FFIEC Releases Updated Business Continuity Management Booklet
A few weeks ago, the FFIEC released an updated version of its Business Continuity Management booklet, which is one of the eleven booklets that make up the FFIEC’s IT Examination Handbook.
Plan vs. Management
One major change is the name of the booklet. The 2015 booklet was titled “Business Continuity Planning” versus the updated version titled “Business Continuity Management.” The introduction to the booklet states that this change reflects the changes in customer and industry expectations for the resilience of operations.
The previous booklet discussed the importance of effective business continuity planning and an adequate planning process. Rather than conceptualizing business continuity as discrete planning process to address a potential future threat, the current booklet approaches business continuity management as the ongoing management to maintain resiliency.
The Definition of Resiliency
Going hand-in-hand with the focus on ongoing management, the Business Continuity Management (BCM) booklet also contains the updated definition of “resilience” adopted by NIST a couple years ago. This updated definition reflects the focus on adapting to conditions in the moment and withstanding and recovering from disruptions, rather than just on planning for disruptions. Below is a redline of the definition:
While the old Business Continuity Planning booklet did reference resilience, the concept really takes center stage as the end-goal for BCM processes and examination under the updated booklet.
New Process Detail
The 2015 booklet included a four step process for business continuity planning:
1. Business impact analysis;
2. Risk assessment;
3. Risk management;
4. Risk monitoring and testing.
The booklet indicated that while the process was reflected as four steps, the process should actually be a “continuous cycle that should evolve over time,” and include each critical business function and technology that supports it.
In the updated booklet, the FFIEC moved away from the simple four steps and elaborated on this continuous cycle:
The booklet describes principles and practices for managing business continuity and provides examiners with updated procedures for assessing resilience through an enterprise risk management perspective; however, the FFIEC also indicated that these changes do not actually impose any new requirements for credit unions. It merely provides better, more in-depth guidance for credit unions and examiners about effective BCM programs.