The FFIEC Gives the BCP Booklet a Facelift

From BCP to BCM

The Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook (IT Handbook) is comprised of several IT booklets for use by examiners. In November of 2019, the FFIEC member agencies replaced the dated “Business Continuity Planning” (BCP) booklet that was issued in February 2015, with the “Business Continuity Management” (BCM) booklet.

There are so many terms and acronyms like BCP, DR, BIA, BCM, Incident Response, and Crisis Management that it becomes confusing. What do these terms mean, and how do they fit together in an organization?

An incident is an unplanned security threat event that potentially jeopardizes the confidentiality, integrity, or availability of a critical system or systems. An Incident Response Plan (IRP) is the document that captures the steps an organization executes to minimize the threat. The organization accomplishes this by isolating and eradicating the threat in a secure, timely fashion. Often when an organization experiences an incident, it results in the isolation of a critical system rendering it unavailable and thus invokes business continuity activities.

Disaster Recovery (DR) is the Information Technology aspect of recovery, i.e. system(s) recovery. As such, it is a subset of a Business Continuity Plan (BCP) that includes people, process, and the DR piece which encompasses technology.

To build the BCP document itself, the organization first needs to perform a Business Impact Analysis (BIA). As the name implies, the organization essentially analyzes critical business functions and determines the impact they have on the business when there is an interruption of normal processing. This analysis will identify crucial information, including the most critical functions of an organization, and the impact / cost they have if they are unavailable over time.

Crisis Management is the process for managing an unplanned system or function availability issue and / or the process for managing a security incident, in other words, a BCP or IR crisis / incident.

What is BCM?

There have been a number of changes in all industries as it relates to Business Continuity and Availability, as well as a significant increase in cyber threats. The shift has been one from planning, plan development, and testing, to more of an ongoing, holistic Business Continuity Management approach to be included in an organization’s ongoing Risk Management Program. In a nutshell, that is what BCM is. BCM Governance is Senior Management and Board oversight of the BCM. It is still a “tone at the top” approach where the Board of Directors sets the direction for the institution. This is achieved primarily through policies, procedures. Through the management team these directives are carried out.

Per the FFIEC BCM IT Booklet;

“BCM is the process for management to oversee and implement resilience, continuity, and response capabilities to safeguard employees, customers, and products and services. Disruptions such as cyber events, natural disasters, or man-made events can interrupt an entity’s operations and can have a broader impact on the financial sector. Resilience incorporates proactive measures to mitigate disruptive events and evaluate an entity’s recovery capabilities. An entity’s BCM program should align with its strategic goals and objectives. Management should consider an entity’s role within and impact on the overall financial services sector when it develops a BCM program.”

In Summary

• The BCM booklet defines the practices for IT and operations for safety and soundness, consumer protection, and compliance with laws and regulations
• The BCM booklet outlines the key elements of BCM to help examiners evaluate how management addresses risk related to the availability of critical functions / systems
• BCM includes training and awareness; exercises and tests; maintenance and improvement; and reporting for all levels of management, including the board of directors
• The focus of this updated BCM booklet is an enterprise-wide, process-oriented approach that considers information technology, operations, testing, and communication strategies critical to the continuity of an organization
• Business continuity should be incorporated into the risk management life cycle of all systems, processes, and operations of an organization

The recent changes to the FFIEC “Business Continuity Management” (BCM) booklet hold significance for financial institutions across the United States. Please contact us if you'd like to further discuss the implications of these changes for your organization!