IT Examiner School - Oct 2025

CONTROLLED//FDIC INTERNAL ONLY

S&D Core Module Procedure 4 – Business Impact Analysis (BIA)

Determine whether adequate business impact analyses for all business functions and risk assessments have been completed. Consider the following:

• Input from all integral groups (e.g., business line management, risk management, IT, facilities management, and audit) and comprehensiveness of management’s review
• Identification of critical business functions and interdependencies across business units’ prioritization of processes, systems, and applications for recovery
• Analysis of reasonably foreseeable disruptive events, including:
  o natural events (e.g., fires, floods, severe weather)
  o technical events (e.g., communication or power failure)
  o malicious events (e.g., fraud, theft, cyber-attacks)
  o international events (e.g., political instability, economic disruptions)
  o low likelihood/high impact events (e.g., terrorist acts, pandemics)
• Reasonableness of key recovery metrics, such as allowable downtime for critical business functions, acceptable levels of data loss and backlogged transactions, recovery time objectives (RTOs), recovery point objectives (RPOs), and costs associated with downtime
• Inclusion of IT services provided by third-party service providers and vendors in the business impact analyses/risk assessments

S&D Core Module Procedure 5 – Business Continuity Plan (BCP)

Evaluate the adequacy of the business continuity plan. Consider the following:

• Authorities, responsibilities, and relocation strategies
• Communication protocols, event management, and business continuity
• Incident response, disaster recovery, and crisis (emergency) management
• Liquidity concerns before and after an adverse event
• Alternatives for payment systems, facilities and infrastructure, data center(s), and branch relocation during a disaster


S&D Core Module Procedure 6 – Backup Recovery

Determine whether the business continuity process includes appropriate recovery operations at the backup location. Consider the following:

• Remote access connectivity
• Geographic diversity between the backup site and the primary location
• Adequacy of backup site hardware, including capacity and compatibility
• Sufficient processing time for the anticipated workload based on emergency priorities


InTREx Abbreviated Core Examination Procedures Module July 29, 2025
