Disaster Recovery Planning for Banks & Credit Unions

Financial institutions must develop a disaster recovery (DR) plan to regain critical systems and resume normal operations following unforeseen incidents from wildfires to everyday power outages.

After a natural or man-made disaster, time is of the essence. Banks and credit unions require a well-defined DR plan to protect and preserve sensitive and vital data. Responding to incidents quickly, whether a cyber breach or tsunami, reduces downtime and minimizes an FI’s financial, operational, and reputational damage.

In this post, we’ll dive deep into disaster recovery planning. What is the relationship between DR and business continuity planning? What are the essential elements of a bank disaster recovery plan? How much data backup does your financial institution need?

Keep reading to learn more about safeguarding your institution’s infrastructure, data, and systems from disasters.

Table of Contents 

• The Keys to Building a Disaster Recovery Plan
• Understanding Your Operational Assets
• Business Impact Analysis, RTO and RPO
• The Difference Between a Disaster Recovery Plan and a Business Continuity Plan
• Steps to Take in Developing a Disaster Recovery Plan
• Leveraging Technology as a Solution in Disaster Plans

The Keys to Building a Disaster Recovery Plan

The FFEIC IT Examination Handbook explains that a financial institution’s disaster recovery plan should address a wide range of potentially adverse events. At the same time, a DR plan should be function-based rather than incident-based.

For example, your recovery plan should focus on backup contingencies for losing an asset, such as a critical system, and not whether that asset is lost due to a data center fire. In short, for disaster recovery, it doesn’t really matter what the threat. What matters is how you prepare for and respond to it.

Understanding Your Operational Assets

The first step in a disaster recovery plan is understanding the assets vital to your financial institution’s operations.

DR plans should focus on your FI’s IT systems and physical infrastructure. Your financial institution likely relies on an integrated network of technology systems and structures critical to operations. These include:

• Hardware: The computers, mobile phones, and other devices employees use regularly 
• Software: Banking applications used by both FI employees and customers, such as digital banking platforms and loan servicing software 
• Cloud Applications: Critical, cloud-based applications. Your DR plan will need to leverage your vendor management program’s resiliency information.
• Network and Internet: Secure Internet access, APIs, external connections, and electronic data interchange.

Once you thoroughly inventory your technology, systems, and critical applications, you can label them as mission critical, essential, necessary, or non-essential. For example, wires and ACH payment processing systems are mission critical for most financial institutions, whereas your employee Intranet may be non-essential.

Defining your mission critical systems brings your DR plan into focus.

Business Impact Analysis, RTO and RPO

A Business Impact Analysis (BIA) is essential to disaster recovery plans at banks and credit unions. BIAs help pinpoint the costs associated with disruptions, such as lost revenue, replacing hardware and other equipment, additional employee wages, and profit losses.

After finalizing a BIA, financial institutions will understand the budget needed to safeguard against these losses. A business impact analysis also lays the foundation for disaster recovery efforts by determining Maximum Allowable Downtime (MTD), Recovery Time Objectives (RTO), and Recovery Point Objectives (RPO).

MTD refers to the maximum allowable downtime your FI’s specific systems, processes, and applications may be down before your institution experiences significant harm while your RTO indicates an acceptable level of downtime.

An RPO stipulates the longest allowable timeframe for data loss. For instance, if your financial institution’s RPO is four hours for a critical system, then data backups must be made every four hours. Systems with high transaction volumes and/or critical nature of data require more sophisticated data replication strategies and technology effectively reducing RPO to a value of near zero.

Your financial institution must set recovery objectives based on your determined by MTD, RTO and RPO for critical systems. This is likely the most essential element of any disaster recovery plan.

Related: Is your FI Ready for the Next Disaster? 5 Questions to Find Out 

The Difference Between a Disaster Recovery Plan and a Business Continuity Plan

Disaster recovery planning and business continuity planning (BCP) are often viewed as two sides of the same coin. Business continuity planning focuses on how to resume normal business operations after you ensure that your people are safe and critical systems are functioning.

Business continuity planning emphasizes maintaining operations during disruptions, while disaster recovery focuses on quickly restoring IT infrastructure and data following an unforeseen event or crisis. BCP is about keeping a financial institution afloat and serving consumers during particularly challenging times, while DR is about returning to normal as quickly as possible.

Related: Business Continuity vs. Disaster Recovery: Understanding the Difference.

Steps to Take in Developing a Disaster Recovery Plan

To review, the first three steps in developing a disaster recovery plan are listed are:

• Determining whether assets and systems are mission critical, essential, necessary, or non-essential so you can set priorities 
• Crafting a Business Impact Analysis (BIA) 
• Calculating your, MTD, RTO and RPO and setting recovery objectives

These are the most critical steps in your DR plan but are not the only ones. As a financial institution, you must also:

1. Establish an activation process: You need to know when and how to take action. Identify specific situations through tabletop exercises to decide what will be done and by whom following a disaster. 
2. Develop a process for notification: You need to establish policies for notifying key stakeholders and recovery personnel in the event of a disaster. Simply ensuring you have updated contact information can make a big difference in disaster response. 
3. Form a designated response team: Does your entire IT department need to be on hand during your disaster recovery efforts? Having people milling around at your institution can hamper effective recovery. Deciding who needs to be involved and their designated roles beforehand streamlines disaster recovery efforts. 
4. Test Your DR Plan: Regular testing familiarizes your team with your DR plan. Financial institutions may run disaster simulations or full-scale tests in which response teams are tasked with recovering failed systems. 
5. Review and Update Your Plan: Maintaining a robust disaster recovery plan isn’t a once-and-done process. Financial institutions must consistently update their DR plans. 

Related: 9 Steps to an Effective Tabletop BCP

Leveraging Technology as a Solution in Disaster Plans

Many financial institutions discover that they lack the resources to manually create, test, refine, and update their DR plans. What if your FI could rely on a business continuity platform that saved you time and money in disaster planning and business continuity?

Ncontinuity offers financial institutions an unparalleled disaster readiness solution that closes the RTO gap, enabling your institution’s systems to get up and running faster following an incident.

Learn more about business continuity management.