FFIEC Business Continuity Management Booklet: What Examiners Actually Check (And What Changed in 2026)
In February 2026, the FFIEC removed 'reputation risk' from the BCM booklet under Executive Order 14331. Here's what changed, what stayed, and a section-by-section breakdown of what examiners verify when they open Appendix A.
In February 2026, the Federal Financial Institutions Examination Council updated one of its most-referenced supervisory documents with a change that was quiet in word count and significant in implication: every reference to “reputation risk” was removed from the Business Continuity Management (BCM) booklet in the IT Examination Handbook.
The removal was required by Executive Order 14331, “Guaranteeing Fair Banking for All Americans,” issued August 7, 2025, which directed federal banking agencies to base supervisory decisions on neutral, measurable risk criteria. The FFIEC complied by scrubbing reputation risk from its examination procedures, including the BCM booklet’s impact analysis framework, which had previously listed reputational harm alongside financial and operational harm as a potential consequence of a business disruption.
The FFIEC noted the update creates no new requirements. What it does create is a good reason to open the BCM booklet — and for many practitioners, that’s worth doing regardless of the update.
TL;DR
- February 2026: FFIEC removed “reputation risk” from the BCM booklet under Executive Order 14331 — impact analysis should now quantify operational and financial harm, not cite reputational considerations.
- The BCM booklet (renamed from “Business Continuity Planning” in November 2019) governs how examiners assess governance, BIA, risk assessment, BCM strategy, BCP, testing, and board reporting.
- Appendix A contains the specific examination procedures — the closest thing to a pre-exam checklist examiners actually use.
- Examiners verify that RTOs, RPOs, and MTDs from the BIA are validated through actual testing — not just documented in a plan.
What Changed and Why It Matters Practically
Reputation risk wasn’t a major feature of the BCM booklet — it appeared primarily in the risk impact assessment section, where institutions were expected to consider reputational damage alongside financial and operational harms when evaluating the consequences of a prolonged business disruption.
Its removal has two practical implications for practitioners.
First, update your BIA impact categories. If your BIA uses reputation risk as an impact dimension — with a scoring tier for “moderate reputational harm” or “significant public perception risk” — revise it. Translate those concerns into quantified financial impacts: revenue lost per hour of downtime, regulatory penalty exposure from missed notification deadlines, and contractual SLA breach costs with key clients. The underlying concern remains legitimate; the framing needs to become measurable.
Second, don’t overreact. The FFIEC stated explicitly that the February 2026 update creates no new requirements and changes no examination standards. Institutions that had strong BCM programs before the update still have strong programs. The change affects how impact is framed in documentation, not whether you need a BIA, a BCP, or a tested recovery strategy.
Section-by-Section: What the FFIEC BCM Booklet Actually Requires
The BCM booklet is organized into nine sections with an appendix of examination procedures. Here is what each section covers and what examiners specifically assess.
I. Introduction and Scope
Sets the foundation: the booklet applies to FFIEC member agency supervised institutions and service providers. BCM is defined as the process to ensure the availability of critical financial services — covering operations, personnel, technology, and resources. The renamed framing (from “Business Continuity Planning” to “Business Continuity Management”) signals a shift toward ongoing, enterprise-integrated management rather than a plan-on-a-shelf.
II. BCM Governance
Examiners look for evidence that the board and senior management actively oversee the BCM program — not just that a program exists. Specifically:
- A board-approved BCM policy with defined scope and objectives
- Clear accountability: who owns the BCM program and who is responsible for specific components
- Integration with enterprise risk management (ERM), so BCM findings and gaps surface in the institution’s broader risk picture
- Evidence of board-level engagement — BCM is discussed at the board, not only in operational committees
Many programs fail governance review not because the structure doesn’t exist, but because the documentation trail from BCM activities back to board-level awareness is thin. Board meeting minutes are the examiner’s primary evidence source here.
III. Risk Management — BIA and Risk Assessment
This section is typically the most thoroughly examined component. It has two parts that feed each other: the BIA establishes what must be recovered and how fast, and the risk assessment establishes what is likely to disrupt it.
Business Impact Analysis (BIA):
The BIA must identify critical business functions, the resources they depend on, and the impact of disruption over time at varying recovery durations. Critically, the BIA must produce three specific outputs that examiners verify against actual test results:
- Recovery Point Objective (RPO): The maximum acceptable amount of data loss, expressed as time: how far before the disruption the most recent recoverable copy of the data may sit. In practice, how old your most recent usable backup or replica is allowed to be.
- Recovery Time Objective (RTO): The maximum time a system or process can be offline before the impact on business operations becomes unacceptable.
- Maximum Tolerable Downtime (MTD): The absolute outer limit on how long a business function can be unavailable before the consequences become unacceptable, considering regulatory, financial, and customer obligations. Each function’s RTO must sit inside its MTD; an RTO that equals or exceeds the MTD leaves no margin for a slow recovery.
The RTO-MTD relationship is where many institutions have a gap: RTOs are set without establishing the MTD boundary, which means RTOs can drift upward in practice without a hard constraint. Examiners who read the booklet closely will ask about MTD separately.
Risk Assessment:
The risk assessment identifies potential threats and scenarios — natural disasters, cyber incidents, infrastructure failures, workforce disruptions, third-party failures — and assesses their likelihood and potential impact on critical functions. The output feeds directly into BIA prioritization and BCM strategy selection. Examiners expect the risk assessment to have been updated after significant events or organizational changes, not just on an annual schedule.
IV. BCM Strategies
Examiners assess whether recovery strategies are:
- Evaluated for each critical function (not selected once and never revisited)
- Chosen based on cost, feasibility, and alignment with RTOs from the BIA
- Verified to actually work — “failover to hot site” is insufficient if the hot site hasn’t been tested at peak transaction volumes
Concentration risk is assessed here: single points of failure in critical processes, technology infrastructure, or third-party dependencies. An institution whose payment processing depends entirely on one cloud provider with no documented failover path for that specific service is a concentration risk finding waiting to happen.
V. Business Continuity Plan
The BCP is the documented response framework. Examiners verify it covers:
- Activation criteria: what triggers the plan, who makes the call, and what authority they have
- Roles and responsibilities during an incident, with named backups for all critical positions
- Communication procedures — internal escalation chains, customer notification, and regulatory notification sequences
- IT recovery and disaster recovery procedures with reference to system-specific RTOs and RPOs
- Alternate operating procedures for periods when technology is unavailable (manual workarounds)
- Third-party coordination: which critical vendors are expected to do what, on what timeline
The crisis communication plan is a component that should be embedded in or annexed to the BCP, covering customer communication, media response, and regulatory disclosure. Its absence from the BCP document is a common exam finding.
VI–VIII. Exercise, Testing, and Maintenance
This is where most programs have their largest and most consequential gaps.
The booklet requires that BCM testing validates the objectives established in the BIA — specifically, that the institution can actually recover within its stated RTOs and RPOs. Appendix A is direct about this: examiners check whether test plans address validating RPOs, RTOs, and MTDs, and whether systems can support critical business processes at peak volumes during a recovery scenario.
What examiners look for in testing per Appendix A:
- Does the test plan have stated objectives that align with BIA recovery targets?
- Are test results documented with pass/fail determinations, not just “exercise completed”?
- Are issues identified during testing tracked to remediation with responsible owners and due dates?
- Is there evidence of progression — more rigorous testing over time, not annual tabletops indefinitely?
The most common gap: institutions conduct tabletop exercises annually but haven’t run an actual DR failover in years — or ran one without verifying that the recovered environment could handle realistic transaction volumes. A tabletop that ends with “we think we could recover” is not validation.
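The two checks the preceding sections describe, that each BIA entry’s RTO sits inside its MTD, and that a DR exercise actually demonstrated recovery within the stated RTO and RPO at peak volume, are mechanical enough to script. The block below is an added illustration, not code from the FFIEC booklet or from the article’s author. The data classes, the function names, the sample objectives and test results, and the decision to flag an RTO equal to its MTD as a finding are all constructed assumptions for the example; the comparisons themselves are what the booklet asks examiners to verify.

```python
"""Validate BIA recovery objectives and DR test results against them.

Added illustration (not the FFIEC's or the article's own code). The
data classes, sample data and the "no margin" warning are constructed
assumptions; the RTO-vs-MTD and test-vs-objective comparisons are the
point.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Objectives:
    """Recovery objectives the BIA assigns to one critical function (minutes)."""
    function: str
    rpo: int        # max acceptable data loss, as age of last recoverable data
    rto: int        # max time the function may be down before impact is unacceptable
    mtd: int        # hard outer limit; the RTO must sit inside it
    peak_tps: int   # peak transaction rate the recovered environment must sustain


@dataclass(frozen=True)
class TestResult:
    """What a DR exercise actually measured for one function."""
    function: str
    recovered_in: int        # minutes from declaration to service restored
    data_loss_window: int    # minutes of transactions that were not recoverable
    tested_tps: int          # load driven through the recovered environment
    completed: bool = True   # False for tabletops or aborted failovers


def check_objectives(obj: Objectives) -> List[str]:
    """Internal-consistency findings for one function's BIA entry."""
    findings = []
    if obj.rpo < 0:
        findings.append("RPO not set")          # zero is valid: no data loss tolerated
    for name, value in (("RTO", obj.rto), ("MTD", obj.mtd)):
        if value <= 0:
            findings.append(f"{name} not set")
    if obj.mtd > 0 and obj.rto > obj.mtd:
        findings.append(f"RTO {obj.rto} min exceeds MTD {obj.mtd} min")
    elif obj.mtd > 0 and obj.rto == obj.mtd:
        # Assumed policy for this example: an RTO sitting exactly at the MTD
        # leaves no margin for a slow recovery, so it is flagged for review.
        findings.append("RTO equals MTD; no recovery margin")
    return findings


def validate_test(obj: Objectives, result: Optional[TestResult]) -> Tuple[str, List[str]]:
    """PASS / FAIL / NOT_VALIDATED, with the reasons an issue log would record."""
    if result is None:
        return "NOT_VALIDATED", ["no test on record"]
    if not result.completed:
        return "NOT_VALIDATED", ["exercise did not complete a recovery"]
    reasons = []
    if result.recovered_in > obj.rto:
        reasons.append(f"recovered in {result.recovered_in} min, RTO is {obj.rto} min")
    if result.data_loss_window > obj.rpo:
        reasons.append(f"lost {result.data_loss_window} min of data, RPO is {obj.rpo} min")
    if result.tested_tps < obj.peak_tps:
        reasons.append(f"tested at {result.tested_tps} tps, peak is {obj.peak_tps} tps")
    return ("FAIL" if reasons else "PASS"), reasons


def evaluate(objectives: List[Objectives], results: List[TestResult]) -> Dict[str, dict]:
    """Per-function report: BIA findings plus test status and reasons."""
    by_function = {r.function: r for r in results}
    report = {}
    for obj in objectives:
        status, reasons = validate_test(obj, by_function.get(obj.function))
        report[obj.function] = {
            "bia_findings": check_objectives(obj),
            "status": status,
            "reasons": reasons,
        }
    return report


# Constructed sample data for the example, not from any real institution.
SAMPLE_OBJECTIVES = [
    Objectives("core_banking", rpo=15, rto=240, mtd=480, peak_tps=900),
    Objectives("wire_payments", rpo=0, rto=120, mtd=120, peak_tps=50),
    Objectives("online_banking", rpo=60, rto=480, mtd=240, peak_tps=1200),
]
SAMPLE_RESULTS = [
    TestResult("core_banking", recovered_in=210, data_loss_window=10, tested_tps=950),
    TestResult("wire_payments", recovered_in=95, data_loss_window=4, tested_tps=20),
    # online_banking only had a tabletop this cycle: nothing was actually recovered
    TestResult("online_banking", recovered_in=0, data_loss_window=0, tested_tps=0,
               completed=False),
]

if __name__ == "__main__":
    for fn, row in evaluate(SAMPLE_OBJECTIVES, SAMPLE_RESULTS).items():
        detail = "; ".join(row["bia_findings"] + row["reasons"])
        print(f"{fn:16} {row['status']:14} {detail}")
```

On the sample data, `core_banking` passes outright; `wire_payments` recovered inside its RTO but fails because the test lost four minutes of data against a zero RPO and was driven at well under peak volume, and its BIA entry is flagged because the RTO equals the MTD; `online_banking` is flagged for an RTO larger than its MTD and is marked `NOT_VALIDATED`, because a tabletop is not a recovery. The third case is the “we think we could recover” outcome from the paragraph above, expressed as a status an issue log can track.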
Maintenance requirements:
The BIA, risk assessment, and BCP must be reviewed and updated at minimum annually and after significant changes to business processes, technology, or organizational structure. “After significant changes” is not defined with precision, but examiners will ask whether a major product launch, a core banking system migration, a significant acquisition, or a key third-party relationship change triggered a documented BCM review. Document the trigger and the review outcome — not just the annual update date.
IX. Board Reporting
The FFIEC BCM booklet is specific about board reporting content. Written presentations to the board must include:
- The BIA (summary level, not the full document)
- The risk assessment
- The BCP
- Exercise and test results
- Identified issues and remediation status
An examiner will ask to see board meeting minutes evidencing this presentation occurred. A BCM status update buried in a committee report that never reached the full board does not satisfy this requirement. The board presentation must be substantive enough to demonstrate that the board understands the institution’s BCM posture and any material gaps.
What the 2026 Update Changes in Your Documentation
Based on the February 2026 update, review three specific areas:
BIA impact scoring tables: Remove reputation risk as an impact category or dimension. Replace it with quantified financial metrics: revenue per hour of downtime for each critical function, regulatory penalty exposure for notification deadline failures, and contractual breach exposure with material clients. These are defensible, auditable, and measurable. Reputational concerns are real — they just need to be expressed as financial consequences.
Crisis communication plan language: The removal of reputation risk affects the examination framework, not the underlying obligations to communicate with customers and regulators during an incident. Your crisis communication plan should still cover customer notification timelines (Reg S-P for SEC-registered firms, the GLBA interagency response-program guidance for banks, and state breach laws), regulatory notification protocols (the interagency Computer-Security Incident Notification Rule’s 36-hour deadline, and CIRCIA reporting once its final rule is in effect), and media response procedures. The change is in how examiners score your BCM documentation, not in whether you need the plan.
Program narrative and policy: Review your BCM policy and program description for any language that cites reputation risk as a primary driver or objective of the BCM program. Revising to focus on operational resilience, financial stability, and regulatory compliance alignment is straightforward and makes the program more defensible regardless of the examiner’s lens.
Appendix A: The Pre-Exam Checklist You Should Be Using
Appendix A of the BCM booklet contains the specific examination procedures. These are the questions examiners use when they evaluate your BCM program. Reading it is the most efficient BCM preparation available.
| Examiner Question (Appendix A) | Where Your Evidence Lives |
|---|---|
| Is there a board-approved BCM policy? | Policy document + board meeting minutes showing approval |
| Does the BIA identify critical functions with RTOs, RPOs, and MTDs? | Dated BIA document with documented methodology |
| Are recovery strategies documented for each critical function? | BCM strategy documentation, strategy selection rationale |
| Have recovery objectives been validated through testing? | Test results with scope, date, pass/fail, and volumes tested |
| Are test findings tracked to remediation with owners and due dates? | Issue log or remediation tracker tied to testing results |
| Was a BCM presentation made to the board in the last 12 months? | Board meeting minutes with agenda item and discussion |
| Is the BIA reviewed and updated annually and after significant changes? | BIA revision history with dated review annotations |
| Are staff with BCM responsibilities adequately trained? | Training records, exercise participation logs |
So What?
The February 2026 reputation risk update is a modest change to an important document. The underlying FFIEC BCM framework — BIA, risk assessment, strategy, plan, test, board report — has not changed. What changes is the expectation that impact assessments speak in the language of measurable financial and operational risk, not subjective reputational considerations.
For institutions whose BCM documentation hasn’t been touched since 2022 or 2023, the update is a useful reason to do a full review. The Appendix A examination procedures haven’t changed either, but many programs haven’t been assessed against them with fresh eyes in a while.
The Business Continuity & Disaster Recovery Kit includes BIA templates, BCP frameworks, DR testing protocols, and board presentation templates built to the FFIEC BCM booklet’s structure — pre-mapped to the Appendix A examination procedures so you can see exactly where each document satisfies which examiner requirement.
If the question you’re dreading is “can you show me your test results validating your RTOs,” start there.
Author
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.