1. Moves emphasis away from business continuity planning (BCP) to business continuity management (BCM)
The 2015 FFIEC document spoke of systems recovery, whereas the new booklet emphasizes the continuity of operations throughout the overall entity: technology, operations, testing and communication, focusing on the “continued maintenance of systems and controls for the resilience of operations.”
2. Provides a repeatable process for identifying critical business functions
The new document provides a clear, repeatable process for identifying critical business functions and analyzing their interdependencies internally and externally (also known as “mapping”). It also says that entities should understand how a disruption of these functions could affect markets and the entity’s larger community.
3. Introduces the term “maximum tolerable downtime”
The FFIEC booklet directs entities to determine how much disruption they can tolerate—including data loss as well as downtime. It also clarifies how entities should establish their targets for post-cyber-event systems recovery and data restoration, advising organizations to be realistic: “Establishing realistic RTOs (recovery time objectives) assists management in determining a critical path and hierarchy for recovery. For example, a process with a shorter RTO that is dependent upon a process with a longer RTO may indicate a gap that should be analyzed further,” the document states. The concept appears similar to the BoE discussion paper’s “impact tolerances.”
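The dependency mapping of item 2 and the RTO/MTD reasoning of item 3 can be made mechanical. The following is an added example, not text or code from the FFIEC booklet or from any institution: a small map of business functions with constructed RTO and maximum-tolerable-downtime values and a hypothetical `external` flag for third-party services. It flags the booklet's "shorter RTO depends on longer RTO" gap, computes each function's effective (critical-path) recovery time, checks that time against the function's MTD, and produces a dependencies-first recovery order. All function names and numbers are invented for illustration.

```python
"""Added example: RTO/MTD consistency checks over a business-function dependency map.
Not from the FFIEC booklet; all names, hours and the `external` flag are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class BusinessFunction:
    name: str
    rto_hours: float                                # recovery time objective
    mtd_hours: float                                # maximum tolerable downtime
    deps: list[str] = field(default_factory=list)   # functions this one depends on
    external: bool = False                          # hypothetical: provided by a third party


# Constructed sample map (not real institution data).
SAMPLE_MAP = {
    f.name: f for f in [
        BusinessFunction("online_banking", 4, 8, ["core_ledger", "identity_provider"]),
        BusinessFunction("core_ledger", 12, 24, ["primary_datacenter"]),
        BusinessFunction("identity_provider", 2, 8, [], external=True),
        BusinessFunction("primary_datacenter", 8, 24, []),
        BusinessFunction("wire_transfers", 24, 48, ["core_ledger"]),
    ]
}


def find_rto_gaps(fmap: dict[str, BusinessFunction]) -> list[tuple[str, str, float, float]]:
    """Return (function, dependency, rto, dep_rto) wherever a function's RTO is
    shorter than the RTO of something it depends on: the gap the booklet says
    should be analysed further."""
    gaps = []
    for f in fmap.values():
        for d in f.deps:
            dep = fmap[d]
            if dep.rto_hours > f.rto_hours:
                gaps.append((f.name, d, f.rto_hours, dep.rto_hours))
    return gaps


def effective_rto(fmap: dict[str, BusinessFunction], name: str, _stack: tuple = ()) -> float:
    """Critical-path recovery time: a function cannot be restored before its
    slowest upstream dependency, so take the max over the whole chain.
    Raises ValueError on a dependency cycle (a mapping error worth surfacing)."""
    if name in _stack:
        raise ValueError(f"dependency cycle through {name}")
    f = fmap[name]
    upstream = [effective_rto(fmap, d, _stack + (name,)) for d in f.deps]
    return max([f.rto_hours] + upstream)


def mtd_violations(fmap: dict[str, BusinessFunction]) -> list[tuple[str, float, float]]:
    """Functions whose effective recovery time exceeds their maximum tolerable downtime,
    i.e. the stated RTO is unrealistic once dependencies are taken into account."""
    out = []
    for name, f in sorted(fmap.items()):
        eff = effective_rto(fmap, name)
        if eff > f.mtd_hours:
            out.append((name, eff, f.mtd_hours))
    return out


def recovery_order(fmap: dict[str, BusinessFunction]) -> list[str]:
    """Dependencies-first restoration sequence (a recovery hierarchy), built by a
    depth-first post-order walk; deterministic because names are visited sorted."""
    order: list[str] = []
    done: set[str] = set()

    def visit(n: str, stack: tuple = ()) -> None:
        if n in stack:
            raise ValueError(f"dependency cycle through {n}")
        if n in done:
            return
        for d in sorted(fmap[n].deps):
            visit(d, stack + (n,))
        done.add(n)
        order.append(n)

    for n in sorted(fmap):
        visit(n)
    return order


if __name__ == "__main__":
    for gap in find_rto_gaps(SAMPLE_MAP):
        print("RTO gap: %s (RTO %sh) depends on %s (RTO %sh)" % (gap[0], gap[2], gap[1], gap[3]))
    for name, eff, mtd in mtd_violations(SAMPLE_MAP):
        print("MTD exceeded: %s effective RTO %sh > MTD %sh" % (name, eff, mtd))
    print("Recovery order:", " -> ".join(recovery_order(SAMPLE_MAP)))
    print("External dependencies:", [n for n, f in SAMPLE_MAP.items() if f.external])
```

In the constructed data `online_banking` promises a 4-hour recovery but sits on `core_ledger` with a 12-hour RTO, so its effective recovery time is 12 hours, above its 8-hour MTD; that is exactly the "gap that should be analyzed further" the booklet describes, and it only becomes visible once the dependency map, not just the per-function RTO, is examined.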
4. Emphasizes need for more meaningful testing
Conducting tabletop exercises is no longer enough: the FFIEC guidance instructs examiners to also look for integrated tests of technology and business functions using multiple, complex and threat-intelligence-driven scenarios with event simulations.
5. Allows more flexibility in testing
While yearly testing of BCP/DR plans has long been the norm, the 2019 FFIEC booklet allows a multi-year testing schedule where appropriate—a change enabled in part by more robust testing. While high-priority business functions might still need annual testing, those deemed less critical could be tested every two or three years, for example. This change recognizes the burden that undifferentiated yearly testing can place on financial institutions, and lets them use periodic tests to build maturity over time.
6. Refers to entities, not just “financial institutions”
Again, this change is subtle, but the language of the FFIEC document now encompasses non-financial organizations such as cloud service providers, establishing that, if they provide services to financial institutions, they must follow the same rules.
7. Expands the role of Business Impact Analysis (BIA)
The new booklet expands the role of BIA from merely identifying risk to also maintaining business continuity with continuous systems monitoring, which can help to ensure that changes in business operations are always accounted for. It also calls for continually improving resilience processes by using metrics to analyze the effects of every disruption and to determine whether recovery objectives are reasonable.
8. Spells out resilience duties of management and boards
The new guidance is clear on the duties and functions of management and the board of directors. “The board and senior management should set the ‘tone at the top’ and consider the entity’s entire operations, including functions performed by affiliates and third-party service providers, when managing business continuity,” the document advises.