On September 11, 2001, the terrorist attack destroyed the World Trade Center in New York, which was the most highly concentrated financial area. This attack not only destroyed the twin towers, but also ruined the financial system. Banks located in the World Trade Center went through an unprecedented disaster. The company’s back-up facilities which were too close to the primary facilities were disrupted as the primary facilities. Single points of failure in perceived diverse routing resulted in failed back-up communications systems. Because of the terrorist attacks of 9/11, there is significant increased focus on the disaster recovery plan. (Robert Bronner, 1997) According to Robert Bronner, banks were among the earliest adopters of information technology in the business world. The widely use of information technology in the bank system forced a new industry – the disaster recovery industry. Disaster recovery plan is an important part of bank business continuity plan. It is a processes or set of procedures that help firms prepare for disruptive events.
The goal of the plan is recover and protect a business IT facilities, such as the network, document management system, and core system, in the disruptive events. Those events include both natural disaster such as earthquake and man-made disasters such as power outage. It is impossible that a bank can always avoid disasters, so the disaster recovery plan plays an important role after a bank suffer a disaster. With a careful plan will effetely help the bank to minimize downtime and data loss to ensure some level of organizational stability and an orderly recovery after a disaster will prevail. The Automated Clearinghouse Association was formed by 7 Philadelphia-based banks in the mid-1970s for the sole purpose focus on how to manage bank’s data recovery when bank’s computer systems go down. This group started the disaster recovery industry in 1987 by SunGard Recovery Services.
The Important of Disaster Recovery Plan
The disaster recovery plan is important to the bank, because the benefits it can obtained from the drafting of a disaster recovery plan.
The basic benefits of a disaster recovery plan include (“disaster recovery plan”):
(1) Providing a sense of security
(2) Minimizing risk of delays
(3) Guaranteeing the reliability of standby systems
(4) Providing a standard for testing the plan
(5) Minimizing decision-making during a disaster
(6) Reducing potential legal liabilities
(7) Lowering unnecessarily stressful work environment
Disaster recovery plan is a critical proactive approach to banks. Because the objective of the disaster recovery plan is protect the bank do minimize loss during the disaster, planning is vital to the disaster recovery plan. The type of disaster recovery plan can be variety, but all of them should follow three basic measures (1) preventive measures, (2) detective measures, and (3) corrective measures. The purpose of the first measures is to prevent a disaster from occurring. This measure is focus on identify and reduce risks. Preventive aimed to stop a disaster before happening. These measure try to identify the risks before it happens and reduce the happen ratio. To achieve the prevention purpose, the measures may include keeping data backed up and off site, using surge protectors, installing generators and conducting routine inspections. Detective measures are used to find the presence of any unwanted events among the IT infrastructure. They focus on the unfound new potential threats.
These measures include installing fire alarms, using up-to-date antivirus software, holding employee training sessions, and installing server and network monitoring software. The system which is focus on restores a system after a disaster or otherwise unwanted event takes place is corrective measures. There measures may include keeping critical documents in the Disaster Recovery Plan or securing proper insurance policies, after a “lessons learned” brainstorming session. (“Disaster recovery plan”) Banking industry certainly needs the Disaster Recovery Plan. The research shows that among 170 disasters recoveries, 45 were for banks in the last 10 years. (Robert Bronner, 1997) In 2012, hurricane Sandy highlights the bank’s need for disaster recovery planning. Sandy struck the East Coast of Manhattan, where is the location of Wall Street. Many banks’ headquarter located on the East Coast, such as Citi and Bank of American, were flooded under water. The financial markets in New York City were closed for at least two days cause loss of millions of dollars. Disasters are unexpected and costly, so the planning is critical for the bank to reduce loss from disasters.
Disaster recovery is of particular importance for the banks than other businesses because the huge demand of services during times of community disaster. The average bank is multi-plat formed, with multiple locations and varied operations and computer applications. For example, Chase Bank has over 19,500 ATMS and 5,600 branches across the country. Mergers and acquisitions make the bank facing a more complicated situation. Mergers and acquisitions have caused banks to endure more different kinds of applications. Basically, banks run 20 to 30 critical applications simultaneously. When organizations merger or are acquired, a bank may run 40 to 60, double than before, critical application at the same time. Furthermore, because the bank’s global expanding, the banks operations become more decentralized that expands their reach beyond the back office into satellite locations. Last, banks are still relying heavily on paper.
