April/May 2007
Focus: Risk Assessment & Disaster Planning

BCP Considerations That Slip Through the Cracks

By Patrick W. Johnson

Business Continuity and Disaster Recovery Plans (BC/DR Plans) are proving to be more critical to a bank’s operation due to the recent spate of disasters (power, environmental, terrorism) and stricter regulatory compliance examinations. The primary goals of a BC/DR Plan remain the same: Ensure the safety of your employees and maintain/recover critical functions.

According to FFIEC mandates, a viable BCP must be function-based and provide pre-approved strategies, policies, and procedures regarding preparation, prevention, and response to any disaster event. In my experience of working with hundreds of community banking institutions across the United States, a BC/DR Plan that “passes regulatory muster” does not necessarily take into consideration some very critical core tenets. Let me explain my point. Having a plan that is compliant with regulatory expectations (one that contains all the policies and phone numbers that a five-inch three-ring binder can hold) is nothing more than a shell if it doesn’t take into account the human element. The availability to recover resources needed for off-line operations is woefully inadequate in the practical sense. Here I share with you three simple and effective elements that greatly augment a plan, but unfortunately are considerations that frequently slip through the cracks.

The first and most important resource for recovery is the employee. Employee availability is essential for obvious reasons, yet few institutions provide employees with any assistance or guidance regarding their personal disaster plans. If employees have difficulty coping or stabilizing their personal situation after a disaster (home, health, family, etc.), chances are they will not be willing to assist the bank with recovery. Commonly, most plans fail to educate employees on when and where to show up for tasking after a disaster. Financial Institutions should provide employees with resources to promote personal disaster awareness and preparation, as well as establish return-to-work policies. Simply put: If employees do not show up, your bank will not recover.

Next, help employees with the Disaster Recovery Road Rules by providing them with a simple list of do’s and don’ts. A simple set of Golden Rules that provide general guidance during disaster will help eliminate preventable issues. For example:

Human safety is first and foremost. Upon detection of an emergency or incident, notify any Manager. Dial 911 immediately if there is ANY danger to human safety or property.

Call the bank emergency hotline at 1-800-111-1111 or log onto the website for information @ www.mybank.com/emergencynotification.

When an alarm sounds, evacuate to the closest, SAFE pre-determined rendezvous location for your specific facility.

Remain calm. To perform safely and effectively for your department, it is your responsibility to perform exactly what your team leader asks of you in a timely manner and report back when completed for further tasking. Only perform those tasks assigned to you.

Rendezvous at the “Main Street” branch (primary) or the “Broadway” branch (alternate) if your facility is incapacitated.

Do not leave the premises without proper authorization. If you must, leave word with at least two other employees (managers preferred) of your department, state your reason for leaving, and expected time of return. Use the buddy system. Try not to go anywhere alone in an emergency situation. Always let others know where you will be.

No employee may talk to the media, ever. Refer all questions to the Media Team (Team Manager: SVP/COO).

Document EVERYTHING (activities, phone calls, issues, developments, etc.) during disaster and give regular status reports to your Departmental or Recovery Team Manager.

Finally, maintain functionality while in manual mode (e.g. power outage). Many plans have excellent alternate (manual) procedures in place, but don’t have the necessary resources readily available to quickly perform the alternate procedures. For example, a pre-staged plastic box (a.k.a. the BCP Box) roughly two-feet-by-three-feet square in size (you can get these at any hardware store) can contain the supplies and materials necessary to perform manual operations. The BCP Box items may include departmental forms, special calculators, rubber stamps, customer forms, documented operating procedures, ledgers for manual tracking, cash in/out forms, office supplies, and the list goes on. No sensitive information should be in the box. The BCP Box should be duplicated and stored at the primary and alternate sites at a minimum, ensuring that critical functions can be efficiently recovered manually with little or no downtime.

The bottom line is that little things can have a big impact in designing a plan that is “compliant” vs. a plan that is practical, viable and will actually work when needed. One may stave off examiners with a sizeable BCP documentation program; however, disaster recovery and business continuity require a level of cohesiveness and preparedness that the pen alone cannot provide.

Patrick W. Johnson, CBCP is senior program manager for the Compushare, Inc. Risk and Compliance Group in South Coast Metro, Calif. He can be reached at 714-427-1016.


Unauthorized reproduction of all or part of this material without the express written consent of the author is strictly prohibited. All rights reserved.