Spring World 2015

Conference & Exhibit

Attend The #1 BC/DR Event!

Fall Journal

Volume 27, Issue 4

Full Contents Now Available!

DRJ Blogs

A short description about your blog

Oct 23

Disaster Recovery Compliance for Credit Unions– Impact, Testing and Analysis

Posted by: Adnan Raja in DRJ Blogs

Tagged in: Untagged 

Adnan Raja

 A disaster recovery plan protects a business's IT infrastructure and allows this infrastructure to recover quickly during a disaster. A recovery plan specifies the steps that a business needs to perform during a disaster and is typically kept in written form and in a secure environment. A DRP covers natural disasters such as hurricanes or earthquakes that physically damage the infrastructure or impair the ability of personnel to take appropriate action. It can also protect a business from man-made disasters such as acts of terrorism or equipment failures.

DRPs are becoming more common in business due to their increasing reliance on information technology. Government regulations for some business sectors also require businesses to maintain DRPs. For example, the regulatory body for financial institutions in the United States is the Federal Financial Institutions Examination Council. Credit Union Times provides tips for credit unions to comply with FFIEC guidelines, including an impact review, testing and analysis of the DRP. The Sarbanes-Oxley Act of 2002, or SOX 2002, also provides specific guidance for the DRPs of financial institutions.

Impact Review

The first step in assessing the impact that a disaster will have on a credit union is to ensure that its Business Impact Analysis complies with FFIEC guidelines. This review must include a determination of the maximum downtime that's allowable for the credit union's IT systems and other business processes. You must also establish the priority of these processes by classifying them as nonessential, normal, important, urgent or critical. Each of these categories will have a specific maximum allowable downtime, typically 30 days for nonessential processes, seven days for normal processes, three days for important processes, one day for urgent processes, and hours or minutes for critical processes.

It's important to assess the disruption that a specific disaster could cause to a business, which is needed to reduce the recovery costs after a disaster. You also need to specify the steps needed to recover business processes so that you can determine the resources you will need for the recovery. Specific objectives for the recovery times of each process will allow you to measure the success of the DRP during the testing phase.


The testing process allows you to measure the ability of your DRP to recover from a disaster. Credit unions should perform this test at least once each year, which consists of the following phases:

  • Planning
  • Preparation
  • Execution
  • Reporting

The planning phase of a DRP test consists of identifying the business process that will need to be restored after a disaster. It also needs to identify the personnel who will perform each step in the DRP. The preparation phase involves identifying the resources that will be required for the test and scheduling the test. The execution phase is the actual test, which typically requires a day or two to complete. It should consist of disaster simulations, such as a power outage, which requires files to be restored. The execution phase of a DRP test may also include other actions such as protecting employees from contaminated materials during a simulated biological or chemical attack. You will develop a single report from the test results during the reporting phase. This phase allows you to identify and address the greatest barriers to a rapid recovery after a disaster.


The analysis of a DRP involves reviewing the test results to assess what went wrong during the testing phase, generally for the purpose of making the appropriate adjustments to the DRP. The primary goal of the test results is to identify the processes that you were unable to recover within the desired time frame. It may also show issues such as the requirement to perform regular updates to IT resources, especially those needed to execute the DRP. The analysis phase may also reveal other shortcomings such as the need to provide employees with additional training. The analysis of the DRP allows you to adjust your plan and ensure that everything is in line with protocols and the needs of your business.

Sarbanes-Oxley Act

SOX 2002 increases the accuracy of corporate reporting, primarily for the purpose of protecting investors in securities. It generally increases the responsibility of managers in financial institutions to enforce controls over operations. SOX 2002 requires managers to provide personal assurances that the required controls are in place, rather than relying upon staff members to enforce these controls.


Credit unions will experience an increasing need to remain in compliance with FFIEC guidelines regarding disaster recovery as technology continues to advance. This requirement includes regularly evaluating the DRP's effectiveness and ensuring that the credit union is adequately protected from disasters. Credit unions should typically review their DRPs at least once each year.


Hassan Sultan is a partner at Reckenen, which provides compliance and assurance services to privately held companies.