Mon, Oct 23, 2017
Hurricanes Harvey, Irma and Maria, as well as the wildfires in California, serve as a harsh reminder of the importance of disaster preparedness – for both institutions and individuals. Federally insured credit unions (FICUs) are required to have disaster recovery and business resumption contingency plans in place to address all types of operational disruptions, from short-term power outages to natural disasters that have the potential to physically destroy the credit union’s premises. The question is: how prepared is your credit union to respond to the next unforeseen catastrophic event?
According to NCUA’s many risk alerts and guidance letters on the subject, a credit union’s disaster preparedness program should:
- Be commensurate with the institution’s complexity of operations;
- Minimize interruptions of service to members and maintain member confidence in times of emergency; and
- Be reviewed at least annually, and address changes in the credit union’s operations.
NCUA’s Catastrophic Act Preparedness Guidelines (Part 749, Appendix B) provide recommendations for developing (and maintaining) a disaster recovery program, with the oversight and approval of the credit union’s board of directors. The program should include the following elements:
A business impact analysis to evaluate potential threats. After evaluating the credit union’s exposure to a full range of possible disasters, management and/or the disaster recovery team should consider the cost, duration, and impact of critical service/system disruptions on the credit union’s operations or financial condition. For example, how will the credit union handle a power outage that disrupts all electronic forms of payments for several days? What would the credit union do if its main and/or branch office facilities are not available for an extended period of time?
A risk assessment to determine critical systems (buildings, hardware, software, power sources, telecommunications, etc.) and necessary resources (financial, personnel, etc.). Credit unions should prioritize the risks to critical systems/services and develop contingency plans accordingly.
A written plan addressing:
- Individuals with authority to enact the plan (e.g., senior management, disaster recovery team members);
- Preservation and ability to restore vital records (per NCUA’s Part 749);
- A method for restoring vital member services through identification of alternate operating location(s) or mediums to provide services, such as telephone centers, shared service centers, agreements with other credit unions, or other appropriate methods;
- Communication methods for employees and members (also vendors, bonding company, and any business partners, as necessary);
- Notification of regulators (i.e., catastrophic act report required by NCUA’s Part 748);
- Training and documentation of training to ensure all employees and volunteer officials are aware of procedures to follow in the event of destruction of vital records or loss of vital member services; and
- Testing procedures, including a means for documenting the testing results.
Internal controls for reviewing the plan at least annually and for revising the plan as circumstances warrant, for example, to address changes in the credit union’s operations; and
Annual testing. To ensure the contingency plans actually work, a credit union should test (i.e., validate) the plan at least annually or when a significant change takes place. The test should determine if the credit union could recover to an acceptable level of business within the time-frame stated in the disaster recovery plan. Examples of testing methods include, but are not limited to, simulations, role-play, walk-throughs, and alternate site reviews. Disaster drills should include all critical functions and areas of the credit union. The credit union should document the test and maintain work papers to demonstrate that responsible staff tested all critical functions and areas of the institution.
Source: CUNA Comp Blog