Although disaster recovery programs are used by most creditunions, many do not provide enough protection for the credit unionor its members and are not fully compliant with FFIECguidelines.

|

Employing the following tips will ensure that your credit unionis prepared for any unforeseen disasters or outages and enhance itsregulatory compliance.

|

Review Your Business Impact Analysis

|

Review your credit union's Business Impact Analysis (BIA) toensure it meets FFIEC guidelines.

  • Maximum allowable downtimes for IT systems and businessprocesses. FFIEC guidelines require credit unions to puteach IT system and business process into one of five categories,including critical, urgent, important, normal and nonessentialprocesses. Each category has a maximum allowable downtime in whichthe credit union has to be able to recover each IT system orbusiness process after a disaster has occurred. Critical processesmust be recovered within minutes to hours, urgent processes must berecovered within 24 hours, important processes must be recoveredwithin 72 hours, normal processes must be recovered within sevendays and nonessential processes must be recovered within 30days.
  • Assess the potential impact of business disruptionsthat could occur as a result of disasters or outages.Proactively knowing the impact of business disruptions can helpreduce the costs of recovery.
  • List action steps required to recover critical ITsystems and business processes. Following this processwill allow you to determine the resources needed for recovery andensure that you have a plan of action to follow after a crisis oroutage has occurred.
  • Set recovery time objectives for key IT systems andbusiness processes. This will permit you to measure yourtest results after the testing phase.

Test Your Disaster Recovery Plan

|

Testing your credit union's ability to recover critical ITsystems and business processes enable you to evaluate theeffectiveness of your disaster recovery program. Credit unionsshould conduct recovery tests at least once per year. The testingprocess has four phases, which include planning, preparation,execution and reporting.

  1. Planning. This phase includes developing atesting plan that identifies the IT systems and business processesto be restored and identifies the personnel who will execute therecovery plan.
  2. Preparation. This phase includes schedulingthe test and identifying any resources needed to support asuccessful recovery test.
  3. Execution. The execution phase is the actualdisaster recovery test. This should include simulating mockdisasters or outages that might occur. For example, you may want tosimulate situations that involve the restoration of damaged loanfiles or documents or how to protect employees from contaminatedfinancial records, cash or contents of safe deposit boxes. Thisphase usually takes one or two days to complete.
  4. Reporting. During this phase you combine testresults into a report so that you can identify any potentialbarriers to recovery and address issues or failures discoveredduring the test.

Analyze Test Results

|

After conducting the test, review the results to determine whatworked correctly, what went wrong or not as expected, what areascan be improved and what adjustments need to be made to yourdisaster recovery plan.

|

Test results could show a missed recovery time objective and mayalso reveal that employees need further training in order to carryout tasks within the disaster recovery plan. Many recovery problemscan be avoided by conducting consistent updates to IT systems andusing data from the disaster recovery test to update the recoveryplan.

|

As technology and regulatory requirements change more rapidly,credit unions that want to stay in compliance and ensure theirinstitutions are fully protected should continuously reevaluate theeffectiveness of their disaster recovery programs. Reviewing yourdisaster recovery program once or twice a year will reduce risk toyour institution and enhance its regulatory compliance.

|

Additional resources:

Matt Gerber is CEO ofIT-Lifeline in Spokane,Wash.

Complete your profile to continue reading and get FREE access to CUTimes.com, part of your ALM digital membership.

  • Critical CUTimes.com information including comprehensive product and service provider listings via the Marketplace Directory, CU Careers, resources from industry leaders, webcasts, and breaking news, analysis and more with our informative Newsletters.
  • Exclusive discounts on ALM and CU Times events.
  • Access to other award-winning ALM websites including Law.com and GlobeSt.com.
NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.