Friday, Feb 06, 2015

Financial Regulators Release New Appendix to Business Continuity Planning Booklet
Appendix J: Strengthening the Resilience of Outsourced Technology Services

The Federal Financial Institutions Examination Council (FFIEC) members today issued a revised Business Continuity Planning Booklet (BCP Booklet), which is part of the FFIEC Information Technology Examination Handbook (IT Handbook). The update consists of the addition of a new appendix, entitled Strengthening the Resilience of Outsourced Technology Services.
The BCP Booklet contains guidance to assist examiners in evaluating financial institution and service provider risk management processes to ensure the availability of critical financial services. The booklet also was designed to provide guidance to financial institutions about the implementation of their business continuity planning processes.
The appendix highlights that a financial institution’s reliance on third-party service providers to perform or support critical operations does not relieve a financial institution of its responsibility to ensure that outsourced activities are conducted in a safe and sound manner. An effective third-party management program should provide the framework for financial institution management to identify, measure, monitor, and mitigate the risks associated with outsourcing. Specifically, a financial institution should ensure that its third-party service providers do not negatively affect its ability to appropriately recover IT systems and return critical functions to normal operations in a timely manner. The appendix highlights and strengthens the BCP Booklet in four specific areas:
• Third-Party Management
• Third-Party Capacity
• Testing with Third-Party Technology Service Providers
• Cyber Resilience
The IT Handbook is a collaborative effort of the Information Technology Subcommittee of the FFIEC’s Task Force on Supervision. The Information Technology Subcommittee promotes uniform and effective information on technology-related policies and supervisory programs for financial institutions and their service providers. The IT Handbook is available online at http://ithandbook.ffiec.gov/

