Disasters abound everywhere. It seems there is always a tornado, hurricane, earthquake, fire, flood or ice storm happening somewhere or waiting just around the corner.
Disaster Recovery Plans are lifelines to the continuity of your financial institution. Regardless of asset size and complexity, each Financial Institution must create and manage a Disaster Recovery Plan. When creating or reviewing a Disaster Recovery Plan, there are key components that must be addressed. Disaster Recovery is not limited to your IT department. There are many facets of the Financial Institution’s operations that must be considered as well. Here are a few things to keep in mind as you create, review, or update your institution’s Plan.
The Disaster Recovery Plan is not a stagnant plan. It should be reviewed to determine what updates are required whenever there are key personnel changes, procedural changes, branches opened or closed, mergers or acquisitions, key contact changes or vendor changes. Keep material fresh and easily retrievable by staff and the Board alike. Utilize past disaster responses to assist in formulating a plan for your institution.
Work the plan down to the details. While there are obvious items to consider, there are numerous minute details to work through as well. I have listed a few items below to consider when working out the details; however, this is not an all-encompassing list.
- Employee and employee family safety.
- Disaster Recovery Hotline number for employees to call. Who will update the information on this hotline?
- Designate specific tasks to specific employees. This will ensure the plan is implemented smoothly. Layer the personnel duties to ensure there is adequate backup if the primary staff member is not able to fulfill the responsibility for their task.
- Transportation needs. Consider the transportation needs not only for your institution’s staff, but also in the event you need supplies or cash delivered.
- Emergency Management contacts. Your Institution should have specified contacts with the local emergency management team. This list and relationship should be kept current to enable you to enter the area at the appropriate time. Keep the communication lines open with this team and participate in their drills, attend their meetings and keep up to date on what your local city/county/township is doing to accomplish emergency preparedness.
- Fresh water and food in the event you need to “shelter in place” at one of your locations. Where will you obtain the water and food? Who will you contact to provide this and will they be able to mobilize in order to deliver it to your institution?
- First aid kits.
- Generator needs. In the event there is no electricity available, will you be able to obtain a generator in order to operate? Consider the logistics and fuel needs. Will the company with whom you have contracted have access to the area? If the company is close by and it too is compromised by the disaster, do you have a backup plan?
- Building safety. Ensure you have the appropriate contacts to evaluate the building for any safety concerns before allowing staff and the public to enter the building.
- Contact with the regulators. Who is responsible for contacting the regulators and informing them of the situation?
- Contact with the public. Who is responsible for contacting the public and which media outlets will you choose to use?
- Records storage. Where are your records stored? Are they far enough away from the area to avoid the disaster?
- IT issues. Do you have a power supply or internet service? What are your backup plans in order to restore daily functions?
- Office supplies. Consider all types of supplies such as pens, pencils, paper, flashlights, batteries, battery-operated radios, disinfectant and cleaning products, soap and other hygiene items.
- Training issues. Prepare by providing additional training for staff in the event you must conduct business using paper items through a manual process.
- Third party vendors. Will you have access to those critical vendors?
Once you have created a plan, the next step is to schedule a Disaster Recovery Drill. Disaster Recovery drills should be conducted at least annually. Be detailed and specific in this drill, ensuring each participant understands his or her own responsibilities. Involve key personnel and include a “real world” situation as the basis for the drill. For example, sometimes my area has ice storms that knock out power and create driving hazards. Using a mock “ice storm” drill would be beneficial to a financial institution located in this area of the country. Your institution will have a smoother path toward a successful recovery when you provide specific details within your plan and staff has the opportunity to be familiar with the plan by participating in a drill.
As you work through the drill, document your observations as well as those of the entire team while the results are fresh in everyone’s mind. At the end of the drill, assess the “fails” and “successes” that occurred. Utilize the documented results as a tool to strengthen your plan and find solutions for the areas that missed the mark. Dusting away the cobwebs and keeping the plan updated and fresh will go a long way toward a successful Disaster Recovery Plan for your institution.