Disaster Recovery (DR) is one of those topics that businesses, including financial institutions, don’t like to talk about with much of a recurring frequency, although recent events show that this topic should be discussed with much greater regularity. Here in my part of the country, there’s a series of TV commercials airing for a regional insurance company that provides auto, home, and life insurance. The 60-second commercials run through a flurry of activities in the character’s life, showing you just how much things can change over a couple of decades, and that hopefully, you have (or the character has) kept all insurance policies up-to-date to stay in sync with all of life’s happenings. And, it just so happens that this insurance company offers an annual review to make sure that their coverage is keeping up with your life.
For a lot of you, your DR program is viewed as insurance. In case something happens, there’s a program in place to bail you out when that bad thing happens. In today’s world, it’s really more of a question of when, not if, that bad thing will happen. (Ransomware, anyone?) But, is your insurance (DR program) potentially as outdated as an insurance policy that hasn’t been examined over the past decade?
Here are some key things that you should really be looking at when it comes to the state of your current DR program:
- Is everything covered? I know FIs today simply can’t fathom not having at least one, if not multiple recovery strategies for their core system, but is that everything? There are likely multiple systems today within your FI that are feeding you mission critical data about your customers. Far too often I see that not every system is included in the FI’s DR program.
- Is everything being tested? If you can give yourself a thumbs-up for #1, way too frequently I see FIs only test core processing. If you have a disaster, and your core is recoverable but nothing else is, how are your customers going to feel? Think about how your customers interact with your data, and make sure you’re testing all of those avenues.
- Is everything tested annually? Okay, so you’ve gotten past #1 and #2. Are you thoroughly testing every single year? We keep very detailed records of our clients’ testing activity, and I can tell you that not everyone tests annually. How do you think your customers, your board, or the regulators feel about that?
- Is everything backed up consistently? In my previous blog post, I talked about special backups, and how problematic those can be in an actual disaster. Almost as bad are inconsistent backups. With all of the interdependencies today between data from different systems, are all of those systems being backed up with the same frequency so that you have a reconcilable recovery point across all of them?
- Do you know where your data is? With each passing week, I see another survey or market estimate that talks about the exploding growth of “the cloud” for data backup and DR. While that is all well and good, remember, there really isn’t a cloud, it’s just someone else’s computer (to quote something I recently saw). If you’re backing up to the cloud, where is your data? How many different places is it kept? How long is it kept for? How quickly can it be recovered? There’s a little more to think about here than just having your data in the cloud.
In order for a DR program to be truly effective, it has to be looked at as more than insurance. The program should be reviewed anytime there is a change that potentially impacts any element of the program, and this doesn’t have to be a technology change. This could be as simple as you’ve decided to make a product you’re already using “more strategic” to your FI. An increase in marketing of a specific product or service should bring more customers to the infrastructure supporting that product. This may require a change to your DR program. And, any change in technology definitely facilities a change.
I suspect the likelihood is very high that you’re driving a car that is covered, and you’re living in a house that is covered. If your money is where you work, I’m sure you hope that your DR program has everything covered as well. If you can’t positively answer all five questions, then it’s time for your DR program to be reviewed.