I know, you were wondering when I would get around to explaining why you need to know this exists!
On May 1, 2018, the House passed the Disaster Reform and
Recovery Act, which further emphasizes pre-disaster planning and
programming to mitigate economic and social disaster impacts.
This type of directive trickles down to other agency priorities,
and can be assumed to increase focus on disaster preparedness
for all regulated entities, including banks.
FFIEC Business Continuity Planning
Disruptions in a bank’s service not only affect a customer’s personal recovery after an unplanned event, but they can undermine
public trust and confidence in the financial system as a whole.
The Federal Financial Institutions Examination Council (FFIEC)
states in their introduction to guidance: “Changes in business
processes and technology, increased terrorism concerns, recent
catastrophic natural disasters, and the threat of a pandemic have
focused even greater attention on the need for effective business
continuity planning.” Banks are therefore expected to consider
past disasters critically, and proactively mitigate the risk of disruptions in service. This includes addressing the potential for
area-wide disasters that could affect entire regions, and geographic
and market-based interdependencies among other participants
in the financial system and service providers.
The FFIEC publishes the primary pertinent guidance for regulated financial institutions, in regard to what long-time bankers used to call “disaster recovery.” The guidance is found in the
larger FFIEC Information Technology Handbook, in a dedicated
“booklet” on Business Continuity Planning.
The booklet provides specific guidance detailing how management
should develop a comprehensive Business Continuity Plan (BCP)
based on the size and complexity of the institution, and aligning
with the bank’s overall business strategy. This is important in order
to plan to recover and resume operations after an unexpected disaster, and to “ensure the availability of critical financial services.”
Additionally, the guide lays out the metrics examiners will use to
evaluate a bank’s BCP, both plan and process, during a Safety and
Soundness Examination. The main goal of the BCP should be to
“…minimize financial losses to the institution, serve customers and
financial markets with minimal disruptions, and mitigate the negative
effects of disruptions on business operations.” For more information
on the booklet, see the sidebar on page 30 entitled FFIEC Information
Technology Handbook’s Booklet on Business Continuity Planning.
Areas of Focus
The FFIEC has taken pains to emphasize that a bank’s recovery
planning is no longer limited to how to overcome an IT failure.
The focus is on ensuring that all regular operations can be restored
as quickly as possible, including having physical offices available
for customers to conduct business. The bank must demonstrate
that it has an appropriate mechanism for the entire bank and has
the wherewithal to maintain ongoing operations and support key
stakeholders when a disruptive event occurs.
Typically, a common BCP theme is to set up alternate facilities
to be used when existing sites are rendered non-functional. It
includes “Cold Sites, Warm Sites, Hot Sites and Mobile Hot Sites,”
where your goal is to make sure the “hot site” is not a “hot mess”
for longer than necessary!
A “cold site” is an empty operational space with the basic facilities needed, like power and communication capabilities. Alternate
facilities are set up within a cold site. The cold site itself does not
have any copies of data or other information or hardware necessary to get up and running. This facility requires additional time
following a disaster for set-up, and may have trouble reaching an
operational level due to a lack of available resources during and
immediately after the crisis.
A “warm site” is a compromise between the relative lack of expenditure and planning for a cold site and the expense and resources
necessary for a full hot site. The warm site will have hardware and
connectivity for data transfer already on site and operational, but
on a fraction of the scale of the normal operation or a hot site.
The warm site may have data readily available, but more often the
warm site will receive the data from another remote backup site.
A “hot site” duplicates the institution’s primary site, with full
systems and complete backups of data. The site is regularly synchronized with the mothership, which means the institution can
relocate to the hot site with minimum loss of normal operations
and in the shortest possible time. The most distinctive item here
is that the hot site production environment is running concurrently
with the main office environment—so there is little to no downtime waiting to recover data. There are international standards
for determining whether something is actually a “hot site”—but you get the gist.
Testing must be robust, and it should simulate emergencies that
are a realistic threat to your institution. It should also include some
emergencies that are less likely, but still possible. Institutions should
test low-probability/high-impact disruptions as well as high-probability/low-impact disruptions, on a continuum. You must be able to
demonstrate your ability to continue normal operations—not just
your ability to recover data. Agencies also disfavor reciprocal agreements,
so this should not be your “go to” solution.
Types of Testing: Testing should include live site testing using
bank staff, back-up data, and alternative means of communication. Testing might be a “functional drill” and/or “full interruption
tests” that execute the bank’s BCP in a setting that closely mimics
a real-world disaster event. A functional drill is a full test of the
plan and includes running operations from an alternate site and
the primary site at the same time, and then comparing the results,