When addressing the issue of your disaster recovery plan, the ultimate goal is both. But if you’re faced with limited resources (time, personnel, and money), and need to decide whether you’ll conduct a test or re-write your existing plan, what should you do? A successful test demonstrates that you can recover if you have to. Isn’t that the point of a DR plan? Why waste limited resources tweaking your plan when the tests validate your recovery capability?
Because if your plan doesn’t follow the FFIEC guidance, you may fail an audit or examination regardless of how many successful tests you’ve conducted. It may seem like a case of misplaced priorities, but it does make sense. The March 2006 IT Examination Handbook is (unlike most of the other handbooks) pretty prescriptive in it’s guidance. It “encourages” financial institutions to adopt a 4-phase process consisting of:
- Business Impact Analysis
- Risk Assessment
- Risk Management
- Risk Monitoring & Testing
I put “encourages” in quotes, because whenever the FFIEC uses that word what they really mean is that you better have a very very good reason NOT to adopt this process. In fact, since 12/07 the FDIC has made the Business Impact Analysis mandatory, and recent audits have faulted plans for not having a Risk Assessment. So the first reason you should focus on bringing your plan into alignment with current regulatory guidance is to avoid audit and examination deficiencies. You may never experience an actual emergency severe enough to activate your plan, but you are virtually guaranteed to have it audited and examined, and repeatedly so.
But the most important reason to focus on having a compliant plan is that the prescribed process actually makes sense. Each phase specified in the Handbook flows logically to the next phase, with the end result being a comprehensive program that:
- Identifies and prioritizes all critical business process and their inter-dependencies (Phase 1)
- Identifies threats to those processes (Phase 2)
- Develops recovery procedures in the event the threats affect the processes (Phase 3), and
- Tests all assumptions to validate all previous phases (Phase 4)
Unless you’ve completed Phases 1 & 2, how do you know your test results are valid, i.e. that you are recovering the processes that are most important to you? If you haven’t done the analysis and assessment steps, you really don’t know.
So, complaint AND recoverable is the goal, but if the question is compliant OR recoverable, you should always opt for compliant. Because if compliant is done correctly, recoverable will be the result.