OCC 2003-18
OCC Bulletin

Subject: FFIEC Information Technology Examination Handbook
Description: Business Continuity Planning and Supervision of Technology Service Providers Booklets
Date: May 21, 2003

TO: Chief Executive Officers of All National Banks, Federal Branches and Agencies, Technology Service Providers and Software Vendors, Department and Division Heads, and All Examining Personnel

The Federal Financial Institutions Examination Council (FFIEC) has issued updated guidance in two booklets, one on business continuity planning (BCP) and the other on FFIEC supervision of technology service providers (TSPs). These booklets are the second and third in a series that will completely update and replace the 1996 FFIEC Information Systems (IS) Examination Handbook. Specifically, the "BCP Booklet" rescinds chapter 10 of the 1996 FFIEC IS Examination Handbook and OCC Bulletin 97-23: FFIEC Interagency Statement on Corporate Business Resumption and Contingency Planning. The "Supervision of TSPs Booklet" rescinds chapters two through seven of the 1996 FFIEC IS Examination Handbook.

Business Continuity Planning Booklet

The banking industry has been a leader in the area of business continuity planning and preparedness. Banks' increasing dependence on third-party service providers and the threat of terrorism have validated bank efforts and added urgency to the issue. Boards of directors should review business continuity plans at least annually to ensure that plans are consistent with the bank's business objectives, risk management strategies, and financial resources. This booklet complements the sound practices recently issued in OCC Bulletin 2003-14, applicable to the largest and most systemically significant financial services firms, and provides a risk management process for implementation of those practices. The "BCP Booklet" emphasizes the importance of making BCP an enterprise-wide business concern that balances the availability of people, facilities, and technology.

The booklet describes a four-part process for managing business continuity based on risk: (1) business impact analysis, (2) risk assessment, (3) risk management, and (4) risk monitoring. Using this process-based approach, bank management should determine the impact of an interruption of various services on different business units within the bank. Management should assess and prioritize the risk of losing those services and then implement the appropriate safeguards to mitigate the likelihood of an event occurring or to accelerate resumption of services after an event. To ensure effective implementation of the safeguards and allow the process to evolve over time, management must oversee compliance through self-assessment and testing, evaluate organizational changes, monitor for new threats, and explore new risk mitigation and recovery solutions. The booklet reinforces the expectation that senior management conduct recovery testing at least annually, and more frequently if warranted by the operating environment and the criticality of the applications and business functions. OCC examiners will use the booklet's work program as expanded examination procedures when appropriate, based on the risk and complexity of the bank's or technology service provider's operations.

Supervision of Technology Service Providers Booklet

This booklet provides OCC examiners with guidance on the various aspects of the FFIEC interagency supervision program for TSPs. Effective interagency coordination and resource sharing allow the agencies to avoid redundant examinations. The booklet introduces a new risk-based approach to select the TSPs for examination and to determine the frequency of examinations based on the type of services provided and TSP-specific risk factors. National banks can provide input into our supervisory process by communicating service provider concerns to their portfolio examiners. OCC examiners can then factor bank-specific issues into the risk-based strategy.

The OCC encourages banks to consider findings from FFIEC examinations as part of their management of outsourcing risk. However, this booklet underscores the message that regulatory examinations of TSPs are not a replacement for effective vendor oversight by the bank. The FFIEC will provide in-depth guidance to bankers on managing outsourcing relationships in another booklet on outsourcing later this year.

The attached FFIEC press release describes the handbook update process and provides the following link, www.ffiec.gov/guides.htm, to electronic versions of both booklets. To accommodate banks with limited access to the Internet, the OCC will also include these booklets in the next release of e-files, the CD-based library of OCC publications provided to all national banks. Any bank that is not able to download the booklets may order printed copies. Please send your request to the Office of the Comptroller of the Currency, 250 E Street, SW, Mail Stop 4-8, Washington, DC 20219. If you need assistance obtaining a copy, please contact the OCC's Communications Division at (202) 874-4700. Other questions regarding these booklets should be directed to your OCC supervisory office or the Bank Technology Division at (202) 874-5920.

____________________________________
Ralph E. Sharpe
Deputy Comptroller, Technology

Attachment [http://www.ffiec.gov/press/pr052003.htm]