Business Continuity Plan - Spiceworks
ANY BANK
DISASTER RECOVERY AND BUSINESS CONTINUITY PLAN
Emergency Plans
Disaster Recovery
Contingency Planning
DATE LAST CHANGED
BOARD OF DIRECTORS APPROVAL
OVERVIEW 3
DRBCP PLANNING AND REVIEW 3
CHAIN OF COMMAND 4
DISASTER DR TEAM 4
ACTIVATION 5
NOTIFICATION 5
INTERDEPENDENCIES AND GEOGRAPHICAL CONCERNS 7
DRBCP RECOVERY OUTLINE 8
PANDEMIC FLU 9
BUSINESS IMPACT ANALYSIS 10
CORE SERVICES 16
Core Data Services 16
Item Processing 17
ACH 17
Fedline Advantage and Fed for the Web 17
REGULATORY NOTIFICATION: 19
TECHNICAL DISASTERS 19
Computer Virus, Disk crash, etc. 19
EMERGENCY TRAINING 19
SECURITY ARRANGEMENTS 19
REDUCED WORK FORCE CONSIDERATIONS 19
INSURANCE COVERAGE 20
DISTRIBUTION RECORD 20
TESTING 21
Testing Procedures 21
Security System 21
Appendix A: Emergency Telephone Numbers 22
Appendix B: Master Vendor Listing 25
Appendix C: List of Employees 26
Appendix E: Board of Directors 28
Appendix F: Contingency agreements with processing providers 29
Appendix G: Management Succession 30
Appendix H: Attachments 31
Appendix I: Key & Combination List 32
Appendix J: Emergency Evacuation Procedures 33
Appendix K: Disaster Telephone Answering Script 34
Appendix L: Any Bank Incoming Line Numbers 35
Appendix M: Startup, Shutdown, and End of Day Procedures 36
Appendix N: Detailed Directions to the SunGuard Disaster Recovery Hot Site: 39
Appendix O: Risk Assessment: 41
Appendix P: Floor Plan Drawings with Utility Shutoff Locations for each Bank: 43
Appendix Q: Specific Task Requirements of this Policy 44
OVERVIEW
The objective of Any Bank Disaster Recovery and Business Continuity Plan (DRBCP) is to minimize financial loss to the Bank and to continue to provide service to our customers, remain in compliance with applicable laws and regulations, and reduce damage to the Bank. Additionally, an overall objective of this plan will be to maintain, resume, and recover the business, not just recover the technology.
Business continuity planning is the process for Any Bank to ensure the maintenance and recovery of operations and customer services when confronted with adverse events. Events include natural disasters, technological failures, human error or terrorism. New business practices, technological changes, and increased terrorism concerns have created greater awareness and increased the need for an effective DRBCP. The DRBCP will also include a business impact analysis and risk assessment.
This DRBCP will address interdependencies, both market and geography based, the potential for wide-area disasters impacting an entire region, the loss or inaccessibility of staff, and recovery times. We anticipate that the amount of requested services will not decrease during a disruption, and in fact, service requests will probably increase. This plan is the basic structure of a disaster recovery effort. The procedures outlined will serve as starting points and are subject to modification to suit the need or situation.
DRBCP PLANNING AND REVIEW
Any Bank Senior Management and Board of Directors have the overall responsibility for identifying, assessing, prioritizing, managing, and controlling risks. Disaster Recovery and Business Continuity planning responsibilities are fulfilled by setting policy, prioritizing critical business functions, allocating sufficient resources and personnel, reviewing DRBCP test results, and ensuring maintenance of a current plan.
Any Bank’s Information Technology Committee is responsible for the development and coordination of the DRBCP. While the Committee may recommend prioritization, it is ultimately the responsibility of the Any Bank’s Board of Directors and Senior Management to prioritize critical business processes and establishing plans to meet business requirements.
This DRBCP and its associated annual test will be subjected to an independent audit and will be reviewed by the Information Technology Steering Committee and Board of Directors on an annual basis. The DRBCP will be tested to the maximum extent possible. The annual review is a minimum requirement. The DRBCP should be a "living document" as new technology changes the Bank’s recovery needs.
