Skip to content

The OGO Blog

What Does the FFIEC Say About New Technology Projects?


FFIEC IT Handbook – Development and Acquisition

“Planning without action is futile, action without planning is fatal.” – Anonymous.

Fatal – sounds harsh

you say? Considering today’s complex I.T.  infrastructures I think you’d agree that simply throwing something into your data center without a well-developed project plan not only lacks the type of due diligence expected of your members but also borders on negligence. If you don’t agree, then this post probably isn’t for you. If

however you understand the criticality of strong project skills and want to know how to strengthen your methods, the FFIEC Development and Acquisition booklet describes common project management activities and emphasizes the benefits of using well-structured project management techniques.  The good news is it doesn’t have to be rocket science!

FFIEC AuditOGO INTEL (Our experts weigh in!)

  • The FFIEC defines development and acquisition as “an organization’s ability to identify, acquire, install, and maintain appropriate information technology systems. The process includes the internal development of software applications or systems and the purchase of hardware, software, or services from third parties.” Notice the “AND” in that sentence. Regardless of whether you have a large development team or you rely on 3rd party vendors, the responsibility for mitigating the risks of a particular implementation remains on you!


  • All projects consist of three things – specifications, time and resources (time, money, etc.).  If you don’t have a PMP or otherwise trained project manager on staff, take the time to review the project plan components and build each section into your plan.
  • Don’t skip a section as each one works in conjunction with the others to deliver solid results.
  • Don’t let a project even begin without the plan. I’ve heard it often enough – “we’re too busy to write it down”. Then they’re too busy to have a new project!
  • You normally wouldn’t consider patch management as an acquisition activity but the FFIEC does. And while long written plans are not associated with this administrative function, well-developed procedures are! Key areas to focus on with patch management include testing, backup and back out procedures and assessing the risks of installation.
  • For those institutions with development in-house, the handbook is no substitute for professional expertise. Your staff should clearly understand and follow widely accepted development methodologies such as SDLC. In fact, your documentation requirements should as strict if not more strict than you’d require of a 3rd party vendor.



Credit Union Compliance and Credit Union Risk Management


WANT MORE INFO? Fill out this quick form: