Choose Your Own Adventure: Responding to a (Jurassic) Financial Institution Disaster
It’s surprisingly quiet for a Tuesday morning. Your inbox is miraculously clear. There are no voicemails to follow up on. You might actually cross an item off that to-do list that’s been looming over you for the past nine months. But first, you decide to drink a cup of coffee and read a little news.
You glaze over the usual headlines until something draws your eye. The island of Isla Nublar, home of the Jurassic World theme park, is being destroyed by a volcanic eruption. Scientists are scrambling to relocate the remaining dinosaurs to a facility in Florida until a more permanent solution can be found.
“How are they going to move those dinosaurs?” you wonder in passing, envisioning the equipment that must be needed to house such strong, large animals. Your attention shifts to your to-do list and your plans to look into a mobile banking vendor. You go to open your file on vendors, but you get an error message when trying to open the drive. The files aren’t available.
Just then your phone buzzes with an alert. Biologists transporting the dinosaurs ignored a weather advisory and attempted to bring the dinosaurs in during a strong electrical storm. The strong winds briefly knocked out power, allowing several large dinosaurs to escape. They are now on the loose in Tampa as the storm rages. Authorities are encouraging residents to seek shelter immediately.
That’s when you remember that your core processor has a data processing and storage center in Tampa.
What should you do next?
A. Freak out and call your contact at the core processor.
B. Stay calm and investigate the problem with your file drive.
A. Freak out and call your contact at the core processor.
You pick up the phone and dial your contact. A message from the telephone company comes over the line informing you that all lines in the Tampa area are down. That can’t be good.
You hang up and prepare to send an email when your inbox, cell phone, and desk phone begin to buzz and ring non-stop. Users can’t get their data. Customers can’t access their accounts. It’s a mess and everyone wants to know how long it will be before systems are restored.
You turn on the news and discover that the dinosaurs are running loose in Tampa, wreaking all sorts of havoc. Between the heavy winds and several genetically modified Indominus rexes running amok, the city is in bad shape. You notice a familiar logo on a demolished building in the background on the screen. It’s your core processor. That explains the outage.
Hoping everyone is okay, you pull up your vendor agreement to look up recovery time objectives (RTOs) and recovery point objectives (RPOs) so that you can let everyone know the maximum expected outage.
Your vendor due diligence research ensured that your core vendor has business resiliency plans, including a backup center. The agreement guarantees that services will be restored within 12 hours in the event of an outage. It’s inconvenient, but not the end of the world.
It’s a good thing your core vendor has a backup center. At least they used to, but that was back when you signed the contract three years ago. What about today?
Have you continually monitored your vendor?
It’s a good thing you’ve been proactively monitoring your vendor. Thanks to that thorough due diligence, you know that your core vendor has a back-up center in Tulsa as part of its business resiliency plan.
According to audit results, your core processor last tested its business continuity plans three months ago and all systems were a go to promptly transfer functions to the Tulsa center.
In a short period of time, systems will become operational again.
In the meantime, what do you want to do?
E. Sit back and wait for systems to be restored.
F. Deploy your client communications and public relations plan.
E. Sit back and wait for systems to be restored.
The outage gave you quite a scare, but it looks like services will be restored soon. Everyone is so busy watching dinosaur news coverage, it’s a perfect time to put your nose to the grindstone and attack some tasks with minimal interruptions.
Except now your customers are angry. They have bills to pay and transactions to make and have no idea when they will be able to do so.
On Twitter, a user named @DinoFanatic rages against your institution, saying that you are the reason he’s missing out on the dinosaur event of a lifetime. His credit card won’t work and now he can’t book a plane ticket to Florida or rent a car.
Others join in the complaint fest, sharing that they can’t buy groceries or pay for the services they just enjoyed because your network is down. @SnarkyGriswold complains that your bank’s systems are as old and ill-equipped for modern life as the dinosaurs destroying Tampa. Burn.
The CEO storms into your office wondering why you haven’t done anything to reach out to the public and let them know what’s happening. It should have been part of your disaster recovery plan, he tells you with a pointed look.
