; and Financial Institutions became Entities, a change that widened the focus and responsibility to include third-party service providers, which must adhere to the same standard.
The previous Handbook represented a process approach to Business Continuity Planning: Business Impact Analysis, Risk Assessment, Risk Management (essentially, recovery procedures), and Risk Monitoring and Testing. The new guidance recommends a slightly different approach: Risk Management (Business Impact Analysis, Risk/Threat Assessment), Continuity Strategies (Interdependency Resilience, Continuity and Recovery), Training & Testing (aka Exercises), Maintenance & Improvement, and Board Reporting.
In summary, understand what’s new, what’s changed, and how these changes affect your plans. If necessary, develop a plan with a phased approach to achieving compliance.
For more information, contact Weidenhammer.