Although disaster recovery programs are used by most credit unions, many do not provide enough protection for the credit union or its members and are not fully compliant with FFIEC guidelines.
Employing the following tips will ensure that your credit union is prepared for any unforeseen disasters or outages and enhance its regulatory compliance.
Review Your Business Impact Analysis
Review your credit union’s Business Impact Analysis (BIA) to ensure it meets FFIEC guidelines.
- Maximum allowable downtimes for IT systems and business processes. FFIEC guidelines require credit unions to put each IT system and business process into one of five categories, including critical, urgent, important, normal and nonessential processes. Each category has a maximum allowable downtime in which the credit union has to be able to recover each IT system or business process after a disaster has occurred. Critical processes must be recovered within minutes to hours, urgent processes must be recovered within 24 hours, important processes must be recovered within 72 hours, normal processes must be recovered within seven days and nonessential processes must be recovered within 30 days.
- Assess the potential impact of business disruptions that could occur as a result of disasters or outages. Proactively knowing the impact of business disruptions can help reduce the costs of recovery.
- List action steps required to recover critical IT systems and business processes. Following this process will allow you to determine the resources needed for recovery and ensure that you have a plan of action to follow after a crisis or outage has occurred.
- Set recovery time objectives for key IT systems and business processes. This will permit you to measure your test results after the testing phase.
Test Your Disaster Recovery Plan
Testing your credit union’s ability to recover critical IT systems and business processes enable you to evaluate the effectiveness of your disaster recovery program. Credit unions should conduct recovery tests at least once per year. The testing process has four phases, which include planning, preparation, execution and reporting.
- Planning. This phase includes developing a testing plan that identifies the IT systems and business processes to be restored and identifies the personnel who will execute the recovery plan.
- Preparation. This phase includes scheduling the test and identifying any resources needed to support a successful recovery test.
- Execution. The execution phase is the actual disaster recovery test. This should include simulating mock disasters or outages that might occur. For example, you may want to simulate situations that involve the restoration of damaged loan files or documents or how to protect employees from contaminated financial records, cash or contents of safe deposit boxes. This phase usually takes one or two days to complete.
- Reporting. During this phase you combine test results into a report so that you can identify any potential barriers to recovery and address issues or failures discovered during the test.
Analyze Test Results
After conducting the test, review the results to determine what worked correctly, what went wrong or not as expected, what areas can be improved and what adjustments need to be made to your disaster recovery plan.
Test results could show a missed recovery time objective and may also reveal that employees need further training in order to carry out tasks within the disaster recovery plan. Many recovery problems can be avoided by conducting consistent updates to IT systems and using data from the disaster recovery test to update the recovery plan.
As technology and regulatory requirements change more rapidly, credit unions that want to stay in compliance and ensure their institutions are fully protected should continuously reevaluate the effectiveness of their disaster recovery programs. Reviewing your disaster recovery program once or twice a year will reduce risk to your institution and enhance its regulatory compliance.
- IT-Lifeline Disaster Recovery Whitepaper
- FFIEC Guidelines for Business Continuity Planning
- FFIEC Disaster Recovery Testing Policy