Posts - Integrating the
Model in the Real

1/13/09: Audit & Risk - Seeing the Forest from the Trees

9/4/08: Security ROI

6/28/08: Boise: A
Terrorist Target?

5/10/01: FFIEC Business
Continuity Planning

4/3/08: SOX 404 Audits

Home>Real World>FFIEC BCP

FFIEC IT Examination Handbook on
Business Continuity Planning

As noted elsewhere on this site, the FFIEC's IT Handbook on Business Continuity Planning (updated March, 2008) is an excellent, comprehensive document - an all encompassing cookbook for how to create a business continuity plan. However, its broad scope and extensive detail present a significant challenge. How can a US financial institution develop a practical and efficient Business Continuity Planning (BCP) program that is tailored to its specific risk profile, while still meeting the extensive Handbook criteria? The temptation for policy writers is to take the source document and convert it to a policy, section for section, requirement for requirement. If the Handbook states that the first step in the BCP process is performing a Business Impact Assessment, guess what will be the first section in the financial institution's BCP Policy. This approach tends to lead to a policy environment where the focus is more on compliance than on risk. The more productive approach would be for the business to establish its criteria for addressing risk and then incorporate the regulatory compliance requirements into that criteria.

This is where the Simple Risk Model adds value by guiding the business through the process of determining how to effectively implement the requirements into the business' overall approach to risk. As an example, the following compares the major provisions in the Handbook to the approach used in the Simple Risk Model:

