Federal Regulatory Guidance Gets Business Continuity Update

Last week, the Federal Financial Institutions Examination Council (FFIEC) released its first update to business continuity regulations for U.S. financial institutions in five years.

Made up of representatives from the six major U.S. financial regulatory bodies, the FFIEC provides frequent guidance to financial institutions, examiners and technology service providers on business and technology practices to minimize risk to investors and institution customers.

This newest guidance updates the Business Continuity Planning Booklet last issued by the FFIEC in March 2003.

The most visible change to the guidance is the requirement that all financial institutions have a disaster plan in place should a pandemic of any sort break out. The latest release includes vital information for financial organizations condensed from the FFIEC's December 2007 Interagency Statement on Pandemic Planning. Included are minimum practices and procedures meant to address pandemic preparedness.

The FFIEC also advises institutions under its purview that other amendments center around business impact analysis and testing requirements. The revision also discusses emerging threats and lessons learned by business continuity managers during recent disasters such as Hurricanes Katrina and Rita.

According to a study released by Symantec in October 2007, more than 77 percent of enterprise CEOs fail to take part in disaster recovery committees.

The changes could also be considered a wake-up call to leadership at institutions that depend on a patchwork of siloed services, inside and outsourced, to make up their overall business continuity strategy.

This latest iteration of the FFIEC guidance emphasizes the need for board and executive leadership to maintain an enterprise-wide business continuity approach across an organization. It also firmly places responsibility on institution leadership to closely oversee business continuity planning even if systems are provided by a third-party service provider.

The goal, states the guidance, is to ensure that financial institutions are embedding business continuity throughout the business framework and not just within IT.

"Because financial institutions play a crucial role in the overall economy, disruptions in service should be minimized in order to maintain public trust and confidence in the financial system," the new guidance states. "As such, financial institution management should incorporate business continuity considerations into the overall design of their business model to proactively mitigate the risk of service disruptions."