No place for complacency in disaster recovery compliance

From a pure business survivability standpoint, it’s crucial to have Disaster Recovery Plans in place and to test them on a regular basis. After all, according to a recent study, 90% of businesses that do not have a Disaster Recovery Plan (DRP) fail. Credit unions are not immune to this threat, but due in part to tightening FFIEC scrutiny on Business Continuity Plans, they have a leg up over other sectors. The majority of businesses aren’t faced with the regulatory compliance that credit unions face, which is partly why the same study found that roughly 1 out of 3 businesses do not have a DRP in place, despite the inherent risks of neglecting this. The absence of a DRP is simply not an option for credit unions. Compliance guidelines, examinations, and audits are in place to protect credit unions from meeting the same fate.

This pressure from the FFIEC for a comprehensive plan within credit unions has focused many examinations on backup and recovery compliance. There are maximum allowable downtimes for IT systems and business processes. The FFIEC guidelines require credit unions to put each IT system and business process into one of five categories: critical, urgent, important, normal, and nonessential processes. Each category has a maximum allowable downtime in which the credit union should be able to recover each IT system or business process after a disaster has occurred:

  • Critical processes must be recovered within minutes to hours
  • Urgent processes must be recovered within 24 hours

 
