Disaster Recovery Policy

Transcription

1 Disaster Recovery Policy Organizational Functional Area: Policy for: Executive Division Bank Disaster Recovery Program Board Reviewed: September 14, 2011 Department/Individual Responsible for Maintaining/Updating Procedures: Milad Doueihi REGULATORY RISK ISSUE(S) The regulatory agencies have alerted all financial institutions to the importance of contingency planning for banking operations, including data processing support, by issuing an interagency statement on this topic. While these procedures address many broad issues, management will be responsible for developing specific emergency and disaster recovery plans, which should keep disruption of operations to a minimum. Failure to address these issues may result in significant risks to the organization, including compliance risk, reputation risk, transaction risk, and strategic risk. MAJOR PROCEDURAL ELEMENTS Description of the bank s emergency procedures established to protect personnel and property during emergencies Description of backup considerations Guidelines for disaster recovery planning Standards for testing the disaster recovery plan

2 These areas are covered extensively in the Disaster Recovery Procedural Manual. The Manual is on-site at the Main Bank and copies are distributed on disk to all committee members and also at our Northpoint location, where the Disaster Recovery site resides. OTHER RISK CONSIDERATIONS In addition to banking operations, there are other significant elements to consider, including: External data processing disaster recovery planning Financial institution operational disaster recovery planning Customer service support Affiliate/holding company support (if appropriate) 2

3 STATEMENT OF NEEDS AND PURPOSE The board of directors and senior management of South Side Trust & Savings Bank recognize the need to establish comprehensive emergency and disaster recovery procedures and plans to protect employees during emergencies and to provide for the continuity of operations. Furthermore, the purpose of these procedures is to ensure that the organization is operating under established guidelines to assure the support for the safety and soundness of all financial institution operations as well as the protection of bank staff and assets. It is very important that senior management be informed of all bank disaster recovery plans, procedures, and guidelines. SPECIFIC GOALS Establish overall authority and responsibility in the development, implementation, and maintenance of the disaster recovery program including recovery and business resumption procedures and plans, and related testing. Provide a written reference that can be updated. Document specific planned backup initiatives. Outline strategies for disaster recovery efforts and business resumption. Establish requirements for periodic testing of the adequacy of the recovery plans. ELEMENTS Authority Senior Management will approve the selection of a Disaster Recovery Coordinator who is already an officer of the bank and whose responsibilities will be balanced with that of managing the disaster recovery function. 3

4 To assist the Disaster Recovery Coordinator, management authorizes the Disaster Recovery Coordinator to select a Disaster Recovery Committee to assist in the design, development, drafting, and finalization of a formal disaster recovery program. The Disaster Recovery Committee will assist in the development of the program as well as provide ongoing management of the process, including implementing the program and serving in a leadership role during a disaster. The Disaster Recovery Coordinator will serve as chairperson and primary contact. At least three members of this committee shall be managing officers of the bank and shall also serve as designated Disaster Recovery Committee leaders per the disaster recovery plan. (See Attachment A for a list of committee members.) Responsibility The Disaster Recovery Committee shall be centered on developing a proactive document; it is important that each department or functional area provide input, be encouraged to participate in a forum for discussing contingency planning and disaster recovery issues, and understand the ownership that each department or functional area has in the ultimate program. The Disaster Recovery Committee will meet as needed to accomplish the following: 1. Determine any needed changes to the program and report them to management. 2. Review, discuss, and as appropriate, act upon comments and recommendations provided by various departments. 3. Provide, on no less than an annual basis, a review of the existing program; provide copies of plan revisions for director review; and report on testing efforts and training initiatives. 4. Update, as necessary, procedures to relocate at the off-site location and assure the necessary supplies are in storage at that location. 5. Assure management that all necessary media are backed up and stored off-site to enable reconstruction of all files presently used by the bank. 4

5 Committee members are responsible for ensuring that all employees understand their individual obligations in this regard; the Disaster Recovery Committee must implement guidelines and procedures, and practice to enforce these consistently. South Side Bank management will be required to assist in implementing an ongoing training program to ensure cross-training of employees to reduce or eliminate the threat of loss that arises from the absence of key personnel. The Disaster Recovery Committee must be provided with information on an ongoing basis regarding equipment acquisitions, personnel changes, and off-site preparation in order to update the plan. The committee also will be responsible for establishing long-term goals for their objectives and making sure they are implemented. If the committee follows the guidelines set forth in the policy, it should be able to ensure the bank is operating in a safe manner. During this period, the Disaster Recovery Committee will talk with each department or functional area to: 1. Discuss and recommend needed changes in contingency planning procedures, forms, etc. 2. Provide Senior Management with an annual statement of the disaster recovery program from a department or functional area perspective. The comments will include all areas of concern, including contingency plan testing related to information services, training, location of contingency planning manuals at the bank, and backup site support. Other ongoing responsibilities of the Disaster Recovery Committee include: 1. Continue to provide feedback and reminders to all senior bank management, as necessary, to relocate to the off-site location all critical documents, forms, procedures, data, etc. and to assure the necessary supplies are in storage at that location. 2. Inform respective management teams regarding aspects of the disaster recovery program. 5