CHAIN OF COMMAND
The chain of command set forth is to assure authority and control is passed effectively during a disaster. The chain of command is as follows:
1. __________ .................................................................... President/Chief Executive Officer
2. __________ .................................................................... Senior Vice-President/Operations
3. __________ .................................................................... Senior VP/Business Operations
4.
DISASTER DR TEAM
The Disaster Recovery (DR) Team will be responsible for implementing the DRBCP and making changes to keep the plan operational. The members of the DR Team are as follows:
1. Any, Chairman DR Team Leader/Spokesperson
2. Any, Secretary Disaster Recovery Coordinator
3. ____________ Security Coordinator
4. ____________ Member
5. ____________ Member
6. ____________.............................. EDP/IT Coordinator
The DR Team is assembled at the first indication of serious interruption of business. The DR Team leader will call for implementation of the plan after consulting with the members of the DR Team and evaluating the situation. The Team Leader then notifies the Board of Directors to inform them of the status and progress on a continual basis.
The responsibilities of the DR Team are as follows:
1. Make sure the Bank is secure.
2. Evaluate the disaster situation.
3. Implement the recovery plan.
4. Inform Any Bank Board of Directors.
5. Authorize special assignments.
6. Approve expenditures.
ACTIVATION
1. The activation of the DRBCP is determined by the amount of time estimated to effect normal day-to-day operations. This plan will normally be activated not later than 12 hours after the contingency or emergency.
2. The DR Team must consider immediately a need to activate the plan if normal operations cannot be resumed in a timely manner.
3. Once a disaster has occurred and affected normal operations, the DR Team will be assembled and a decision to implement the DRBCP will be considered.
4. If for any reason the Bank President cannot be contacted, the decision will be shifted to the next available person listed in the Chain of Command.
5. The DR Team may terminate this procedure when normal operations return.
NOTIFICATION
1. A rapid notification is critical to the security of Any Bank. The first person to discover the disaster should notify the President who then will assemble the DR Team, if necessary.
2. The assembly of the rest of the employees only occurs after the DR Team agrees that the problem cannot be corrected in a short period of time. However, there are exceptions to this rule and all participants are expected to use discretionary judgment in making the decision to assemble all the employees.
3. Where the damage assessment proves so severe that recovery within 12 hours appears to be a remote possibility, the call for employee assembly is justified. The Bank’s emergency notification list (not comprehensive but a guideline) is outlined below. Contact numbers are contained in the appendices of this document.
a. Notify Regulatory Authorities
b. Notify Sungard Disaster Recovery Services
c. Notify ATT (data communications)
d. Notify Network Support Contractor
4. The person responsible for Overall Command of Any Bank Disaster Recovery Team (normally the bank president) will be the spokesperson and notify the media as to the situation and begin the process of handling the press and media requests. It should be stressed to all personnel that ONLY the spokesperson will give information and interviews to the media.
5. If local law enforcement and fire departments are not on the scene, the need for notifications is pertinent. Call the local police at once to secure the area.
6. Following the disaster, the media can be used effectively to convey important messages to our customers and extreme care should be taken in responding to reporter’s questions.
7. The information provided should be honest, factual, and presented in a positive manner to alleviate customer fears. The spokesperson should make notes before talking with the media.
8. The Bank President (or the next available person in the chain of command) will notify all regulatory agencies within 12 hours of declaring the emergency or contingency.
9. The following are some concerns of the processed banks and customers following a disaster and should be included in remarks to the media:
a. State when the Bank will re-open (if known).
b. Give locations of alternate sites.
c. Give hours Any Bank will be in operation during the emergency period.
d. Use discretion when reporting on personal injuries, deferring these reports to medical and law enforcement officials for that information.
Persons in charge of handling the media or customer requests will need definite guidelines as to the media being allowed in the off-site or reciprocal locations. Personnel in these locations will be under a certain amount of stress and should not be subjected to visitors in the area who may disrupt their work.
