Our Viewpoint

The Evolution of Business Continuity & Disaster Recovery Testing

April 01, 2013

As community banks continue to adapt to today's challenging market and economy, assurance programs for risk and compliance are under more scrutiny than ever before. This is particularly true of business continuity (BC) and disaster recovery (DR) testing. This article examines how these two areas have evolved and what that evolution means for your organization.

The timeline below highlights the milestones that have shaped how BC and DR testing have evolved within the financial industry:

  1. 1990 – 2001 (pre-9/11): Information Technology (IT) departments perform DR data tests, and the IT manager is responsible and accountable for these activities.
  2. 2001 – 2008 (post-9/11): BC testing expands to all levels of business activity, and responsibility shifts from the IT manager to C-level executives (CEO/CFO/COO).
  3. 2008 – present (post-FFIEC BCP guidelines): Focus shifts to Emergency Response (ER) testing.

ER testing can take a variety of forms and encompasses both BC and DR testing. Six types of activity can be considered:

  • Orientation and Education Sessions - Sessions designed to provide information, answer questions, and identify needs and concerns.
  • Tabletop Exercise - A cost-effective way for members of the emergency planning team and key management personnel to meet in a conference-room setting, discuss their roles and responsibilities under different DR scenarios, and identify areas of concern.
  • Walk-through Drill - The emergency planning team and response teams actually perform their emergency response functions, and the team members' performance is evaluated against the ER plan.
  • Functional Drills - Designed to test specific functions such as medical response, emergency notification, and communications procedures, though not necessarily all at the same time. Participants then evaluate the drill and identify problem areas.
  • Evacuation Drill - Participants walk the evacuation route to a pre-designated area where procedures accounting for all personnel are tested. Participants are asked to make note of potential hazards along the way, and the emergency response plan is modified accordingly.
  • Full-scale Exercise - An emergency is simulated as realistically as possible. It involves management, emergency response personnel, and employees, as well as the outside groups and agencies that would take part in a real response.

Practical "hands-on" testing gives personnel the opportunity to apply the skills they have been taught and to learn new techniques and procedures. For emergency response testing, simulations such as tabletop exercises, drills, and full-scale exercises are particularly valuable for practicing decision-making, tactical techniques, and communications. Simulations also expose deficiencies in planning and procedures, which in turn drive modifications to the organization's recovery plan.

Business Continuity/Disaster Recovery: Making it Work for your Bank

Deciding what to test, so that the organization is steered in the right direction while remaining compliant, can be a daunting task. According to the FFIEC Business Continuity Planning booklet released in March 2008, the objective of a testing program is to ensure that the BC planning process is accurate, relevant, and viable under adverse conditions. It goes on to say that testing should include the applications and business functions identified during the Business Impact Analysis (BIA), and that testing methods can range from simple to complex depending on the preparation and resources required. Testing methods include both business recovery and DR exercises.

This guidance makes logical sense, but when one looks closely at key phrases such as "testing should include applications and business functions", "testing methods can vary from simple to complex", and "testing methods include both business recovery and DR exercises", how do you know which type of recovery exercise to perform, and whether it is the most applicable one for your organization?

Let's take a deeper look at each of these statements:

  1. Testing should include applications and business functions
    • Management should clearly define which functions, systems, or processes will be tested and what will constitute a successful test. The objective of a testing program is to ensure that the BCP remains accurate, relevant, and operable under adverse conditions. Testing should include the applications and business functions identified during the BIA. The BIA establishes recovery point objectives (RPOs) and recovery time objectives (RTOs), which in turn determine the appropriate recovery strategy.
  2. Testing methods can vary from simple to complex
    • Tests can be as simple as exercising the call tree in one or more plans, or as involved as an integrated exercise spanning multiple business areas, the IT environment, and links to outside vendors and customers. The complexity of the tests should vary so that every component of the plan(s) is adequately exercised.
  3. Testing methods include both business recovery and DR exercises
    • Business Recovery: The strategic and tactical capability of the organization to plan for and respond to incidents and business disruptions so that business operations continue at an acceptable, predefined level.
    • Disaster Recovery: The strategies and plans for recovering and restoring the organization's technological infrastructure, data, and capabilities after a serious interruption. Note: the term DR is now normally used only in reference to an organization's IT and telecommunications recovery.

In conclusion, although institutions might view the exercise as the final step in BC planning, D+H regards it as just the beginning of the cyclical BC planning process. Ongoing validation of risk-based findings reduces organizational risk, improves the overall value of the institution's BC program, and increases confidence in the business's ability to withstand a disaster event. Your institution needs to ensure it is gathering relevant data, appropriately prioritizing areas of residual risk, selecting the most suitable exercises, developing a validation schedule, and analyzing exercise results. Doing so saves time, resources, and money, and lets you build on today's preparedness to protect against the threats and vulnerabilities of both today and tomorrow.

Author

Brandon O’Donoghue
Risk and Compliance Engagement Manager

Brandon O'Donoghue works closely with financial executives and board members, providing guidance and direction to clients on the effective creation of business continuity and disaster recovery programs, IT policies and procedures, and IT risk assessments. Prior to joining the team, Brandon developed and managed the Business Continuity and Disaster Recovery Program at Fremont Investment and Loan.