United States

FFIEC updates Business Continuity Planning Booklet


The Federal Financial Institutions Examination Council (FFIEC) updated the Business Continuity Planning Booklet (BCP Booklet) by adding a new Appendix J, titled Strengthening the Resilience of Outsourced Technology Services. The BCP Booklet is part of the FFIEC Information Technology Examination Handbook (IT Handbook) and is designed to provide guidance to financial institutions about implementing their business continuity planning process, as well as to assist examiners in evaluating financial institution's and service provider's risk management processes.

According to the appendix, even if financial institutions outsource technology services, it is still their responsibility to "ensure that outsourced activities are conducted in a safe and sound manner." Overseeing outsourced relationships is the responsibility of the institution's board of directors and senior management. An effective third-party management program "should provide the framework for management to identify, measure, monitor, and mitigate the risks associated with outsourcing." In addition to relying on the technology service providers (TSPs) to provide operational services, financial institutions also rely on TSPs to have the recovery capabilities necessary to recover IT systems and to return critical business functions to normal business operations after a disaster.

This resilience of technology is the focal point of Appendix J. The appendix discusses four key elements of business continuity planning that should be addressed when contracting with TSPs to ensure that they are strengthening the resilience of the institution's technology resources:

  • Third-party management emphasizes the financial institution management's responsibility to control the business continuity risks of its TSPs.
  • Third-party capacity highlights the possible impact of a major disruption on the TSP's ability to restore services to multiple clients.
  • Testing with third-party TSPs includes considerations for a robust testing program and addresses the importance of validating business continuity plans with TSPs.
  • Cyber resilience targets aspects of business continuity planning specific to disruptions that result from cyberevents.