FFIEC BCP Handbook
Simple Risk Model
Board of Directors - It is the responsibility of an institution’s board and senior management to ensure that the institution identifies, assesses, prioritizes, manages, and controls risks as part of the business continuity planning process. The Simple Risk Model provides a consistent enterprise-wide approach to identifying, assessing, prioritizing, and reporting risk. As an example, refer to the automated spreadsheet that demonstrates how the Model can be leveraged as an assessment and reporting tool.
BIA - The first step in the BCP process is to conduct a Business Impact Assessment that includes the assessment and prioritization of those business functions and processes that must be recovered. This is primarily the Cost or Impact portion of the Model where the Financial Exposure of the major business processes are assessed and (using an approach as suggested in the spreadsheet) prioritized.
  • Then identify the potential impact of uncontrolled, non-specific events on these business functions and processes.
The Model identifies the Impact of "non-specific events" through the identification of potential losses (Financial Exposure) and integrating the Scope ( Confidentiality, Integrity and Availability) and Type (financial, contract, regulatory, reputation, etc.) of those losses.
  • At the same time, management should never ignore potential risks that are evident in the institution’s particular area. For example, financial institutions may be located in flood-prone areas, near fault lines, or by areas subject to tornados or hurricanes.
As part of the business high level risk assessment, the spreadsheet asks management to identify specific types of External Events that will effect the location assessed along with an estimate of the potential for occurrance over a one year period and the expected losses from such event.
  • In addition to identifying the impact of non-specific events on business functions and processes, the BIA should also consider the impact of legal and regulatory requirements.
These requirements are included as Types of losses within the Impact assessment.
  • The BIA should also estimate the maximum allowable downtime for critical business functions and processes and the acceptable level of losses (data, operations, financial, reputation, and market share) associated with this estimated downtime.
The spreadsheet includes a component that categorizes the potential losses based on the amount of time that the process is unavailable broken down by the Type of losses.
  • When determining a financial institution's critical needs, all functions, processes, and personnel should be analyzed.
This section of the Handbook (page 10) contains an exhaustive (potentially exhausting) set of questions that should be considered. While the Model can not directly answer the questions, it does add perspective. These Handbook questions are actually not part of the Impact portion of the risk equation. They belong in the Vulnerability section as Control issues. Without the Model a business can easily confuse Impact with Controls and apply the Handbook questions at the wrong point of the process.
Risk Assessment - The Risk Assessment is the second step in the business continuity planning process. It should include: There is a potential for significant confusion at this point. How can this step be the "Risk Assessment" when the BIA also assessed risk? The Model minimizes this dilemma by showing that "Risk Assessment" as used by the FFIEC actually refers to the Vulnerability and Threat portion of the risk equation.
  • Evaluating the BIA assumptions using various threat scenarios;
Refer to the spreadsheet for an example of how to approach BCP scenarios (see the Scenarios tab). The Model devotes a specific set of questions to assessing the External Threats in the BCP process. Developing good Threat Scenarios is an art and extremely complicated. The Model approaches this area by focusing on a narrow set of questions in order to minimize confusion and facilitate the process.
  • Analyzing threats based upon the impact to the institution, its customers, and the financial market it serves;
This requirement is far more complex than the Handbook implies. It is relatively easy to assess the importance of a business process or the level of risk from a threat. However, integrating the two can prove daunting. What if there is a high potential for a fire in a datacenter, the datacenter has no fire supression system and the business has determined that it can live with a month long outage of the processes supported by the datcenter? Should the business put in a sprinkler system? There needs to be a function which ties the consequences of a specific Threat and Vulnerability back to the Impact of a process. The spreadsheet provides a solution by identifying the effect of the Threat/Vulnerability (the potential time period for loss of Availability due to fire) and comparing it to the business' assessment of the Impact.
  • Prioritizing potential business disruptions based upon their severity, which is determined by their impact on operations and the probability of occurrence; and
The spreadsheet yields a High/Medium/Low rating for each Vulnerability, Threat and Impact. As part of this process the business inputs a "probability" value (number of times per year the event is expected to occur) along with an estimate of the potential loss per event.
  • Performing a “gap analysis” that compares the existing BCP to the policies and procedures that should be implemented based on prioritized disruptions identified and their resulting impact on the institution.
The High/Medium/Low ratings are rolled up into an overall Risk rating. The rating is a guide to identifying and prioritizing the key controls and deficiencies for the business and to where control resources should be focused.
Risk Management - the third step in the business continuity
planning process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through the development, implementation, and maintenance of a written, enterprise-wide BCP.
This is the step where the business must decide on how to structure the BCP Policy. The temptation is to just regurgitate the Handbook provisions and be done with it. The better approach is to use the Policy to identify the critical availability risks in the corporation and the controls that can be best utilized to mitigate the risks. The Model is an excellent guide for this decision making process. For example, every BCP should have an emergency call tree that is updated and tested periodically. But how should the Policy approach call trees? How critical are they (i.e. how much resources should be dedicated to them, how frequently should they be tested, etc.)? The Model provides a guide by assessing their value as a Control in mitigating the level of Risk in a process - leading to a prioritization of resources required under a policy.
Risk Monitoring and Testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable. One of the major problems in maintaining a risk management program, whether it be for BCP, Information Security or any other area of Operational Risk, is that once the program is in place people tend to consume most of their time on testing. There needs to be a means of keeping the testing and monitoring portion in perspective and ensuring that assessments and control evaluations are continuosly re-examined. A good place to start is the Operational Risk Framework that is part of the Model. The framework focuses on four stages of the risk management process - Assess, Control, Monitor and Respond. The Framework is based on the concept of continuous process improvement to facilitate the "cyclical" process in the Handbook.

Other Policies, Standards, and Processes within the organization should be integrated into the business continuity planning process including Security Standards; Project Management; Change Control Policies; Data Synchronization Procedures; Crises Management; Incident Response; Remote Access; Employee Training; Notification Standards; Insurance; and Government and Community.

The Model emphasizes that BCP, Information Security and the other areas mentioned to the left are all part of Operational Risk and need to be treated as part of a greater whole, instead of independent, unrelated disciplines. This approach leads to a more efficient risk management process where each of the disciplines is effciently leveraged to yeild an overall assessment and approach to risk.