OCC Bulletin 2019-57 | November 14, 2019

FFIEC Information Technology Examination Handbook: Revised Business Continuity Management Booklet

To

Chief Executive Officers of All National Banks, Federal Savings Associations, and Federal Branches and Agencies; Technology Service Providers; Department and Division Heads; All Examining Personnel; and Other Interested Parties

Summary

The Federal Financial Institutions Examination Council (FFIEC) revised the "Business Continuity Management" booklet, one of a series of booklets that make up the FFIEC Information Technology Examination Handbook (IT Handbook). The revised "Business Continuity Management" booklet provides information for examiners to assess the adequacy of a bank's risk management related to the availability of critical financial products and services. The revised booklet replaces the "Business Continuity Planning" booklet issued in February 2015 and rescinds OCC Bulletin 2015-9, "FFIEC Information Technology Examination Handbook: Strengthening the Resilience of Outsourced Technology Services, New Appendix for Business Continuity Planning Booklet."

Note for Community Banks

This booklet applies to the OCC's supervision of all national banks and federal savings associations (collectively, banks). Community banks should maintain effective business resilience and continuity commensurate with their operational complexities.

Highlights

This booklet describes the following:

Principles and practices for information technology and operations for safety and soundness, consumer protection, and compliance with applicable laws and regulations.
Principles to help examiners determine whether management adequately manages risks related to the availability of critical financial products and services.
Business continuity management governance and its related components, including resilience strategies and plan development; training and awareness; exercises and tests; maintenance and improvement; and reporting to the board of directors.

Background

Business continuity management is the process for management to oversee and implement resilience, continuity, and response capabilities to safeguard employees, customers, and products and services. Disruptions such as cyber events, natural disasters, or man-made events can interrupt a bank's operations and can have a broader impact on the financial sector. The focus of business continuity management should be on more than just the planning process to recover operations after an event. It also should include the continued maintenance of systems and controls for the resilience and continuity of operations. Resilience incorporates proactive measures to mitigate disruptive events and evaluate a bank's recovery capabilities. A bank's business continuity management program should align with its strategic goals and objectives. The focus of this revised booklet is on enterprise-wide, process-oriented approaches that consider technology, business operations, testing, and communication strategies critical to the continuity of the entire business. Management should incorporate business continuity into the risk management life cycle of a bank's systems, processes, and operations.

Further Information

Please contact Kevin Greenfield, Director for Bank Information Technology, at (202) 649-6340.

Grovetta N. Gardineer
Senior Deputy Comptroller for Bank Supervision Policy