
Page 1: Jim Devlin, Comptroller of the Currency

September 11, 2008, American Bankers Association Offices

Business Continuity Planning / Regulatory Relief Working Group

Page 2: FFIEC Information Technology Examination Handbook

080911

12 Booklets in Series:
Audit
Business Continuity Planning
Development and Acquisition
E-Banking
FedLine
Information Security
Management
Operations
Outsourcing Technology Services
Retail Payment Systems
Supervision of TSPs
Wholesale Payment Systems

Member agencies: FDIC, FRB, NCUA, OCC, OTS

Guidance and Examination Procedures for Examiners, Financial Institutions, and Technology Service Providers

Page 3: FFIEC BCP Booklet Revision

The "FFIEC InfoBase" concept was developed by the Task Force on Examiner Education to provide field examiners in financial institution regulatory agencies with a quick source of introductory training and basic information. The long-term goal of the InfoBase is to provide just-in-time training for new regulations and for other topics of specific concern to examiners in FFIEC's five member agencies.

http://www.ffiec.gov/ffiecinfobase/index.html

Page 4: FFIEC BCP Booklet Revision

The new edition rescinds and replaces the previous Business Continuity Planning Booklet, issued in March 2003.

The BCP booklet was revised to reflect technological and regulatory changes, with a focus on management's responsibilities for oversight of the continuity planning process for business operations.

While significant revisions were made, the focus remains an enterprise-wide, process-oriented approach that considers the technology, business operations, testing, and communication strategies critical to business continuity planning for the entire business, not just the information technology department.


Page 6: FFIEC BCP Booklet Revision

Focus: Enterprise-wide, process-oriented BCP

Risk Monitoring and Testing
BIA and Risk Assessment
Roles and Responsibilities
Business Continuity Testing Life Cycle
In-house versus Serviced Testing
Appendix: Testing Program – Governance and Attributes
Critical Infrastructure Expectations

Appendix: BIA Process

Lessons Learned from Hurricanes Katrina / Rita
Crisis Management
Incident Response
Remote Access
Communication Notification Standards
Internal and External Threats

Appendix: Pandemic Planning

Appendix: Interdependencies

Appendix: Examination Procedures

Page 7: FFIEC BCP Booklet Revision

Risk Monitoring and Testing
Principles of Business Continuity Testing Program

BIA and Risk Assessment
Roles and responsibilities
Business Continuity Testing Life Cycle: policy, strategies, planning, plan review, methods, execution and documentation, evaluation, assessment, reporting results, updating the plan

In-house versus Serviced Testing Activities:
Understand provider's capabilities
Assess provider's recovery capabilities
Participate in recovery testing activities
Review provider's capabilities at least annually

Page 8: FFIEC BCP Booklet Revision

Risk Monitoring and Testing (continued)

New Appendix H: Testing Program – Governance and Attributes
Governance
Testing Strategy
Test Planning

Critical Infrastructure Considerations / Expectations
Testing criteria for "Core" and "Significant" firms are now consistent with the Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System.

Page 9: FFIEC BCP Booklet Revision

Business Impact Analysis Process (Appendix F)

Resulted from a recommendation by small and medium-sized institutions for additional examples

Business Impact Analysis Goals

Cyclical Steps in the Process:
1. Gathering information
2. Performing a vulnerability assessment
3. Analyzing the information
4. Documenting the results / Presenting the recommendation


Page 11: FFIEC BCP Booklet Revision

Lessons Learned: Hurricanes Katrina / Rita
Other Policies, Standards and Processes

Crisis Management
Incident Response
Remote Access
Notification Standards

Internal and External Threats (Appendix C)
Customers
Employees
Electronic Payment Systems
Affiliates, vendors and service providers

Interdependencies (Appendix E)

Page 12: FFIEC BCP Booklet Revision

Interdependencies (Appendix E)
Telecommunication systems
Liquidity needs
Vendor due diligence
Internal systems and business processes

Page 13: FFIEC BCP Booklet Revision

Examination Procedures (Appendix A)

Revised to address:
Expanded Risk Monitoring and Testing
New Pandemic Planning

Tier 1 versus Tier 2 objectives

Designed to assist Examiners
Not intended as an Audit Guide
Use will differ by Agency


Page 15: FFIEC BCP Booklet Revision

Pandemic Planning (Appendix D)
Continues the enterprise-wide concept
Identical to FFIEC December 2007 Guidance

Five critical elements that each plan should address:
1. Preventive program
2. Documented response strategy
3. Comprehensive framework to continue critical operations
4. Testing program
5. Oversight program


Page 17: Private Sector / Public Sector Regulatory Clarity Discussions

Follow-Up to Roundtable on Pandemic Planning
Focused on Banking Sector Regulatory Relief

Initial Meeting - March 26, 2008
1. Regulatory Relief vs. Regulatory Clarity
2. Public Sector Regulatory Relief Abilities
3. Private Sector Regulatory Relief Expectations
4. Agreement on Action / Follow-Up Items:
   Discussion of FFIEC Agency Pandemic Plans
   Development of a prioritized list of anticipated regulatory relief needs
   Consideration of the issuance of an FFIEC document based on existing OTS and FFIEC documents

Page 18: Private Sector / Public Sector Regulatory Clarity Discussions

Follow-Up Meeting - May 21, 2008
1. Discussion of Agency Pandemic Plans
2. Discussion of FFIEC "Pandemic Protocols"
3. Agreement on Action / Follow-Up Items:
   + 2-4 weeks: Development of a prioritized list of anticipated regulatory relief needs
   + 3-6 weeks: Consideration of the issuance of an FFIEC document based on existing OTS and FFIEC documents

And then came summer, and the West Coast fires and the Midwest floods ... ;-)

Page 19: FFIEC BCP Booklet Revision

080722

Jim Devlin, Special Advisor for Operational Risk
(202) 874-5013 / (202) 359-6590 (cell)
[email protected]

Gracias! Obrigado! Merci! Danke! Thank You!