Jim Devlin Comptroller of the Currency

• 1.Jim Devlin Comptroller of the Currency September 11, 2008 American Bankers Association Offices Business Continuity Planning / Regulatory Relief Working Group

2. FFIEC Information Technology Examination Handbook

• Audit

• Business Continuity Planning

• Development and Acquisition

• E-Banking

• Fed Line

• Information Security

080911

• Management

• Operations

• Outsourcing Technology Services

• Retail Payment Systems

• Supervision of TSPs

• Wholesale Payment Systems

• FDIC, FRB, NCUA, OCC, OTS

• Guidance and Examination Procedures

• • • • • Examiners

• • • • • Financial Institutions

• • • • • Technology Service Providers

• 12 Booklets in Series

3. The "FFIEC InfoBase" concept was developed by the Task Force on Examiner Education to provide field examiners in financial institution regulatory agencies with a quick source of introductory training and basic information. The long-term goal of the InfoBase is to provide just-in-time training for new regulations and for other topics of specific concern to examiners in FFIEC's five member agencies. 080911 FFIEC BCP Booklet Revision http://www.ffiec.gov/ffiecinfobase/index.html 4. 080911 FFIEC BCP Booklet Revision The new edition rescinds and replaces the previous Business Continuity Planning Booklet issued in March 2003. The BCP booklet was revised to reflect technological and regulatory changes with a focus on managements responsibilities regarding oversight of the continuity planning process for business operations.While significant revisions were made,the focus continues to be based on an enterprise-wide, process-oriented approach that considers:technology, business operations, testing, and communication strategies that are critical to business continuity planning for the entire business,instead of justthe information technology department. 5. 6. FFIEC BCP Booklet Revision 080911

• Risk Monitoring and Testing

• • BIA and Risk Assessment

• • Roles and Responsibilities

• • Business Continuity Testing Life Cycle

• • In-house versus Serviced Testing

• • Appendix:Testing Program

• • Governance and Attributes

• • Critical Infrastructure Expectations

• Appendix:BIA Process

• Lessons Learned from Hurricanes Katrina / Rita

• • Crisis Management

• • Incident Response

• • Remote Access

• • Communication Notification Standards

• • Internal and External Threats

• • Appendix:Pandemic Planning

• • Appendix:Interdependencies

Focus:Enterprise-wide ,process-orientedBCP Appendix:Examination Procedures 7. FFIEC BCP Booklet Revision 080911

• Risk Monitoring and Testing

• • • Principles of Business Continuity Testing Program

• • • • BIA and Risk Assessment

• • • • Roles and responsibilities

• • • • Business Continuity Testing Life Cycle policy, strategies, planning, plan review, methods, execution and documentation, evaluation, assessment, reporting results, updating the plan

• • • In-house versus Serviced Testing Activities

• • • • Understand providers capabilities

• • • • Assess providers recovery capabilities

• • • • Participate in recovery testing activities

• • • • Review providers capabilities at least annually

8. FFIEC BCP Booklet Revision 080911

• Risk Monitoring and Testing(continued)

• • • New Appendix:

• • • H: Testing Program Governance and Attributes

• • • Governance

• • • Testing Strategy

• • • Test Planning

• • • Critical Infrastructure Considerations / Expectations

• • • Testing criteria for Core and Significant firms are now consistent with theInteragency Paper on Sound Practices to Strengthen the Resilience of the US Financial System .

9. 080911 FFIEC BCP Booklet Revision

• Business Impact Analysis Process (Appendix F)

• • • Resulted from recommendation from small-medium institutions for additional examples

• • • Business Impact Analysis Goals

• • • Cyclical Steps in the Process

• • • • Gathering information

• • • • Performing a vulnerability assessment

• • • • Analyzing the information

• • • • Documenting the results / Presenting the recommendation

10. 11. FFIEC BCP Booklet Revision 080911

• Lessons Learned: Hurricanes Katrina / Rita

• • • Other Policies, Standards and Process

• • • • Crisis Management

• • • • Incident response

• • • • Remote Access

• • • • Notification Standards

• • • Internal and External Threats (Appendix C)

• • • • Customers

• • • • Employees

• • • • Electronic Payment Systems

• • • • Affiliates, vendors and service providers

• • • Interdependencies(Appendix E)

12. 080911 FFIEC BCP Booklet Revision

• Interdependencies (Appendix E)

• • • Telecommunication systems

• • • Liquidity needs

• • • Vendor due diligence

• • • Internal systems and business processes

13. 080911 FFIEC BCP Booklet Revision

• Examination Procedures (Appendix A)

• • • Revised to address

• • • • • ExpandedRisk Monitoring and Testing

• • • • • NewPandemic Planning

• • • Tier 1 versus Tier 2 objectives

• • • Designed to assist Examiners

• • • Not intended as an Audit Guide

• • • Use will differ by Agency

14. 15. FFIEC BCP Booklet Revision 080911

• Pandemic Planning (Appendix D)

• • • Continues Enterprise-wide concept

• • • Identicalto FFIEC December 2007 Guidance

• • • Five critical elements that each plan should address:

• • • • Preventive program

• • • • Documented response strategy

• • • • Comprehensive framework to continue critical operations

• • • • Testing program

• • • • Oversight program

16. 17. Private Sector / Public Sector Regulatory Clarity Discussions 080911

• • • Follow-Up toRoundtable on Pandemic Planning

• • • Focused on Banking Sector Regulatory Relief