DISASTER RECOVERY JOURNAL
Bank Regulations
Regulatory Scrutiny of Item Processing Increases Disaster Recovery Planning
By J. R. DAVIS
During the past year, in response to
heightened concerns about security in general, many banks have put disaster
recovery planning at the forefront of their agendas. Those that have
not already done so can expect increased scrutiny from state and federal
regulators. But planning should be more comprehensive than merely dusting
off old plans that have already been put in place.
Whether banks use outside consultants or internal managers, many are
currently re-examining every aspect of their disaster recovery plans,
including the assumptions upon which the plans are based, and looking
more closely at the options they have to choose from, not only to keep
their major data processing systems running in case of business interruption
(the focus of many articles relating to banking as well as other industries),
but in regard to what might seem a routine part of normal banking operations,
namely item processing.
Item Processing Should Be A Central Part Of Disaster Recovery Planning
Item processing includes the sorting and proofing of checks, the preparation
of cash letters, inclearings processing, and data transmission. But
while it may seem less critical than data processing, it provides the
sum of the basic raw data that the data processing system uses and is
essential to the successful operation of any bank.
Furthermore, a disruption at any bank could threaten the integrity and
continuity of the entire banking system, which is why state and federal
regulators and the Federal Financial Institutions Examination Council
(FFIEC) are looking more closely at the risk management of outsourced
technology services.
The following reviews many of the choices regional, local, and community
banks have for item processing back-up and provides a checklist for item
processing disaster recovery planning that may assist bank management
in upgrading its plans during this period of higher-than-normal risk awareness.
Money Center Banks vs. Local, Community Banks
Money center banks that handle high volumes of checks on a daily basis
and must process and return NSF checks without fail may find it necessary
to establish a fully functioning item processing disaster recovery site
of their own with completely redundant equipment, systems, and transmission
capabilities. Or they may need a contract with a large volume, outside
supplier to satisfy themselves and the appropriate bank authorities
that they are prepared for any eventuality.
Smaller banks, such as local and community banks in small towns or rural
areas, have more options, partly because of the smaller volume of checks
they handle and also because they may feel more comfortable knowing
their own local clientele and their customers’ “normal”
banking habits (fewer instances of fraud and irregularities).
But whether banks are located in rural communities or urban centers,
they must consider the pros and cons of each option before staking their
ongoing operations on a back-up plan that may seem reasonable and economical
now but will have unintended consequences in a variety of unforeseen
situations.
Let’s take a look at a few example scenarios related to some of
the options.
Reciprocal Agreements
Reciprocal agreements are a common practice in the banking community.
Bank A establishes a reciprocal agreement with Bank B, located in a
neighboring town. The agreement allows each to use the other’s
item processing facility in the case of an interruption of business.
It’s an inexpensive arrangement that provides an easy and normally
acceptable solution to compliance with disaster recovery planning requirements.
Of course, the management at Bank A realizes they won’t be able
to do their own work until after Bank B finishes its normal item processing
routines every evening – a minor concern, perhaps.
Of even greater concern, however, Bank A uses somewhat different systems
than Bank B, so while the facility at Bank B is available when Bank
A finds itself under 12 feet of flood water in the spring, it takes
over a week for the systems people from Bank A to jerry-rig Bank B’s
equipment and transmission software, so that they will send the appropriate
information to Bank A’s data processing center.

Reciprocal agreements are economical but beware of systems incompatibility.
Internal Hot Sites
Internal hot sites are another alternative for smaller banks. By using
older proofing and sorting equipment, a collection of prior generation
data processing equipment, and an alternative data transmission system
set up in an offsite facility, Bank C has provided what management considers
an adequate back-up capability. After all, the older equipment is already
paid for, and though it may require a return to earlier routines for
bank personnel, it won’t take long for some of the more experienced
people to get back into the swing of things.
But what if the disaster that befalls Bank C is accompanied by a flu
outbreak of epidemic proportions? The only people left standing to operate
the older equipment and systems have never used them before and must
function in a disaster mode, with reduced headcount, and no one to instruct
them on the older procedures.

Older back-up equipment may not function properly unless it is tested
frequently and all appropriate staff is trained to use it.
Outsourcing Options
Outsourcing options, of course, come in a variety of shapes, sizes,
and costs. For instance, some smaller banks already outsource their
primary item processing operations and rely on the vendor to provide
for disaster recovery planning. Outsourced item processors sometimes
set up reciprocal deals with their competitors in a similar arrangement
to those described above.
Or banks may contract directly with a primary item processor as a back-up
facility for a small monthly fee. Of course, any efficiently managed
item processing facility will likely be fully utilized, or nearly so;
otherwise, its equipment would be sitting idle.
So a difficulty may arise when Bank D calls on the back-up capabilities
of an already fully utilized facility: Bank D’s item processing
needs turn out to be last in line for processing time, and the bank could
face the prospect of significant delays, frequent missed deadlines, and
regulatory action, not to mention its employees having to work late
into the night.

