Disaster Recovery and Business Continuity Ensuring Member Service in Times of Crisis.

Disaster Recovery and Business Continuity

Ensuring Member Service in Times of Crisis

Agenda

• Why have a plan?

• Objectives of a plan

• Key ingredients of a plan

• Using a Business Impact Analysis to customize your plan

• CU*Answers’ plan and your responsibilities

Sources of Disaster

• Events can be:
  – Natural
  – Technical
  – Human

Why Have a Plan?

• Because you have to!
  – NCUA Letter 01-CU-21

• A process of establishing strategies to minimize disruptions of service to the CU and its members, to minimize financial loss, and to ensure timely resumption of operations in the event of a disaster.

Increasing Regulator Scrutiny

• NCUA
• OFIS
  – Plans should include regional disasters
  – What happens if you can’t return to your main site?
  – Include replacement IT equipment
  – Include replacement of communications circuits
  – Don’t forget your PEOPLE!

Plan Objectives

• Must be written and approved by the board

• Management has analyzed and assessed potential risks and established priorities

• A hot site is available and fully functional in an emergency

• Written agreements exist with hot-site management
  – Reciprocal agreement with CU

Plan Objectives

• Plan is tested at least annually
  – Test is documented and reviewed by management

• Plan is revised as necessary to address changes in operations and resolve problems with testing

• Show that management has implemented protective measures against disruptions

Plan Ingredients

1. Identify Critical Systems and Services

2. Perform a Business Impact Analysis

3. Create a Contingency Plan

4. Validate the Plan (test)

5. Communication of Plan and Events to Staff and Board

Business Impact Analysis

• How can you plan for an event if you don’t know the likely impacts on your business?

• What are the degrees of potential loss and how much should be spent to mitigate those losses?
  – Loss of communications
  – Loss of branch/teller line
  – Loss of access to greater world (ATMs, Shared Branching, etc.)

CU*Answers’ Plan

• Core system recovery

• Connectivity to the World
  – ATM Switches, Credit Bureaus, Shared Branching, etc.
  – Funds available where your members are (grocery store, etc.)

• Connectivity to your Branches

CU*Answers’ Plan

• Addresses recovery and resumption of CU*Answers’ core businesses
  – CU*BASE
  – CU*@HOME
  – CU*TALK
  – CU*SPY

• Recovery of communications lines to credit unions

CU*Answers’ Plan

• Addresses recovery of connections to the world
  – ATM switch connectivity
  – FED
  – Credit Bureaus
  – Other important third party relationships

CU*Answers’ Plan

• Two phase plan
  – Redundant facilities provide business continuity
    • 44th Street production center
    • 28th Street HA site and business offices
    • High Availability
  – Already performing rolls between facilities
• Communications Redundancy
  – To Credit Unions (coming EOY 2006)
  – To Third Parties (already underway)
  – To the Internet (coming EOY 2006)

CU*Answers’ Plan

• Two phase plan
  – Hot Site relationship provides disaster recovery
    • Annual testing
    • Full iSeries recovery
    • Recovery of communications to online CUs
    • Recovery of firewall
    • Recovery of secure FTP server for critical file transmissions
    • This year added testing of recovery of ATM switch (Metavante)
  – Hot Site keeps us going while new production facilities are brought online

CU*Answers’ Plan

• Define plan scope
• Define incident levels
  – Framework for response and recovery
• Disaster Recovery Plan
  – The building is gone – what do you do?
  – Objectives
  – Synopsis
  – Staffing considerations
  – Hot site activation
• Notification and escalation procedures
• Team roles and composition
• Testing

CU*Answers’ Plan

• Business Recovery Plan
  – Recovering normal business operations at a temporary facility
  – Objectives and scope
  – Notifications and Escalations
  – Recovery centers
  – Team composition and responsibilities
• Business Resumption Plan
  – Getting back to normal
  – Insurance
  – Facilities
  – Relocation teams

CU*Answers’ Plan

• Does NOT cover recovery of credit union operations occurring as the result of a disaster at the credit union
  – Loss of facilities
  – Loss of personnel
  – Loss of computers
  – Loss of communications circuits

Your Plan Should Include

• Recovery of operations at alternate site
  – Communications to CU*Answers at alternate site
  – Written agreements with alternate site providers
• Recovery of computers and network
  – Local backups
• Loss of key personnel
• Connectivity to the world
  – Be where your members are shopping
• Record of test events and results of tests

CU*Answers and WESCO NET Resources

• Getting help:
  – CU*Answers publishes their disaster recovery guide and test results on CD-ROM
    • Use as a template for your own plan
    • Incorporate our responses into your plan
    • Provide our plan to your examiner
    • Contact Dave Wordhouse for a copy
  – WESCO Net offers disaster recovery and business continuity planning services for credit unions. Contact Randy Brinks or Joe Couture.