The interagency Federal Financial Institutions Examination Council (FFIEC) on March 26, 1997, adopted a revised policy statement on Corporate Business Resumption and Contingency Planning. The policy statement is attached. The revised statement continues to emphasize the importance of business recovery planning and explains the goals associated with an effective business resumption and contingency plan. Revisions to the policy statement acknowledge the increased use of distributed computer environments and increased reliance on external service providers for mission-critical bank activities. A financial institution's Board of Directors is responsible for ensuring that a comprehensive business resumption and contingency plan has been implemented. The revision was conducted as part of the combined agency Community Development and Regulatory Improvement Act (CDRIA) effort to streamline agency regulations and written policies to improve efficiency, reduce unnecessary costs, eliminate unwarranted constraints on credit availability, and remove duplicative requirements. Contingency plans are evaluated by examiners during regular supervisory reviews of the institution. For more information, please contact your Division of Supervision Regional Office.
Attachment (below) Distribution: FDIC-Supervised Banks (Commercial and Savings) NOTE: Paper copies of FDIC financial institution letters may be obtained through the FDIC's Public Information Center, 801 17th Street, N.W., Room 100, Washington, D.C., 20434 ((703) 562-2200 or 800-276-6003).
(ATTACHMENT) CORPORATE BUSINESS RESUMPTION AND CONTINGENCY PLANNING To: Chief Executive Officers of all Federally Supervised Financial Institutions, Senior Management of each FFIEC Agency, and all Examining Personnel PURPOSE This statement emphasizes to the board of Directors and senior management of each financial institution the importance of corporate business resumption and information systems contingency planning functions. This includes planning for the recovery of critical information systems processing and operations supported by external service providers. This statement also addresses issues that management should consider when developing a viable contingency plan. BACKGROUND Information systems technology has evolved into a critical facet of the corporate structure of financial institutions. Transaction processing and business applications are no longer restricted to mainframe computer environments. The use of distributed platforms (including mid-range computers, client/server technology, and local and wide area networks) for mission-critical business functions expands the scope of contingency planning. Corporate and customer services throughout financial institutions are now more dependent on direct access to information and accounts. This includes contemporary financial delivery systems and services such as PC-banking, corporate cash management, and Internet promotion. These services represent key transactional, strategic, and reputational issues for the financial institutions. Often these services depend on a combination of internal and external information processing services. Outsourcing arrangements and other technology alliances involve unique considerations which also expand the boundaries of contingency planning. Business recovery planners must recognize this new environment and the risks it may pose to the financial institution. The importance of these operations and service units requires effective business recovery planning from a corporate-wide perspective. DEFINITION Contingency planning is the process of identifying critical information systems and business functions and developing plans to enable those systems and functions to be resumed in the event of a disruption. The process includes testing the recovery plans to ensure they are effective. During the testing process management should also verify that business unit plans complement the information system plans. GOALS The goal of an effective contingency plan and recovery process is to facilitate and expedite the resumption of business after a disruption of vital information systems and operations. The principle objectives are to:
It is important for both financial institutions and their service bureaus to regularly assess risks associated with the loss or extended disruption of business operations and to evaluate their vulnerability to those risks. To achieve contingency planning and business resumption goals and objectives, senior management should ensure that:
POLICY The board of Directors and senior management of each financial institution is responsible for:
Furthermore, if the financial institution receives information processing from a service bureau, senior management also has a responsibility to:
Please refer to the FFIEC Information Systems Examination Handbook for specific guidance on developing an organization-wide contingency plan. Revised: March 1997
1 This concern refers to situations where service bureaus are contracted to process core applications or critical business lines. This is especially important to the Fedwire software application when the service provider is not affiliated with the institution through at least 80 percent common ownership. The institution must be able to continue its operations for these functional business lines if the service provider arrangement is terminated. |