DR/BCP Scrutiny – UPDATED
Auditors (and some FDIC examiners) are scrutinizing disaster recovery plans more closely, specifically looking to verify that the plan structure adheres to FFIEC guidance. We’ve definitely seen this regarding the Business Impact Analysis and the Risk Assessment; the first 2 phases specified by the guidance.
UPDATE: At least one regulator (OTS) is demanding that all Recovery Time Objectives (RTO’s) be based on an methodical analysis of the tolerance for downtime for each process, and NOT simply a subjective value.