INTERDEPENDENCIES AND GEOGRAPHICAL CONCERNS
Any Bank’s management understands that the current regional economic environment requires dependency on many vendors. The effects of a major disaster or contingency at a key vendor site may have widespread effects for Any, Arkansas. A copy of the DRBCP, Emergency Supply List and 3-days worth of materials will be kept at Any Bank’s alternate processing site located at the North Branch in Any, Arkansas
|Vendor |Primary Location |Major Contingency Procedure |Documentation |Purpose |
|Information Technology |Lincoln, Nebraska |Provide Hot Site for Information |This agreement should be tested annually |Core Banking System |
|Inc | |Technology Inc Banking System Data & |with the results documented in the | |
| | |Item Processing. |Information Technology Committee and Board| |
| | | |of Director’s minutes. | |
|Elan (Shazam) |Johnston, Iowa |Move to alternate site in Atlanta, GA|Results of annual testing should be |ATMs & Debit Cards |
| | | |provided to the Bank. Results should also| |
| | | |be made a part of the vendor’s file for | |
| | | |the Bank’s annual vendor review. | |
|Federal Reserve |Little Rock, AR |Arrangements for moving cash orders |Agreement with FRB and ABB |Cash Letter |
| | |and receipt as well as cash letter to| |Cash Ordering |
| | |the Federal Reserve Bank in Dallas, | | |
| | |TX | | |
DRBCP RECOVERY OUTLINE
STEP 1: Key management learns of a contingency or disaster.
STEP 2: The DR Team is formed. The leader of the DR Team will decide the location(s) where the team will be formed, taking into consideration the current disaster. Team notification will be accomplished via home telephone, cell phone, or runner. The course of action will be decided and implemented.
STEP 3: Contingency Plan has been invoked. The person responsible for Overall Command (or the next person in the chain of command) will handle media, regulatory notifications and communications. Key areas for media notification include local radio, television, and newspaper. Initial restoration of the core services (see below) is covered with an agreement with Name of your Data Processor Software to provide emergency data processing at their hot site in city, State. . One ANY Bank employee will go to City, State with backup media to restore the system. Proof work will also be sent electronically or carried to item processing company’s hot site for item processing. Remote deposit capture items will be retrieved electronically and processed at the hot site.
STEP 4: Any Bank data processing personnel are concurrently working to move operations to the branch Bank building in __________ or gain delivery of a temporary building from MPA Systems, procure and install data lines, get telephone communications installed, etc. Additionally, data processing personnel will handle bank PC setup (telnet, etc) and communications between the Data Processing Company emergency sites. Primary disaster locations for each Bank location are listed below.
|LOCATION |CONTINGENCY LOCATION |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
If the emergency or disaster affects the contingency location, Bank management will procure temporary building space in the nearest unaffected area/region.
STEP 5: Data processing personnel will be using insurance funds to procure a replacement server for Name of Your Banking System software. The replacement server will be placed at the temporary building or other alternate site. Network connectivity and PCs will be ordered and installed using the Bank's service provider.
STEP 6: Employee Internet access and other secondary banking activities will need to be coordinated.
STEP 7: New building construction should be started as soon as practical.
PANDEMIC FLU
The CDC estimates that a "medium-level" pandemic flu may cause up to 207,000 deaths in the United States, with another 725,000 hospitalizations and 20-47 million people being sick, with an economic impact in the range of $71 - $166 billion. A pandemic flu could easily leave 25-30% of the workforce ill for an extended period.
The latest version of the flu believed to have pandemic potential is the avian H5N1 strain. This strain has infected approximately 100 people since 1997, with half of those infected dying. It has also caused the greatest number and most severe outbreaks among poultry in history. Large numbers of wild birds are dying from this extremely deadly strain. Although the strain does not jump easily from avian to human at this time, experts fear that it could evolve into a strain that spreads as easily as the normal flu.
Unlike most disaster scenarios, with pandemic flu, the Bank’s main concern is not the loss of equipment or operations facilities, but instead the people necessary to make it all work. The enclosed items are part of the Bank plan to prepare for a pandemic that could leave the Bank without 30% of the workforce for weeks or months.
• Determine the impact that long-term illnesses will have on operations and update the plan accordingly. This is included in the Business Impact portion of the plan.
• Appoint an emergency response team with defined roles and responsibilities. This is included in the Bank’s disaster response team and emergency chain of command.
• Identify critical functions and essential employees required to continue normal operations by location. This is identified in this plan in the employee succession plan.
• Cross train employees from multiple locations with minimal face-to-face contact to be able to fill these essential roles. This is part of the risk mitigation controls for a potential Pandemic flu outbreak. Cross training exercises will be conducted at least annually and documented.
