On November 14, 2019, the Federal Financial Institutions Examination Council (FFIEC) released an updated Business Continuity Management (BCM) booklet, as part of their IT Examination Handbook. This update appears to be a restructuring of the document to make it more organized, shorter, and better focused on the importance of recovery planning. At this time, we do not believe there are any significant changes in regulatory expectations.
History of the Booklet
The first FFIEC booklet about business continuity was published in March 2003. The booklet was titled "Business Continuity Planning" and focused on foundational elements of the business continuity planning process (e.g., business impact analysis; risk management; policies, standards, and processes; risk monitoring; etc.).
In March 2008, an updated version of the booklet was published. While some updates were made to the contents of the booklet, the heart of the update could be found in the appendices, with new appendices for "Pandemic Planning," the "Business Impact Analysis Process," and the "Testing Program."
It was not until February 2015 that another version of the booklet would be released. The update came to be known as "Appendix J: Strengthening the Resilience of Outsourced Technology Services" and was the first guidance published by the FFIEC to directly join the concepts of business continuity and third-party oversight.
November 2019 Update Details
While previous updates to the booklet were primarily comprised of supplemental appendices to the existing content, the November 2019 update appears to be a restructuring of the document.
Beyond the change in the booklet's title, perhaps one of the most noticeable changes was in the booklet's page count, which decreased from 135 pages to 85 pages. This change is in large part due to the incorporation of Appendices C-J into the various applicable sections of the booklet itself.
For example, rather than relegating third-party service provider considerations into an appendix at the end, examples of incorporating third parties into the business continuity function now exist throughout the booklet (e.g., Section IV.A.5, VII.I, etc.). In addition, per the FFIEC's Press Release, this updated booklet is an opportunity to encourage examiners to consider how other regulated entities, including third parties, "have prepared their operations to avoid disruptions and recover services."
Foundational elements of the booklet remain very similar to previous versions, such as business impact analysis and risk management. Other elements appear to be renamed but contain similar concepts. For example, the "Board and Senior Management Responsibilities" section is now titled "Business Continuity Management Governance."
Nevertheless, it appears the core purpose of the updated booklet is to clarify intent and extend the reach of business continuity "planning" into the realm of recovery of operations following an event. The booklet does this through an emphasis on things like resilience, exercises and testing, and improved communications.
For more information about the updated booklet, visit:
- FFIEC Press Release
- FFIEC Business Continuity Management Booklet
- Previous Versions of the Booklet: