FFIEC Risk and Relationship Series: Addressing Business Continuity Requirements


In this session, we will explore the changing focus of Business Continuity Management (BCM), and the governance structures and processes required in financial services. We will take a look at the transformation of risk management processes in a modern financial enterprise and explore an Application Relationship Management demonstration taking us through risk assessments by identifying critical business functions, interdependencies and assessing impact. 

Watch the webinar to learn more and view the full demonstration, or read the excerpt below.

Watch the full webinar to learn more: 


Addressing Business Continuity Requirements

BCM and Cyber Security are closely related. Not only is Cyber Resilience (the ability to withstand cyber attacks) a core component of BCM, but the same tools and techniques can be applied to both preventing successful cyber attacks and planning for other Business Continuity challenges such as the Business Impact Analysis (BIA). When it comes to building resilience, the ability to understand your business functions, and manage them proactively on a continuous basis is paramount. As a wise man once said “you can’t protect what you can’t see”.

In recent years, the speed of IT transformation, cloud operational models, and business velocity have required us to look at business continuity differently. However, the move away from the static, manual approach to planning  a continuous process is only truly possible with technologies that can continuously monitor and assess your application deployments. In other words, technologies that provide “the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions” are critical. 

In this first session on BCM we will be focusing heavily on 2 key areas of the Business Impact analysis (BIA):

Identification of Critical Business Functions

Organizations are first required to identify their Critical Business functions. Those critical business functions now include systematically, institutionally and societally important functions (such as providing an ATM service to a community). In order to achieve this, you must understand and inventory the components that provide these functions in order to understand their risks and ensure that the necessary operational measures and controls are applied. In a world where applications and infrastructure are often changing, we will explore a system that continuously provides the following capabilities:

  • Identify applications
  • Produce DFDs
  • Analyze components and their properties
  • Understand where components or risk changes

Interdependency Analysis

 Historically, Business Continuity practices have focused on critical business functions and applications. Planning and testing has revolved around single applications. However, in the real world, organizations have found that while the primary application might recover itself, the applications and services upon which it is dependent fail to do so when a failure occurs. In fact, we have found that many interdependencies are not well understood, forming organically over the years in increasingly interconnected API and service-driven architectures. The huge risk of interdependency failure has been recognized as a priority within modern Business Impact Analysis (BIA) requirements and we will explore a system that continuously provides the following capabilities:

  • Identify dependencies
  • Produce DFDs with interdependencies
  • Be alerted immediately that dependencies change
  • Assess RTO and RPO risk
  • Identify SPOFs
  • Assess infrastructure dependency risk (for example, a Datacenter)

In the next session, Business Continuity Management: Part Two, we will continue the discussion with impact assessments, implementation guidance including resilience and communications for business continuity strategies, and the plan for preparing for events.

To learn more about the changing focus of BCM, Governance and Risk Management Assessments, view the full session on demand here.

The Risk and Relationship Series Agenda

Over the coming weeks, we will step through several aspects of the FFIEC’s requirements, and also explore their global counterpart’s views. This series will also include topic-relevant demonstrations of a continuous data-driven approach solution called Continuous Application Relationship Management (CARM), using the vArmour Application Controller. 

The series topics are as follows:

  1. FFIEC IT Risk Management
  2. Business Continuity Management: Governance & Risk Management
  3. Business Continuity Management: Assessing Impact
  4. Assessing Cyber Risk with the Cyber Assessment Tool (CAT)
  5. Controls – Network Controls and How to Build Dynamic Inventory
  6. Controls – Change Management, Assurance and Testing
  7. Controls – Remote Access
  8. Controls – Cloud Computing
  9. Security in a Cloud Computing Environment

If there are any aspects of Operational or Cyber Resilience you would like to see covered in this series, please get in touch with me at vcomm@varmour.com.


Read More
April 2, 2024
What the Financial Services and Markets Act means for Technology Resilience
Read More
December 13, 2023
Decoding DORA ICT Risk Management Requirements: Step 3 - Executing Business Impact Analysis and Risk Assessments
Read More
December 6, 2023
Decoding DORA ICT Risk Management Requirements: Step 2 - Mapping your Business Functions and their Dependencies

Timothy Eades

Chief Executive Officer