TOPICS

Thursday, November 10, 2016

Elements of a Disaster Recovery Plan

QUESTION
Our compliance department has been tasked with developing a disaster recovery plan. Banking departments of several states are expecting us to ratify such a plan. However, we are not sure about what goes into this plan. What are the essential elements of a disaster recovery plan?

ANSWER
Although there is some variation to the features of a disaster recovery plan, we have found that there are constituent elements that are typical of this document. Sometimes “disaster recovery” is also referred to as “business continuity.” At the most rudimentary level, this plan sets forth the procedures to be followed in the event of an emergency or other disruption of a financial institution’s normal business activities. The goal is to be able to continue or to resume any operations as soon as possible with minimal disturbance to internal and external parties and certainly to recover any documentation and data required to be maintained by applicable laws and regulations.

In our development of disaster recovery plans for our clients as well as the review of their existing policies and procedures involving such aspects as information security, cybersecurity, and other features of information technology, we have found that there are several salient elements of a disaster recovery plan. I will provide them here, with the caution that the list is not meant to be comprehensive, and, to be sure, other elements may be appropriate based on an institutions size, risk profile, and complexity.

Essential Elements of a Disaster Recovery Plan
  1. Identify documents, data, facilities, infrastructure, personnel and competencies essential to the continued operations of the financial institution.
  2. Identify supervisory personnel who are in the chain-of-command for implementing each aspect of the disaster recovery plan and the emergency contacts required to notified. These individuals must be given authorization to make key decisions in carrying out the plan’s requirements.
  3. Devise a plan to communicate with the following persons in the event of an emergency or other disruption: (a) Board of Directors; (b) Senior Management; (c) employees; (d) consumers; (e) affiliates; (f) media; (g) investors; (h) regulatory authorities; (i) data, communications and infrastructure providers and other vendors; and, (j) disaster recovery specialists and other persons involved in recovering documentation and data. 
  4. Ratify procedures for, and maintenance of, back-up facilities, systems, infrastructure, alternative staffing and other resources to achieve the timely recovery of data and documentation and to resume operations as soon as reasonably possible. We recommend that the resuming of operations be expected to occur within the next business day.
  5. Maintain back-up facilities, systems, infrastructure and alternative staffing arrangements in one or more areas that are geographically separate from the financial institution’s primary facilities, systems, infrastructure and personnel.
  6. Back up or copy, with sufficient frequency, documents and data considered essential to operations or to fulfill regulatory obligations, and store information off-site in either hard-copy or electronic format.
  7. Identify potential business interruptions encountered by third parties that are necessary to the financial institution’s continued operations and devise a plan to minimize the impact of such disruptions.
  8. Ensure that copies of the disaster recovery plan are placed at all accessible off-site locations, such as branches.
  9. Train, and periodically drill, affected employees and support systems on applicable components of the disaster recovery plan.
  10. Review and revise the disaster recovery plan at least annually or upon any material change to the financial institution. Any deficiencies or corrective actions must be documented.
  11. Test the plan at least annually by qualified, independent internal personnel or a qualified third party service capable of performing a risk assessment. The testing date should be documented, such documentation describing the nature and scope of the testing, any deficiencies found, any corrective actions taken, and the dates on which corrective actions were taken. I strongly recommend testing a disaster recovery plan at least once every three years by a qualified third party service.
  12. Keep detailed records of all activity involving the implementation of the disaster recovery plan and maintain such information in a form that may be made available promptly, upon request, to representatives of regulatory and enforcement authorities, Federal agencies, prudential regulators, and state banking departments.
Jonathan Foxx
Managing Director
Lenders Compliance Group