Just then services are restored, but it’s too late for you. The board’s faith in you is gone.
F. Deploy your client communications and public relations plan.
With one crisis seemingly averted, you jump into action to make sure customers, employees, and the public are aware that your institution has matters under control.
Referring to your business continuity plan, you deploy your communications and public relations plan. You send out an email and text alerts to all customers making them aware of the outage and the expected recovery time. The message is also shared over Facebook, Twitter and other social media channels.
Staff are informed of the outage and expected recovery and are given a script to explain the problem to customers who call in or email them so they can be confident in the information they are sharing.
Soon systems are restored and you use those same channels to let customers know that systems are restored as promised. Use the opportunity to remind them that your institution has a detailed disaster recovery plan to ensure transparent communications and multi-level plans to correct all sorts of problems because you know how important it is that customers have 24/7 access to the services they rely on. Thank them for their business and patience.
Once things have settled down, you publish a news release about how careful business continuity planning helped your institution weather the dinosaur fiasco. The story is picked up by the media and your institution is held up as an example of a responsible corporate citizen.
Your boss tells everyone who will listen that you are a business continuity rock star—because you are—and you get promoted at your next review. Congratulations!
You dig through your due diligence documents from three years ago and are relieved to see that your core processor has a back up facility in Tulsa, Oklahoma.
Actually, make that HAD.
You do a quick Google search and discover that its Tulsa facility was closed six months ago and back up operations were moved to Orlando. That’s just 85 miles away. If Google is right and Velociraptors can really move as fast as 40 mph, they could be in town in a little over two hours. Plus, who knows how quickly those flying dinosaurs can travel? Yikes!
You wonder what kind of physical security your core processor has in place. It’s done a great job keeping out hackers so far, but can it withstand a charging Triceratops? Is the staff prepared to man the building to get operations back up and keep them up? The answers are probably in the audit documents the vendor has been sending you.
How do you find them?
G. Dig through piles of unopened envelopes looking for the answers.
H. Consult your centralized vendor management system.
G. Dig through piles of unopened envelopes looking for the answers.
So many unopened documents and so little time. The storm is spreading across Florida, taking out phone lines and Internet connections, so there’s no way of reaching your processor to find out if the Orlando facility is prepared to deal with a scenario where service outages and a public safety hazard combine in an unprecedented manner.
If only you had been proactive about reviewing due diligence documents and monitoring vendor changes, you would have a better idea what’s in store. Now you can only sit and wonder what’s going to happen to your data and operations. And maybe update your resume.
H. Consult your centralized vendor management system.
That would be a great idea if only you had one, but you don’t.
If you had a centralized vendor management system, it would have reminded you to conduct ongoing due diligence of critical vendors like your core processor to stay up to date on its business continuity plans. You’d know exactly what preparations were made and what the plan was.
You wouldn’t be looking up the most recent documents because you would have already reviewed them.
It’s also a reminder that you should have updated your business continuity plan, including making sure your vendor partners structured their business continuity plans to ensure the continued operation of all critical functions.
Now you can only cross your fingers and hope for the best. There’s no way of knowing what to expect.
B. Investigate why you can’t get into your file drive.
You shrug your shoulders at the news of dinosaurs run amok and get back to work. This is your day to get things done and nothing is going to stop you.
Plus, you Googled “How fast can a T-rex run?” and found out it’s about 17 mph. With Tampa 200 miles away, it would take at least 11 hours for the king of dinosaurs to make it to your headquarters in Jacksonville. That’s assuming it doesn’t stop to eat or sleep and that no one will notice a 16-ton dinosaur plodding down the street and catch it. There’s nothing to worry about.
You try again to open your files. Success! The network is back on track so you get back to work. Flash forward to the afternoon and the dinosaur problem isn’t contained. Velociraptors have been spotted in Orlando and Gainesville and the public is starting to panic.
The CEO comes into your office asking what the plan is in the event the dinosaurs make it all the way to Jacksonville.
He wants to know what staff should do to prepare.
I. Tell him to send all non-critical staff home.
You consult your function-based business continuity plan and consider all the potential high-level problems you might face like losing a facility or critical staff. While you’ve never considered the impact of a dinosaur infestation, you do have plans to deal with the potential impacts to functions and how to quickly bring them back online.
That means you don’t want all-hands-on-deck crowding a limited space or hourly employees standing around costing money. It’s more important to have the right people who can help get business back on track. You know who is essential to restoring functions and are prepared to call them in.
Fortunately, all your instructions, procedures and rules are centralized so there is no guessing what to do. Consulting your plan, you decide it makes sense to conserve resources and keep only the headquarters manned.
What do you do next?
M. Determine which critical vendors have exposure to the dinosaur crisis.
N. Follow the plan for ensuring continuous IT operations.
M. Determine which critical vendors have exposure to the dinosaur crisis.
As part of your planning, you know which third parties your institution will rely on. This includes regular vendors needed to operate in a business-as-usual environment as well as vendors who may aid in recovery, such as generator providers in the event the dinosaur event results in a widespread outage.
You pull up your centralized vendor management system and search for keywords related to Florida to determine which vendors could be impacted. You discover that while your core processor is at ground zero in Tampa, it has a back-up facility in Tulsa and should be able to make a seamless transition.
Because you took the time to evaluate critical vendors’ business continuity plans, you are confident that operations should continue. You also have back up plans to keep your own systems up and running. Non-critical staff are safe at home, only critical staff remain on site, and customers have been informed of the institution’s efforts to keep systems up and running.
Congratulations! You are well prepared to deal with a dinosaur invasion even though you never imagined you’d need to be. That’s because you focused on a function-based plan instead of specific scenarios. If you were a dinosaur, you’d be a BCP rex, king of business continuity planning!
N. Follow the plan for ensuring continuous IT operations.
Every department relies on IT to maintain operations, making it a top priority. Because of careful planning, you know how IT’s recovery time objectives (RTOs) and recovery point objectives (RPOs) will impact other departments, but you’re not particularly worried about the network going down because IT is positioned for success, come Hadrosaurus or T-rex.
You’ve mapped out critical functions and the staff on hand knows what needs to be done. They know which vendors to contact and have a data backup far from the mayhem. They are monitoring the situation to see if a temporary office needs to be set up in an alternative location. Employees and customers are being updated regularly to let them know what’s being done to keep both systems and people safe.
The storm starts to wind down and you hear a commotion outside. Daring to look out the window, you catch a glimpse of animal control tranquilizing a stegosaurus just as he was about to clumsily swing his spiked tail into your building while munching on a palmetto tree. You breathe a sigh of relief at the narrow miss, grateful you won’t have to worry about structural repairs or finding temporary office space. It would have been a hassle, but you’d have been ready. A good business continuity planner finds a way.
J. Call everyone into the office.
A gargantuan problem requires a gargantuan team. You call everyone into the office to help ensure systems remain running and to answer customer questions.
Employees leave their homes and families during the emergency to lend a hand. You want to believe it’s a real team-building exercise except there are now too many people with too little to do. Hourly employees are being paid to stand around. Nervous and stressed employees get in the way or spend their time complaining to their coworkers that they are worried about their spouses, children, and pets and how ridiculous it is that they are here instead of at home.
Now they are getting hungry. What do you do?
K. Pull out the emergency supplies you've stockpiled.
Calling in the whole staff may have been overkill, but at least you planned on having everyone there and have enough supplies to last three to five days, including food, water, and blankets.
Fortunately, you’ve been granted a reprieve! The dinosaurs have been caught and it’s now safe to leave the building. Your employees aren’t exactly thrilled they spent the crisis locked up in your branch, but everyone is relieved to be going home.
L. Make a Target run.
You hop in your car and head to Target. Grabbing a parking spot by the door, you get out of the car and grab a cart. As you walk to the automatic doors, you hear a rustling sound in the bushes and a quiet rumble. You turn around, but it’s too late.
A Giganotosaurus emerges from the bushes. His large glistening teeth are the last thing you see before he makes you his dinner.