2019 FFIEC BCP Handbook Updates: Are You Compliant?

In November, the Federal Financial Institutions Examination Council (FFIEC) released a new handbook specific to Business Continuity Planning (BCP). As is typical when new guidance is released, there is some level of panic, uncertainty, and confusion about what must be done in order to remain compliant. Although the handbook has undergone a complete overhaul in its organization, if you’ve been following emerging trends in Enterprise Risk Management (ERM) and were compliant with the components in the previous handbook, you may be in better shape than you think.

FFIEC BCP Handbook Compliance

So, what are some of the most important updates to the FFIEC manual and why were they implemented? Here are some of the key updates proposed in the handbook:

• A new name. The handbook has been renamed from Business Continuity Planning (BCP) to Business Continuity Management (BCM). The change supports the concept of overall executive management and oversight of a company-wide ERM program. It calls for organizations to align their BCM with the organization’s risk appetite, as well as security frameworks such as NIST and COSO. The term also emphasizes a more proactive approach focused on resilience rather than a reactive approach focused on recovery, and validates that business continuity preparedness requires far more than just a document.
• A new format. One of the biggest reasons the FFIEC business continuity handbook may appear to be filled with new requirements is because it looks very different. The handbook has been completely reorganized to remove duplication, eliminate excess appendices, and allow readers to more easily reference the document for audit and examination purposes.
• Several important areas of focus that were previously buried in hard-to-reach areas of the document now have their own dedicated sections. These topics include cybersecurity, communications, maintenance, personnel recovery, and third party/supply chain considerations.
• The “Pandemic” section has been eliminated. However, being inundated with the fear of the bird flu in the early 2000s has not been forgotten. “Pandemic” is still mentioned in the Risk Assessment and Business Impact Analysis (BIA) sections, which remains useful as talk of pandemic emerges again with the recent spread of the Coronavirus. Also, the concepts of “reduction in staff” and “cross training” are incorporated throughout the FFIEC handbook.
• There is new detailed language surrounding what parts of the BCP your Board must review. It includes a written presentation of the Risk Assessment, BIA, testing, and BCP. Although it still does not explicitly state it, this gets closer to answering the question, “What part of the BCP should the Board review?” with the answer being “all of it.”
• When looking at the new FFIEC examination manual, testing is the largest section. Over the years, we have witnessed that examiners are looking well beyond the plan itself and are really looking for proof that the plan can actually work.

Although these updates are not subtle, they’re not overwhelming. The changes were made to increase clarity surrounding business continuity, not pile on anxiety surrounding FFIEC compliance. The question to ask yourself is, have you been keeping abreast of industry trends, best practices, and other regulatory changes regarding ERM? And if so, how well have you incorporated those into your business continuity program? The answers to those questions will definitely correlate to your level of compliance with the new handbook. If you have kept up with the subtle and not-so-subtle shifts in Enterprise Risk Management, you may be in a better position than you think.