6 Services In the event of an area-wide disaster, the bank may offer certain free services to customers and noncustomers to help in the recovery process. Office Locations If one or more offices are severely damaged and not available for banking business within five business days, the Disaster Recovery Coordinator, in cooperation with other team members, will estimate the length of office closure and the timeline for setting up a temporary office, and will evaluate the cost/benefits. Media will be used to redirect customers to other convenient locations. Employee Support The bank will also assist employees to help ease the stress of working through a disaster. This will be assessed at the time of the disaster in accordance with the extent of damage. Training All senior management. managers, and staff are required to receive periodic training regarding disaster recovery procedures within their appropriate location or department. The Branch and/or Department will be responsible for emergency procedures review with their employees at least annually. Risk Management In addressing disaster recovery planning risks, the South Side Bank s senior management must be aware of the potential risks that may arise. Disruption to operations, whether due to internal problems (e.g., a fire) or external problems (e.g., loss of power due to storm damage), impact the organization both in the short term as well as in the future. Different types of emergency and disaster issues should be considered, and appropriate types of planning should be performed. Various risks need to be evaluated. These risks, and their related management techniques include: 6

7 Compliance Risk. Maintaining legal compliance with various appropriate regulations as well as compliance with the organization s emergency and disaster recovery program. Transaction Risk. Impacting earnings or capital due to problems with service or product delivery. Transaction (or operational) risk occurs in the delivery of all products and services. It may be assessed through consideration of all operational aspects including data input, data processing, and data output. People, equipment, forms, data files, and other significant elements of data processing to ensure the restoration of data processing within a short time frame are critical to customers of the organization and the viability of the institution. Strategic Risk. Addressing the potential adverse business impact to the organization, both internally and externally, that may occur if the institution is unable to restore data processing operations and related functions within an acceptable time frame. If the strategic risks related to data processing disaster recovery are not understood, addressed, and managed in terms of preparedness, the institution may not be able in the short term to address the risks and related solutions, resulting in economic and market losses. Reputation Risk. Retaining marketplace confidence by handling customers financial transactions in an appropriate manner and within an acceptable time frame, after a disaster, as well as meeting the emerging needs of the customer base and community are important to protecting the safety and soundness of the institution. Other Risk Considerations After review of internal issues, management has concluded that the following represent procedural considerations that could represent risk to one or more areas of the bank s main office or a branch. Fire / Tornado / Electrical South Side Bank has established various functional area, branch office, and department emergency procedures to provide for the protection of personnel and property during an emergency. The safety of all personnel is first and foremost in any emergency. 7

8 Following the initial review to assure all personnel are safe, the security of the premises, protections of assets and information, and if necessary, removal of any critical, nonreplaceable materials should be considered in an emergency. Emergency phone number for key functional area/branch office/department personnel are maintained in the disaster recovery procedure manual. 8

9 Backup Considerations Disaster recovery planning and procedures for South Side Bank shall include backup plans for key elements within each department/branch and contingency plans or strategies for recovery of operations. The Disaster Recovery Committee has specific responsibilities for developing, implementing, and maintaining the disaster recovery program, including the plan and related disaster recovery procedures. The South Side Bank has made provisions for backup related to hardware, programs, documentation, procedures, and data files. This is described further in the Disaster Recovery Procedures Manual. Standards for Testing Disaster Recovery Plan An annual test of the disaster recovery program is required. Segments of this test process are staged throughout the year to minimize disruption and yet facilitate testing of the disaster recovery program, plan, and procedures. General objectives for the test include determining the overall feasibility of the recovery strategies, verifying compatibility of backup systems and facilities, identifying deficiencies in the plan, providing training for employees involved in disaster recovery, and providing a mechanism for maintaining and updating the plan. Procedures Manual South Side Bank has developed an extensive disaster recovery procedural manual detailing every aspect of a possible disaster. 9

10 Attachment A List of Committee Members Disaster Recovery Committee Members 1. Chief Information Officer 2. Data Processing Officer 3. Deposit Operations Officer 4. Electronic Banking Officer 5. BSA Officer 6. Branch Manager 7. Loan Officer 8. Senior Management 9. Trust Officer 10