Fillable Printable Formal Business Continuity Planning Booklet
Fillable Printable Formal Business Continuity Planning Booklet
Formal Business Continuity Planning Booklet
MARCH 2003
Federal Financial Institutions Examination Council
FFIEC
IT EXAMINATION
H ANDBOOK
BCP
Business
Continuity Planning
TABLE OF CONTENTS
INTRODUCTION ................................................................................ 1
BOARD AND SENIOR MANAGEMENT RESPONSIBILITIES ......... 3
BUSINESS CONTINUITY PLANNING PROCESS............................ 4
Business Impact Analysis .....................................................................................6
Risk Assessment ..................................................................................................8
Risk Management ............................................................................................... 10
Business Continuity Plan Development ...................................................10
Other Policies, Standards and Processes...........................................................12
Systems Development Life Cycle and Project Management....................12
Change Control ........................................................................................13
Data Synchronization ...............................................................................13
Employee Training and Communication Planning....................................13
Insurance .................................................................................................14
Government and Community ...................................................................15
Risk Monitoring ...................................................................................................15
Overall Testing Strategy...........................................................................15
Testing Scope and Objectives..................................................................16
Specific Test Plans...................................................................................17
Test Plan Review .....................................................................................17
Validation of Assumptions........................................................................ 17
Accuracy of Information............................................................................18
Completeness of Procedures ...................................................................18
Testing Methods.......................................................................................18
ORIENTATION/WALK-THROUGH ......................................................... 18
TABLETOP/MINI-DRILL.......................................................................... 18
FUNCTIONAL TESTING ......................................................................... 19
FULL-SCALE TESTING .......................................................................... 19
Conducting a Test ....................................................................................20
Analyzing and Reporting Test Results ..................................................... 20
Updating a Business Continuity Plan .......................................................21
Audit and Independent Reviews............................................................... 21
SUMMARY.......................................................................................22
APPENDIX A: EXAMINATION PROCEDURES...........................A-1
APPENDIX B: GLOSSARY ..........................................................B-1
APPENDIX C: INTERNAL AND EXTERNAL THREATS .............C-1
APPENDIX D: INTERDEPENDENCIES .......................................D-1
APPENDIX E: BCP COMPONENTS ............................................E-1
Business Continuity Planning Booklet - March 2003
FFIEC IT Examination Handbook
Page 1
INTRODUCTION
This Federal Financial Institutions Examination Council (FFIEC) Business Continuity
Planning booklet provides guidance and examination procedures to assist examiners in
evaluating financial institution and service provider risk management processes to ensure
the availability of critical financial services.
Operating disruptions can occur with or without warning, and the results may be
predictable or unknown. Because financial institutions play a crucial role in the United
States economy, it is important their business operations are resilient and the effects of
disruptions in service are minimized in order to maintain public trust and confidence in
our financial system.
1
Effective business continuity planning establishes the basis for
financial institutions to maintain and recover business processes when operations have
been disrupted unexpectedly.
Business continuity planning is the process whereby financial institutions ensure the
maintenance or recovery of operations, including services to customers, when confronted
with adverse events such as natural disasters, technological failures, human error, or
terrorism. The objectives of a business continuity plan (BCP) are to minimize financial
loss to the institution; continue to serve customers and financial market participants; and
mitigate the negative effects disruptions can have on an institution's strategic plans,
reputation, operations, liquidity, credit quality, market position, and ability to remain in
compliance with applicable laws and regulations. Changing business processes
(internally to the institution and externally among interdependent financial services
companies) and new threat scenarios require financial institutions to maintain updated
and viable BCPs.
Reviewing a financial institution's BCP is an established part of examinations performed
by the FFIEC member agencies.
2
However, new business practices, changes in
technology, and increased terrorism concerns, have focused even greater attention on the
need for effective business continuity planning and have altered the benchmarks of an
effective plan. For example, an effective BCP should take into account the potential for
wide-area disasters that impact an entire region and for the resulting loss or
inaccessibility of staff. It also should consider and address interdependencies, both
market-based and geographic, among financial system participants as well as
infrastructure service providers. In most cases, recovery time objectives are now much
1
This booklet uses the terms "institution" and "financial institution" to describe insured banks, thrifts, and credit
unions, as well as technology service providers that provide services to such entities.