For example, the bank often needs the copy for its customers’ copy of ID. If a bank suffers a disaster, what would happen to these decentralized operations and manifold applications? What happens to the many paper transactions in branches that have not entered the central system? As soon as the disaster happened, no matter its man-made or natural, despite of its local or nation, it can disrupt critical business operations significantly for weeks and sometimes months. Thorough preparation can shorten recovery time dramatically and keep banking operations ongoing. (Robert Bronner, 1997)
The planning methodology
According to Geoffrey H. Wold of the Disaster Recovery Planning Process, 1997, an integrated plan should include 10 steps
1. Obtain Top Management Commitment
Top management in the bank must support and involved when developing a disaster recovery plan. Managements have the responsibility to supervise the plan developing process and confirm the final disaster recovery planning is effective within the bank. The process of developing the plan should include enough time and adequate material resources. Resources could include both financial considerations and the effort of all personnel involved. This process requires the bank to hire educated managers who has knowledge about disaster recovery. If the top manager doesn’t know about disaster recovery, the final disaster recovery plan, which has the participation of the top manager, can be poor.
2. Establishing a planning committee
After the draft of the disaster recovery plan is finished, the bank need to build a planning committee. The function of the planning committee is overseeing the development and implementation of the disaster recovery plan. The planning should consider all functional areas of the organization and effect represent them. The committee members should include the operations manager and the data processing manager. The employee is the first thing the bank should think about when develops a disaster recovery plan. What employee most concern about? The safety of families and personal property. As long as those two areas are safe, the employee can focus on the safety of the employer and its customers’ property. So when the management making the disaster recovery plans, they should include essentials such as shelter, medical insurance, pension, as well as counseling and information on the disaster recovery plan. The committee should ensure the final disaster recovery plan include a plan to ensure the safety of the employee’s family and property.
3. Perform a risk assessment
Risk analysis and business impact analysis are important parts of planning committee. They should contain the range of possible disasters for natural, technical, and human threats. The committee should analysis every functional area of the organization’s potential consequence and influence associated with different disaster scenarios. Furthermore, the safety of critical document and vital records should be evaluated, too. For example, fire always be considered the greatest threat to an organization, so many banks buy the fire insurance. However, even the flood is infrequently, it still has a chance to happen. One of the reasons the Sandy cost huge loss is many banks located at Wall Street don’t have bought insurance for flood. The disaster recovery plan should consider the “worst case” situation.
4. Establish priorities for processing and operations
Critical needs are the necessary equipment and procedures used to recover the daily operations of a department, such as main facility or computer center when it suffered a disaster. The critical needs for each department within a bank should evaluate the areas include: functional operations, key personnel, information, processing systems, service, documentation, vital records, policies and procedures. Analysis the processing and operations to decide the maximum amount need f time each department of bank can operate without each critical system. To determining the critical needs for a department, the bank can document all the functions performed by every departments.
As soon as the primary functions have been determined, the operations and processes should be ranked in the order of essential, important, and non-essential. (Robert Bronner, 1997) Location is the first critical consideration of a recovery plan. A bank’s recovery plan should include geographically independent relocations sites for every work group. (Robert Bronner, 1997) The consideration of the location include whether it is easy to access to other facilities, Data center professionals may work in an urban area and be more willing to travel or relocate. The recovery locations should be planned both for the data center environment and satellite locations.
5. Determine Recovery Strategies
The researched and evaluated processing alternatives are the most practical alternatives for processing. In order to make an effective recovery strategy, the bank must consider facilities, hardware, software, communications, data files, customer services, user operations, MIS, End-user systems, and other processing operations of the organization. Furthermore, the bank should consider its computer function. Hot sites, warm sites, cold sites, reciprocal agreements, tow data center, consortium arrangement, and vendor supplied equipment are the alternatives for evaluation of the computer function. The third elements should be prepared is the written agreements for the specific recovery. The example of special considerations include: contract duration, termination conditions, testing, costs, special security procedures, notification of system changes, hours of operation, and specific hardware and other equipment required for processing.
