BCP vs. DR: Key Differences Every Financial Institution Needs to Know
In the wake of a very active hurricane season last year and considering the current volcanic eruptions in Hawaii, financial institutions are well aware of the importance of disaster preparation and the need to be ready for the unexpected. If your financial institution were affected by a natural disaster and your systems went down, how long would it take to get your institution up and running again? Would your organization have the resources in place to restore critical systems quickly and efficiently?
Community banks and credit unions rely on their institution’s business continuity plans (BCP) to guide them through the strategies and protocols needed to minimize downtime and keep operations running smoothly. However, in times of crisis, it is equally important to have a comprehensive disaster recovery (DR) plan in place as well.
You might think, “I have a good Business Continuity Plan in place already, so why do I need a DR plan too?” Business continuity planning refers to strategies and protocols that enable a financial institution to operate during and immediately after a disaster. A bank’s business continuity plan has evolved to become the crucial blueprint for guiding a financial institution through the process of recovering from a business interruption. This plan outlines what needs to happen to ensure that key products and services continue to be delivered in case of a disaster.
On the other hand, disaster recovery refers to having the ability to restore critical data and applications that enable the financial institution to operate normally. The DR is designed to outline what needs to be done immediately after a disaster to begin to recover from the event.
So practically speaking, a BCP informs your business with the steps to be taken to ensure key products and services remain available to customers and members, while a DR outlines the specific steps to be taken to recover the institution’s required technology needs after a disaster. Both are vital to have for any financial institution and are designed to work in tandem. Essentially, the DR plan is a part of the bigger BCP.
There are some differences in how each are structured as well. The BCP consists of a business impact analysis, risk assessment and an overall business continuity strategy; while the DR plan includes evaluating all backups and ensuring any redundant equipment critical to recovery is up-to-date and working. While the plans work together, they can be seen as two separate concepts.
- BCP: A plan to continue business operations
- DR: A plan for accessing required technology and infrastructure after a disaster.
Once the plans are complete, organizations must test to verify the effectiveness, train staff on what to do in a real-life scenario, and identify areas where the plans need to be improved. These plans are different enough that they are often tested separately. A BCP test is often a “table-top test” where a potential disaster and outcome are used to ensure all employees know where to go and what to do. A DR test is usually a more hands on process, where all servers and communications are made unavailable, and the backup technologies are implemented to confirm the institution will be able to function as needed and expected in the correct amount of time or Recovery Time Objective (RTO). The plans should be tested at least once a year; the results of the tests should be thoroughly evaluated; and the plans should be revised based on the results. These are not static documents– the disaster recovery plan and BCP should be updated to meet changes in regulatory expectations as they occur to ensure compliance.
We understand that disaster recovery and business continuity planning are challenging for smaller community banks and credit unions that often lack the staff and resources of larger institutions. At Safe Systems, we have been working with banks and credit unions for more than 25 years to provide the services and assistance necessary to help our customers weather the storm. Our hope is that it isn’t needed, but should it be, our proven experience enables us to provide the services and assistance necessary to ensure our customers are prepared for a disaster and able to quickly recover from one.