2
Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit
Union Administration, Office of the Comptroller of the Currency, and Office of Thrift Supervision.
Business Continuity Planning Booklet - March 2003
FFIEC IT Examination Handbook
Page 2
shorter than they were even a few years ago, and for some institutions recovery time
objectives are based on hours and even minutes.
Many financial institutions are incorporating business continuity considerations into
business process development to mitigate proactively the risk of service disruptions. In
creating an effective BCP, financial institutions should not assume a reduced demand for
services during the disruption. In fact, demand for some services (e.g., ATMs) may
increase.
This booklet rescinds and replaces Chapter 10 of the 1996 FFIEC Information Systems
Examination Handbook, Corporate Contingency Planning. This update is necessary due
to advances since 1996 in technology, changes in business practices, and increased
concerns over terrorism.
This booklet also provides an opportunity to incorporate lessons learned from Year 2000
activities. The Year 2000 activities recognized that while technology was the primary
basis for concern, an enterprise-wide, process-oriented approach that considers
technology, business processes, testing, and communication strategies is critical to
building a viable BCP.
Each primary section of the booklet begins with an “Action Summary” that summarizes
and highlights the major themes in that section. While not a substitute for reading the
entire booklet, these Action Summaries may be used to more quickly assess the most
important points discussed in that section.
Business Continuity Planning Booklet - March 2003
FFIEC IT Examination Handbook
Page 3
BOARD AND SENIOR
MANAGEMENT RESPONSIBILITIES
Action Summary
A financial institution's board of directors and senior management are
responsible for:
Allocating sufficient resources and knowledgeable personnel to
develop the BCP;
Setting policy by determining how the institution will manage and
control identified risks;
Reviewing BCP test results;
Approving the BCP on an annual basis; and
Ensuring the BCP is kept up-to-date and employees are trained
and aware of their role in its implementation.
Senior management and the board of directors are responsible for identifying, assessing,
prioritizing, managing, and controlling risks. They should ensure necessary resources are
devoted to creating, maintaining, and testing the plan. The board fulfills its business
continuity planning responsibilities by setting policy, prioritizing critical business
functions, allocating sufficient resources and personnel, providing oversight, approving
the BCP, reviewing test results, and ensuring maintenance of a current plan. The
effectiveness of business continuity planning depends on management's commitment and
ability to clearly identify what makes existing business processes work. Each financial
institution must evaluate its own unique circumstances and environment to develop a
comprehensive BCP.
The board and senior management should designate personnel to participate in BCP
development. Properly allocating resources will challenge an institution throughout the
development and maintenance of a BCP. A large, complex institution may need a
business continuity planning department with a team of departmental liaisons throughout
the enterprise. A smaller, less complex institution may only need an individual business
continuity planning coordinator. While the planning personnel may recommend certain
prioritization, ultimately the board of directors and senior management are responsible
for understanding critical business processes and subsequently establishing plans to meet
business process requirements in a safe and sound manner.
Business Continuity Planning Booklet - March 2003
FFIEC IT Examination Handbook
Page 4
BUSINESS CONTINUITY PLANNING
PROCESS
Action Summary
A financial institution's business continuity planning process should
reflect the following objectives:
Business continuity planning is about maintaining, resuming, and
recovering the business, not just the recovery of the technology.
The planning process should be conducted on an enterprise-wide
basis.
A thorough business impact analysis and risk assessment are the
foundation of an effective BCP.
The effectiveness of a BCP can only be validated through testing
or practical application.
The BCP and test results should be subjected to an independent
audit and reviewed by the board of directors.
A BCP should be periodically updated to reflect and respond to
changes in the financial institution or its service provider(s).
Financial institutions should conduct business continuity planning on an enterprise-wide
basis. In enterprise-wide business continuity planning an institution considers every
critical aspect of its business in creating a plan for how it will respond to disruptions. It
is not limited to the restoration of information technology systems and services, or data
maintained in electronic form, since such actions, by themselves, cannot always put an
institution back in business. Without a BCP that considers every critical business unit,
including personnel, physical workspace, and similar issues, an institution may not be
able to resume serving its customers at acceptable levels. Institutions that outsource the
majority of their data processing, core processing, or other information technology
systems or services are still expected to implement an appropriate BCP addressing the
equipment and processes that remain under their control.
