Jackie Marshall, SVP, IT Regulatory Compliance
In light of recent catastrophic events, many lessons have been learned by financial institutions about reacting to a disaster and resuming business operations. Planning is critical to disaster recovery because the primary objective is to avoid problems before they occur. Community financial institutions can feel especially challenged without the staff and resources of a larger institution.
When pressed on the status of their DR/BCP, most community bankers respond with comments similar to “we have a basic plan, but are in the process of updating it”. Unfortunately, this “process” can take years. Federal and state examiners’ lenient stance on DR/BCP scrutiny is changing. We are now seeing more detail reflected in exam recommendations that emphasize a proactive approach to DR planning with a strong emphasis on testing. An excerpt from a recent write-up for a community bank revealed the following:
This DR Plan does not appear to have been tested. During the time between when the policy was approved and the examination date there have been significant changes to the institution’s technological infrastructure and management. As such, the current DR/BCP would likely provide only limited guidance during a recovery event.
This information indicates that a plan on paper is no guarantee of a great plan in action – a recovery plan is only as good as the results of coordinated tests. A good first step is to evaluate your institution’s current plan for the components outlined in sections IX and X of the FFIEC Statement of Policy SP-5 “Interagency Policy on Contingency Planning for Financial Institutions”. Specifically, the Board and Senior Management are required to:
- Establish criteria for testing and maintenance of plans.
- Determine conditions and frequency for testing.
  - Batch systems
  - On-line networks
  - Communication networks
  - User operations
  - End user systems
- Address data security objectives during the testing process.
- Evaluate results of tests.
- Establish procedures to revise and maintain the plan.
- Provide training for personnel involved with the plan’s execution.
The key to successful business recovery is what happens long before a disaster strikes. With a realistic recovery plan, properly tested and committed to by senior management, financial institutions can effectively maintain operations while providing for the safety of people and assets.
For more information on effective disaster recovery planning, see a recent article published on the FDIC’s website: http://www.fdic.gov/regulations/resources/lessons/index.html.