6. Perform Data Collection
The basic data collected for disaster recovery plan includes backup position listing, critical telephone numbers, communications inventory, distribution register, variety types of inventory, master call list and vendor list, notification checklist, software and data files backup/retention schedules, temporary location specifications, and materials and documentation. That information are helpful to develop pre0formatted forms to facilitate the data gathering process. According to Robert F Bronne of the banking industry and disaster recovery plan, 1997: the inside data central is no longer enough for the bank, with the expansion of bank, the bank needs the data beyond the inside data center.
The remote of the working group of the remote locations should be part of the entire disaster recovery plan. The equipment and system in the remote locations should be accounted in the recovery plan. What is more, business recovery move advance to restoring and recreating business process. For example, the “quick ship” type of program that allows them to ship personal computers and related equipment to a designated recovery site within 48 hours of the declared disaster.
7. Organize and document a written plan
The disaster plan should be written in a standard form. The plan should include an outline of the plan’s contents. The managements should review and approve the outline. Then, the procedures and the documentation should be written in the plan based on the standard format. It is helpful to create a consistent format and allows for continuing maintenance of the disaster recovery plan. The plan should be used before, during, and after a disaster. It should include methods for maintaining and updating the plan to reflect any significant internal, external or systems changes and structured using a team approach.
8. Develop testing criteria and procedures
After a disaster plan is created, it should be tested and evaluated on a regular basis. The tests will provide the organization with the assurance that all necessary steps are included in the plan. Furthermore, it helps to determining the feasibility and compatibility of backup facilities and procedures, identifying areas in the plan that need modification, providing training to the team managers and team members, demonstrating the ability of the organization to recover, and providing motivation for maintaining and updating the disaster recovery plan.
9. Test the Plan
After testing criteria have been completed, the bank should test the disaster recovery plan. A good bank’s recovery plan doesn’t means it works well in the reality. The test will provide additional information about the continuing steps, reasonable adjustment to the original plan. Each functional department of bank should be tested. The bank’s size and rate of organizational change decide the frequency of testing. Usually, small banks have low frequency of testing; they may do testing once per year. Larger banks have high frequency; they perform exercises two or three times a year or stretch an annual test over several days. There are four main types of tests: checklist test, simulation test, parallel tests, and full interruption tests. The actual disaster is a true test to bank. It is similar to simulation tests, but more authentic than the simulation tests. Banks should document recovery efforts, evaluate results, and refine plans accordingly carefully.
10. Approve the plan.
The last step of making disaster recovery plan is approving the plan. After the written and tested, the plan should be approved by top-management. The top management has responsibility to establishing policies and comprehensive contingency planning. Also, the management should reviewing and approving the contingency plan annually and writes a review paper for the plan. If the information is come from a service bureau, management should evaluate the adequacy of contingency plans for its service bureau and ensure that its contingency plan is compatible with its service bureau’s plan.
With the expansion of financial industry, banks become more sophisticated technology users; the disaster recovery plan will play a more important role in the banking sector. The bank’s disaster recovery plan can help the bank to mining the lost due to an unexpected disaster and recover the bank back to use as soon as possible, but it acquired the bank to plan a disaster recovery plan system and effectively before the disaster happens. An effective disaster plan is made under the strict requirement in operate in planning, assessment, writing, and testing process. Nobody can estimate when the disaster will come, the disaster recovery plan is both a prevention method and insurance to decreasing the potential exposures and recover the organization for the bank.
1. Bronner, Robert F. “Banking Industry and Disaster Recovery Planning.” Banking Industry and Disaster Recovery Planning. N.p., n.d. Web. 17 Nov. 2013. .
2. “Disaster Recovery Plan.” Wikipedia. Wikimedia Foundation, 11 June 2013. Web. 17 Nov. 2013. .
3. Wold, Geoffrey H. “Disaster Recovery Planning Process Part 1 of 3.” Disaster Recovery Planning Process Part 1 of 3. N.p., n.d. Web. 17 Nov. 2013. .