Financial institutions should also recognize their role in supporting systemic financial
market business processes (e.g., inter-bank payment systems, and key market clearance
and settlement activities) and that service disruptions at their institution may significantly
affect the integrity of key financial markets. The FFIEC agencies encourage all
institutions to work with affected interdependent parties to coordinate BCP development
and testing. The FFIEC agencies expect financial institutions that play a major role in
critical financial markets to have robust planning and coordinated testing with other
industry participants. Critical markets include, but may not be limited to, the markets for
Business Continuity Planning Booklet - March 2003
FFIEC IT Examination Handbook
Page 5
federal funds; foreign exchange; commercial paper; and government, corporate, and
mortgage-backed securities.
Firms that play significant roles in critical financial markets are those that participate in
sufficient volume or value such that their failure to perform critical activities by the end
of the business day could present systemic risk. The agencies believe that many, if not
most, of the 15-20 major banks and the 5-10 major securities firms, and possibly others,
play at least one significant role in at least one critical market. In the context of sound
practices, some of the agencies are considering the benefit of providing additional
guidance to help firms identify the category into which they fall for the specific activities
they perform.
Financial institutions not directly participating in critical financial markets, but
nonetheless performing financial services or supporting financial market activities
deemed critical to regional or national financial sectors, are also expected to establish
BCPs and recovery capabilities commensurate with their role. Smaller, less complex
institutions generally do not need the same level of planning, but are expected to fulfill
their responsibility by developing an appropriate BCP and periodically conducting
adequate tests.
Management should update BCPs as business processes change. For example, financial
institutions of all sizes are increasingly relying on distributed network solutions to
support business processes. This increased reliance can include desktop computers
maintaining key applications. While distributed networking provides flexibility in
allowing institutions to deliver operations to where employees and customers are located,
it also means that end-users should keep BCP personnel up-to-date on what constitutes
current business processes and significant changes. Technological advancements are
allowing faster and more efficient processing, thereby reducing acceptable business
process recovery periods. In response to competitive and customer demands, many
financial institutions are moving toward shorter recovery periods and designing
technology recovery solutions into business processes. These technological
advancements increase the importance of enterprise-wide business continuity planning.
The FFIEC agencies encourage financial institutions to adopt a process-oriented approach
to business continuity planning that involves:
1. Business impact analysis (BIA);
2. Risk assessment;
3. Risk management; and
4. Risk monitoring.
This framework is usable regardless of the size of the institution. Business continuity
planning should focus on all critical business functions that need to be recovered to
Business Continuity Planning Booklet - March 2003
FFIEC IT Examination Handbook
Page 6
resume operations. Continuity planning for technology alone should no longer be the
primary focus of a BCP, but rather viewed as one critical aspect of the enterprise-wide
process. The review of each critical business function should include the technology that
supports it.
3
BUSINESS IMPACT ANALYSIS
Action Summary
A business impact analysis (BIA) is the first step in developing a BCP. It
should include:
Identification of the potential impact of uncontrolled, non-specific
events on the institution's business processes and its customers;
Consideration of all departments and business functions, not just
data processing; and
Estimation of maximum allowable downtime and acceptable levels
of data, operations, and financial losses.
The institution’s first step in developing a BCP is to perform a BIA. The amount of time
and resources necessary to complete the BIA will depend on the size and complexity of
the financial institution. The institution should include all business functions and
departments in this process, not just data processing.
The BIA phase identifies the potential impact of uncontrolled, non-specific events on the
institution's business processes. The BIA phase also should determine what and how
much is at risk by identifying critical business functions and prioritizing them. It should
estimate the maximum allowable downtime for critical business processes, recovery point
objectives and backlogged transactions, and the costs associated with downtime.
Management should establish recovery priorities for business processes that identify
essential personnel, technologies, facilities, communications systems, vital records, and
data. The BIA also considers the impact of legal and regulatory requirements such as the
privacy and availability of customer data and required notifications to the institution's
primary federal regulator and customers when facilities are relocated.
