Business continuity and disaster recovery plans are proving to be more critical to a bank’s operation due to the recent spate of disasters (power, environmental, terrorism) and stricter regulatory compliance examinations. The primary goals of a BC and DR plan remain the same: Ensure the safety of your employees and maintain and recover critical functions.
According to FFIEC mandates, a viable BCP must be function-based and provide pre-approved strategies, policies and procedures regarding preparation, prevention and response to any disaster event. In my experience of working with hundreds of community banking institutions across the United States, a BC and DR plan that “passes regulatory muster” does not necessarily take into consideration some very critical core tenets. Let me explain my point: Having a plan that is compliant with regulatory expectations (one that contains all the policies and phone numbers that a five-inch three-ring binder can hold) is nothing more than a shell if it doesn’t take into account the human element. The availability to recover resources needed for offline operations is woefully inadequate in the practical sense. Here I share with you three simple and effective elements that greatly augment a plan, but unfortunately are considerations that frequently slip through the cracks.
The first and most important resource for recovery is the employee. Employee availability is essential for obvious reasons, yet few institutions provide employees with any assistance or guidance regarding their personal disaster plans. If employees have difficulty coping or stabilizing their personal situations after a disaster (home, health, family, etc.), chances are they will not be willing to assist the bank with recovery. Commonly, most plans fail to educate employees on when and where to show up for tasking after a disaster. Financial institutions should provide employees with resources to promote personal disaster awareness and preparation, as well as establish return-to-work policies. Simply put: If employees do not show up, your bank will not recover.
Next, help employees with the disaster recovery road rules by providing them with a simple list of dos and don’ts. A simple set of golden rules that provide general guidance during disaster will help eliminate preventable issues. For example:
Finally, maintain functionality while in manual mode (e.g. power outage). Many plans have excellent alternate (manual) procedures in place, but don’t have the necessary resources readily available to quickly perform the alternate procedures. For example, a pre-staged plastic box (a.k.a. the BCP box) roughly two feet by three feet in size (you can get these at any hardware store) can contain the supplies and materials necessary to perform manual operations. The BCP box items may include departmental forms, special calculators, rubber stamps, customer forms, documented operating procedures, ledgers for manual tracking, cash in/out forms, office supplies and the list goes on. No sensitive information should be in the box. The BCP box should be duplicated and stored at the primary and alternate sites at a minimum, ensuring critical functions can be efficiently recovered manually with little or no downtime.
The bottom line is that little things can have a big impact in designing a plan that is “compliant” versus a plan that is practical, viable and will actually work when needed. One may stave off examiners with a sizeable BCP documentation program; however, disaster recovery and business continuity requires a level of cohesiveness and preparedness that the pen alone cannot provide.
Patrick W. Johnson, CBCP, is senior program manager for the Compushare Inc. Risk and Compliance Group in South Coast Metro, Calif. He can be reached at
Copyright April-May 2007 Western Banking (BankNews Publications)