No Place for Complacency in Disaster Recovery Compliance
From a pure business survivability standpoint, it is crucial to have a Disaster Recovery Plan (DRP) in place and to test it on a regular basis. After all, according to a recent study, 90% of businesses that do not have a DRP fail. Credit unions are not immune to this threat, but due in part to tightening FFIEC scrutiny of Business Continuity Plans, they have a leg up over other sectors. The majority of businesses are not faced with the regulatory compliance that credit unions face, which is partly why the same study found that roughly 1 out of 3 businesses do not have a DRP in place, despite the inherent risks of neglecting one. The absence of a DRP is simply not an option for credit unions. Compliance guidelines, examinations, and audits are in place to protect credit unions from meeting the same fate.
This pressure from the FFIEC for a comprehensive plan has focused many credit union examinations on backup and recovery compliance. Each IT system and business process is assigned a maximum allowable downtime, the longest it may be unavailable before the credit union is harmed. The FFIEC guidelines require credit unions to place each IT system and business process into one of five categories: critical, urgent, important, normal, and nonessential. Each category carries a maximum allowable downtime within which the credit union should be able to recover that IT system or business process after a disaster has occurred:
- Critical processes must be recovered within minutes to hours
- Urgent processes must be recovered within 24 hours
- Important processes must be recovered within 72 hours
- Normal processes must be recovered within seven days
- Nonessential processes must be recovered within 30 days
Furthermore, according to FFIEC guidelines, "credit unions must go beyond their information systems and develop comprehensive contingency plans for all critical resources." This includes not only your core system but also physical locations, communications, and, most importantly, personnel. Your compliance will be contingent upon a business impact analysis: an assessment of the potential impact of the business disruptions that could result from a disaster. Knowing the impact of those disruptions in advance lets you prioritize recovery effort where it matters and helps reduce the costs of recovery.
Testing and Reporting
Disasters at every scale, from 9/11, Hurricane Katrina, and Hurricane Harvey down to countless smaller local events, can and will have an immediate impact on the operations of your CU, and the lessons learned from them are why compliance includes rigorous testing of your Disaster Recovery Plan, along with the reporting and documentation that result from that testing. While annual testing is the required minimum, FLEX encourages its credit union clients to view testing as a continually evolving process.
The method you use to test your disaster recovery does not have to include a full-scale shutdown of your IT systems. The NCUA has issued guidelines on this as well, describing four testing methods, any of which is accepted:
• Orientation/Walk Through – Critical personnel hold a group discussion about the business continuity plan. Critical areas of the plan are clarified and highlighted during the discussion.
• Tabletop/Mini-Drill – A specific event scenario is presented and the instructions in the Business Continuity Plan are applied to it by critical personnel.
• Functional Testing – Personnel are sent to the recovery site and attempt to restore communication and coordinate as established by the Business Continuity Plan.
• Full-Scale Testing – A credit union implements all or portions of its business continuity plan by processing data and transactions using backup media at the recovery site.
The method you choose will affect both the effectiveness of the test and the confidence you can have in your plan; a walk-through exposes gaps in the written plan, while only functional and full-scale testing show whether the recovery site and backup media actually work. Many credit unions perform a mixture of several methods throughout the year. Regardless of method, detailed reporting and documentation of all plans, procedures, test results, and the remediation of any gaps found are critical to present to auditors for compliance. A test that uncovers a problem is still a successful test, provided the problem and its fix are documented. If conducting these tests internally, be sure to document every aspect of the testing process. When selecting a third party to conduct your testing, ensure that reporting and certification letters are part of your contract, so that you have evidence to hand to auditors requesting documentation of the credit union's disaster protocol.
It all comes down to preparedness. Being prepared for a disaster, and being prepared to show your examiner and/or auditor that you are, will deliver both the peace of mind and the compliance you need.