FFIEC Risk and Relationship Series - Business Continuity Part 1

In this session, we will explore the changing focus of Business Continuity Management (BCM), and the governance structures and processes required in financial services. We will take a look at the transformation of risk management processes in a modern financial enterprise and explore a Continuous Application Relationship Management demonstration taking us through Risk Assessments by identifying critical business functions, interdependencies and assessing impact. 

Business Continuity Management and Cyber Security are closely related. Not only is Cyber Resilience (the ability to withstand cyber attacks) a core component of Business Continuity Management (BCM), but the same tools and techniques can be applied to both preventing successful cyber attacks and planning for other Business Continuity challenges such as the Business Impact Analysis (BIA). When it comes to building resilience, the ability to understand your business functions, and manage them proactively on a continuous basis is paramount. As a wise man once said “you can’t protect what you can’t see”.

In recent years, the speed of IT transformation, cloud operational models, and business velocity have required us to look at business continuity differently. However, the move away from static, manual planning towards a continuous process is only truly possible with technologies that can continuously monitor and assess your application deployments. In other words, technologies that provide “the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions” are critical.

In this first session on BCM we will be focusing heavily on two key areas of the Business Impact Analysis (BIA):

Identification of Critical Business Functions

Organizations are first required to identify their critical business functions. Those critical business functions now include systemically, institutionally and societally important functions (such as providing an ATM service to a community). In order to achieve this, you must understand and inventory the components that provide these functions, so that you can understand their risks and ensure that the necessary operational measures and controls are applied. In a world where applications and infrastructure are constantly changing, we will explore a system that continuously provides the following capabilities:

  • Identify applications
  • Produce DFDs
  • Analyse components and their properties
  • Understand where components or their risks change

Interdependency Analysis

Historically, Business Continuity practices have focused on critical business functions and applications. Planning and testing have revolved around single applications. However, in the real world, organizations have found that while the primary application might recover itself, the applications and services upon which it depends fail to do so when a failure occurs. In fact, we have found that many interdependencies are not well understood, having formed organically over the years in increasingly interconnected API and service-driven architectures. The huge risk of interdependency failure has been recognized as a priority within modern Business Impact Analysis (BIA) requirements, and we will explore a system that continuously provides the following capabilities:

  • Identify dependencies
  • Produce DFDs with interdependencies
  • Be alerted immediately that dependencies change
  • Assess RTO and RPO risk
  • Identify SPOFs
  • Assess infrastructure dependency risk (for example, a Datacenter)
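The two capability lists above describe one analysis: take an inventory of components and their dependencies, then derive the things the BIA asks for (the effective RTO/RPO of a critical function given its dependency chain, shared dependencies that are single points of failure, the blast radius of losing a datacenter, and a diff that fires when dependencies change). The following is an added example in Python, not code from the page or from vArmour's products; the inventory format, the sample components (ATM gateway, card authorisation, ledger), their RTO/RPO values and the site names are all constructed for illustration.

```python
"""Interdependency analysis over an application inventory (added example).

Assumptions (not from the page): the inventory is a dict of Component records
with stated RTO/RPO in hours, a hosting site, and a list of direct dependencies.
All sample data below is constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Component:
    name: str
    critical: bool          # critical business function (e.g. the ATM service)
    rto_hours: float        # stated recovery time objective
    rpo_hours: float        # stated recovery point objective
    site: str               # hosting location, e.g. a datacenter
    depends_on: list[str] = field(default_factory=list)


def inventory_of(*components):
    """Build an inventory keyed by component name."""
    return {c.name: c for c in components}


# Constructed sample inventory: an ATM service, its auth and ledger dependencies,
# and a mobile channel that shares the same ledger.
INVENTORY = inventory_of(
    Component("atm-gateway", True, 2.0, 0.25, "dc-east", ["card-auth", "core-ledger"]),
    Component("card-auth", False, 4.0, 1.0, "dc-east", ["hsm-service", "core-ledger"]),
    Component("core-ledger", True, 4.0, 0.5, "dc-east", ["ledger-db"]),
    Component("ledger-db", False, 8.0, 0.5, "dc-east"),
    Component("hsm-service", False, 1.0, 0.0, "dc-east"),
    Component("mobile-banking", True, 4.0, 1.0, "dc-west", ["core-ledger"]),
)


def transitive_deps(inv, name):
    """All components `name` depends on, directly or indirectly (cycle-safe)."""
    seen, stack = set(), list(inv[name].depends_on)
    while stack:
        dep = stack.pop()
        if dep in seen or dep not in inv:
            continue
        seen.add(dep)
        stack.extend(inv[dep].depends_on)
    return seen


def effective_objective(inv, name, attr):
    """Achievable RTO/RPO: a function recovers no faster, and loses no less
    data, than the worst component anywhere in its dependency chain."""
    chain = transitive_deps(inv, name) | {name}
    return max(getattr(inv[c], attr) for c in chain)


def objective_gaps(inv, attr):
    """Critical functions whose stated RTO/RPO cannot be met by their dependencies."""
    gaps = {}
    for c in inv.values():
        if not c.critical:
            continue
        stated, achievable = getattr(c, attr), effective_objective(inv, c.name, attr)
        if achievable > stated:
            gaps[c.name] = (stated, achievable)
    return gaps


def single_points_of_failure(inv, min_dependents=2):
    """Components that several critical functions share in their dependency chains."""
    dependents = {}
    for c in inv.values():
        if c.critical:
            for dep in transitive_deps(inv, c.name):
                dependents.setdefault(dep, set()).add(c.name)
    return {dep: fns for dep, fns in dependents.items() if len(fns) >= min_dependents}


def site_blast_radius(inv, site):
    """Critical functions that stop if `site` (e.g. a datacenter) is lost."""
    affected = set()
    for c in inv.values():
        if c.critical:
            chain = transitive_deps(inv, c.name) | {c.name}
            if any(inv[x].site == site for x in chain):
                affected.add(c.name)
    return affected


def dependency_changes(old, new):
    """Edges added/removed between two inventory snapshots: the trigger for an alert."""
    def edges(inv):
        return {(c.name, d) for c in inv.values() for d in c.depends_on}
    return {"added": edges(new) - edges(old), "removed": edges(old) - edges(new)}


if __name__ == "__main__":
    print("RTO gaps:", objective_gaps(INVENTORY, "rto_hours"))
    print("RPO gaps:", objective_gaps(INVENTORY, "rpo_hours"))
    print("SPOFs:", single_points_of_failure(INVENTORY))
    print("Lose dc-east ->", site_blast_radius(INVENTORY, "dc-east"))
```

On the constructed data the ATM gateway states a two-hour RTO but can only achieve eight hours because the ledger database behind it recovers in eight, and it states a 15-minute RPO while card authorisation can lose an hour of data; the ledger and its database turn up as shared dependencies of every critical function, and losing `dc-east` takes out the mobile channel even though it is hosted elsewhere. Those are exactly the findings a single-application recovery test would miss.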


In the next session, Business Continuity Management: Part Two, we will continue the discussion with impact assessments, implementation guidance including resilience and communications for business continuity strategies, and the plan for preparing for events.

To learn more about the changing focus of BCM, Governance and Risk Management Assessments, view the full session on demand here.

The Risk and Relationship Series Agenda

Over the coming weeks, we will step through several aspects of the FFIEC’s requirements, and also explore their global counterparts’ views. This series will also include topic-relevant demonstrations of a continuous, data-driven approach called Continuous Application Relationship Management (CARM), using the vArmour Application Controller.

The series topics are as follows:

  1. FFIEC IT Risk Management
  2. Business Continuity Management: Governance & Risk Management
  3. Business Continuity Management: Assessing Impact
  4. Controls – Inventory and Classification, Interconnectivity
  5. Controls – Network Controls and How to Build Dynamic Inventory
  6. Controls – Change Management, Assurance and Testing
  7. Controls – Remote Access
  8. Controls – Cloud Computing
  9. Security in a Cloud Computing Environment

If there are any aspects of Operational or Cyber Resilience you would like to see covered in this series, please get in touch with me.