Your Disaster Recovery Plan is at the heart of your business continuity efforts. Now is a great time to blow the dust off your existing plan and make sure it is fully ready to meet the demands of both your current operations and the current business environment. Don't rest on the fact that your IT department has told you they have backup plan upon backup plan. Even a fully effective IT Disaster Recovery Plan is only a means for keeping your computers functioning. What about the rest of your operations? Will you have a roof over your head, staff in place, and the ability to take deposits, make loans and allow access to your customers' finances?
You need to roll your sleeves up and continually revise your plan to make sure it anticipates the threats most likely to affect your operations and provides solutions to make certain those threats do not damage your operations or reputation. Such threats include fire, flooding, hurricane, tornado, sabotage, riots, power failure, fraud, theft, equipment failure, pandemic, and others.
One size does not fit all institutions. Some banks will find their most likely threats are small in scope but have a high probability of causing service disruptions. For example, such mundane issues as computer malfunctions, temporary telecommunications interruptions, delayed currency deliveries, or ATM malfunctions can cause serious issues within your operations. Some will find their biggest threats involve terrorism or location "issues" such as being located only within highly secure federal buildings. Either way, you need to be prepared.
Many plans overlook efficacy and communications in their strategies. Sequencing is vital to consider within your plans. There is a direct link between critical systems and providing vital financial services to customers. Once the critical systems are selected, they should be further prioritized to ensure systems are restored in the sequence of greatest priority and to address any interdependencies.
And never forget your customers. Effective communications should not be left to chance. Planning is key. A key lesson learned from previous disasters is that focusing on "communication" is essential to successfully prepare for and operate during disaster conditions.
Disaster Recovery Plans must also recognize the role of outside parties such as vendors, the government and regulators in working through a disaster. Ideally, within the first 24 hours following a disaster, all significant outside parties will be contacted, including your regulator. Does your plan include contact information and assign responsibility for such measures?
When was the last time you tested your plan? Your operations have probably changed dramatically over the last several years. From products to facilities and staff to business environment, you are not living in the same world you were 10 years ago. Best practices are to test disaster preparedness and response plans at least annually. This will help ensure the Disaster Recovery Plan adequately addresses all essential functions. Disaster drills should be created that realistically address threats to the bank and involve staff members from a cross-section of the institution. In the event that a third party is used to perform or facilitate tests, they must be knowledgeable in the institution's critical functions and disaster response goals. You should ensure your vendor agreements keep pace with changes in your asset size, complexity of services, and customer base. Tests should always be documented and work papers maintained to demonstrate that all critical functions and areas have been tested.
The plan should be treated as a "living document" to be updated as changes occur in systems, services, staffing, vendors, and physical locations. Updates should also be made for new and emerging threats (e.g., pandemic flu) and lessons learned from overcoming disasters. After your bank activates part of its plan, an evaluation should be made to document success and note items to improve. When was the last time you did this?
This session will cover:
- Recent Regulatory and Examination Guidance
- Lessons learned since Katrina
- Updated Threat Inventory and Analysis Techniques
- 5 Things You May Have Overlooked in your Current Plan
Who should attend?
This session is designed for executives, senior managers, branch managers, compliance staff, facilities staff, auditors, risk managers, IT and anyone involved in the business continuity and disaster recovery programs at their institution.
- Audit and Internal Controls
- Branches and Frontline
- Business Continuity
- Compliance Management and Auditing
- Operations Compliance
- Risk Management
Disaster Recovery Revisited: 5 Things You May Not Have Considered (for a while)
Questions and Answers