The document outlines a disaster recovery policy for a financial institution. It states that the safety of customers and employees is the top priority during any business interruption. It also aims to protect the institution's assets and resume normal operations as quickly as possible. An updated disaster recovery plan addresses emergencies that can disrupt operations and impact customer service. The plan guides response to various disasters and assigns responsibilities to managers to coordinate recovery efforts and resume business functions.
1. Disaster Recovery Policy - Page 1 of 5
DISASTER RECOVERY POLICY
For Community Banks and Credit Unions
One of many free banking policies available
https://control.continuity.net/featured_documents
In the event of any disaster or business interruption, it is the policy of [The
Financial Institution] that the safety and protection of customers and employees
is paramount. Additionally, all prudent steps shall be taken to protect the assets
of [The Financial Institution] and to resume all normal business operations as
rapidly as possible. A disaster recovery plan, updated annually, addresses
emergencies that have disruptive effects on institution operations, and negatively
impact the institution's ability to provide adequate levels of service to its
customers. All contingency plans will conform to the standard format as
supported by the disaster recovery planning process. [The Financial Institution]
agrees to demonstrate that all service providers who currently provide critical
support services to the institution have adequate recovery/continuity plans for
their respective products and services. There are three major concerns with
every business interruption.
1. Safety and protection of employees and customers
2. Protection of bank assets
3. Normalizing operations
www.continuity.net
Disaster Recovery Policy
In the event of any disaster or business interruption, it is the policy of the Institution
that the safety and protection of customers and employees is paramount.
Additionally, all prudent steps shall be taken to protect the assets of the
institution and to resume all normal business operations as rapidly as possible. A
disaster recovery plan, updated annually, addresses emergencies that have
disruptive effects on institution operations, and negatively impact the institution's
ability to provide adequate levels of service to its customers. All contingency
plans will conform to the standard format as supported by the disaster recovery
planning process. The Institution agrees to demonstrate that all service providers
who currently provide critical support services to the institution have adequate
recovery/continuity plans for their respective products and services. There are
three major concerns with every business interruption.
1. Safety and protection of employees and customers
2. Protection of bank assets
3. Normalizing operations
The disaster recovery plan guides managers and employees in the management
of responses to various disasters that may occur in the course of business
operations. The term disaster refers to any event that results in a disruption in
the ability to provide normal services. A disaster may range in scope and
duration from relatively minor, such as a temporary power outage, to a
catastrophic event that interrupts service for a long period of time. Regardless of
the magnitude of the business interruption, it must be managed.
For example, in the event of a power outage, various external and internal staff
may support the efforts to normalize business. The power company may have
their own set of procedures and activities. However, the IT Manager must
provide overall management of the event for items such as:
• Communication with employees, management, customers or members,
and media
• Decisions on the feasibility, timing and steps to get back to business as usual
• Coordination of other support resources as needed
• Determination of whether to reopen locations
Responsibility
The IT Manager is responsible for the prevention/risk management efforts and
emergency response phase of disaster recovery management. The Technology
Committee may be called upon to help manage and respond in the event of a
business interruption, but the group does not generally assume responsibility for
management of disaster recovery.
PROCEDURES
1. The IT Manager must name/update the Technology Committee (if responsible for
disaster recovery) or Disaster Recovery Team once per year.
2. The IT Manager is responsible for the annual update of the Institution's
Business Impact Analysis as part of the disaster recovery plan update
process.
3. All disaster recovery contact lists must include a phone number for each
contact and all contact information must be updated annually.
4. Designated managers, after having performed a business impact analysis of
their department’s responsibilities, will compile a disaster recovery plan for
the various functions under their direct supervision.
5. Completed plans are to be submitted to the Technology Committee for
approval before submission to the Board of Directors for the final approval.
6. The recovery plans will be maintained at current levels of readiness and will
be periodically tested under the direction of the Disaster Recovery
Coordinator.
7. Test results are to be reviewed and used as the basis for improving plan
contents and recovery strategies.
8. Testing of planning assumptions will be coordinated by the IT Manager with all
relevant support departments (e.g. IT, compliance, data processing), 3rd party
service providers, and contingency planning hot-site facilities.
9. Annual 3rd party Vendor review must include their disaster recovery plan
review.
10. Critical system restoration procedures must be tested and updated annually.
11. A critical service provider’s ability to provide continuing services will be
evaluated by the IT Manager whenever new contracts are awarded.
12. All significant modifications to the Disaster Recovery Plan and testing results
will be presented to the Board of Directors on an annual basis.
13. All employees must attest to reading and understanding critical parts of the
disaster recovery plan annually.
14. The IT Manager is responsible for Employee Training. Employees should be
trained on the Disaster Recovery Plan, and should have critical parts of the
plan available to them, both at work and at home. They should understand
what actions the bank will take to normalize business after a disaster.
• Communication procedures (calling tree)
• Alternate location designation
• How to determine safety and locations of customer/members and
employees at time of the emergency
• Evacuation procedures
• Damage assessment
• Decisions to close
Readiness Checklist - Disaster Recovery Policy Appendix
The following checklist should be used as a guide to help the institution
determine its “readiness” for managing a disaster.
1. Does your plan account for an alternate site for processing work?
2. Know the alternate location for meeting or work
3. Know the packages of critical documents required and located off-site so
that they can be reproduced quickly if necessary
4. Confirm that necessary back-up information is stored off-site (vital
documents, core banking, network data)
5. Update listing of essential forms, equipment and supplies that will be
needed at each location
6. Know where such business essentials can be obtained at the time of an
emergency
7. Know the call tree (tip: schedule a periodic review)
8. Know insurance coverage for various events
9. Know police/fire contact procedures
10. Know the key internal personnel and review their assigned roles in various
events
11. Train entire staff on procedures
12. Keep updated copies of Disaster Recovery Plans at the office and at
home (off-site)