Curtis, Mallet-Prevost, Colt & Mosle LLP
International Report
September 1997

DISASTER RECOVERY - THE CHALLENGE FOR FINANCIAL INSTITUTIONS

By:
Susan F. Pollack
New York

With increased reliance upon technology, increased centralization of processing, and the ongoing risks of disruption from political and/or physical causes, the potential adverse impact of a major shutdown of a financial institution's systems (commonly referred to as a "disaster") has grown exponentially. To make sure that enough senior attention is directed at this risk, the Federal Financial Institutions Examination Council ("FFIEC") noted in its recently updated interagency statement of March 1997 that boards of directors and senior management of every financial institution must understand and be responsible for "corporate business resumption and information systems contingency planning functions." While the regulatory focus on disaster recovery is not new (the 1997 policy replaces the 1989 policy), this restated policy indicates an increased sensitivity and sophistication in this area on the part of the regulators, and is a useful reminder that every financial institution must have thought about and prepared itself for operational disaster.

Specifically, the board of directors and senior management are clearly (and formally) responsible for:

establishing policies and procedures to make sure that a complete plan for disaster recovery exists, is in place and functions effectively;

annually reviewing the adequacy of the institution's disaster recovery plan and test results; and

documenting such reviews and approvals in board minutes.

To the extent, furthermore, that an institution relies on an outside provider for some or all of its information services, the institution must make sure that it can stay in business if the outside vendor's services are not available. In other words, the FFIEC has made clear that its definition of disaster includes not only events of force majeure but also the risk that an outside vendor might not continue its services. This "vendor" risk can occur for a variety of reasons, ranging from the vendor suffering a disaster to a simple contract dispute. To plan for the risk of vendor termination, an institution must understand how it will obtain or deliver substitute services. It must evaluate the sufficiency of the contingency planning of the outside supplier and the vendor's testing of such contingency plans. The financial institution must also make certain that its internal contingency plans are consistent with those of the outside provider.

Practically speaking, contingency planning by a financial institution is a highly complex and challenging ongoing task, which requires a series of thoughtful steps to satisfy the regulatory requirements applicable to it (and meet the standards against which it will be examined):

1. Analysis: The institution must understand and identify in detail what are the critical elements of its operations and its information technology. This analysis must be applied to all facets of transaction processing and to the full range of computer environments. The FFIEC has made clear that this analysis must be applied not only to those systems managed directly by the institution but to those which are provided by third parties.

Contemporary financial delivery systems and services are recognized as including not only the traditional transaction processing (such as cash management and securities services) but also services such as PC-Banking and Internet promotion. From a review of the vulnerabilities of all systems must come a clear and rational prioritization of the importance of recovering the different systems. Obviously, not all systems are critical, but a reasonable standard is those systems that the institution would need to have in operation within 24-48 hours in order to stay in business. Thus, the institution's cash management system, loan reconciliation system, trading information system and the like are critical; the ability to process human resources information is probably not.

An institution, similarly, must understand the ways in which its information systems might be at risk (e.g., natural disaster, loss of power, hardware or software failure, general strike, etc.) and how broadly (geographically or otherwise) such a risk might spread. Institutions must also recognize that the greater the consolidation of operations, the greater the magnitude of the risk to the institution in the event of a failure. These are the variables that must be considered in preparing the business resumption plans.

2. Preparation of Contingency Plans: Once all the critical systems (and their risks) have been identified and prioritized, the institution must develop a recovery plan for each system, with clear priorities for the recovery of the most critical systems. For some systems, the institution may choose to establish its own disaster recovery site (i.e., a place owned or operated by the institution that has the capacity to assume the functions of the systems lost to the disaster). Other risks can be dealt with by having other suppliers on retainer. For existing outside providers, the same scrutiny must be applied in evaluating their contingency planning.

Certain practical factors have to be applied: A backup system that is subject to the same risks as the institution's operations (same building, same source of power, same risk of flooding or whatever) does not provide very meaningful protection. Similarly, the adequacy of the backup plan for each individual system says nothing about whether all backup systems can operate simultaneously. One of the risks of having separate groups each prepare their own contingency plans is that they frequently fail to coordinate. In this case, each plan may be acceptable on its own, but they may all depend on a single resource which cannot handle the demands of all the groups at the time of need. Having a single officer responsible for overseeing all contingency plans and coordinating them is a practical approach, and one which the FFIEC endorses in the March 1997 policy.

Finally, institutions should remember that disaster planning does not only mean disaster recovery planning (although that is the focus of the FFIEC policy). Some attention must be given to understanding what risks will exist while systems are inoperative, and making certain that procedures are in place to prevent undue exposure. For example, if the credit system is down, the institution has to decide how much appetite (if any) it has for increasing its exposure (or potential exposure) to its customers while it is operating without critical customer information. Is the institution willing to continue effecting funds transfers or clearing checks when it cannot determine account balances? How will it deal with extensions of credit under loans without complete records as to amounts outstanding? What trading restrictions will be put on the trading floor until the systems come up again? In other words, an institution must plan for living with disaster as well as recovering from it.

3. Testing: Like any backup system, a contingency operations system must be tested periodically to ensure that it will function as expected. The frequency of testing will vary with the criticality of the systems being tested, and that, too, should be considered and documented. Tests also frequently reveal deficiencies in contingency plans, and the FFIEC requires prompt corrective action.

Reflecting its view as to the importance of high quality contingency planning on a regular basis, the revised FFIEC policy now states specifically that the board not only must review and approve the institution's contingency planning annually but also must document that review in the board minutes.

Increasingly, global institutions and the integrated global systems supporting these institutions are a core part of the financial services business. Yet with globalization comes increasing risk. As a result, regulators have become far more sensitive to these kinds of risks, and expect the institutions they review to reflect this concern. Risk management today is recognized as far more than just credit controls. And disaster recovery planning, which is part of risk management, cannot be left to the lower levels of management; boards of directors and senior management are responsible for and will clearly be held to (and evaluated on) a high standard in this area.