• Determine what functions could be conducted remotely and provide for secure access in the event of a pandemic. VPN Access is part of our mitigation controls for key employees.
• Review personnel policies for sick leave compensation and guidelines for when employees are allowed to return to work after a pandemic illness.
• Have posters and other material available to educate employees on proper hygiene in the event of virus outbreaks.
• Collaborate with local and national authorities to participate in the planning process and to be more aware of potential threats.
• The bank will notify the (city) Department of Health, Red Cross, and/or the CDC of suspected pandemic illness. The bank will monitor news sources and sites such as who.int and to track possible pandemic outbreaks and levels of infection. The CDC information number is 1-800-CDC-INFO.
• Communications with key/critical vendors will be accomplished using the emergency list of phone numbers in the appendix of this policy. Bank employees will continue to update this plan with secondary vendor numbers.
Bank Precautions to Help Maintain the Workforce:
• Review key personnel succession to make sure you have identified critical and non-critical daily duties and replacement personnel.
• Consider setting up secure remote connections (i.e. VPN, etc.) so employees can work from home if necessary.
• Employees should cover their mouth and nose with tissues (World Health Organization does not recommend cloth handkerchiefs) when you sneeze or cough. Make sure tissues are disposed of promptly and properly. Make a supply of surgical masks available at the drive-ups, teller lines, or other places where employees interface directly with customers.
• Employees should frequently washing hand with soap and water. Hand washing should last 20 seconds with hot water. Keep an ample supply of anti-bacterial soap in public areas of the Bank.
• Encourage employees to stay home if they are sick
• Employees should see a physician if illness continues.
Pandemic Outbreak Strategy:
The 6 Phase Levels to the WHO Pandemic Alert System:
Level 1: 'Inter-Pandemic Phase'
- There is Low Risk of Human Cases
No bank action is required at this phase.
Level 2: 'Inter-Pandemic Phase'
- There is Higher Risk of Human Cases
The bank will continue with regular normal monitoring of WHO and CDC sites.
Level 3: 'Pandemic Alert'
- No or Very Limited Human-to-Human Transmission
The bank will remind employees of steps to take reduce pandemic risk such as hand washing, symptoms of the pandemic, etc.
Level 4: 'Pandemic Alert'
- Evidence of Increased Human-to-Human Transmission
The bank will continue to remind employees of steps to take maintain the workforce. Supply levels of soap, tissues, masks, etc. are verified. Cross training and succession charts are reviewed and personnel are briefed on alternate responsibilities. Alternative methods to work from home or other locations (VPN) are reviewed to ensure operability.
Level 5: 'Pandemic Alert'
- Evidence of Significant Human-to-Human Transmission
The bank is on high alert to monitor employees and customers for symptoms of the pandemic illness. Employees are taking protective steps to reduce the chance of pandemic spreading in the workforce. Reduced work force considerations may be a consideration. Some branch locations will consider minimizing customer interaction and may only operate drive-up or use surgical masks for person to person contact.
Level 6: 'Pandemic'
- Efficient and Sustained Human-to-Human Transmission
The bank may need to consider closing lower traffic locations and will definitely minimize lobby traffic to the maximum extent possible. Sick employees or those with sick family members are encouraged to work from home using VPNs or other methods.
In summary, our preparation for and response to a pandemic influenza epidemic will be to cross train our personnel so that we will have at least three people qualified for each core Bank function. Secondly, we will use remote employee access such as VPN and surgical masks to minimize employee contact. Finally, we will minimize employee customer interaction by providing customer service through ATM and drive up instead of in the Bank lobby.
BUSINESS IMPACT ANALYSIS
One of the most important steps in accomplishing a complete DRBCP is the development of Business Impact Analysis (BIA). The BIA should identify the potential impact of events on business processes and customers. The BIA will cover all departments and business functions and should estimate allowable downtime and levels of acceptable loss in data, operations, and finance.
Business Priority:
3=Bank must have this resource to conduct bank operations.
2=Bank should have this resource to conduct bank operations
1=Bank would like to have this resource to conduct bank operations however workarounds are available.
Business Impact:
3=Bank can conduct operations without this item for no more than 3 days.
