Posted by: David Schneier
I’ve written similar posts in the past where I start off by apologizing for appearing opportunistic when leveraging a significant news event to generate site content. However, when considering that roughly one-third of all my clients are dealing with Hurricane Sandy, this represents a rare chance to drive home a point.
I’ve personally reviewed and/or audited somewhere close to fifty business continuity/disaster recovery (BCP/DR) plans over the past decade. I’ve also written or edited several of those as well in the past five years since moving into professional services for financial institutions. Furthermore I’ve participated in roughly a half-dozen tests while still working within the infrastructure during the first part of my career. Suffice to say I have at least an informed opinion regarding the viability of any such BCP/DR strategies.
Fundamentally there are a few varieties of BCP/DR plans: Those that are current and viable, those that convince your examiner that it’s current and viable and those that may have been viable years ago but bear no resemblance to your current business profile. And beyond those there’s the worst of BCP/DR realities, the non-existent one. But really in the end what your current state of preparedness comes down to is this – either you’re ready for an event or you’re not. And in the past forty-eight hours that’s been made abundantly clear in the form of how many of my clients affected by Hurricane Sandy have navigated through what’s now clearly one of the worst weather events in my lifetime.
Around noontime yesterday (October 29, 2012) as weather conditions worsened and major metropolitan areas were literally shutting down for business I started checking up on a few clients. The first thing I did was visit the website of every client that my practice has assisted with their BCP/DR strategy – each of them had updated their website to announce that branches in the affected areas were closed. Some had a pop-up window with the update, others had a message displayed in either bright red letters, bold font or both. As a standard design consideration each of them also had phone numbers clearly displayed and when I called a sampling real people answered and were available to assist me. I inquired of a few of them where they were physically located and they were all located remotely and not on site in affected areas (much to their credit they were reluctant to share too much information). The second thing I did was visit the website for a few clients whose BCP/DR plans were tagged during an audit/assessment as either being deficient or missing. The websites were not updated and in all but one case I only learned that they were closed for the day after calling into a branch (one had an 800 number that was redirected to a real person).
Now I know this wasn’t a very deep or meaningful test of anyone’s ability to continue operations in the event of a disaster. But what it did prove is that those institutions who had plans that were current, and whose management team knew to rely upon them, had already thought through the little things that make a difference. Someone knew to update the website; management knew to reroute calls away from unmanned branch locations. I can only assume that the appropriate parties designated to do so also contacted their regulators to inform them of their closing and that a phone chain was initiated informing staff, thus keeping them off the roads and safe. And because an important part of the plan creation/update process is both training and testing, stakeholders are able to navigate through the decision tree and take the appropriate related steps without having to think it through – one of the biggest challenges confronting management during a crisis. The very best part of having a viable and current plan is that all the thinking has been done in advance and has been reviewed and validated, which greatly reduces the chances that something (or someone) will be missed.
Here’s a sanity test: If you didn’t know exactly where to begin the decision-making process or who to engage, you’re in need of a new plan. And if you did know but can’t be absolutely certain that others would be able to do the same in your absence, you’re in need of a new plan. One of the rebuttals I’ve heard all too often when identifying a deficient or missing BCP is that management knows what to do should some manner of disaster strike. That may be true, but what happens if key people are unavailable or can’t be reached?
Seriously, when something like Hurricane Sandy occurs it’s the best time to consider how your institution would fare when navigating such an event. Block off an hour within the next week with your key people, pull out your BCP/DR documentation and try to step through how you’d handle things under similar circumstances. In a very short time you’ll gain a sense of whether or not you’re prepared and, if necessary, have the opportunity to improve.
Trust me on this – you don’t want to be in the middle of a disaster scenario and find out that your plan doesn’t work.