BCP Considerations That Slip Through the Cracks
Business continuity and disaster recovery plans are proving to be more critical to a bank’s operation due to the recent spate of disasters (power, environmental, terrorism) and stricter regulatory compliance examinations. The primary goals of a BC and DR plan remain the same: Ensure the safety of your employees and maintain and recover critical functions.
According to FFIEC mandates, a viable BCP must be function-based and provide pre-approved strategies, policies and procedures regarding preparation, prevention and response to any disaster event. In my experience of working with hundreds of community banking institutions across the United States, a BC and DR plan that “passes regulatory muster” does not necessarily take into consideration some very critical core tenets. Let me explain my point: Having a plan that is compliant with regulatory expectations (one that contains all the policies and phone numbers that a five-inch three-ring binder can hold) is nothing more than a shell if it doesn’t take into account the human element. In the practical sense, the ability to recover the resources needed for offline operations is woefully inadequate. Here I share with you three simple and effective elements that greatly augment a plan, but unfortunately are considerations that frequently slip through the cracks.
The first and most important resource for recovery is the employee. Employee availability is essential for obvious reasons, yet few institutions provide employees with any assistance or guidance regarding their personal disaster plans. If employees have difficulty coping or stabilizing their personal situations after a disaster (home, health, family, etc.), chances are they will not be willing to assist the bank with recovery. Commonly, most plans fail to educate employees on when and where to show up for tasking after a disaster. Financial institutions should provide employees with resources to promote personal disaster awareness and preparation, as well as establish return-to-work policies. Simply put: If employees do not show up, your bank will not recover.
Next, help employees with the disaster recovery road rules by providing them with a simple list of dos and don’ts. A simple set of golden rules that provide general guidance during disaster will help eliminate preventable issues. For example:
- Human safety is first and foremost. Upon detection of an emergency or incident, notify any manager. Dial 911 immediately if there is ANY danger to human safety or property.
- Call the bank emergency hotline at 800-111-1111 or log onto the website for information at www.mybank.com/emergencynotification.
- When an alarm sounds, evacuate to the closest, SAFE pre-determined rendezvous location for your specific facility.
- Remain calm. To perform safely and effectively for your department, it is your responsibility to perform exactly what your team leader asks of you in a timely manner and report back when completed for further tasking. Only perform those tasks assigned to you.
- Rendezvous at the Main Street branch (primary) or the Broadway branch (alternate) if your facility is incapacitated.
- Do not leave the premises without proper authorization. If you must, leave word with at least two other employees (managers preferred) of your department, state your reason for leaving and expected time of return. Use the buddy system. Try not to go anywhere alone in an emergency situation. Always let others know where you will be.
- No employee may talk to the media, ever. Refer all questions to the media team (team manager: senior vice president or chief operating officer).
- Document everything (activities, phone calls, issues, developments, etc.) during a disaster and give regular status reports to your departmental or recovery team manager.
Finally, maintain functionality while in manual mode (e.g. power outage). Many plans have excellent alternate (manual) procedures in place, but don’t have the necessary resources readily available to quickly perform the alternate procedures. For example, a pre-staged plastic box (a.k.a. the BCP box) roughly two feet by three feet in size (you can get these at any hardware store) can contain the supplies and materials necessary to perform manual operations. The BCP box items may include departmental forms, special calculators, rubber stamps, customer forms, documented operating procedures, ledgers for manual tracking, cash in/out forms, office supplies and the list goes on. No sensitive information should be in the box. The BCP box should be duplicated and stored at the primary and alternate sites at a minimum, ensuring critical functions can be efficiently recovered manually with little or no downtime.
The bottom line is that little things can have a big impact in designing a plan that is “compliant” versus a plan that is practical, viable and will actually work when needed. One may stave off examiners with a sizeable BCP documentation program; however, disaster recovery and business continuity require a level of cohesiveness and preparedness that the pen alone cannot provide.
Patrick W. Johnson, CBCP, is senior program manager for the Compushare Inc. Risk and Compliance Group in South Coast Metro, Calif. He can be reached at
Copyright April-May 2007 Western Banking (BankNews Publications)