As banks' disaster recovery and business continuity plans have had to expand to cover not only physical facilities such as data centers, branches and ATMs but also digital and virtual presences, including online and mobile banking, they have become increasingly comprehensive -- and complex. Meanwhile, the risks these plans must address also are growing increasingly complex, as banks must prepare for man-made threats, including terrorism and cybercrime, in addition to natural disasters. How have banks' strategies and requirements around disaster planning evolved? What has the industry learned from catastrophes of the past decade, such as 9/11 and Hurricane Katrina? And what are some of the newer technologies that are helping banks prepare?
3 Steps to Improving the Disaster Response
By Steve McCleskey, VP of Business Continuity and Incident Response, Regions Financial (Birmingham, Ala.)
Following every event, including Hurricanes Ivan, Charley and Katrina, we do a formal lessons-learned exercise and review how we responded, what we did well and where there is room for improvement. Since those events led to changes in regulatory guidelines, we also keep an eye toward what's coming up in terms of regulatory changes and make sure we're ahead of the curve. Our primary focus is to minimize disruptions to our customers.
Following Katrina, we did an extensive lessons-learned exercise, and we came up with three changes to our disaster response. First, we upgraded our command center that we use for catastrophic events. We monitor multiple news and weather sources to get information so we can deploy our response team appropriately.
We also contracted with a weather service provider. There is a tremendous amount of information available on the Internet, but we needed weather information specific to our industry. The provider offers continuous weather monitoring and alerting to different weather conditions. This allows us to make better decisions about resources, as well as about closing or re-opening branches following a catastrophic event.
Finally, we now offer a portable branch facility and portable ATM. We deploy the portable facility if there is catastrophic damage to locations, allowing us to open much more quickly than before. We utilized the portable branch and ATM during Katrina as well as during the April 27, 2011, tornado that tore through Tuscaloosa. The portable branch facility is an RV specifically built out as a small-scale bank branch, with a generator, teller, customer service functionality and a built-in ATM. The ATM has satellite connectivity into our network and doesn't have to rely on local telecommunications that are often down after an event. We can get the portable branch and ATM deployed within a day and a half of a catastrophic event.
Elevating Disaster Planning Beyond Information Technology
By Kooros Mahmudi, SVP, Marsh Risk Consulting (New York)
Banks' disaster recovery plans have historically been driven by information technology, with a focus on mitigating the isolated loss of specific data center components, applications and/or technology infrastructure. Today — thanks to stricter regulation, greater awareness of business continuity needs at the board level, and the proliferation of distributed and remote data centers — such strategies and requirements are typically driven by business units and go beyond IT. Banks now plan, train and test many disaster scenarios, including the complete loss of primary data centers, long-term loss of primary office space and a high percentage loss of workforce.
The first lesson from past catastrophes: A regional event can profoundly affect public infrastructure and disaster recovery, disrupting utilities, airports, roads and commercial access. Second, while remote personnel may be available as backups following a catastrophic event, they may not have the training, access rights or intimate knowledge needed to do so accurately, effectively and efficiently. Finally, to assure business as usual, bank interdependencies must be fully understood to synchronize transacting, processing and monitoring core processes and technologies -- otherwise, you risk transaction integrity, revenue loss, liquidity crunch, reputational damage and regulatory violations.
Storage area networks can provide high-speed data access and data replication from a primary to a back-up location. Cloud computing and server virtualization also provide continuous data and business processing, while virtual private networks and associated security infrastructure enable remote access by employees. Finally, fiber optic-based network technology provides high-speed transport of data from the primary to a distant back-up data center, ensuring zero to minimal data latency and data loss.
Rethinking Threats In a Dangerous World
By Danne Buchanan, EVP, Head of North America Operations, Fundtech (Jersey City, N.J.)
The world has become a dangerous place, and disaster planning has moved from thinking about how to recover a data center and data to something far more complex. Most worrisome today are the daily threats from individuals or organizations that want to disrupt, disable or attack your company. The likelihood of a denial-of-service attack, hacking or malicious claims using social media appears to be far greater than what we used to think of when planning for disaster recovery.
It seems as if new payment technologies, such as mobile, are coming to the market almost daily. The good news is that people are generally aware of security threats and are thoughtful about combating them. The bad news is that many aren't, and these are the weak links in security that make everyone vulnerable.
The most disheartening aspects of security are the internal threats. A few years ago, who would have imagined that an organization like WikiLeaks could make the claim that it has enough detrimental information to "bring down a big bank"?
Traditional DR and BCP are table stakes today; they're not nearly enough to address the potential threats in the marketplace. We need to anticipate the unimaginable, continuously test our systems and vigilantly educate our personnel. It is doing everything you can to stay ahead of the bad guys.
The meaning and complexity of disaster recovery have grown, and organizations need to understand how to mitigate these risks on an ongoing basis. Engage everyone in the process, educate everyone about the risks and test yourself regularly.
Social Networking, Mobile and Cloud Can Enhance BCP
By Daiji Morita, Senior Consultant, NRI Financial Solutions (Tokyo)
In Japan, the Financial Services Authority demands that banks have robust business continuity plans (BCPs), especially around the settlement process, which could impact users greatly. Regulators are demanding that companies evaluate their BCPs in order to ensure firms are able to respond to longer-term disaster situations, as well as take into consideration the possibility of broader damage and how best to deal with it.
As recently as last year, financial institutions relied on government office scenarios. However, after the earthquake and tsunami disaster, each company reviewed its own risk environment and made an effort to better secure its individual business continuity plan. Still, there is a clear need for street-wide training, including all internal and external organizations associated with operations.
Following last year's tsunami disaster, Japan learned the limit of a scenario-based approach to BCP and found that there is a need to transition to an emergency-level approach. As firms began shifting to this strategy, they started to assign back-up decision makers who could react and generate flexible solutions on the fly. For instance, if something unexpected happens, a predetermined network of decision makers can address each situation case by case.
There is no single key solution that solves all challenges, but utilizing social networking services, mobile and cloud technology could enhance your BCP and minimize the impact disasters may have on your business. More frequently, we see firms increasingly utilize BPO services both in Japan and globally as a preventative measure. The demand for this type of service is not surprising, given the timing of the catastrophes over the past decade.
Peggy Bresnick Kendler has been a writer for 30 years. She has worked as an editor, publicist and school district technology coordinator. During the past decade, Bresnick Kendler has worked for UBM TechWeb on special financial services technology-centered ...