NCUA requires that your Board of Directors be involved with your DR/BCP. But because of the inherent “living” nature of DR/BCP, it can be confusing as to what should be presented. Much of the information that is contained in a DR/BCP is operational in nature – procedures and processes for recovery and vendor and employee contact lists to name a few. These things are dynamic and will constantly be changing throughout the year so it wouldn’t make much sense to focus on that type of data when you are presenting to your board. So what do you present?
Remember your board has oversight and strategic responsibility over your Credit Union. You will want to focus on the strategies involved in developing the plan, the methodology, and the progress-to-date. The Board’s Oversight is defined clearly in the FFIEC Requirements. When you are presenting, emphasis should be made on the fact that the plan is a part of a “living” program in which your entire Credit Union is involved in updating and exercising the plan. Once you’ve covered the basics, focus on these top 5 areas:
- If you use a software site, logon, and explain how the site is accessed at the time of a disaster (if software isn’t used, explain the details of your manual instead using similar guidelines)
- We assume that the Internet is accessible.
- Those items “needed” can be printed or stored locally for access.
- Briefly demonstrate how the site is used at time of disaster
- Emergency Response Team = human health and safety
- Crisis Management Team = evaluation, decision, escalation, communication, assigning authority, and incident management
- Department Teams = action items based on their individual response plans
- The purpose of the software is to prepare, train, and support staff for team actions at the time of disaster
- Present Risk and BIA outcomes
- Risk = top risk items and what has been done/planned to mitigate
- Business Impact Analysis (BIA) = Critical/vital business processes and what has been done/planned to include them in the Disaster Recovery test
- Finally, present a summary of the past year’s Disaster Recovery/Business Continuity event schedule and what is scheduled for next year
For more information on how you can improve your business continuity program and meet your RTO/RPO , contact us today.