FFIEC Information Technology Examination Handbook
Business Continuity Management
NOVEMBER 2019
FFIEC IT Examination Handbook Business Continuity Management
Contents
INTRODUCTION ............................................................................................................. 1
I BUSINESS CONTINUITY MANAGEMENT ....................................... 2
II BUSINESS CONTINUITY MANAGEMENT GOVERNANCE............. 3
II.A Board and Senior Management Responsibilities .......................... 4
II.B Audit .................................................................................................. 6
III RISK MANAGEMENT ........................................................................ 7
III.A Business Impact Analysis ............................................................... 9
Identification of Critical Business Functions ..................................... 10
Interdependency Analysis ................................................................ 10
Impact of Disruption ......................................................................... 11
III.B Risk Assessment............................................................................ 12
Risk Identification ............................................................................. 13
Likelihood and Impact ...................................................................... 14
IV BUSINESS CONTINUITY STRATEGIES ........................................ 16
IV.A Resilience ....................................................................................... 18
Physical ............................................................................................ 19
Cyber Resilience .............................................................................. 19
Data Backup and Replication ........................................................... 19
Personnel ......................................................................................... 21
Third-Party Service Providers........................................................... 22
Telecommunications ........................................................................ 23
Power ............................................................................................... 24
Change Management ....................................................................... 24
IV.B Communications ............................................................................ 25
V BUSINESS CONTINUITY PLAN ..................................................... 26
V.A Event Management ......................................................................... 27
V.B Continuity and Recovery ............................................................... 28
V.C Facilities and Infrastructure .......................................................... 29
Data Center Recovery Alternatives .................................................. 29
Branch Relocation ............................................................................ 30
V.D Payment Systems........................................................................... 31
V.E Liquidity Considerations ............................................................... 31
V.F Other Components ......................................................................... 31
Incident Response............................................................................ 32
November 2019 i
Disaster Recovery ............................................................................ 33
Crisis or Emergency Management ................................................... 34
VI TRAINING ........................................................................................ 35
VII EXERCISES AND TESTS ............................................................... 37
VII.A Exercise and Test Program ........................................................... 38
VII.B Exercise and Test Policy ............................................................... 39
VII.C Exercise and Test Strategies......................................................... 39
VII.D Exercise and Test Objectives ........................................................ 40
VII.E Exercise and Test Plans ................................................................ 40
VII.F Exercise and Test Scenarios ......................................................... 41
VII.G Exercise and Test Methods ........................................................... 42
Full-Scale Exercise........................................................................... 42
Limited-Scale Exercise ..................................................................... 43
Tabletop Exercise............................................................................. 43
Tests ................................................................................................ 44
VII.H Industry Exercises and Resilience ............................................... 44
VII.I Third-Party Service Provider Testing ........................................... 45
VII.J Testing for Core and Significant Firms ........................................ 45
VII.K Post-Exercise and Post-Test Actions ........................................... 46
VIII MAINTENANCE AND IMPROVEMENT .......................................... 47
IX BOARD REPORTING ...................................................................... 49
APPENDIX A: EXAMINATION PROCEDURES ...................................................... 50
APPENDIX B: GLOSSARY ..................................................................................... 70
APPENDIX C: ABBREVIATIONS............................................................................ 77
APPENDIX D: REFERENCES ................................................................................. 78
Introduction
The “Business Continuity Management” (BCM) booklet is one in a series of booklets that
comprise the Federal Financial Institutions Examination Council (FFIEC) 1 Information
Technology Examination Handbook (IT Handbook). The IT Handbook is prepared for use by
examiners. 2 With the publication of this booklet, the FFIEC member agencies replace the
“Business Continuity Planning” booklet issued in February 2015. The change from business
continuity planning to business continuity management reflects the changes in customer and
industry expectations for the resilience of operations.
The BCM booklet describes principles and practices for IT and operations for safety and
soundness, consumer financial protection, and compliance with applicable laws and regulations.
The BCM booklet also outlines BCM principles to help examiners evaluate how management
addresses risk related to the availability of critical financial products and services. This booklet
discusses BCM governance and its related components, including resilience strategies and plan
development; training and awareness; exercises and tests; maintenance and improvement; and
reporting for all levels of management, including the board of directors.
The focus of this revised booklet is on enterprise-wide, process-oriented approaches that
consider technology, business operations, testing, and communication strategies critical to the
continuity of the entire entity. However, business continuity should not be focused only on the
planning process to recover operations after an event, but rather it should include the continued
maintenance of systems and controls for the resilience of operations. Business continuity should
be incorporated into the risk management life cycle of all systems, processes, and operations of
an entity.
For IT Handbook purposes, the term “entities” includes depository financial institutions, 3
nonbank financial institutions, 4 bank holding companies, 5 and third-party service providers. 6
1 The FFIEC was established on March 10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate Control Act of 1978, Pub. L. 95-630. The FFIEC members include the Board of Governors of the Federal Reserve System (FRB), the Consumer Financial Protection Bureau (CFPB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the State Liaison Committee (SLC).
2 Each FFIEC member agency may use the principles outlined in this booklet, consistent with the member agency's supervisory authority.
3 The term "depository financial institution" includes national banks, federal savings associations, state savings associations, state member banks, state nonmember banks, and credit unions.
4 The term "nonbank financial institution" includes non-depository financial institutions under CFPB's jurisdiction and subject to CFPB supervision and examination.
5 The term "bank holding company" includes any company which has control over any bank or over any company that is or becomes a bank holding company as defined by the Bank Holding Company Act.
6 The term "third-party service providers" includes those entities that provide banking services subject to examination under the Bank Service Company Act, the Home Owners Loan Act of 1933, the Dodd-Frank Wall Street Reform and Consumer Protection Act, or other relevant law.