Federal Financial Institutions Examination Council (FFIEC)
IT EXAMINATION HANDBOOK
Business Continuity Planning (BCP)
MARCH 2003
TABLE OF CONTENTS
INTRODUCTION ................................................................................ 1
BOARD AND SENIOR MANAGEMENT RESPONSIBILITIES ......... 3
BUSINESS CONTINUITY PLANNING PROCESS ............................ 4
Business Impact Analysis ..................................................................................... 6
Risk Assessment .................................................................................................. 8
Risk Management ............................................................................................... 10
Business Continuity Plan Development ................................................... 10
Other Policies, Standards and Processes........................................................... 12
Systems Development Life Cycle and Project Management.................... 12
Change Control ........................................................................................ 13
Data Synchronization ............................................................................... 13
Employee Training and Communication Planning.................................... 13
Insurance ................................................................................................. 14
Government and Community ................................................................... 15
Risk Monitoring ................................................................................................... 15
Overall Testing Strategy........................................................................... 15
Testing Scope and Objectives.................................................................. 16
Specific Test Plans................................................................................... 17
Test Plan Review ..................................................................................... 17
Validation of Assumptions ........................................................................ 17
Accuracy of Information............................................................................ 18
Completeness of Procedures ................................................................... 18
Testing Methods....................................................................................... 18
ORIENTATION/WALK-THROUGH ......................................................... 18
TABLETOP/MINI-DRILL.......................................................................... 18
FUNCTIONAL TESTING ......................................................................... 19
FULL-SCALE TESTING .......................................................................... 19
Conducting a Test .................................................................................... 20
Analyzing and Reporting Test Results ..................................................... 20
Updating a Business Continuity Plan ....................................................... 21
Audit and Independent Reviews............................................................... 21
SUMMARY .......................................................................................22
APPENDIX A: EXAMINATION PROCEDURES...........................A-1
APPENDIX B: GLOSSARY ..........................................................B-1
APPENDIX C: INTERNAL AND EXTERNAL THREATS .............C-1
APPENDIX D: INTERDEPENDENCIES .......................................D-1
APPENDIX E: BCP COMPONENTS ............................................E-1
Business Continuity Planning Booklet - March 2003
INTRODUCTION
This Federal Financial Institutions Examination Council (FFIEC) Business Continuity
Planning booklet provides guidance and examination procedures to assist examiners in
evaluating financial institution and service provider risk management processes to ensure
the availability of critical financial services.
Operating disruptions can occur with or without warning, and the results may be
predictable or unknown. Because financial institutions play a crucial role in the United
States economy, it is important that their business operations are resilient and that the
effects of disruptions in service are minimized in order to maintain public trust and
confidence in our financial system.1 Effective business continuity planning establishes the
basis for financial institutions to maintain and recover business processes when operations
have been disrupted unexpectedly.
Business continuity planning is the process whereby financial institutions ensure the
maintenance or recovery of operations, including services to customers, when confronted
with adverse events such as natural disasters, technological failures, human error, or
terrorism. The objectives of a business continuity plan (BCP) are to minimize financial
loss to the institution; continue to serve customers and financial market participants; and
mitigate the negative effects disruptions can have on an institution's strategic plans,
reputation, operations, liquidity, credit quality, market position, and ability to remain in
compliance with applicable laws and regulations. Changing business processes
(internally to the institution and externally among interdependent financial services
companies) and new threat scenarios require financial institutions to maintain updated
and viable BCPs.
Reviewing a financial institution's BCP is an established part of examinations performed
by the FFIEC member agencies.2 However, new business practices, changes in
technology, and increased terrorism concerns have focused even greater attention on the
need for effective business continuity planning and have altered the benchmarks of an
effective plan. For example, an effective BCP should take into account the potential for
wide-area disasters that impact an entire region and for the resulting loss or
inaccessibility of staff. It also should consider and address interdependencies, both
market-based and geographic, among financial system participants as well as
infrastructure service providers. In most cases, recovery time objectives are now much
1 This booklet uses the terms "institution" and "financial institution" to describe insured banks, thrifts, and credit unions, as well as technology service providers that provide services to such entities.
2 Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, and Office of Thrift Supervision.
FFIEC IT Examination Handbook Page 1