FFIEC: An Introduction to BCM’s Gold Standard
Most business continuity professionals think of FFIEC as a BC standard that is only relevant to financial institutions, who are legally to obligated to meet its famously rigorous requirements. However, many non-financial institutions would also benefit from adopting this set of demanding and comprehensive BC guidelines.
Related on MHA Consulting: Standard Time: The Best Time to Choose a Business Continuity Standard Is Right Now
Introducing FFIEC
The Federal Financial Institutions Examination Council (FFIEC) is a U.S. government body made up of representatives of the Federal Reserve System, Federal Deposit Insurance Corporation, and other financial agencies. It is also the author of a set of principles and guidelines designed to make sure the banks and other financial institutions that are required to follow it can continue to operate even if they are hit with a disruption.
The guidelines, which are contained in a series of booklets or handbooks, are collectively known as the FFIEC standard.
FFIEC is, of course, one of many standards that organizations can adopt and seek to come into alignment with to strengthen their BCM programs. Other well-known standards include those published by the Business Continuity Institute (BCI Good Practice Guidelines), the International Organization for Standardization (ISO 22301), the National Institute of Science and Technology (NIST 800), and the National Fire Protection Association (NFPA 1600).
All of these standards are valuable, well-regarded tools that are capable of helping organizations become more resilient. For organizations that don’t currently adhere to any BC standard (the majority, unfortunately), adopting and aligning with any of the five standards will likely increase their ability to avoid and get through disruptions.
However, of the five, the FFIEC standard is widely regarded as the toughest and best. For this reason, it is often referred to as the Gold Standard of BCM standards.
The Gold Standard
FFIEC is the most aggressive standard in the U.S. marketplace. It has greater governance, risk assessment, business impact analysis, planning, testing, and maintenance requirements than any other standard.
FFIEC’s requirements are very stringent due to the critical role financial institutions play in the economy. It is also comprehensive, covering all phases of the BCM program lifecycle, including risk assessment, business impact analysis, crisis management, cyber response, strategy development, plan development, testing, and maintenance. And its focus on continuous improvement helps ensure that organizations are always prepared to respond to disruptions and minimize their impact.
Not Just for Banks
FFIEC’s primary focus is on financial institutions, but its principles and standards are applicable to any company that wants to maintain a high state of resiliency, regardless of industry. By adhering to the council’s guidelines, companies can implement best practices for risk management, cybersecurity, data protection, and business continuity planning.
The FFIEC standard can be found here, and it’s completely free.
Does trying to meet the rigorous FFIEC standard make sense for every organization? Not even close. For many orgs, following FFIEC would be like going through Navy SEAL training to prepare for a neighborhood fun run. It’s overkill. Such companies would be better off investing those resources elsewhere.
Would your organization benefit from adopting FFIEC?
That depends on how big and complicated it is, what industry it’s in, and how damaging it would be if your business processes were knocked out for an extended period by a disruption. It also depends on how committed you and your colleagues to achieving true excellence in your BC program.
Smaller companies, educational institutions, construction firms, and many government agencies—these types of organizations tend to have more of a cushion before delays cause serious problems. They should pick a standard and try to align with it, but it probably shouldn’t be FFIEC.
However, companies that need to be able to demonstrate a high level of recovery capability and competency—and where outages of even a couple of hours have the potential to cause serious impacts to the organization’s revenue, reputation, and stakeholders—would likely benefit greatly from learning about FFIEC and trying to meet its requirements.
This is true even if they are unable to reach full alignment with the standard. FFIEC is so rigorous, attaining even 70 percent compliance would bring most organizations a substantial gain in resilience.
Generally speaking, adopting FFIEC makes a lot of sense for organizations in the logistics, manufacturing, pharmaceutical, healthcare, and insurance industries, as well as some tech companies and utilities. This is due to the tight deadlines, extreme time sensitivity, and critical nature of these industries, qualities they share with the financial institutions the standard was originally designed to protect.
Going for the Gold
FFIEC is the gold standard of business continuity standards. Originally intended for use by financial institutions, it is a very robust standard that covers all phases of the BCM lifecycle and has greater governance, risk assessment, business impact analysis, planning, testing, and maintenance requirements than any other standard.
For smaller organizations or those in less time-sensitive industries, following FFIEC would likely be excessive. However, organizations that require a high level of recovery capability and competency in the event of a disruption—or which simply want to achieve true excellence in their BCM program—FFIEC is worth its weight in gold.
Further Reading
For more information on business continuity standards and other hot topics in BCM and IT/disaster recovery, check out these recent posts from MHA Consulting:
- Meeting the Standard: The 3 Scenarios Encountered in Complying With BCM Standards
- Standard Time: The Best Time to Choose a Business Continuity Standard Is Right Now
- Standard Issue: Is Your BCM Standard Making Things Worse?
- A Great Place to Start: The ISO 31000 Risk Management Guidelines
- The Art of Explaining: MHA’s Best Crisis Communications Resources
Michael Herrera
Michael Herrera is the Chief Executive Officer (CEO) of MHA. In his role, Michael provides global leadership to the entire set of industry practices and horizontal capabilities within MHA. Under his leadership, MHA has become a leading provider of Business Continuity and Disaster Recovery services to organizations on a global level. He is also the founder of BCMMETRICS, a leading cloud based tool designed to assess business continuity compliance and residual risk. Michael is a well-known and sought after speaker on Business Continuity issues at local and national contingency planner chapter meetings and conferences. Prior to founding MHA, he was a Regional VP for Bank of America, where he was responsible for Business Continuity across the southwest region.
