Skip to content

FFIEC Policy Statement

by Dana Turner

Subject: Interagency Policy On Contingency Planning For Financial Institutions
To: Chief Executive Officers of all Federally Supervised Financial Institutions, Senior Management of each FFIEC Agency, and all Examining Personnel

The purpose of this policy statement is to alert the Board of Directors and management of each financial institution to the need for contingency planning for their institution. This includes both institutions that provide their own information processing service and those that receive processing from service companies. The policy statement also addresses issues that should be considered when developing a viable contingency plan.

Contingency planning is the process of identifying risks from disruption of operations and services. The objectives are to:

  • minimize disruptions of service to the institution and its customers,
  • minimize financial loss, and,
  • ensure a timely resumption of operations in the event of a disaster.

These strategies are the same for institutions with in-house data centers and those using service bureaus.

In recent years, information technology has expanded rapidly throughout the corporate structure of financial institutions. It includes operations such as central computer processing, distributed processing, end user computing, local area networking, and nationwide telecommunications. These operations often represent critical services to institutions and their customers. The loss or extended disruption of these business operations poses substantial risk of financial loss and could lead to the failure of an institution. As a result, contingency planning now requires an institution-wide emphasis, as opposed merely focusing on centralized computer operations.

Additionally, there are many service bureaus that provide information processing services to multiple financial institutions. The disruption of the processing capabilities of one of these service bureaus could impact a considerable number of institutions. Accordingly, contingency planning by financial institution servicers is equally important.

Many financial institutions and servicer bureaus have not sufficiently addressed the risks associated with the loss or extended disruption of business operations. More specifically:

  • Many contingency plans do not address all of the critical functions throughout the institution
  • Many serviced institutions have not established or coordinated contingency planning efforts with their service bureaus.
  • Many service bureaus have not established contingency plans.
  • Many contingency plans have not been adequately tested.

The board of directors and senior management of financial institutions are responsible for:

  • Establishing policies, procedures and responsibilities for comprehensive contingency planning
  • Reviewing and approving the institution's contingency plans annually, documenting such reviews in board minutes.

If the institution receives information processing from a service bureau, management also must:

  • Evaluate the adequacy of contingency plans for its service bureau.
  • Ensure that the institutions contingency plan is compatible with its service bureau's.

The appendix to this policy statement provides an example of a process that management may consider in developing contingency plans. It is a brief outline and is not all encompassing. Each financial institution needs to assess its own risks and develop strategies accordingly. This planning process needs to address each critical system and operation, whether performed on site, at a user location, or by another company.

Contingency Planning Process
I. Obtain commitment from senior management to develop the plan.
II. Establish a management group to oversee development and implementation of the plan.
III. Perform a risk assessment.

  • Consider possible threats such as:
    • natural - fires, flood, earthquakes, ...
    • technical - hardware/software failure, power disruption,
    • communications interference, ...
    • human - riots, strikes, disgruntled employee, ...
  • Assess impacts from loss of information and services:
    • financial condition
    • competitive position,
    • customer confidence
    • legal/regulatory requirements.
  • Analyze costs to minimize exposures.

IV. Evaluate critical needs.

  • functional operations
  • key personnel
  • information
  • processing systems
  • documentation
  • vital records
  • policies/procedures

V. Establish priorities for recovery based on critical needs.

VI. Determine strategies to recover.

  • facilities
  • hardware
  • software
  • communications
  • data files
  • customer services
  • user operations
  • MIS
  • nd-user systems
  • other processing operations.

VII. Obtain written backup agreements/contracts.

  • facilities
  • hardware
  • software
  • vendors
  • suppliers
  • disaster recovery services
  • reciprocal agreements

VIII. Organize and document a written plan.

  • Assign responsibilities.
    • management
    • personnel
    • teams
    • vendors
  • Document strategies and procedures to recover.
    • procedures to execute the plan
    • priorities for critical vs. non-critical functions
    • site relocation (short-term)
    • site restoration (long-term)
    • required resources
    • human
    • financial
    • technical (hardware/software)
    • data
    • facilities
    • administrative
    • vendor support

IX. Establish criteria for testing and maintenance of plans.

  • Determine conditions and frequency for testing:
    • batch systems
    • on-line systems
    • communications networks
    • user operations
    • end-user systems
  • Evaluate results of tests.
  • Establish procedures to revise and maintain the plan.
  • Provide training for personnel involved in the plan's execution