Using a primary item processor for disaster recovery may require
a bank to wait hours every evening because normal customers’ work
comes first.
Mobile Hot Sites
Some suppliers of disaster recovery item processing provide mobile item
processing equipment and promise to have it in place within a specified
time frame, often up to three days after notification of a disaster
situation. The cost of maintaining a mobile trailer with equipment
and systems similar to those of the local or community bank is shared
with other banks in the region that use compatible processing procedures.
But unfortunately when Bank E calls on such a supplier in the event
its item processing center is knocked out by a tornado, the same storm
that flattened the facility has also knocked down the communications
lines that the mobile facility intended to use.

Mobile item processing hot site trailers require communication lines
(which may also be knocked out in a disaster situation) to be an effective
means of backup.
Dedicated Hot Sites
Dedicated hot sites offer an alternative to many of the problems of
other options but require the commitment of bank management to a planning
and implementation process that mirrors the procedures already in place
in the primary item processing operation. The cost of a dedicated item
processing hot site may be higher than some of the other alternatives,
but if properly tested, located within a reasonable distance, and accessible
through a variety of different means of transportation (consider the
recent shut-down of the air transportation system), a dedicated hot
site provides the surest and safest form of protection against the many
unforeseen circumstances that community banks may face.

Dedicated disaster recovery item processing centers (such as the
Davis Bancorp item processing center in Chicago) have equipment and
systems in place and are not already being used for primary item processing
for other customers.
Regulators Are Taking A Closer Look At Disaster Recovery Planning
Existing federal regulatory guidelines and most state regulators require
banks to provide disaster recovery plans and have them reviewed by bank
management and the board of directors. A recent publication from the
FFIEC states, “The board of directors and senior management are
responsible for understanding and ensuring that effective risk management
practices are in place. As part of this responsibility, the board and
management should assess how the outsourcing arrangement will support
the institution’s objectives and strategic plans and how the service
provider’s relationship will be managed.”
Of course, that same advice should be followed for any outsourcing arrangements,
whether for technology services or for transportation or other processing
services, which are all too often managed and contracted by lower level
bank personnel who do not understand the risks that may be involved.
During normal bank examinations, regulators also require banks to provide
proof of back-up planning, including agreements or contracts with other
institutions or service providers. But because of increased risk management
concerns, regulators are looking more closely at disaster recovery planning
during the examination process. Therefore, banks should review all aspects
of their current disaster recovery plans and make changes wherever deficiencies
exist.
The following list provides a number of important considerations to
which banks should pay particular attention:
Checklist For Item Processing Disaster Recovery Planning
Equipment and systems compatibility
Does the back-up item processing facility offer the same equipment and
systems used by your bank in its normal operations so that there is
no need to alter, update, or reprogram?
Testing and ongoing maintenance
Does the back-up facility pre-test all equipment and systems to make
sure your bank’s routines and procedures work flawlessly? And
do they test those procedures on a regular and scheduled basis?
Disaster definition
Who defines what qualifies as a disaster? Do you have the right under
your agreement to declare a disaster for any reason, whether it be the
obvious natural occurrences of floods, fires, tornados, etc., or the
unusual problems of equipment, systems, or human failures or incapacitation?
Capacity
Is the back-up facility dedicated to disaster recovery operations, or
is it a primary processor with a relatively small amount of excess capacity?
If the back-up facility is another bank, does it have the capacity to
handle its own and your processing needs in a timely way?
Availability
Is the back-up facility available 24/7/365? Are there any exclusions
to the times when you can declare a disaster and use the site?
Accessibility
Is the back-up facility easily accessible by a variety of transportation
means? Can you get there within a few hours by car or train? If the
air transportation system is shut down, do you have an alternative facility
that is within reach?
Regulatory and audit review
Is the back-up facility open to regulatory and audit review and does
it welcome such visits?
Insurance
Does the back-up facility have appropriate insurance coverage? Will
the service provider supply you with a copy of the policy for review
by your risk management officer? Is the coverage sufficient in case
the facility itself experiences problems? Does the courier service you
or your service provider use have appropriate coverage? (Many couriers
have insufficient coverage to carry sensitive bank documentation.)
Microfilm or imaging back-up
Does the back-up facility provide microfilm or imaging back-up capabilities,
in case documentation is lost or stolen in transit?
Costs
Is the back-up facility priced appropriately? Are all costs included
in the contract? Are there any extra “declaration” or “duration
of disaster” fees?
Only when an item processing disaster recovery facility meets all the
tests outlined above can the management of a bank feel confident that
they have provided for secure business resumption of one of the most
important, but often neglected, aspects of bank operations.
J. R. Davis is president of Davis Bancorp, risk management partner to
the banking community. For more information about the company and its
services, visit www.davishotsite.com. For comments or questions, Davis
may be reached at jdavis@davisbanc.com or at 847-998-9000, ext. 4460.
To comment on this article, go to 1602-09
at www.drj.com/feedback.
©Copyright
2003 Systems Support Inc. All rights reserved. Reproduction in whole
or in part in any form or medium without the express written permission
of System Support Inc. is prohibited.