2=Bank can conduct operations without this item for no more than 10 days.
1=Bank can conduct operations without this item for no more than 30 days.
The business impact score is obtained by multiplying the business priority times the business impact.
|Department or Area |Business |Risk and Recovery |Parameters |Business Impact |Personnel Required |Business Impact |
| |Priority | | | | |Score |
|Data Operations Core |3 |Risk Item: |Maximum allowable downtime=3 days.|3=Non-availability of the host |A minimum of 3 personnel to |9 |
|Banking System, | |Information Technology Inc Host System - | |system will prevent current |operate item and data | |
|(Information Technology Inc| |System Hardware of Software Failure, | |access to customer and management|processing operations at | |
|Banking System) | |Virus or Trojan. Fire, Water, or |Losses of up to $5,000 per day may|information. Customer service |alternate and temporary | |
| | |Electrical Damage. Physical theft or |occur due to manual posting errors|operations will be slower. |locations. | |
| | |damage. |and backlogs. Reputational damage| | | |
| | | |may occur due to the inability to | | | |
| | |Recovery: |service customers quickly and | | | |
| | |Any Bank contingency agreement with |accurately. | | | |
| | |Sungard Disaster Recovery. will be | | | | |
| | |implemented. Data is restored to the | | | | |
| | |system from tape. | | | | |
|Telephone Equipment |3 |Risk Item: |Maximum Downtime=1 Business Day |3=Loss of communications between |No additional personnel, but |9 |
| | |The Bank could lose telephone | |banks and Any Bank will |coordination and payment of | |
| | |communications. |Loss of customer and business |effectively shut down data |local communication providers| |
| | | |communications. |operations. |may be necessary. | |
| | |Recovery: | | | | |
| | |Interim use of cellular technology and |Financial losses could be as much | | | |
| | |couriers until telephone service can be |as $1,500 per day per location. | | | |
| | |restored. | | | | |
|Customer Data Availability |2 |Risk: |Maximum Downtime= 3 days |2=Frustrated customers and |No additional personnel |4 |
| | |Inability for banks to answer questions | |employees due to inability to |required; however, customer | |
| | |for customers and ANY Bank to answer |Extended inability to provide |access customer data may cause |service and personnel will | |
| | |information requests. |customer information could cause |loss of customer accounts and |have a 10-15% increase of | |
| | | |employee and customer issues. |loss of customer goodwill. |workload due to customer and | |
| | |Recovery: | | |management inquiries. | |
| | |Returning electronic systems to |Financial losses could exceed | | | |
| | |operability such as the Information |$5,000 or more if we are unable to| | | |
| | |Technology Inc host system. |provide customer data during | | | |
| | | |critical customer financial | | | |
| | | |transactions. | | | |
|Network Operations |2 |Risk: |Maximum downtime=3 days |2=Loss of PC and server |Budget for additional hours |4 |
| | |Loss of PC networks includes the | |operations will severely limit |(possible overtime) of | |
| | |inability to access the Internet and the |Loss of employee efficiencies and |customer support and efficient |contract network | |
| | |Information Technology Inc system. |quick response to Bank questions. |data center operations. |administration. | |
| | | | | | | |
| | |Recovery: |Financial loss of $500-$800 per | | | |
| | |The Bank has a SLA with their vendor to |day per location in lost time and | | | |
| | |have PC systems restored in 3-5 days. PC|inefficient operations. | | | |
| | |images are stored on tape backup and can | | | | |
| | |be restored to the new PC. | | | | |
|Internet Access |2 |Risk: |Allowable down time: 7 business |2=No e-mail, Fedline Advantage, |No additional personnel |4 |
| | |Bank could lose Internet access. |days. |Fed for the Web, credit |required. | |
| | | | |reporting, check ordering, etc. | | |
| | |Recovery: |No Internet access for email, | | | |
| | |Use local dial-up for emergency use. |Fedline Advantage, Fed for the | | | |
| | |Internet equipment is under maintenance |Web, etc. | | | |
| | |contract. | | | | |
| | | |Financial losses of $200 per day | | | |
| | | |could occur for inaccurate credit | | | |
| | | |reporting, loss of bond sales, | | | |
| | | |e-mail communications missed. | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