X. Present the contingency plan to senior management and the Board for review and approval.

(Note: Additional guidelines in this area are available in Chapter 10 of the 1996 FFIEC IS Examination Handbook). Also, many materials on contingency/disaster recovery planning have been published by trade associations, accounting firms, and the disaster recovery industry. These can be valuable guides to comprehensive contingency planning.
SR 97-15 (SPE)
May 2, 1997
Subject: Corporate Business Resumption and Contingency Planning

The FFIEC has issued an updated policy statement on "Corporate Business Resumption and Contingency Planning" (SP-5) for financial institutions, as of March 1997. The policy statement recognizes that information systems technology has evolved into a critical facet of the corporate structure of financial institutions, and emphasizes that the directors and management of financial institutions need to address the inherent risks associated with the loss or disruption of these services to themselves and their customers. It also addresses various issues and responsibilities relating to the development and implementation of business resumption and contingency plans.

Corporate Business Resumption And Contingency Planning (SP-5)
To: Chief Executive Officers of all Federally Supervised Financial Institutions, Senior Management of each FFIEC Agency, and all Examining Personnel

This statement emphasizes to the board of directors and senior management of each financial institution the importance of corporate business resumption and information systems contingency planning functions. This includes planning for the recovery of critical information systems processing and operations supported by external service providers. This statement also addresses issues that management should consider when developing a viable contingency plan.

Information systems technology has evolved into a critical facet of the corporate structure of financial institutions. Transaction processing and business applications are no longer restricted to mainframe computer environments. The use of distributed platforms (including mid-range computers, client/server technology, and local and wide area networks) for mission-critical business functions expands the scope of contingency planning.

Corporate and customer services throughout financial institutions are now more dependent on direct access to information and accounts. This includes contemporary financial delivery systems and services such as PC-banking, corporate cash management, and Internet promotion. These services represent key transactional, strategic, and reputational issues for the financial institutions. Often these services depend on a combination of internal and external information processing services. Outsourcing arrangements and other technology alliances involve unique considerations which also expand the boundaries of contingency planning.

Business recovery planners must recognize this new environment and the risks it may pose to the financial institution. The importance of these operations and service units requires effective business recovery planning from a corporate-wide perspective.

Contingency planning is the process of identifying critical information systems and business functions and developing plans to enable those systems and functions to be resumed in the event of a disruption. The process includes testing the recovery plans to ensure they are effective. During the testing process management should also verify that business unit plans complement the information system plans.

The goal of an effective contingency plan and recovery process is to facilitate and expedite the resumption of business after a disruption of vital information systems and operations. The principle objectives are to:

  • Minimize disruptions of service to the institution and its customers;
  • Ensure timely resumption of operations; and
  • Limit losses to earnings and capital.

It is important for both financial institutions and their service bureaus to regularly assess risks associated with the loss or extended disruption of business operations and to evaluate their vulnerability to those risks. To achieve contingency planning and business resumption goals and objectives, senior management should ensure that:

  • Contingency plans are comprehensive and address all of the critical functions and operations in an institution. This includes assessing the response capability of key disaster recovery service vendors (e.g., the vendor(s) providing alternate processing sites; storage and transportation of back-up media between the storage vendor, alternate processing site and the institution).;
  • An effective business resumption and contingency plan has been coordinated with their information processing and service providers;
  • Contingency plans are thoroughly tested at least annually;
  • Test results and recommendations from such testing are reviewed; and
  • Appropriate corrective actions are implemented.

The board of directors and senior management of each financial institution is responsible for:

  • Establishing policies and procedures, and assigning responsibilities to ensure that comprehensive corporate business resumption, contingency planning, and testing takes place;
  • Annually reviewing the adequacy of the institution's business recovery and contingency plans and test results; and
  • Documenting such reviews and approvals in the board minutes.

Furthermore, if the financial institution receives information processing from a service bureau, senior management also has a responsibility to:

  • Evaluate the adequacy of contingency planning and testing for its service bureau; and
  • Ensure that the institution's contingency plan is compatible with that of its service bureau.

Please refer to the FFIEC Information Systems Examination Handbook for specific guidance on developing an organization-wide contingency plan.

Revised: March 1997
Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Office of Thrift Supervision

? Security Education Systems 1983 - 2001

First published on 01/01/2001

Banker Store View All

From training, policies, forms, and publications, to office products and occasional gifts, it’s available here:

Banker Store

hot right now

image description

Looking for effective, convenient training on a particular subject?

BOL Learning Connect offers more than 200 courses ON-DEMAND or on CD ROM from AML to Reg Z and every topic in between.

Search Topics