INACTIVE
This page is no longer active. Its content has expired or been rescinded by the FDIC.

Updated FFIEC IT Examination Handbook - Business Continuity Management Booklet

Summary:

The Federal Financial Institutions Examination Council (FFIEC) issued the Business Continuity Management (BCM) booklet, which is part of the FFIEC Information Technology Examination Handbook. The booklet replaces the Business Continuity Planning booklet issued in February 2015.

Statement of Applicability to Institutions under $1 Billion in Total Assets: This Financial Institution Letter (FIL) applies to all FDIC-supervised financial institutions.

Highlights:


  • The BCM booklet describes principles and practices for managing business continuity. The booklet also helps examiners determine whether management adequately addresses risks related to the availability of critical financial products and services.
  • The booklet also contains updated procedures to help examiners evaluate the adequacy of an entity's business continuity management program.
  • The change from business continuity planning to business continuity management reflects the expanded role information technology (IT) plays in supporting business operations and meeting customer expectations.
  • The booklet focuses on assessing an entity's resilience through an enterprise risk management (ERM) perspective that considers technology, business operations, communication strategies, training, testing, maintenance, and improvement — issues critical to business continuity. The degree of maturity, integration and documentation between the BCM and ERM processes should be assessed commensurate with the entity's size, complexity, and risk profile.
  • The incorporation of industry principles and frameworks provides examiners with a durable means to assess business continuity management. The changes do not impose new requirements on examined entities.

Distribution:

  • FDIC-supervised financial institutions and their service providers

Suggested Routing:

  • Chief Executive Officer
  • Chief Information Officer
  • Chief Information Security Officer

Paper copies of FDIC FILs may be obtained through the FDIC's Public Information Center, 3501 Fairfax Drive, E-1002, Arlington, VA 22226 (1-877-275-3342 or 703-562-2200).

Last Updated: November 14, 2019