FFIEC: An Introduction to BCM’s Gold Standard


Most business continuity professionals think of FFIEC as a business continuity management standard that is only relevant to financial institutions. However, many other types of organizations would benefit from adopting this set of demanding and comprehensive BC guidelines.

Related on MHA Consulting: Standard Time: The Best Time to Choose a Business Continuity Standard Is Right Now

Introducing FFIEC

The FFIEC standard is named after the organization that developed it, the Federal Financial Institutions Examination Council (FFIEC). This group is made up of representatives of the Federal Reserve System, Federal Deposit Insurance Corporation, and other financial agencies.  

The FFIEC guidelines (as the standard is referred to) are contained in a series of booklets or handbooks published by the group. The guidelines’ purpose is to make sure banks and other financial institutions can continue to operate even if they are hit with a disruption.   

As you know, FFIEC is one of many standards that organizations can align with to strengthen their BCM programs. Other well-regarded business continuity standards include the BCI Good Practice Guidelines, ISO 22301, NIST 800, and NFPA 1600.  

All of these standards can help organizations become more resilient, but of the five mentioned, the FFIEC guidelines are widely regarded as the toughest and best.  

The Gold Standard

FFIEC is often referred to as the gold standard of BCM standards. The most aggressive standard in the U.S. marketplace, it has greater governance, risk assessment, business impact analysis, planning, testing, and maintenance requirements than any other standard.   

FFIEC’s requirements are very stringent due to the critical role financial institutions play in the economy. It is also comprehensive, covering all phases of the BCM program lifecycle, including risk assessment, business impact analysis, crisis management, cyber response, strategy development, plan development, testing, and maintenance. Its focus on continuous improvement helps ensure that organizations are always prepared to respond to disruptions and minimize their impact.  

Not Just for Banks

FFIEC was developed for financial institutions, but its principles and standards are applicable to any company that wants to maintain a high state of resiliency, regardless of industry. By adhering to the FFIEC guidelines, any company can implement best practices for risk management, cybersecurity, data protection, and business continuity planning.  

The FFIEC standard can be found here, and it’s completely free.  

By now you might be asking whether your organization would benefit from adopting FFIEC. 

The answer depends on how big and complex your company is, what industry it’s in, and how damaging it would be if your business processes were knocked out for an extended period by a disruption. It also depends on how committed you and your colleagues are to achieving true excellence in your BC program.  

Smaller companies, educational institutions, construction firms, and many government agencies—these types of organizations tend to have more of a cushion before delays cause serious problems. They should pick a standard and try to align with it, but it probably shouldn’t be FFIEC. (As I’ve written elsewhere, I especially like NFPA 1600.) 

Companies that need to be able to demonstrate a high level of recovery capability and competency—and where outages of even a couple of hours have the potential to cause serious impacts to the organization’s revenue, reputation, and stakeholders—would likely benefit greatly from learning about FFIEC and trying to meet its requirements.  

This is true even if they are unable to reach full alignment with the standard. FFIEC is so rigorous, attaining even 70 percent compliance would bring most organizations a substantial gain in resilience.  

Generally speaking, adopting FFIEC makes a lot of sense for organizations in the logistics, manufacturing, pharmaceutical, healthcare, and insurance industries, as well as some tech companies and utilities. This is due to the tight deadlines, extreme time sensitivity, and critical nature of these industries, qualities they share with the financial institutions the standard was originally designed to protect.  

Getting Help with FFIEC 

The decision of whether to adopt FFIEC or any standard is challenging. So is the process of coming into alignment with the chosen standard.  

How does a company go about deciding on a standard and working toward compliance? 

All of the BC standards are abundantly documented and explained by the organizations that created them. Visit the links above to access their web sites. (You can also click here to read a blog I wrote introducing the five leading standards.)  

Every reputable BCM consulting firm can advise clients on which standard makes the most sense for them. MHA has a lot of experience in this area and would be glad to talk with organizations that would like advice on how to proceed. 

In addition, business continuity software can be of great help in helping organizations come into compliance with the FFIEC guidelines or any other leading standard. For example, MHA’s Compliance Confidence tool (part of our BCMMETRICS software suite) guides users through their chosen standard, giving step by step by advice on what they need to do to approach compliance. To learn more about Compliance Confidence or arrange a demonstration, click here


Schedule a No-Obligation Compliance Consultation

Going for the Gold 

FFIEC is the gold standard of business continuity standards. Originally intended for use by financial institutions, it is a very robust standard that covers all phases of the BCM lifecycle and has greater governance, risk assessment, business impact analysis, planning, testing, and maintenance requirements than any other standard.   

For smaller organizations or those in less time-sensitive industries, following FFIEC would likely be excessive. However, organizations that require a high level of recovery capability and competency in the event of a disruption—or which simply want to achieve true excellence in their BCM program—FFIEC is worth its weight in gold.  

Interested companies are invited to contact MHA to seek strategic advice on standards from a consultant or learn more about BCMMETRICS and Compliance Confidence. 

Further Reading 

Michael Herrera is the Chief Executive Officer (CEO) of MHA. In his role, Michael provides global leadership to the entire set of industry practices and horizontal capabilities within MHA. Under his leadership, MHA has become a leading provider of Business Continuity and Disaster Recovery services to organizations on a global level. He is also the founder of BCMMETRICS, a leading cloud based tool designed to assess business continuity compliance and residual risk. Michael is a well-known and sought after speaker on Business Continuity issues at local and national contingency planner chapter meetings and conferences. Prior to founding MHA, he was a Regional VP for Bank of America, where he was responsible for Business Continuity across the southwest region.

Leave a Reply

Your email address will not be published. Required fields are marked *

Business continuity consulting for today’s leading companies.

Follow Us

© 2024 · MHA Consulting. All Rights Reserved.

Learn from the Best

Get insights from almost 30 years of BCM experience straight to your inbox.

We won’t spam or give your email away.

  • Who We Are
  • What We Do
  • Blog