4
3
See Guidelines for Establishing Standards for Safeguarding Customer Information, 66 FR 8616 (February 1,
2001). The risk assessment required by the interagency guidelines may be helpful in performing the BCP risk
assessment. Board of Governors of the Federal Reserve System, 12 CFR parts 208, 211, 225, and 263; Federal
Deposit Insurance Corporation, 12 CFR parts 308 and 364; National Credit Union Administration, 12 CFR part
748; Office of the Comptroller of the Currency, 12 CFR part 30; Office of Thrift Supervision, 12 CFR parts 568
and 570.
4
See Policy Statement of the Office of the Comptroller of the Currency, Board of Governors of the Federal
Reserve System, Federal Deposit Insurance Corporation, and Office of Thrift Supervision Concerning Branch
Business Continuity Planning Booklet - March 2003
FFIEC IT Examination Handbook
Page 7
Personnel responsible for this phase should consider developing uniform interview and
inventory questions that can be used on an enterprise-wide basis. Uniformity can
improve the consistency of responses and help personnel involved in the BIA phase
compare and evaluate business process requirements. This phase may initially prioritize
business processes based on their importance to the institution's achievement of strategic
goals and maintenance of safe and sound practices. However, this prioritization should
be revisited once the business processes are modeled against various threat scenarios so
that a BCP can be developed.
When determining a financial institution's critical needs, reviews should be conducted for
all functions, processes, and personnel within each department. Each department should
document the mission critical functions performed. Departments should consider the
following questions:
What specialized equipment is required and how it is used?
How would the department function if mainframe, network and/or
Internet access were not available?
What single points of failure exist and how significant are those
risks?
What are the critical outsourced relationships and dependencies?
What is the minimum number of staff and space that would be
required at a recovery site?
What special forms or supplies would be needed at a recovery site?
What communication devices would be needed at a recovery site?
What critical operational or security controls require implementation
prior to recovery?
Is there any potential impact from common recovery sites serving
multiple lines of business or departments?
Have employees received cross training and has the department
defined back-up functions/roles employees should perform if key
personnel are not available?
Are emotional support and family care needs adequately considered?
Closing Notices and Policies, 64 FR 34844 (June 30, 1999); Establishment and Relocation of Domestic Branches
and Offices, Board of Governors of the Federal Reserve System, 12 CFR part208.6; Federal Deposit Insurance
Corporation, 12 CFR part 303.44; Office of the Comptroller of the Currency, 12 CFR part5.30; and Office of
Thrift Supervision, 12 CFR part545.95.
Business Continuity Planning Booklet - March 2003
FFIEC IT Examination Handbook
Page 8
RISK ASSESSMENT
Action Summary
The risk assessment is the second step in developing a BCP. It should
include:
A prioritizing of potential business disruptions based upon severity
and likelihood of occurrence;
A gap analysis comparing the institution's existing BCP, if any, to
what is necessary to achieve recovery time and point objectives;
and
An analysis of threats based upon the impact on the institution, its
customers, and the financial markets, not just the nature of the
threat.
The risk assessment step is critical and has significant bearing on whether business
continuity planning efforts will be successful. If the threat scenarios developed are
unreasonably limited, the resulting BCP may be inadequate. During the risk assessment
step, business processes and the business impact analysis assumptions are stress tested
with various threat scenarios. This will result in a range of outcomes, some that require
no action for business processes to be successful and others that will require significant
BCPs to be developed and supported with resources (financial and personnel).
Financial institutions should develop realistic threat scenarios that may potentially disrupt
their business processes and ability to meet their client’s expectations (internal, business
partners, or customers).
5
Threats can take many forms, including malicious activity as
well as natural and technical disasters. Where possible, institutions should analyze a
threat by focusing on its impact on the institution, not the nature of the threat. For
example, the effects of certain threat scenarios can be reduced to business disruptions that
affect only specific work areas, systems, facilities (i.e., buildings), or geographic areas.
Additionally, the magnitude of the business disruption should consider a wide variety of
threat scenarios based upon practical experiences and potential circumstances and events.
If the threat scenarios are not comprehensive, BCPs may be too basic and omit
reasonable steps that could improve business processes' resiliency to disruptions.
Threat scenarios need to consider the impact of a disruption and probability of the threat
occurring. Threats range from those with a high probability of occurrence and low
impact to the institution (e.g., brief power interruptions), to those with a low probability
5
A summary of threats and basic safeguards is contained in Appendix C.