It's hard to imagine every possible situation that could cause a disaster affecting your operations, so planning for every contingency is unrealistic. If a disaster occurs, your environment will be chaotic with or without a plan. But having an organized disaster and business continuity plan in place ahead of time will prepare staff to work through the chaos with a smoother, more predictable response. Credit Union Times reiterates the need for disaster planning that is compliant with FFIEC guidelines by offering the following tips that we're sharing today.
Review Your Business Impact Analysis
Review your credit union’s Business Impact Analysis (BIA) to ensure it meets FFIEC guidelines:
- Maximum allowable downtimes for IT systems and business processes. FFIEC guidelines require credit unions to put each IT system and business process into one of five categories: critical, urgent, important, normal and nonessential. Each category has a maximum allowable downtime within which the credit union has to be able to recover each IT system or business process after a disaster has occurred. Critical processes must be recovered within minutes to hours, urgent processes must be recovered within 24 hours, important processes must be recovered within 72 hours, normal processes must be recovered within seven days and nonessential processes must be recovered within 30 days.
- Assess the potential impact of business disruptions that could occur as a result of disasters or outages. Proactively knowing the impact of business disruptions can help reduce the costs of recovery.
- List action steps required to recover critical IT systems and business processes. Following this process will allow you to determine the resources needed for recovery and ensure that you have a plan of action to follow after a crisis or outage has occurred.
- Set recovery time objectives for key IT systems and business processes. This will permit you to measure your test results after the testing phase.
Test Your Disaster Recovery Plan
Testing your credit union’s ability to recover critical IT systems and business processes enables you to evaluate the effectiveness of your disaster recovery program. Credit unions should conduct recovery tests at least once per year. The testing process has four phases: planning, preparation, execution and reporting.
Planning. This phase includes developing a testing plan that identifies the IT systems and business processes to be restored and identifies the personnel who will execute the recovery plan.
Preparation. This phase includes scheduling the test and identifying any resources needed to support a successful recovery test.
Execution. The execution phase is the actual disaster recovery test. This should include simulating mock disasters or outages that might occur. For example, you may want to simulate situations that involve the restoration of damaged loan files or documents, or how to protect employees from contaminated financial records, cash or contents of safe deposit boxes. This phase usually takes one or two days to complete.
Reporting. During this phase, you combine test results into a report so that you can identify any potential barriers to recovery and address issues or failures discovered during the test.
Analyze Test Results
After conducting the test, review the results to determine what worked correctly, what went wrong or not as expected, what areas can be improved and what adjustments need to be made to your disaster recovery plan.
Test results could show a missed recovery time objective and may also reveal that employees need further training in order to carry out tasks within the disaster recovery plan. Many recovery problems can be avoided by conducting consistent updates to IT systems and using data from the disaster recovery test to update the recovery plan.
As technology and regulatory requirements change more rapidly, credit unions that want to stay in compliance and ensure their institutions are fully protected should continuously reevaluate the effectiveness of their disaster recovery programs. Reviewing your disaster recovery program once or twice a year will reduce risk to your institution and enhance its regulatory compliance.
The Core is Crucial to DRPs
A disaster recovery plan affords the opportunity to organize thoughts and actions by combining proper documentation with proper training and staff knowledge. Having the right core processor can help you plan proactively to ensure system failures and outages are a rare occurrence by actively measuring data thresholds, processing load limits, and even providing on-site disaster tests.