The Compass, July 2009
The Importance of DR Planning and Testing
by Brandon O'Donoghue, CBCP
Risk & Compliance Engagement Manager
Compushare, Inc.
Disaster Recovery (DR): “Planning and implementation of procedures and facilities for use when essential systems are not available for a period long enough to have a significant impact on the business...”
Through my many years of experience as a Risk and Compliance consultant for financial institutions, I can wager that many of you browsing through this article may follow a similar train of thought: "Sure, I know the meaning of DR, and my institution has a plan in place to respond to incidents that has been approved by the regulators. When the time comes (and it will), my team knows to pull the plan out and follow protocol." The reality is that, although you may feel that you have a “good plan” in place, disasters never pan out as “planned.” Only through the exercise of proper testing can you explore the unknowns and ensure that you are adequately prepared to meet the responsibility of steering the institution in the right direction in order to ensure safety and continuity for your employees and customers.
The purpose of today's discussion is not focused on the fact that regulators are paying closer attention than ever to Business Continuity and Disaster Recovery plans – we are already well aware of that fact. Institutions are now being called upon more than ever to demonstrate that their plans in place have been thoroughly tested and put through duress. Today I offer my expertise as a reminder of why it is a crucial necessity to plan, and furthermore to test your recovery plans.
There exists a preconception that disasters are limited to major events brought on by large-scale earthquakes, hurricanes and terrorist attacks. These are the incidents that gain notoriety through news headlines and bulletins. Though large-scale disasters most certainly take place, it is the smaller disasters, such as a fire in the building, missing/corrupted data, power outage, or staff illness, that tend to occur with much greater regularity and higher probability. These events can disrupt critical business processes for hours, days or weeks. In today's society, where banks and most other businesses operate in time-critical, service-oriented markets, an interruption of this nature could be a fatal blow to the institution.
The need to plan for DR
Unfortunately, we do not know what the future holds when it comes to disasters. Your DR plan can only truly be put to the ultimate test during an actual disaster. However, careful planning and thorough testing may mean the difference between a temporary, inconvenient disruption and forever closing your doors. Successful incident management requires a quality plan built specifically for your institution, with regular updates and testing of various scenarios. Planning for a disaster not only readies the business for an event, it also benefits the institution in several areas:
- Improved Technology: IT Systems and networks must be designed to support recoverability. Designing a robust network and systems that are consistent with each other leads to improved IT systems that are well documented and easily managed.
- Fewer Disruptions: Along with improved technology, IT systems and networks tend to be more stable when the institution properly implements and manages a good DR program. When changes to the environment are made to meet recovery objectives, updates that previously caused outages are less frequent.
- Business Processes: Constantly updating various business processes to perform at optimal levels helps improve these procedures.
- Higher Quality Services: The time spent on improving processes and technologies will improve services, both internally for employees and to vendors and customers.
- Competitive Advantages: Having a good DR plan sets you apart from your competitors. Ensuring high availability and reliability of services during a disaster, when others around you are scrambling for help, sustains business and improves customer confidence.
The need to test your DR plan
Having a Business Continuity plan is a compliance necessity, and proper testing is crucial to ensuring true business continuity. A plan that is not exercised can sometimes be worse than not having a plan at all. A binder filled with page after page of content might look good on the shelf (or on disk). However, if there is no desire to test these policies and procedures, there will be little or no evidence that your plan, along with its supporting procedures, will be functional when called upon during a real disaster. An institution might be able to talk through recovery strategies on paper and in boardrooms, but only through functional recovery testing will the unscripted questions and gotchas come out of the woodwork.
There is no substitute for exercising your DR plan. Exercises are set up to ensure that your recovery team members understand the institution’s plans and recovery procedures along with their designated roles and responsibilities. Testing ascertains that the plan is complete and up-to-date, and that the proper resources and infrastructure are in place. There are several benefits to testing your Disaster Recovery process:
- If/when a disaster occurs, you know that your recovery plan is viable.
- Testing your IT systems and network aids in the discovery of potential problems and errors, allowing you to resolve these issues before a disaster occurs.
- Employees and third-party vendors are educated in the proper management of disaster recovery situations for the institution.
- Your DR plan becomes a living document and, as testing occurs, much of the "fluff" will be removed from the plan.
- Contact lists, calling trees and escalation procedures are dealt with in a controlled manner.
- The compatibility of data backup and backup facilities is verified.
There are many potential testing exercises that can be performed. Institutions with relatively new recovery plans should test the basics first, by setting less complicated objectives than an institution that has been conducting functional tests for years. The following levels of Disaster Recovery scenarios should be considered when testing:
- A critical file is lost. Can you restore it in an effective, timely fashion?
- A server fails. Can it be replaced or virtualized according to Recovery Time Objectives (RTO)?
- Your employees cannot physically access the office. Are remote working capabilities in place?
- A pandemic strikes the region. Are remote working capabilities in place and can your business function with limited on-site staff?
- Your office is struck by fire. Can your key staff function at an alternate location?
- A regional disaster occurs. Can the institution resume business and survive the event?
Conclusion
Planning for, and testing, your Disaster Recovery plan plays a key role in surviving unforeseen incidents and events, be it a missing critical file or an approaching hurricane. Comprehensive in-house testing can sometimes be an overwhelming task for community financial institutions. Third-party providers, such as Compushare, can help provide the necessary structure to your testing programs, lend expert insight to findings, and identify weaker areas of the plan. Our industry-seasoned and certified Risk and Compliance Team holds years of experience in the planning, building and testing of viable Business Continuity and Disaster Recovery programs for financial institution clients nationwide. Our consultants follow a focused approach and proven methodology, yet most importantly build customized plans and testing programs that work within the realm of each client’s unique environment, needs and wants. Our solutions range from comprehensive Business Continuity and Disaster Recovery programs with the assurance of ongoing consulting, updates, and testing as your institution evolves and grows, to one-time Business Impact Analysis and DR tests. Mobile Recovery options and Critical Systems Recovery solutions are offered that can help satisfy most recovery strategies.
Although you are the “go to” person in the institution responsible for compliance and DR planning, you are by no means alone in your efforts. Through partnering with an experienced provider like Compushare, you can ensure that you stay one step ahead of disaster and two steps ahead of your competition by establishing a robust and comprehensive DR plan, backed by the necessary testing and training of your recovery team.
###
Compushare delivers viable and proven solutions exclusively for community financial institutions including areas of business continuity, disaster recovery and business resumption planning, risk management, and other compliance and technology management programs. Learn more about our approach toward Strategy, Safety, Soundness and Support.
To learn more on how Compushare can assist your institution with business continuity and DR planning and testing, contact your Client Solutions Executive or education@compushare.com.