Disaster Recovery Plans and the Community Bank
Beavers-Moss, Deborah, The RMA Journal
The assertion in the first sentence of this article seems proven by this fact: of 11 contacts provided to the author, six did not respond at all and three declined to participate. The editor invites you to read this article and respond by e-mail to firstname.lastname@example.org with any additions or disagreements.
Here's a sobering thought: They may deny it, but few community banks have a comprehensive disaster recovery plan in place. Beyond the f:act that such inaction isn't very prudent, the result can be a major lapse in service to both consumer and business customers. Few industries have smooth rides back after disaster strikes, but banking might represent the longest haul. Why? Because where money is concerned, emotions often run the show. In a nutshell, unless people have access to their money, they become very nervous.
Despite multiple disasters over the past decade, many banks still sit back and hope for the best--which could be where the real problems begin. The best choice in the long run is to take action and get involved in disaster recovery planning. So let's examine a few hard definitions, explore regulatory policy, and speak to a few experts on the topic.
The Core of Disaster Recovery Planning
First American Bank, headquartered in Byron, Texas, has improved its disaster recovery efforts over the past few years. "Our disaster recovery plan has become more formal since 9/11," says Sonny Lyles, who works in business continuity at the bank. Unfortunately, First American Bank is the exception, not the rule.
For obvious reasons, the banks that really "get it" are those that have suffered the most because of disasters. Stable, reputable institutions that have experienced that instant vulnerability--and survived--are those most likely to make sure it doesn't happen again. Staying competitive in the industry presents enough of a challenge every day for most community banks; doing so in the face of disaster and without a plan invites problems.
Like most other commitments, a successful disaster recovery plan begins at the top, where it's perceived as a high priority and disseminated accordingly.
The Five Phases of Disaster Recovery
"Business continuity planning is an all-encompassing concept that, at its best, addresses all those issues necessary to guarantee that before, during, and after an event, your business is aware, prepared, and can continue to thrive," says Bob Miano, Chief Information Officer for Agility Recovery Solutions, a premier provider of onsite disaster recovery solutions, headquartered in Ontario, Canada. "Within the parameters of a business continuity plan are many chapters that address various concepts and stages of an overall recovery effort."
Miano believes this is especially true considering that each plan must reflect the size, complexity, and needs of that particular institution and that no single plan is perfect. Each of the five phases in a disaster recovery plan contains a set of critical measures.
1. Risk analysis. Identifying and prioritizing vulnerabilities begins with looking at potential business disruptions based on severity and likelihood of occurrence. Examples include unreliable power grids, incomplete backup procedures, and a single point of knowledge/contact for a critical resource.
Threats range between those with a high probability of occurrence, but low impact to the institution (e.g., power interruptions), to threats with a low probability of occurrence and high impact on the institution (e.g., earthquake, terrorism). A gap analysis can strengthen a risk analysis by comparing the bank's existing plan, if any, to what is necessary to achieve its recovery time objective (RTO) and recovery point objective (RPO). The RTO is the period of time within which systems, applications, or functions must be recovered alter an outage. An RPO is the point in time to which systems and data must be up and running. …