Disaster Recovery Planning: What You Don’t Know Can Hurt You
Disaster recovery is a crucial business continuity area that all financial institutions must prepare for, no matter the size of the organization or location. Each year, the U.S. gets hit with multiple tornadoes, hurricanes and other storms that produce damaging winds, rain and flooding. As of July 9th, there were already six weather and climate disaster events with losses exceeding $1 billion each across the United States, according to the National Centers for Environmental Information (NCEI). The costs of these events varied, including physical damage to commercial buildings; time element losses like business interruption; and disaster restoration expenses. In addition, many areas of the Southeast are currently preparing for Hurricane Dorian.
The overall impact of adverse weather can be particularly detrimental to community banks and credit unions that may have fewer disaster recovery resources at their disposal. This highlights the need for all financial institutions to be prepared for potential disasters—whether natural or manmade—so they can implement a smooth recovery. Here are some important aspects about disaster recovery planning that community banks and credit unions should consider:
- Implement Effective Strategies and Tactics
The disaster recovery plan provides detailed instructions to ensure all mission-critical functions can recover in the event of a business interruption. To facilitate effective disaster recovery, bank and credit union personnel must be able to implement specific activities that can restore an institution’s vital support systems after a disaster strikes. These include ensuring all backups are up to date and working; implementing uninterruptible power supplies for short-term outages; making sure the server room is secure and all sensitive documentation is protected; and ensuring all employees, vendors, and customers are aware of the proper communication protocols. Without these steps, the institution will not have the resources required to meet its operational needs, which could have a devastating effect on the entire organization.
- Prepare for All Disaster Situations
Disaster recovery often focuses on the prospect of restoring technology and communications after a hurricane, tornado, or other storm. However, disaster preparedness must extend beyond storms, earthquakes, fires, floods, and other natural calamities. Events like electric power outages, hardware failures, security breaches, and human error can also be catastrophic. There are also mundane reasons for needing disaster recovery: A backhoe inadvertently wipes out the internet connection or a water line leak knocks out the server. Not planning broadly enough can cause institutions to miss covering all the bases when the time comes to implement the disaster recovery plan.
- Know What’s at Stake
Disaster recovery planning goes well beyond minimizing the loss of hardware, applications or data. It’s a matter of losing time, money, clients and, in some cases, business opportunities or reputation. To minimize downtime and ensure critical business functions recover quickly, it is important to determine the specific Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for both the financial institution and all third-party vendors the institution relies on for critical business functions. The RTO is the amount of time an application can afford to be down without causing significant damage to the business, and the RPO is the allowable data loss. The longer a financial institution’s system is down, the more it will suffer, so defining the RTOs and RPOs is an important step to ensure the institution can be up and running in a timely manner.
- Test the Plan
Having a plan on paper is one thing; having a plan that works is another. Financial institutions must test their disaster recovery plan to determine what could go wrong and adjust accordingly. Not knowing if a plan works—until an actual disaster occurs—can be extremely risky. If the plan proves to be insufficient during a real-life scenario, the institution could experience undue damage and expense. Hence, the need for regular testing. The frequency of testing will depend on the size and type of financial institution. Smaller banks and credit unions should test at least once a year; larger institutions or those with a more fluid environment should test more often.
- Update the Plan as Needed
As a part of the overall business continuity planning process, it’s essential for institutions to review and revise their disaster recovery plan to make sure it supports their current technological environment, business needs, and objectives. Updates to the plan should be done whenever an important element (internal or external) in the institution changes. To streamline this process, disaster recovery should be integrated into all business decisions and responsibility should be clearly outlined for each update and area. The importance of the disaster recovery plan should be communicated to the entire organization, which includes the board, senior management, and other stakeholders. The more frequently a disaster recovery plan is updated and the better educated the entire organization is on the plan, the more reliable and useful it will be when a problem arises.
It’s important to stay on top of all disaster recovery processes to make sure the entire financial institution is well-equipped to respond in the event of a disaster. The good news is community banks and credit unions do not have to be knowledgeable about every facet of disaster recovery planning to do this successfully. Instead of worrying about what they don’t know, they can capitalize on third-party recovery services that ensure they have the proper technology and support to recover quickly. Safe Systems, for example, offers a fully managed site recovery solution to support financial institutions of all sizes. Safe Systems’ experts can assist with disaster recovery planning, testing, and execution to safeguard institutions against the impact of a natural disaster and other threats.