On Wednesday, November 19th, 2019, the Federal Financial Institutions Examination Council (FFIEC) released a new Business Continuity Management examination booklet which provides updated guidance for examiners to audit Business Continuity programs for financial institutions. While this provides guidance, all financial institutions and critical vendors of financial institutions should carefully read through the new examination booklet and consider how your institution may improve to meet the new guidance.
It is only a matter of time before banking regulators, auditors, or third party reviewers enters your office to audit your program against the new guidance. Check out these four areas you can improve on right now to meet the new FFIEC guidance:
1. Bye-bye continuity plans, hello business continuity management.
The days of impressing an auditor by sliding a big binder of continuity plans across the table are over. Now, like ISO 22301, key questions will be raised about how you are maintaining a healthy Business Continuity Management Program. Similar to ISO 22301, you will need to demonstrate that leadership is aware of both compliance and risk, scorecards are regularly communicated to all responsible for continuity efforts, and risks are being measured and closed. Leadership and examiners will look for evidence of two simple questions, “how are you doing?” measuring compliance, and “where are the risks?” measuring resiliency preparedness.
2. Report to Enterprise Risk Management
Since the dawn of examining Business Continuity, the FFIEC has and continues to classify Business Continuity under Information Technology, or “IT.” As we all know, Business Continuity is much more that “IT.” The FFIEC has now made the biggest and boldest statement to date by stating that Business Continuity Management should report into Enterprise Risk Management. Furthermore, on Page 7 of the handbook, it specifically illustrates this. While many still have Business Continuity and Disaster Recovery reporting into IT, it is time to change. The perception with IT managing risk is “the fox watching the henhouse.” Reporting into Enterprise Risk ensures that your organization can operate in the context of mitigating risks. If you are to re-organize under Enterprise Risk, you too must become governance and risk managers and empower those that are required for recovery and resiliency tasks execute the work that you require of them.
3. Time to get serious about Third Party preparedness
Third parties are essential to a financial institution’s success and the FFIEC is recommending examiners look at this even closer. The FFIEC has greatly increased the content outlining the importance of third-party vendors as a critical piece of the banking and financial institutions. Keep in mind, if a third-party isn’t prepared to restore key services that impact customers in a timely way, the parent bank may be the one fined, not the Vendor. Assessing a vendor’s continuity plan must go beyond taking the vendor at face value that it’s adequately prepared. It also must go beyond the stock questions that hired auditors may ask. Determining a key supplier’s business continuity program requires expertise—BC and DR specialists who will pose the detailed questions and verify the answers. Your business must be aware and receive reports on how prepared their critical vendors are so they can support your processes. If the answer is “I don’t know,” it is time to raise this to your new leader in Enterprise Risk to ensure that your vendor management team and you get the answer.
4. Table-top exercises, Thank You, Next
The FFIEC has expanded guidance on exercises to 10, yes, 10 full pages of what is expected to ensure financial institutions are prepared. While table-top exercises, where we sit around and talk through our plans, are good to start or act as a quick education session for executives, the FFIEC is clearly expecting much more. It’s time for you to cast an integrated vision of your organization’s strategic plan that includes third-parties and industry-wide testing. We are all sensitive to business priorities and reducing time to exercise for an event that may never occur. However, the FFIEC is providing guidance to examiners to ensure that the financial institution has fully exercised its capabilities to recover.
Do you feel you are prepared for an examination based on the FFIEC guidance?
We are assisting our Financial Industry customers by helping them mature their Continuity Program to meet the new FFIEC guidance. Continuity Logic’s CL360 solution anticipates the future for FFIEC and Global Banking regulations. If you would like to know more about how our software and services can help you, contact us at firstname.lastname@example.org.
By Philip Bigge
SVP Customer Solutions
Continuity Logic LLC