Jim Devlin
Comptroller of the Currency
September 11, 2008
American Bankers Association Offices
Business Continuity Planning / Regulatory Relief Working Group
FFIEC Information Technology Examination Handbook
Audit
Business Continuity Planning
Development and Acquisition
E-Banking
Fed Line
Information Security
Management
Operations
Outsourcing Technology Services
Retail Payment Systems
Supervision of TSPs
Wholesale Payment Systems
FDIC, FRB, NCUA, OCC, OTS
Guidance and Examination Procedures
Examiners, Financial Institutions, Technology Service Providers
12 Booklets in Series
The "FFIEC InfoBase" concept was developed by the Task Force on Examiner Education to provide field examiners in financial institution regulatory agencies with a quick source of introductory training and basic information. The long-term goal of the InfoBase is to provide just-in-time training for new regulations and for other topics of specific concern to examiners in FFIEC's five member agencies.
080911
FFIEC BCP Booklet Revision
http://www.ffiec.gov/ffiecinfobase/index.html
The new edition rescinds and replaces the previous Business Continuity Planning Booklet issued in March 2003.
The BCP booklet was revised to reflect technological and regulatory changes with a focus on management’s responsibilities regarding oversight of the continuity planning process for business operations.
While significant revisions were made, the focus continues to be based on an enterprise-wide, process-oriented approach that considers: technology, business operations, testing, and communication strategies that are critical to business continuity planning for the entire business, instead of just the information technology department.
Risk Monitoring and Testing: BIA and Risk Assessment; Roles and Responsibilities; Business Continuity Testing Life Cycle; In-house versus Serviced Testing
Appendix: Testing Program – Governance and Attributes
Critical Infrastructure Expectations
Appendix: BIA Process
Lessons Learned from Hurricanes Katrina / Rita: Crisis Management; Incident Response; Remote Access; Communication; Notification Standards; Internal and External Threats
Appendix: Pandemic Planning
Appendix: Interdependencies
Focus: Enterprise-wide, process-oriented BCP
Appendix: Examination Procedures
Risk Monitoring and Testing
Principles of Business Continuity Testing Program
BIA and Risk Assessment
Roles and responsibilities
Business Continuity Testing Life Cycle – policy, strategies, planning, plan review, methods, execution and documentation, evaluation, assessment, reporting results, updating the plan
In-house versus Serviced Testing Activities: Understand provider’s capabilities; Assess provider’s recovery capabilities; Participate in recovery testing activities; Review provider’s capabilities at least annually
Risk Monitoring and Testing (continued)
New Appendix H: Testing Program – Governance and Attributes
Governance; Testing Strategy; Test Planning
Critical Infrastructure Considerations / Expectations
Testing criteria for “Core” and “Significant” firms are now consistent with the Interagency Paper on Sound Practices to Strengthen the Resilience of the US Financial System.
Business Impact Analysis Process (Appendix F)
Resulted from recommendation from small-medium institutions for additional examples
Business Impact Analysis Goals
Cyclical Steps in the Process
1. Gathering information
2. Performing a vulnerability assessment
3. Analyzing the information
4. Documenting the results / Presenting the recommendation
Lessons Learned: Hurricanes Katrina / Rita
Other Policies, Standards and Process: Crisis Management; Incident response; Remote Access; Notification Standards
Internal and External Threats (Appendix C): Customers; Employees; Electronic Payment Systems; Affiliates, vendors and service providers
Interdependencies (Appendix E)
Interdependencies (Appendix E)
Telecommunication systems
Liquidity needs
Vendor due diligence
Internal systems and business processes
Examination Procedures (Appendix A)
Revised to address: Expanded Risk Monitoring and Testing; New Pandemic Planning
Tier 1 versus Tier 2 objectives
Designed to assist Examiners
Not intended as an Audit Guide
Use will differ by Agency
Pandemic Planning (Appendix D)
Continues Enterprise-wide concept
Identical to FFIEC December 2007 Guidance
Five critical elements that each plan should address:
1. Preventive program
2. Documented response strategy
3. Comprehensive framework to continue critical operations
4. Testing program
5. Oversight program
Private Sector / Public Sector Regulatory Clarity Discussions
Follow-Up to Roundtable on Pandemic Planning Focused on Banking Sector Regulatory Relief
Initial Meeting - March 26, 2008
1. Regulatory Relief vs. Regulatory Clarity
2. Public Sector Regulatory Relief Abilities
3. Private Sector Regulatory Relief Expectations
4. Agreement on Action / Follow-Up Items
Discussion of FFIEC Agency Pandemic Plans
Development of Prioritized list of Anticipated Regulatory Relief needs
Consideration of the Issuance of an FFIEC document based on existing OTS and FFIEC documents
Follow-Up Meeting - May 21, 2008
1. Discussion of Agency Pandemic Plans
2. Discussion of FFIEC “Pandemic Protocols”
3. Agreement on Action / Follow-Up Items
+ 2-4 Weeks: Development of Prioritized list of anticipated regulatory relief needs
+ 3-6 weeks: Consideration of the Issuance of an FFIEC document based on existing OTS and FFIEC documents
And then came summer, and the West Coast fires and the Mid West floods …… ;-)
080722
Jim Devlin
Special Advisor for Operational Risk
(202) 874-5013 / (202) 359-6590 (cell)
Gracias !
Obrigado !
Merci !
Danke !
Thank You !