Pub. 4 2013 Issue 1

Spring 2013

Post Derecho and Superstorm Sandy: What did you learn?
By Chris Joseph, CPA, CISA, CRISC, CITP

Introduction. Every year you are asked about your disaster recovery / business continuity plan by auditors, regulatory examiners and your Board of Directors. Your plan is assessed by these groups as well as senior management, the IT department and user departments. In addition, you typically conduct testing of your plan to identify areas where the plan may need to be revised and updated for issues that were not anticipated. The bottom line is that you invest significant resources in developing and updating your disaster recovery / business continuity plan with your primary objective being to reduce the risk of having an interruption to customer services without timely restoration.

Events of 2012. Our region experienced two major events during 2012 – the derecho at the end of June and the effects of superstorm Sandy at the end of October that affected our region in early November. We experienced unexpected issues including:
• The availability of fuel.
• The availability of ice.
• Extended electrical outages.
• Employees missing work to address personal issues.
• Widespread damage from falling trees including damage to homes and businesses.
• Accessibility of roads.
• Shortage of water.

Various other issues were encountered as a result of these events. We ultimately came through these issues and in most cases are operating our business as usual. The tendency is to jump back into our business, move forward and consider the events as highly unusual with a very low chance of any similar event occurring again. However, these events can provide you an opportunity to reassess and improve on your disaster recovery / business continuity plan.

Performance of your plan. How did your plan hold up during these events? Did the plan work as intended? Did you experience some unexpected issues? In most cases, your plan probably held up pretty well.
However, you more than likely encountered some unexpected issues that resulted in some interruption to customer services.

Every plan has certain single points of failure. A single point of failure is a component of your overall system that, if it fails, will stop the entire system. For example, your plan could have included the use of a generator. In this particular case, the generator was powered by diesel fuel. During the derecho, you may have encountered challenges with obtaining the diesel fuel in order to keep the generator operational. Some people were traveling up to 60 to 70 miles in order to obtain their fuel. In many places, there were long lines and ultimately the service stations were running out of fuel. With this example, while you had a generator to power your branch location or data center, the generator would cease working upon running out of fuel.

How many of you use a service provider to provide critical services to your customers? The service provider could be processing your core processing solution, internet banking or other key services to your customers. Over the past several years, banks have become very dependent on the internet to access their service provider solutions. During any of the events of 2012, did you lose access to your internet service provider? If you did lose access, were you able to access the service provided by the service provider? In most cases, if you did not have a backup plan for this event, you probably did not have access to the solution provided by the service provider. If the solution provided was your core processing solution, you did not have access to critical customer information such as balances and cleared transactions, among others. In this instance, while you may have taken the appropriate measures to maintain power at your branch or data center, losing
