Devising Plan B: What to do when (and before) disaster strikes

Cyber attacks. Natural disasters. Fires. The list of natural and man-made disasters that can cripple your operations is a long one. And then there are the third-party service providers you rely on; what if disaster strikes one of them?

Too many banks prepare a business continuity/disaster recovery plan that collects dust on a shelf or ignores critical components. Plans aren’t tested or updated. They fail to plan for certain contingencies, such as a CEO who’s unavailable when disaster strikes.

Federal and state agencies require a written business continuity and disaster recovery plan. Smart business requires something more: a thorough plan that takes every contingency into account and is tested and updated regularly.

Avoiding common mistakes

An insufficient or outdated plan can turn a disaster into an even larger headache. According to the American Management Association, “About 50% of businesses that suffer from a major disaster without a disaster recovery plan in place, never re-open for business.” These are ten key areas where many plans fall short:

  1. Relegating disaster recovery to IT.

    Because information technology is so critical to day-to-day operations, and because many of the most common disasters are cyber attacks, banks often write a plan designed to restore IT systems. But a fire in a branch, widespread flooding, or a third-party processor that goes offline without warning isn’t an IT issue: it’s a company issue.
  2. Relying on a Plan B.

    The foundation of a business continuity plan is a Plan B. But it should also include plans C, D, and E. What if the executive who’s supposed to manage Plan B is unavailable? What if Plan B relies on outdated information or unavailable resources? It’s easy to plan too little; it’s almost impossible to plan too much.
  3. Not designating responsibilities.

    A business continuity team should manage and implement the plan, and each member of that team should have specific responsibilities (with backup if the primary person is unavailable). That team should either include top executives or have direct access to top executives, not only when disaster strikes, but all of the time.
  4. Forgetting to update.

    A business continuity plan requires regular updates. A plan with out-of-date personnel or vendor listings is of little value when disaster strikes. Tracking down key personnel takes time you don’t have in a crisis. Plans should be updated whenever operations or personnel change, with a high-level review at least quarterly.
  5. Skipping the testing.

    The only way to know that a plan works is to test it regularly. Start off with a tabletop exercise; then, build your team’s capabilities by training and testing. Combine announced and unannounced tests of different types. Plug the holes in your plan during a test; don’t discover them in a crisis.
  6. Not setting priorities.

    In a disaster, once your employees are safe, what are your top priorities? Which functions must be operational within minutes or hours? Which can wait? Access to funds and protection of customer information are critical. If it’s 10 days before payday, payroll operations can wait. Look at operations, regulatory requirements, and public relations, and then set priorities.
  7. Overlooking third parties.

    Regulators and customers hold you responsible for every aspect of your operations, whether you manage them in-house or outsource to a third party. What if an out-of-state third party suffers a flood or fire, while your facilities are unaffected? Do you have a strategy for assisting or replacing a third party? Again, look at priorities: the inability to process college loans for a day is annoying; the inability to process transfers from major brokerage houses could be far more serious.
  8. Turning inward rather than outward.

    When disaster strikes, the world (or at least your part of it) is watching. How will you keep customers and the media informed? Who is your spokesperson? Who is working with that person to ensure the correct messages are communicated? In a disaster, lack of information creates a vacuum that will be filled with rumors and speculation. An outward-facing communications plan can help prevent a small disaster from becoming a larger one.
  9. Forgetting the staff.

    Some staffers may have little or nothing to do with disaster recovery. But every staffer should know about the recovery plan and his or her role, even if that role is as simple as “log onto the intranet or contact your supervisor to see if you should report to work.” Keeping employees informed reduces anxiety, boosts productivity, and reduces confusion when disaster strikes.
  10. Confusing risk management with disaster recovery.

    Risk management is a strategy designed to predict and mitigate loss. Disaster recovery is designed to return operations to normal, or near normal, as quickly and efficiently as possible. Reducing loss is one thing. Remaining in business is a different one.

Penalties of procrastination

Failure to create and maintain a comprehensive business continuity plan can have regulatory and financial consequences far beyond the disaster itself. Since 9/11, federal and state regulators have been much more concerned about how financial institutions plan for disaster, particularly when a disaster is widespread. From the Expedited Funds Availability Act to Basel II and the Federal Financial Institutions Examination Council, agencies and regulators have raised the requirements and penalties.

Regulatory penalties can include:

  • Memorandum of Understanding.

    This will obligate the bank and its directors to solve the problems or correct the deficiencies regulators have identified in a disaster recovery plan within a certain amount of time.
  • Consent Order or Formal Agreement.

    If deficiencies aren’t corrected, or the regulatory agency doesn’t believe a bank is making a strong effort to correct problems in a timely fashion, regulators can issue a public document that shines a spotlight on those deficiencies.
  • Fines, suspensions, and shutdowns.

    Don’t let failing to adequately plan for a disaster lead to an even bigger disaster.

Best practices

Whether produced internally or with outside help, a business continuity plan should follow this process:

  • Program initiation.

    Ensure that all leaders are on board with developing, implementing, and managing a plan; and that they understand its scope and importance.
  • Risk assessment.

    Ask critical questions: What risks have we experienced historically? What have other banks experienced? In a cyber attack, which functions would be impacted? What resources would be needed to get things back up and running? Develop a business impact analysis, and use it to establish clear disaster recovery objectives.
  • Recovery structure.

    Work backward from the recovery objectives to assign responsibilities and backups, develop a communications plan (both internal and external), and ensure your plan covers every objective.
  • Testing and maintenance.

    As mentioned earlier, an untested plan is a document of wishful thinking. An out-of-date plan isn’t much better.
  • Periodic review.

    The business continuity team should review and modify the plan as needed; we recommend at least a quarterly review.

A business continuity plan can be a valuable tool that goes far beyond penalty avoidance. It can help you pinpoint areas of vulnerability, set operational priorities, and emphasize the need for teamwork and responsibility.

For more information on this topic, or to learn how Baker Tilly specialists can help, contact our team.
