In

DR Plans – Compliant or Recoverable?

When addressing the issue of your disaster recovery plan, the ultimate goal is both.  But if you’re faced with limited resources (time, personnel, and money), and need to decide whether you’ll conduct a test or re-write your existing plan, what should you do?  A successful test demonstrates that you can recover if you have to.  Isn’t that the point of a DR plan?  Why waste limited resources tweaking your plan when the tests validate your recovery capability?

Because if your plan doesn’t follow the FFIEC guidance, you may fail an audit or examination regardless of how many successful tests you’ve conducted.  It may seem like a case of misplaced priorities, but it does make sense.  The March 2006 IT Examination Handbook is (unlike most of the other handbooks) pretty prescriptive in it’s guidance.  It “encourages” financial institutions to adopt a 4-phase process consisting of:

  • Business Impact Analysis
  • Risk Assessment
  • Risk Management
  • Risk Monitoring & Testing

I put “encourages” in quotes, because whenever the FFIEC uses that word what they really mean is that you better have a very very good reason NOT to adopt this process.  In fact, since 12/07 the FDIC has made the Business Impact Analysis mandatory, and recent audits have faulted plans for not having a Risk Assessment.  So the first reason you should focus on bringing your plan into alignment with current regulatory guidance is to avoid audit and examination deficiencies.  You may never experience an actual emergency severe enough to activate your plan, but you are virtually guaranteed to have it audited and examined, and repeatedly so.

But the most important reason to focus on having a compliant plan is that the prescribed process actually makes sense.  Each phase specified in the Handbook flows logically to the next phase, with the end result being a comprehensive program that:

  1. Identifies and prioritizes all critical business process and their inter-dependencies (Phase 1)
  2. Identifies threats to those processes (Phase 2)
  3. Develops recovery procedures in the event the threats affect the processes (Phase 3), and
  4. Tests all assumptions to validate all previous phases (Phase 4)

Unless you’ve completed Phases 1 & 2, how do you know your test results are valid, i.e. that you are recovering the processes that are most important to you?  If you haven’t done the analysis and assessment steps, you really don’t know.

So, complaint AND recoverable is the goal, but if the question is compliant OR recoverable, you should always opt for compliant.  Because if compliant is done correctly, recoverable will be the result.

Print Friendly, PDF & Email

Article by Tom Hinkel

As author of the Compliance Guru website, Hinkel shares easy to digest information security tidbits with financial institutions across the country. With almost twenty years’ experience, Hinkel’s areas of expertise spans the entire spectrum of information technology. He is also the VP of Compliance Services at Safe Systems, a community banking tech company, where he ensures that their services incorporate the appropriate financial industry regulations and best practices.

1 reply added

  1. Pingback: Looking back – 2010 compliance hits & misses : FFIEC Guru

    […] Disaster Recovery – hit.  Both auditors and examiners are finding fault with DR plans that do not strictly conform to the FFIEC guidance.  Specifically, they must contain a business impact analysis, risk assessment, risk management and testing sections, and in that order.  A non-compliant plan that may even be able to demonstrate (through testing) recoverability will still be written up.  (More here.) […]

Leave your comment