|Fedline Advantage |3 |Risk Item: |Allowable down time: 1 business |3=Inability to receive ACH |1 Fedline Advantage operator |9 |
|Operations | |Loss of Fedline Advantage capabilities |day |transactions, wires, returns, and|(can be a person with other | |
| | |causing the loss of ACH transactions, | |payments. |duties). | |
| | |wire transfer, etc. |Loss of customer confidence as | | | |
| | | |many Bank customers are dependent | | | |
| | |Recovery: |on ACH payments and accesses. | | | |
| | |The Bank will coordinate with a local |Financial losses could be over | | | |
| | |bank and the Federal Reserve to find an |$1,500 per day. | | | |
| | |alternate site until the hardware can be | | | | |
| | |replaced. Procurement of new Fedline | | | | |
| | |Advantage hardware will take one to two | | | | |
| | |days. | | | | |
|Telecommunications |3 |Risk: |High degree of risk regarding |3=Inaccurate or non-existent |Customer service will require|9 |
|(leased-line data circuits)| |Loss of communications. |fraud and inaccurate balancing. |daily statements, reports, and |at least a 25% increase in | |
| | | | |customer transaction files. Slow|workload. | |
| | |Recovery: |Financial loss could be as much as|transaction processing as | | |
| | |The Bank will use manual processing and |$700-$1,000 per day at each |employees adapt to manual | | |
| | |work\reports will be transported via |location. |procedures. | | |
| | |courier until the data circuits are | | | | |
| | |restored. Close relationships with | | | | |
| | |communication representatives will help | | | | |
| | |in re-establishment of data circuits. | | | | |
|Facilities |3 |Risk: |Maximum allowable down time= 1 |3=Inability to service customers |3-4 People to help move data |9 |
| | |Loss of major infrastructures. |business day. |effectively. |center operations to North | |
| | | | | |Main Branch or coordinate | |
| | |Recovery: |Loss of visible structure may | |delivery and setup of | |
| | |Initially, use the alternate operating |cause loss of customer confidence | |temporary building. Media | |
| | |site with possible support from alternate|and increase the chances of | |spokesperson to let public | |
| | |item processing locations. Move to |customer panic. Financial losses | |know where banking services | |
| | |North Main Branch or consider the use of |could be as high as $4,000 per | |are being offered. | |
| | |a temporary facility from MPA contract. |day. | | | |
| | |. | | | | |
|Item Processing Equipment |2 |Risk: |Maximum Allowable down time=2 |2=Slow customer service and |Increase of 10% in data |4 |
| | |Items cannot be encoded or sorted. |business days |inaccurate statements and |service personnel work | |
| | | | |ledgers. |requirements. | |
| | |Recovery: |Inaccurate processing due to | | | |
| | |Contractual agreement with Sungard |manual procedures and manual | | | |
| | |Disaster Recovery will allow the |bookkeeping. | | | |
| | |replacement delivery of hardware within | | | | |
| | |72 hours. Interim item processing work |Financial losses could be | | | |
| | |will be done at location, city, state. |$1,000-$1,500 per day. | | | |
|Bank Employees |3 |The Bank could have as much as 40% of the|Maximum allowable downtime=3 days.|2=The Bank must have personnel |Minimum of 5 per main branch |6 |
| | |workforce out for 2-3 months during a Flu| |cross-trained to provide core |that operates as the data | |
| | |Pandemic. | |banking functions for deposit and|center. This is the minimum | |
| | | |Losses of up to $3,000 per day may|ACH transactions available within|number of people required to | |
| | | |occur due to manual posting |24 hours. |accomplish teller, drive-up, | |
| | | |errors, employee unfamiliarity | |processing, and ACH | |
| | | |with tasks, and backlogs. | |activities at each open | |
| | | |Reputational damage may occur due | |location. | |
| | | |to the inability to service | | | |
| | | |customers quickly and accurately. | | | |
While this list compiles many of the main possibilities that could face Data processing personnel, it is not intended to be all inclusive of the types of disasters that we anticipate.
CORE SERVICES
The main concern in a disaster should be to resume the core data processing and customer service operations as soon as possible. This section will document the activities that are considered core activities.
Core Data Services
The number one core service for Any Bank is Sungard Disaster Recovery services. