Is your FI Ready for the Next Disaster? Answer these 5 Questions to Find Out
No one likes to think about disasters and disruptions. We want to believe that things won’t go wrong and that everything will turn out just as we hope. But as the news constantly reminds us, hope is not a plan.
In just the past month we’ve seen the destruction of Hurricane Ida in Louisiana and the Northeast, wildfires in California, and severe storms and flooding in Tennessee. The number of COVID-19 cases is surging, straining medical resources in many states. And the recent 20th anniversary of the terrorist attacks reminds us that the world can change in an instant.
When we think about these types of events, we’re often drawn to the heroes who step up to help others. From first responders to medical professionals to those who welcome the displaced into their homes, there are always people and organizations who are there to help.
Your financial institution is probably one of those organizations. When people experience a disaster or major disruption, they rely on their financial institutions to be there. Whether it’s accessing funds, checking an account balance, taking out a loan, or transferring money to a friend or family member in distress, having full access to banking services is more than just peace of mind—it’s often a lifeline.
Is your financial institution prepared to fill that role?
September is National Preparedness Month, a time to raise awareness about the importance of preparing for disasters and emergencies that could happen any time. The 2021 theme is “Prepare to Protect. Preparing for disasters is protecting everyone you love.”
For everyday Americans, it means having a plan to communicate during a disaster, having adequate and updated supply kits, and checking to make sure they are adequately insured—among other preparations. For your FI, it means ensuring your business continuity plans (BCPs) and disaster recovery plans are up to date.
With that in mind, ask yourself these 5 questions to determine if your institution is prepared to help its community in the event of a disaster.
1. Do we have a disaster recovery plan included in our BCP? A disaster recovery plan is the part of a BCP that outlines what needs to be done immediately after a disaster to recover from the event. While the BCP looks at your FI as a whole, a disaster recovery plan focuses on a specific type of event such as an inaccessible building or an offline data center.
2. When was the last time we updated our BCP? Lots of things can render a BCP outdated. A reorganization, a new vendor, an updated risk assessment, a new employee, or a new product and service can all impact your BCP. For example, BCPs assign specific roles and responsibilities to individuals. What happens when a staff member leaves or their role shifts? If the BCP isn’t adjusted accordingly, the answer is a big hole. Make sure that your FI updates the BCP every time there is a significant change—or even just if an employee joins or exits the FI. If you plan to update the plan on a fixed schedule, for example quarterly, make sure all significant changes are assessed for their impact on the plan.
3. Is staff trained on their BCP roles? It’s not enough to have correct information in a BCP—staff with assigned roles and responsibilities needs to be made aware of them so they are prepared. Staff needs to be trained on the BCP when onboarded and any time there is a change that impacts their role or responsibility. Even if there hasn’t been a change, if it’s been a while, staff should be retrained. You don’t want staff to be caught off guard by their duties during a disaster. There will already be enough disruption and uncertainty.
4. When was the last time we tested our BCP? The best way to determine whether or not a plan is effective is to test it. Afterwards, you should dissect the results to understand what went well and what didn’t. That gives you an opportunity to uncover and address weaknesses—or gives you confidence that your FI is prepared to manage a disaster.
5. Are our vendors’ BCPs satisfactory? Third-party vendor management guidance says that financial institutions should review vendors’ business continuity plans as part of their due diligence and ongoing monitoring. That’s because the failure of a critical vendor can have a far-reaching impact on an FI’s ability to provide products and services. Not only should your FI review critical vendors’ BCPs and test results, but it should also adjust the FI’s BCP accordingly. If your FI decides a vendor presents a significant BCP risk, you should include mitigation controls in your own BCP—whether it’s additional due diligence or an alternate vendor.
No one can predict when disaster will come, but we can all prepare. Use these five questions to prepare to protect your staff, your customers and members, and your institution.