Business Continuity Management

FFIEC IT Examination Handbook - Business Continuity Booklet

Completion Progress0 / 21 Controls

Track your business continuity and resilience readiness

Overall Completion0%

BCP Program Management

0 of 5 controls verified

Complete

Board-approved BCP policy with annual review requirement

High Risk

BCP program includes governance, risk assessment, and testing framework

High Risk

Business impact analysis (BIA) conducted and updated annually

High Risk

Recovery time objectives (RTOs) and recovery point objectives (RPOs) defined for critical systems

High Risk

BCP coordinator designated with clear responsibilities

Medium Risk

BCP & DR Planning

0 of 6 controls verified

Complete

Documented business continuity plans for all critical business functions

High Risk

Disaster recovery plans address technology infrastructure restoration

High Risk

Plans include communication procedures for employees, customers, vendors, regulators

High Risk

Alternate processing sites identified and contractually secured

High Risk

Data backup and restoration procedures documented and tested

High Risk

Succession planning for key personnel included

Medium Risk

Testing & Maintenance

0 of 5 controls verified

Complete

Annual BCP/DR testing performed with documented results

High Risk

Testing scenarios include various disruption types (technology, facility, personnel)

High Risk

Test results analyzed and plans updated based on findings

High Risk

Backup restoration tested regularly (at least quarterly)

High Risk

Tabletop exercises conducted with management participation

Medium Risk

Operational Resilience

0 of 5 controls verified

Complete

Incident response procedures integrated with BCP

High Risk

Third-party dependencies identified with contingency plans

High Risk

Geographic diversity for critical operations and data centers

High Risk

Communication systems redundancy maintained

Medium Risk

BCP awareness training provided to all staff annually

Medium Risk

Examiner Expectations

Annual Testing Requirement

Examiners expect documented annual BCP/DR testing with results analysis and plan updates. Testing should validate RTOs/RPOs can be met.

Business Impact Analysis

Current BIA identifying critical business functions, dependencies, and acceptable downtime is essential. Must be updated when significant changes occur.

Third-Party Dependencies

Contingency plans must address critical vendor failures. Review vendor BCP capabilities during due diligence and ongoing monitoring.