| |
In
1957 there were 21,432 FDIC insured banking offices in the
United States. During that same year FEMA managed 17 disaster
events. Fifty years later at the end of 2007, the number of
FDIC insured banking offices jumped to 86,150 and the number
of FEMA managed events dramatically increased to 63. As of
May 20, 2008 FEMA had 22 managed events for 2008, which is
a little above average for the past decade, an average of
more than one FEMA managed event per week! It’s hardly a wonder
that the FFIEC recently revised the Business Continuity Planning
IT Examination Handbook to require testing strategies that
demonstrate an institution’s ability to continue normal operations
in a timely fashion. Considering that Illinois is the tenth
highest ranked state for FEMA managed disasters, a comprehensive
tested business continuity plan for your bank is not only
a compliance issue but also a sound business practice to insure
continued service to your customers.
No business
can operate without an office at which to conduct business.
Because of the security requirements that handling currency
demands, not every facility can serve as a backup office.
Coupled with increasing dependence on technology, a facility
without compatible technology and communications provides
very little functionality. As an example, for the last few
years banks have installed branch image capture technology
at an adoption rate beyond anyone’s prediction. Finally
the dream of truncation at bank of first deposit is being
realized by financial institutions of all sizes. However,
branch image capture itself creates requirements that must
be addressed as part of a bank’s business continuity plan
(BCP). Without restoration of this mission critical process,
a bank may not be able to post the day’s transactions or
clear their foreign items. Manual restoration of this function
is all but impossible. A branch image capture system demands
the restoration of not only its own unique technology but
also communications. Consequently, a bank’s facility BCP
must include a process to fully restore both.
The
BCP must test its alternate facility strategy at a level
that was not required in the 2003 version of the Examiners
Handbook. When doing a simple word count using variations
of the word “test” there were 148 mentions in the 2003 Examination
Handbook. In the 127 pages of text in the 2008 Examination
Handbook, “test” was mentioned 656 times! That alone should
be a strong signal that testing is taking a greater prominence
in BCP review than ever before. In fact, two forms of testing,
Table Top Testing and Structured Walk Through are no longer
preferred as test methods. Hurricanes Katrina and Rita exposed
flaws in what was thought to be suitable plans. Experience
now shows that without proper testing, BCPs can easily fail.
|
|
|
Only
through testing, when you are approaching the event without
the possible distraction of your own personal disaster can
a BCP be considered complete.
The current Examination Handbook cites Functional Drill/Parallel
Test and Full Interruption/Full Scale Test as appropriate
test methods. With the adoption of branch image capture, these
methods may be the only ways to insure the continued operation
of this mission critical process. Not all banking functions
need to be tested simultaneously, however with the integration
and interdependency of technology installed at most
financial institutions it may be difficult to test single
functions or applications independently.
A somewhat popular form of continuity planning has been
reciprocal agreements with other financial institutions.
However, the current Examination Handbook states the following
“In the vast majority of cases, reciprocal agreements are
unacceptable because the institution agreeing to provide
back-up has insufficient excess capacity to enable the affected
institution to process its transactions in a timely manner.”
Added to those concerns may be the need for both institutions
to have similar if not identical technology installed, possibly
to the extent of having the same software release level
installed. Since software is often updated on a rolling
release schedule where only a portion of the user base is
upgraded at any one time, controlling software releases
are usually out of the control of the institution. Added
to the complexities of performing a test as indicated previously,
this form of business resumption is simply no longer practical.
Events beyond our control and an increased reliance on
technology have created conditions that did not exist even
five years ago. Don’t fall into a trap and think each year
is the same as the last. Keep abreast of your institution’s
changes and consider business resumption whenever installing
new technology such as branch image capture. It will be
much easier to plan and test for restoration when you experience
change than when you experience a disaster.
Recovery Solutions provides a comprehensive service to fully
restore critical banking funtions within 72 hours of declaration.
An annual LiveSite test for each client by Recovery Solutions
provides proof of regulatory compliance.
For more information, contact
Recovery Solutions
15032 South Des Plaines Street
Plainfield, IL 60544
(815) 577-1999
www.recoverysolutions.com
|
|
|
|
