Corporate Business Resumption and Contingency Planning
FIL-68-97 July 14, 1997
CHIEF EXECUTIVE OFFICER
FFIEC's Revised Policy Statement on Corporate
Business Resumption and Contingency Planning
The interagency Federal Financial Institutions Examination Council (FFIEC) on March 26, 1997, adopted a revised policy statement on Corporate Business Resumption and Contingency Planning. The policy statement is attached.
The revised statement continues to emphasize the importance of business recovery planning and explains the goals associated with an effective business resumption and contingency plan. Revisions to the policy statement acknowledge the increased use of distributed computer environments and increased reliance on external service providers for mission-critical bank activities. A financial institution's Board of Directors is responsible for ensuring that a comprehensive business resumption and contingency plan has been implemented.
The revision was conducted as part of the combined agency Community Development and Regulatory Improvement Act (CDRIA) effort to streamline agency regulations and written policies to improve efficiency, reduce unnecessary costs, eliminate unwarranted constraints on credit availability, and remove duplicative requirements.
Contingency plans are evaluated by examiners during regular supervisory reviews of the institution. For more information, please contact your Division of Supervision Regional Office.
Nicholas J. Ketcha Jr.
Distribution: FDIC-Supervised Banks (Commercial and Savings)
NOTE: Paper copies of FDIC financial institution letters may be obtained through the FDIC's Public Information Center, 801 17th Street, N.W., Room 100, Washington, D.C., 20434 ((703) 562-2200 or 800-276-6003).
CORPORATE BUSINESS RESUMPTION AND CONTINGENCY PLANNING
To: Chief Executive Officers of all Federally Supervised Financial Institutions, Senior Management of each FFIEC Agency, and all Examining Personnel
This statement emphasizes to the board of Directors and senior management of each financial institution the importance of corporate business resumption and information systems contingency planning functions. This includes planning for the recovery of critical information systems processing and operations supported by external service providers. This statement also addresses issues that management should consider when developing a viable contingency plan.
Information systems technology has evolved into a critical facet of the corporate structure of financial institutions. Transaction processing and business applications are no longer restricted to mainframe computer environments. The use of distributed platforms (including mid-range computers, client/server technology, and local and wide area networks) for mission-critical business functions expands the scope of contingency planning.
Corporate and customer services throughout financial institutions are now more dependent on direct access to information and accounts. This includes contemporary financial delivery systems and services such as PC-banking, corporate cash management, and Internet promotion. These services represent key transactional, strategic, and reputational issues for the financial institutions. Often these services depend on a combination of internal and external information processing services. Outsourcing arrangements and other technology alliances involve unique considerations which also expand the boundaries of contingency planning.
Business recovery planners must recognize this new environment and the risks it may pose to the financial institution. The importance of these operations and service units requires effective business recovery planning from a corporate-wide perspective.
Contingency planning is the process of identifying critical information systems and business functions and developing plans to enable those systems and functions to be resumed in the event of a disruption. The process includes testing the recovery plans to ensure they are effective. During the testing process management should also verify that business unit plans complement the information system plans.
The goal of an effective contingency plan and recovery process is to facilitate and expedite the resumption of business after a disruption of vital information systems and operations. The principle objectives are to:
Minimize disruptions of service to the institution and its customers.
Ensure timely resumption of operations.
Limit losses to earnings and capital.
It is important for both financial institutions and their service bureaus to regularly assess risks associated with the loss or extended disruption of business operations and to evaluate their vulnerability to those risks. To achieve contingency planning and business resumption goals and objectives, senior management should ensure that:
Contingency plans are comprehensive and address all of the critical functions and operations in an institution. This includes assessing the response capability of key disaster recovery service vendors (e.g., the vendor(s) providing alternate processing sites; storage and transportation of back-up media between the storage vendor, alternate processing site and the institution).
An effective business resumption and contingency plan has been coordinated with their information processing and service providers.1
Contingency plans are thoroughly tested at least annually.
Test results and recommendations from such testing are reviewed.
Appropriate corrective actions are implemented.
The board of Directors and senior management of each financial institution is responsible for:
Establishing policies and procedures, and assigning responsibilities to ensure that comprehensive corporate business resumption, contingency planning, and testing takes place.
Annually reviewing the adequacy of the institution's business recovery and contingency plans and test results.
Documenting such reviews and approvals in the board minutes.
Furthermore, if the financial institution receives information processing from a service bureau, senior management also has a responsibility to:
Evaluate the adequacy of contingency planning and testing for its service bureau.
Ensure that the institution's contingency plan is compatible with that of its service bureau.
Please refer to the FFIEC Information Systems Examination Handbook for specific guidance on developing an organization-wide contingency plan.