The Federal Financial Institutions Examination Council (FFIEC) issued a revised business continuity planning (BCP) booklet, which is part of the FFIEC information technology (IT) examination handbook.

The update consists of the addition of Appendix J, titled “Strengthening the Resilience of Outsourced Technology Services,” that highlights and strengthens the BCP booklet in these areas:

• Third-party management;
• Third-party capacity;
• Testing with third-party technology service providers; and
• Cyber resilience.

The BCP booklet’s guidance assists examiners in evaluating financial institution and service provider risk management processes to ensure the availability of critical financial services.

The booklet also provides guidance to financial institutions on implementing their business continuity planning processes.

According to the guidance:

• A credit union’s reliance on third-party service providers to perform or support critical operations doesn’t relieve the institution of its responsibility to ensure those parties conduct outsourced activities in a safe and sound manner;
• An effective third-party management program should provide the framework for the credit union’s management to identify, measure, monitor, and mitigate the risks associated with outsourcing; and
• A credit union should ensure its third-party service providers don’t negatively affect its ability to appropriately recover IT systems and return critical functions to normal operations in a timely manner.

Access the IT Handbook at ithandbook.ffiec.gov.