Learn how FFIEC’s Appendix J relates to your vendor risk management program, the four key elements of business continuity planning that you should address when contracting with a third party service provider, and our recommendations to best incorporate Appendix J into your vendor risk management program.
Hello everyone and thank you for joining me today for our Third Party Thursday podcast. I’m Lisa-Mae Hill, an Information Security Specialist here at Venminder. Today’s topic is a quick dive into FFIEC’s Appendix J and how it relates to your vendor risk management program.
First, let's understand what Appendix J is. Appendix J was released by the FFIEC in 2015 as a revision to the Business Continuity Planning Booklet, which is part of the FFIEC Information Technology Examination Handbook. The overall purpose of Appendix J is to strengthen the resilience of outsourced technology services.
So how does this all relate to your vendor risk management program? Well, the Appendix J guidance states:
“as part of its due diligence, a financial institution should assess the effectiveness of a third party service provider’s business continuity program, with particular emphasis on recovery capabilities and capacity. Furthermore, the financial institution should review the third party service provider’s BCP program and its alignment with the financial institution’s own program, including an evaluation of the third party service provider’s BCP testing strategy and results to ensure they meet the financial institution’s requirements and promote resilience.”
So, in other words, it's your job to make sure your vendors have a strong resiliency plan that works for you and your vendors.
Appendix J provides insight around four key elements of business continuity planning that you should address when contracting with a third party service provider. This is to ensure the relationship is strengthening the resilience of technology services. These include:
Here are our recommendations to best incorporate Appendix J into your vendor management program:
I hope you found this podcast helpful. Again, I’m Lisa-Mae Hill at Venminder. If you haven’t already done so, please subscribe to our Third Party Thursday series.