Five Steps To [Almost] Disaster-Proof Your CU
Disaster preparedness is one of the most important elements of effective information systems management for a credit union of any size.
Although a credit union's ability to withstand large (and small) catastrophic events has always been relevant, there has never been more emphasis on disaster recovery (DR) as a practice. Ask an industry expert and you'll learn this is primarily due to two factors: One, an ever-growing reliance on data, information, technology and the Internet; and two, oddly enough, Hurricane Katrina.
In recent years, a credit union's reliance on information technology has grown exponentially. Think of how we rely on technology today that we didn't just five or ten years ago. To service the needs of our membership we lean on our ability to quickly and efficiently access not just core processor data but many sources of information and databases that support our roles. Beyond the core processor, credit unions rely on e-mail and voice communications, web portals, lending platforms, payment and processing services, ATM connectivity, CRM and MCIF systems, file and document imaging services. The list goes on and on.
The 'Menial' Disaster
While Hurricane Katrina contributed largely to the increased emphasis on DR, it wasn't the only reason regulating bodies started to highlight the need for credit unions to urgently improve their DR capabilities. Large catastrophes aside, more often you will be affected by more menial "disasters" such as power failures or connectivity issues. Luckily there are a host of qualified service providers that can assess your individual needs and make recommendations for policy and procedural changes as well as technology improvements.
Although there is no way to truly disaster-proof your environment, solid planning and preparedness can reduce the likelihood of a simple or severe disaster creating downtime for you or your membership.
Here are five basic concepts to consider when designing your credit union's IT disaster recovery plan:
1. Start with a comprehensive risk analysis: Prepared credit unions have a deep understanding of their systems both technically and functionally. Technically you must have detailed documentation of all aspects of information systems including network configuration, platforms and line of business applications. Start with the application environment by taking an inventory of software, dependents and their criticality to maintaining member service. Since access to these applications is vital to maintaining member service, it is important to complete a detailed situation analysis.
2. Think: "If this happens, then what?" For example, if Internet connectivity is disrupted, how does it affect ATM connectivity or access to core processors? Does it impact everyone or just the branch environment? If a lone event can cause disruption to a critical function, it is a single point of failure. Comprehensive risk analysis aims to minimize single points of failure. Some credit unions seek to eliminate single points of failure altogether, while in some cases it is enough to identify the single point of failure and institute a failover strategy.
3. Don't forget non-core processor systems. There is a tendency for credit unions to focus so pointedly on their core processor that they lose sight of other systems they rely on. While the core processor is the most important system in any financial institution, it's crucial to maintain accessibility to such ancillary systems as: document management, lending platforms, communication systems, CRM and MCIF systems, etc. Don't forget these systems when considering your disaster preparedness strategy.
4. Don't misjudge your dependency on the human aspect of IT. Maintaining uptime of critical systems is important; however, what would happen if your IT team, often a single individual, were to disappear? Does your credit union have the detailed documentation in place necessary to maintain and move forward? Does your credit union rely on a single person to manage critical systems? If so, this can be a security and preparedness risk.
In addition, on the topic of the human aspect of IT, does your frontline staff have a good understanding of backup procedures and how to communicate to a member when systems are temporarily down? Training is important here. Also, consider working with your IT staff or provider to draft a comprehensive set of documentation including credentials, systems configurations, emergency procedures, etc. Store this in a place that is safe and stays accessible even in a disaster situation; that's when you'll need it most.
5. Get a solid, actionable testing procedure in place and follow through. Once your credit union has solid disaster preparedness policies and procedures in place it is important to conduct regularly scheduled testing. Consider monthly, quarterly, semiannual or annual testing procedures. Document the results of tests and resulting action items. Too often credit unions take daily backups and rarely (if ever) complete a test restore to ensure their backup data is actually usable in a disaster situation. Typical testing activities include backup battery testing, generator failover and runtime analysis, test restore of backup data, backup Internet connectivity and failover functionality, testing of alternate access to core processor systems, etc.
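The "If this happens, then what?" exercise from steps 1 and 2 can be run mechanically once the inventory of systems and their dependencies is written down. The following is an added example, not part of the original article; the inventory, system names and dependency layout are constructed assumptions.

```python
"""Single-point-of-failure check over a system inventory (added example)."""

# Constructed inventory (assumption, not from the article). Each system lists
# requirement groups: a group is satisfied if ANY member is up (redundancy),
# and the system is up only if ALL of its groups are satisfied.
INVENTORY = {
    "isp_primary": [],
    "isp_cellular_backup": [],
    "utility_power": [],
    "generator": [],
    "file_server": [["utility_power", "generator"]],
    "core_processor": [["utility_power", "generator"],
                       ["isp_primary", "isp_cellular_backup"]],
    "atm_network": [["isp_primary"], ["core_processor"]],
    "lending_platform": [["isp_primary", "isp_cellular_backup"],
                         ["core_processor"]],
    "document_imaging": [["file_server"]],
}
# Member-facing functions whose loss counts as an outage (constructed).
CRITICAL = ["core_processor", "atm_network", "lending_platform",
            "document_imaging"]


def is_up(system, failed, inventory, seen=frozenset()):
    """True if `system` still works when the single component `failed` is down."""
    if system == failed:
        return False
    seen = seen | {system}  # guards against circular dependencies
    return all(
        any(m not in seen and is_up(m, failed, inventory, seen) for m in group)
        for group in inventory[system]
    )


def single_points_of_failure(inventory, critical):
    """Map each component to the critical systems its lone failure takes down."""
    report = {}
    for component in inventory:
        down = [s for s in critical
                if s != component and not is_up(s, component, inventory)]
        if down:
            report[component] = down
    return report


if __name__ == "__main__":
    for component, down in single_points_of_failure(INVENTORY, CRITICAL).items():
        print(f"{component}: takes down {', '.join(down)}")
```

In this constructed inventory the primary ISP is a single point of failure only for the ATM network, because every other system already lists the cellular backup as an alternative; adding that alternative to the ATM entry removes the finding.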
A Mock Disaster
Consider a regularly scheduled mock disaster with your team.
Consider new technologies: virtualization, remote backups and wireless functionality. There are countless new technologies today that weren't available or were not cost effective just two or three years ago. Consider virtualization: this technology can not only reduce the size of your server environment but can also greatly reduce restoration time in a disaster scenario. Oftentimes a critical server can be virtualized and replicated, making rapid restoration possible and reducing downtime when disaster strikes. Remote data backups are another technology that has minimized many credit unions' dependency on tape-based backups, increased data security and reduced costs. New wireless functionality can provide Internet connectivity to an entire credit union or branch office in an Internet outage situation. This technology uses a router equipped with a cellular receiver that can utilize a wireless carrier to stream Internet to the financial institution. These are just three new technologies; there are more available and more coming down the pike. Consult a credit union IT professional for more ideas.
Matthew Wilhelm is managing partner with Encompass Group, Cleveland, Ohio.