Have an IT audit for your financial institution coming up? Or need some guidance on your disaster recovery plan? The Garland Group is here to help! The following is a list of our most common disaster recovery findings for financial institutions of all sizes. We base these recommendations on the FFIEC guidelines and our many years of information technology experience, with one goal in mind: getting your institution operational again as soon as possible after a disaster.
Our most common finding would have to be TESTING. Alternate locations for core processing, the network (Citrix, Windows 2003, etc.) and telecommunications should be tested at least annually, both for operability and for connectivity from alternate branches. For example, if your main site is unavailable, staff at an alternate branch or location should be able to reach the network and the core, and that should be proven by an actual test, not assumed. While these critical functions should be tested annually, other arrangements should be tested as soon as they are put in place. For instance, if you have an agreement with another bank to use their wire transfer system in an emergency, test it close to the time the agreement is signed. Why have an agreement with someone if you are not 100% sure it will work when you need it to?
Next, financial institutions should document, for each important function, the maximum allowable downtime (the recovery time objective, or RTO) and the maximum allowable data loss (the recovery point objective, or RPO). These figures determine what is mission critical and are the foundation of a Business Impact Analysis. For some institutions, 5 minutes without telecommunications and Internet would be unacceptable; they need automatic failover solutions. If up to 4 hours without telecommunications is acceptable, a different location where phone calls can be forwarded may be enough. Furthermore, if you want ATMs to be your customers' first alternative to tellers, be sure they can be brought back quickly in a disaster. Documenting maximum allowable downtime also leads directly into the next very common finding.
The Information Technology Steering Committee should prioritize each department, business unit, business process and application according to its importance to the functioning of the bank. This prioritization should be revisited annually so that the Information Technology department knows which servers and systems to shut down first in an emergency or under limited power, and which to restore first. When the critical processes and applications have been identified and protected in advance, your customers may never know you had a disaster. Ultimately, that is the goal: no visible interruption to the customer!
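The two findings above (undefined RTO/RPO, and a recovery strategy or test schedule that does not match the stated RTO) are easy to check mechanically once the BIA is written down. The following is an added example, not something from the original post or from The Garland Group: a small Python checker that runs over a constructed BIA register and reports the common findings described above. The function names, the register entries and the per-strategy recovery times are assumptions made for the illustration, not figures from any real institution or from the FFIEC guidance.

```python
"""Added example: audit a Business Impact Analysis register for common DR findings.

Flags functions with no RTO/RPO, a recovery strategy that cannot meet the RTO,
and critical functions not tested within the review interval. It also produces
the shutdown order the IT department would use under limited power.
The register below is constructed sample data, not a real institution's BIA.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed fastest realistic recovery (minutes) for each strategy type.
# These numbers are illustrative assumptions, not FFIEC figures.
STRATEGY_MIN_RECOVERY_MINUTES = {
    "automatic failover": 5,
    "warm standby": 60,
    "call forwarding": 240,
    "reciprocal agreement": 1440,
}


@dataclass
class BusinessFunction:
    name: str
    priority: int                 # 1 = most critical, set by the IT Steering Committee
    rto_minutes: Optional[int]    # maximum allowable downtime (None = not defined)
    rpo_minutes: Optional[int]    # maximum allowable data loss (None = not defined)
    strategy: Optional[str]       # recovery strategy, keyed into the table above
    last_test: Optional[date]     # date of the last successful recovery test


def check_function(fn: BusinessFunction, as_of: date,
                   test_interval: timedelta = timedelta(days=365)) -> List[str]:
    """Return the audit findings for one business function (empty list = clean)."""
    findings = []
    if fn.rto_minutes is None or fn.rpo_minutes is None:
        findings.append(f"{fn.name}: RTO or RPO not defined; cannot be placed in the BIA")
    if fn.strategy is None:
        findings.append(f"{fn.name}: no recovery strategy documented")
    elif fn.strategy not in STRATEGY_MIN_RECOVERY_MINUTES:
        findings.append(f"{fn.name}: unknown recovery strategy '{fn.strategy}'")
    elif fn.rto_minutes is not None and STRATEGY_MIN_RECOVERY_MINUTES[fn.strategy] > fn.rto_minutes:
        findings.append(
            f"{fn.name}: strategy '{fn.strategy}' needs about "
            f"{STRATEGY_MIN_RECOVERY_MINUTES[fn.strategy]} min but RTO is {fn.rto_minutes} min"
        )
    if fn.last_test is None:
        findings.append(f"{fn.name}: recovery has never been tested")
    elif as_of - fn.last_test > test_interval:
        findings.append(
            f"{fn.name}: last tested {fn.last_test.isoformat()}, "
            f"more than {test_interval.days} days ago"
        )
    return findings


def audit(register: List[BusinessFunction], as_of: date) -> Dict[str, List[str]]:
    """Audit the whole register; only functions with findings appear in the result."""
    result = {}
    for fn in register:
        findings = check_function(fn, as_of)
        if findings:
            result[fn.name] = findings
    return result


def shutdown_order(register: List[BusinessFunction]) -> List[str]:
    """Order in which to shut systems down under limited power: least critical first."""
    return [fn.name for fn in sorted(register, key=lambda f: f.priority, reverse=True)]


# Constructed sample register (illustrative values only).
AS_OF = date(2024, 3, 1)
SAMPLE_REGISTER = [
    BusinessFunction("Core processing", 1, 240, 15, "warm standby", date(2023, 10, 1)),
    BusinessFunction("Internet banking", 2, 5, 0, "call forwarding", date(2024, 1, 15)),
    BusinessFunction("Wire transfer (reciprocal)", 3, 1440, 60, "reciprocal agreement", date(2022, 6, 1)),
    BusinessFunction("Telephone system", 4, 240, None, "call forwarding", None),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_REGISTER, AS_OF).items():
        for finding in findings:
            print("FINDING:", finding)
    print("Shutdown order under limited power:", " -> ".join(shutdown_order(SAMPLE_REGISTER)))
```

Run against the sample register, the checker reports that Internet banking's call-forwarding strategy cannot meet a 5 minute RTO, that the reciprocal wire transfer agreement has not been tested in over a year, and that the telephone system has no RPO and has never been tested; core processing passes. The same structure works for a real register exported from your BCP tooling, with the strategy table replaced by your own measured recovery times.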
Many common findings come from the Business Continuity Plan itself not being kept up to date. In almost every audit we have findings about stale vendor contact information, outdated employee roles and responsibilities, and recovery procedures that no longer reflect the current environment. This is where disaster recovery planning software helps: when your contact at the local service provider changes, you update it once and the change is replicated everywhere the plan references it. Don't forget to distribute the updated plan to everyone who holds a copy of the Disaster Recovery Plan, and to retire the old copies.
Now all you have to do is make sure you have a good plan in place to recover every business process, especially the mission critical operations. Once you have redundancy for the critical functions (and it is TESTED), just sit back and wait for a disaster so you can put your newly renovated plan into action!