Federal Regulatory Guidance Gets Business Continuity Update

The Federal Financial Institutions Examination Council updates guidelines for disaster recovery preparedness and looks beyond IT for ensuring business continuity.

Last week, the Federal Financial Institutions Examination Council (FFIEC) released its first update to business continuity regulations for U.S. financial institutions in five years.

Made up of representatives from the six major U.S. financial regulatory bodies, the FFIEC provides frequent guidance to financial institutions, examiners and technology service providers on business and technology practices to minimize risk to investors and institution customers.

This newest guidance updates the Business Continuity Planning Booklet last issued by the FFIEC in March 2003.

The most visible change to the guidance is the requirement that all financial institutions have a disaster plan in place should a pandemic of any sort break out. The latest release includes vital information for financial organizations condensed from the FFIEC’s December 2007 Interagency Statement on Pandemic Planning. Included are minimum practices and procedures meant to address pandemic preparedness.

The FFIEC also advises institutions under its purview that other amendments center around business impact analysis and testing requirements. The revision also discusses emerging threats and lessons learned by business continuity managers during recent disasters such as Hurricanes Katrina and Rita.

According to a study released by Symantec in October 2007, more than 77 percent of enterprise CEOs fail to take part in disaster recovery committees.

The changes could also be considered a wake-up call to leadership at institutions that depend on a patchwork of siloed-inside and outsourced- services to make up its overall business continuity strategy.

This latest iteration of the FFIEC guidance emphasizes the need for board and executive leadership to maintain an enterprise-wide business continuity approach across an organization. It also firmly places responsibility on institution leadership to closely oversee business continuity planning even if systems are provided by a third-party service provider.

The goal, states the guidance, is to ensure that financial institutions are embedding business continuity throughout the business framework and not just within IT.

“Because financial institutions play a crucial role in the overall economy, disruptions in service should be minimized in order to maintain public trust and confidence in the financial system,” the new guidance states. “As such, financial institution management should incorporate business continuity considerations into the overall design of their business model to proactively mitigate the risk of service disruptions.”