FFIEC Business Continuity Management: What Examiners Actually Look For (and How to Prepare)
TL;DR
- The FFIEC’s Business Continuity Management (BCM) booklet — revised November 2019 — shifted from “planning” to “management,” signaling that examiners expect a living, tested, board-governed program, not a binder on a shelf.
- The booklet is organized around a lifecycle: governance → BIA → risk assessment → strategies and plans → testing and exercises → maintenance and improvement.
- Third-party resilience is woven throughout — not bolted on as an appendix. If your critical vendor’s BCP is untested, that’s your finding.
Your BCP exists. It’s a 47-page document someone wrote three years ago. It lives in SharePoint. Nobody’s opened it since the last exam.
Sound familiar? It should — because this is the single most common finding examiners write up under the FFIEC’s Business Continuity Management framework. Not that you don’t have a plan. That you don’t manage one.
In November 2019, the FFIEC replaced its “Business Continuity Planning” booklet with the Business Continuity Management booklet — part of the IT Examination Handbook that applies to every institution supervised by the OCC, FDIC, Federal Reserve, NCUA, and state banking regulators. The name change wasn’t cosmetic. It reflected a fundamental shift in examiner expectations: from “do you have a plan?” to “do you have a program that actually works?”
Here’s what the booklet actually requires, what examiners look for during an IT exam, and how to avoid the findings that land in your next report of examination.
What Changed: From Planning to Management
The 2019 revision condensed the booklet from 135 pages to 85, but the reduction in page count didn’t mean a reduction in expectations. The FFIEC made three significant structural changes:
| Change | What It Means |
|---|---|
| Renamed from “BCP” to “BCM” | Business continuity is an ongoing management discipline, not a one-time planning exercise |
| Third-party content integrated throughout | Vendor resilience isn’t an afterthought appendix — it’s embedded in governance, testing, and risk assessment sections |
| Operational resilience emphasis added | New focus on resilience measures, maximum tolerable downtime (MTD), and the ability to deliver critical services under stress |
The old booklet’s Appendices C through J — which covered everything from pandemic planning to third-party oversight — were folded directly into the body of the booklet. That’s not reorganization for aesthetics. It means examiners now evaluate these topics as core BCM components, not supplementary considerations.
As the FFIEC’s November 2019 press release stated, the updated booklet helps examiners evaluate whether entities “have prepared their operations to avoid disruptions and recover services.” The emphasis is on avoiding disruptions — not just recovering from them.
The BCM Lifecycle: What the Booklet Covers
The FFIEC BCM booklet is organized around a lifecycle approach. Examiners evaluate each phase, and weaknesses in any one area can trigger findings. Here’s the full lifecycle:
1. BCM Governance
What the booklet expects: Board and senior management oversight of the BCM program. The board should approve the BCM policy, review testing results, and ensure adequate resources.
What examiners look for:
- A board-approved BCM policy with defined scope, roles, and responsibilities
- Regular board reporting on BCM program status, testing results, and identified gaps
- Designated BCM coordinator or team with clear authority
- BCM integrated into the institution’s enterprise risk management framework
Common finding: The board approved the BCP three years ago and hasn’t seen a testing report since. The BCM coordinator is also the BSA officer, IT manager, and facilities coordinator — with no dedicated time for continuity management.
Who owns this: At most community banks, BCM governance sits with the COO or a designated BCM Committee. At mid-size institutions, you’ll typically see a dedicated Business Continuity Manager or a resilience function within operational risk. Regardless of size, the board needs to see BCM reporting at least annually — and examiners will check the board minutes.
2. Business Impact Analysis (BIA)
What the booklet expects: Identification of critical business functions, dependencies (systems, vendors, people, data), and recovery objectives (RTO and RPO) for each.
What examiners look for:
- BIA covers all critical business lines and supporting functions
- Each critical function has defined RTO, RPO, and maximum tolerable downtime (MTD)
- Dependencies mapped: technology systems, key personnel, third-party providers, data feeds, facilities
- BIA updated within the last 12 months (or after significant changes)
- Financial and operational impact quantified for different disruption durations
Common finding: The BIA lists “core banking system” and “email” as critical systems but doesn’t map upstream and downstream dependencies. The RTO is listed as “4 hours” for everything — no differentiation by criticality tier, no explanation of how that number was derived, and no validation that the DR environment can actually achieve 4 hours.
The MTD concept is important here. The 2019 booklet defines maximum tolerable downtime as “the total amount of time the system owner or authorizing official is willing to accept for a business process disruption, including all impact considerations.” This aligns with the Bank of England’s “impact tolerance” concept in operational resilience — and signals where U.S. regulators are heading.
For a detailed walkthrough on building a BIA, see our guide: How to Conduct a Business Impact Analysis.
3. Risk Assessment
What the booklet expects: Identification and assessment of threats that could disrupt critical business functions. The BCM risk assessment should consider the likelihood, velocity (speed of onset), and impact of different threat categories.
What examiners look for:
- Comprehensive threat identification: natural disasters, cyberattacks, pandemics, utility failures, third-party failures, key-person dependencies
- Risk assessment methodology that evaluates likelihood and impact
- Consideration of threat velocity — a ransomware attack hits differently than a hurricane because there’s no lead time
- Geographic concentration risk (are your primary and backup sites in the same flood zone?)
- Risk assessment updated to reflect the current threat landscape
Common finding: The risk assessment was written in 2018 and still lists “Y2K” as a threat category but doesn’t mention ransomware, supply chain attacks, or cloud provider outages. The likelihood ratings haven’t been recalibrated since COVID-19 demonstrated that “unlikely” scenarios actually happen.
4. Business Continuity Strategies and Plans
What the booklet expects: Documented strategies for maintaining and recovering critical business functions, including a Business Continuity Plan (BCP), Disaster Recovery Plan (DRP), and Crisis Management Plan.
What examiners look for:
- Recovery strategies aligned with BIA-defined RTO/RPO targets
- BCP that includes communication protocols, alternate processing procedures, and resource requirements
- DRP with system-level recovery procedures, backup strategies, and failover architecture
- Crisis communication plan covering all stakeholder groups: customers, regulators, employees, partners
- Plans that are version-controlled, accessible during a disruption, and not stored exclusively on the systems they’re supposed to recover
Common finding: The BCP is 90 pages of copy-pasted policy language with no operational procedures. When asked “what does the wire transfer team actually do on day one of a disruption?” nobody can answer without reading the whole document. The DRP references server names that were decommissioned two years ago.
For more on the BCP vs. DRP distinction, see: Business Continuity vs. Disaster Recovery: What’s the Difference.
5. Training, Exercises, and Testing
What the booklet expects: Regular testing that validates recovery capabilities and identifies gaps. The booklet describes escalating test types based on organizational maturity.
| Test Type | Effort | Realism | Best For |
|---|---|---|---|
| Checklist review | Low | Low | Validating plan completeness |
| Walkthrough/tabletop | Low-Medium | Medium | Identifying gaps in procedures and decision-making |
| Simulation | Medium-High | High | Testing coordination across teams and functions |
| Full-scale exercise | High | Very High | Validating end-to-end recovery capabilities |
What examiners look for:
- Documented testing program with a defined annual cadence
- Tests that exercise actual recovery procedures — not just “we discussed the plan in a meeting”
- Testing results documented with identified gaps and remediation action plans
- Evidence that gaps found in testing were actually fixed before the next test cycle
- Third-party service providers included in testing where they support critical functions
- Board or senior management receives testing results and gap analysis
Common finding: The institution ran a tabletop exercise 18 months ago. The exercise identified 12 gaps. Three have been remediated. Nobody tracked the other nine. The next exercise is “planned for Q3” — but Q3 was two quarters ago.
6. Third-Party Resilience
This is where the 2019 revision made the biggest structural change. In the old booklet, third-party considerations lived in Appendix J (“Strengthening the Resilience of Outsourced Technology Services”). Now they’re integrated throughout every section.
What examiners look for:
- Critical third-party providers identified and mapped to the BIA
- Third-party BCPs reviewed during due diligence and ongoing monitoring
- Contractual requirements for RTO commitments, testing evidence, incident notification timeframes
- Evidence that the institution has participated in or reviewed third-party BCP tests
- Concentration risk assessed — what happens if one provider supports multiple critical functions?
- Substitutability analysis — how quickly can you switch to an alternate provider?
Common finding: The institution relies on a single core processor for deposit operations, lending, and GL — but has never reviewed the vendor’s BCP test results. The contract requires “commercially reasonable” recovery efforts but doesn’t define specific RTO or notification commitments. When asked about the vendor’s backup strategy, the relationship manager says “they told us they have one.”
This matters more than ever. Acting Comptroller Michael Hsu stated in 2024 that the OCC is “exploring baseline operational resilience requirements for large banks with critical operations, including third-party service providers.” The direction is clear: your vendor’s resilience is your resilience.
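As an added example (not from the booklet or this article), the following Python script runs the BIA and third-party checks described in sections 2 and 6 over a constructed BIA register: RTO against MTD, undifferentiated RTOs, unmapped dependencies, unvalidated DR assumptions, and a single provider supporting several critical functions. The register entries, field names, and the vendor name "CoreCo" are assumptions.

```python
from collections import defaultdict

# Constructed sample BIA register (hypothetical functions, times in hours).
# "CoreCo" is an assumed core processor name, not a real vendor.
BIA = [
    {"function": "Wire transfers", "tier": 1, "rto_h": 4, "rpo_h": 1, "mtd_h": 8,
     "dependencies": ["core banking", "CoreCo", "wire team"], "dr_validated": True},
    {"function": "Deposit operations", "tier": 1, "rto_h": 4, "rpo_h": 1, "mtd_h": 24,
     "dependencies": ["core banking", "CoreCo"], "dr_validated": False},
    {"function": "Lending", "tier": 2, "rto_h": 4, "rpo_h": 4, "mtd_h": 72,
     "dependencies": ["CoreCo"], "dr_validated": True},
    {"function": "General ledger", "tier": 2, "rto_h": 48, "rpo_h": 24, "mtd_h": 24,
     "dependencies": [], "dr_validated": False},
]


def check_bia(register):
    """Return (function, finding) tuples for the gaps examiners commonly write up."""
    findings = []
    for e in register:
        f = e["function"]
        # Recovery objective must fit inside the business-defined tolerance.
        if e["rto_h"] > e["mtd_h"]:
            findings.append((f, f"RTO {e['rto_h']}h exceeds MTD {e['mtd_h']}h"))
        # Dependencies (systems, vendors, people) must be mapped, not just named.
        if not e["dependencies"]:
            findings.append((f, "no dependencies mapped"))
        # An RTO is only a target until the DR environment has demonstrated it.
        if not e["dr_validated"]:
            findings.append((f, "RTO not validated against DR environment"))
    # "4 hours for everything" with no differentiation by criticality tier.
    rtos = {e["rto_h"] for e in register}
    if len(register) > 1 and len(rtos) == 1:
        findings.append(("*", f"every function has RTO {rtos.pop()}h; no differentiation by tier"))
    return findings


def vendor_concentration(register, threshold=2):
    """Map each dependency to the critical functions it supports and return
    those supporting at least `threshold` functions (concentration risk)."""
    by_dep = defaultdict(list)
    for e in register:
        for d in e["dependencies"]:
            by_dep[d].append(e["function"])
    return {d: fns for d, fns in by_dep.items() if len(fns) >= threshold}


if __name__ == "__main__":
    for fn, msg in check_bia(BIA):
        print(f"{fn}: {msg}")
    for dep, fns in vendor_concentration(BIA).items():
        print(f"concentration: {dep} supports {', '.join(fns)}")
```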
What Examiners Look For: The Examination Procedures
The BCM booklet includes Appendix A: Examination Procedures — a detailed checklist examiners use during IT examinations. The key examination objectives include:
- Governance adequacy — Does the board oversee BCM? Is there a designated BCM function?
- BIA completeness — Are critical functions identified with recovery objectives and dependencies?
- Risk assessment currency — Is the risk assessment current and comprehensive?
- Plan adequacy — Do plans contain actionable procedures aligned to recovery objectives?
- Testing effectiveness — Has testing validated recovery capabilities? Were gaps remediated?
- Third-party oversight — Are critical vendor BCPs reviewed, tested, and contractually enforceable?
- Version control — Are BCM documents maintained with appropriate version control and change tracking?
Examiners verify that “management documents, tracks, and resolves any changes when updating the BCP and the exercise and testing program(s)” and that “management maintains appropriate version control of key BCM documents.”
The Operational Resilience Shift: Where This Is Heading
The 2019 BCM booklet was a bridge between traditional business continuity planning and the emerging operational resilience framework. Here’s why that matters for how you build your program today.
In October 2020, the Fed, OCC, and FDIC jointly issued SR 20-24: “Sound Practices to Strengthen Operational Resilience” — an interagency paper targeting large, complex firms. While technically guidance (not a rule), it signals the direction for all supervised institutions. The paper integrates concepts from operational risk management, business continuity management, third-party risk management, cybersecurity, and recovery planning into a unified resilience framework.
The OCC has since signaled it’s developing formal operational resilience requirements. In 2024, Acting Comptroller Hsu outlined five baseline requirements the OCC is exploring:
- Clear definitions for identifying critical activities and core business lines
- Defined tolerances for disruption (impact tolerances)
- Required testing and validation of resilience capabilities
- Third-party risk management expectations integrated with resilience
- Clear communication expectations among stakeholders
If this sounds like an evolution of the FFIEC BCM booklet — it is. Institutions that build strong BCM programs today are building the foundation for whatever operational resilience requirements come next.
90-Day Exam Prep Roadmap
If you have an IT exam coming up and your BCM program needs work, here’s a realistic timeline:
Days 1–30: Foundation
| Deliverable | Owner | Notes |
|---|---|---|
| Update or create BIA for all critical functions | BCM Coordinator + Business Line Managers | Include RTO, RPO, MTD, and dependency mapping |
| Update risk assessment with current threats | BCM Coordinator + IT/InfoSec | Add ransomware, cloud outage, supply chain scenarios |
| Review and update BCM policy | BCM Committee | Ensure board approval and documented governance structure |
| Inventory critical third-party providers | BCM Coordinator + Vendor Manager | Map to BIA critical functions |
Days 31–60: Plans and Procedures
| Deliverable | Owner | Notes |
|---|---|---|
| Update BCP with actionable recovery procedures | BCM Coordinator + Department Heads | Each critical function needs step-by-step procedures, not policy language |
| Update DRP with current system inventory | IT/DR Team | Validate server names, configurations, backup schedules |
| Update crisis communication plan | BCM Coordinator + Communications | Templates for customers, regulators, employees, partners |
| Request and review critical vendor BCP test results | Vendor Manager | Document review findings; flag vendors without evidence |
Days 61–90: Test and Document
| Deliverable | Owner | Notes |
|---|---|---|
| Conduct tabletop exercise (minimum) | BCM Coordinator as facilitator | Use a realistic scenario; document findings |
| Create gap remediation tracker | BCM Coordinator | Track every finding with owner, due date, and status |
| Prepare board reporting package | BCM Coordinator | Testing results, gap summary, remediation timeline |
| Compile exam-ready BCM documentation binder | BCM Coordinator | Policy, BIA, risk assessment, plans, testing evidence, vendor reviews |
So What?
The FFIEC BCM booklet isn’t just another regulatory document to check off. It’s the framework examiners use to determine whether your institution can actually deliver critical services when something goes wrong — whether that’s a ransomware attack, a vendor outage, or the next event nobody predicted.
The shift from “planning” to “management” isn’t semantic. It means examiners expect evidence of an active, tested, governed program — not a document.
The Citibank consent order in October 2020 — which included a $400 million civil money penalty from the OCC for risk management, data governance, and internal control failures — showed what happens when governance and risk management programs exist on paper but not in practice. And in July 2024, the OCC assessed an additional $75 million penalty against Citibank for violating the original 2020 order. The message is clear: regulators don’t just want to see the plan — they’ll come back to verify you executed it.
Across the Atlantic, TSB Bank learned the same lesson the hard way. In December 2022, the FCA and PRA fined TSB £48.65 million for operational risk management and governance failures related to a botched IT migration that locked 1.9 million customers out of their accounts for weeks. The total cost to TSB exceeded £330 million. The core failure wasn’t technical — it was inadequate testing, poor governance of outsourced technology services, and insufficient resilience planning. Every one of those failures maps directly to BCM booklet requirements.
Build the program now. Test it. Govern it. The exam is coming — and increasingly, so is the regulation that turns guidance into rules.
Need a head start? The Business Continuity & Disaster Recovery Kit includes BIA templates, BCP/DRP frameworks, crisis communication templates, a tabletop exercise facilitator guide, and an RTO/RPO worksheet — all designed against FFIEC BCM requirements. Skip the blank page.
FAQ
What is the difference between the FFIEC BCP booklet and the BCM booklet?
They’re the same booklet — the FFIEC renamed it in November 2019. The “Business Continuity Planning” booklet (last updated February 2015) was replaced by the “Business Continuity Management” booklet. The name change reflects a shift from one-time planning to ongoing program management, with added emphasis on operational resilience, third-party oversight integrated throughout (rather than in appendices), and alignment with NIST and ISO frameworks.
How often should a bank update its Business Impact Analysis under FFIEC guidance?
The FFIEC BCM booklet doesn’t specify an exact frequency, but examiners expect the BIA to be current — meaning updated at least annually or whenever there are significant changes to business operations, technology, key personnel, or third-party relationships. If you underwent a core conversion, added a new business line, or changed critical vendors in the past year, your BIA should reflect those changes.
Does the FFIEC BCM booklet apply to credit unions and fintechs?
The FFIEC BCM booklet directly applies to institutions supervised by FFIEC member agencies: the OCC, FDIC, Federal Reserve, NCUA, and state banking regulators. This includes banks, savings associations, credit unions, and their technology service providers. Fintechs that partner with banks may be subject to BCM expectations indirectly — through their bank partner’s third-party risk management program and contractual requirements.
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.