FFIEC revises business continuity guidance

The Federal Financial Institutions Examination Council released an updated Business Continuity Planning Booklet recently, revising its suggestions for continuity of operations planning, and adding a new appendix to the booklet. The new appendix is titled "Strengthening the Resilience of Outsourced Technology Services," and focuses on the integration of technology services with continuity efforts for financial institutions, specifically with regard to reliance on third-party service providers.

"When a financial institution relies upon third parties to provide operational services, they also rely on those service providers to have sufficient recovery capabilities for the specific services they perform on behalf of the financial institution," the appendix reads. "In addition to providing systems and processing, technology service providers may also be retained by a financial institution to provide information technology recovery capabilities for the financial institution's internal systems."

The update goes on to state that effective business continuity planning requires a financial institution not only to recover its IT systems, but also to return to normal operations within an established recovery time objective, regardless of whether these processes are in-house or supported by a third-party service provider.

The revisions address four specific elements of business continuity planning for financial institutions:

  • Third-party management
  • Third-party capacity
  • Testing with third-party service providers
  • Cyber resilience

Ideally, any third-party service provider will ensure that the systems to identify, measure, monitor and mitigate the risks associated with outsourcing are in place for their clients. Firms should make sure to discuss these needs with any and all of their IT providers.

In order to optimize continuity planning, companies should consider investing in business continuity consultants who will make sure they are asking the tough questions and getting the answers and service they need in every aspect of operations, from IT to HR.