On June 30, 2021, the FFIEC issued a new booklet in the FFIEC Information Technology Handbook (FFIEC IT Handbook) series entitled, “Architecture, Infrastructure, and Operations” (AIO). Great, you might say … translation, please?
The Federal Financial Institutions Examination Council (FFIEC) makes available a series of 11 booklets that comprise the IT Handbook. The AIO booklet replaces the former Operations booklet that was issued in 2004 and contains new guidance using a risk-based approach to the architecture, infrastructure, and operations of financial institutions, which have changed significantly over the last 17 years. The new booklet also:
There are 18 objectives listed in the examination procedures work program including (but not limited to):
Admittedly, I haven’t had the attention span to read the entire 164-page document myself. That said, it’s apparent to me that it’s all about governance, risk, and compliance. It’s about effective strategies for management to align IT with their business objectives. It’s about delineating roles and responsibilities. Wouldn’t you know, the first few sections of the FFIEC IT Handbook cover governance, responsibilities, and alignment.
Let’s take a look at the expectations.
They warn that inadequate handling of these guidelines could lead to increased risk in other areas of the financial institution such as credit, liquidity, operational, compliance, and reputation.
Where have we seen this before? Oh right, Business Continuity Management, which is an enterprise-wide activity – not just the IT Department’s sole responsibility. The AIO booklet reinforces that goal of including all stakeholders in the process and not assuming that the IT Department carries this burden on their backs alone.
They further define activities that management should take to provide proper oversight regarding validation, assessment of risks, continuous improvements, and integration between architecture, infrastructure, and operations.
Examples are provided of titles often used to assume responsibility for management functions and activities including roles such as Chief Information Officer (CIO) or Chief Technology Officer (CTO) and how you might choose to divvy up activities to maintain segregation of duties.
There is even an outline of the types of activities that can be delegated to operations personnel such as database administrators, systems analysts, network administrators, etc.
Section II continues to move forward through Policies, Standards, and Procedures; Internal Audit, Independent Reviews, and Certification Processes; Communication; and Board and Senior Management Reporting.
You likely have much of this outlined in your current policies, procedures, and job descriptions. But now is a good time to take stock and align with the expectations covered in this new booklet. First steps could include:
Remember, the booklets do not impose requirements on financial institutions. They are provided to describe principles and practices an examiner will review as they apply to your individual complexity and risk profile, which can only be determined by you, your management team, and your Board of Directors.
Appendix A, the examination procedures work program, outlines the minimum criteria of documents and items examiners will want to review. Reviewing this section first is a quick and effective way to hit key points of the guidance and prioritize those that need to be addressed.
You will find words like resilient, documentation, management, strategic, and business objective alignment; and confidentiality, integrity, and availability (The CIA Triad), with “risk assessment” at the heart of each component.
What is your plan to ensure you are meeting the new FFIEC IT Handbook expectations?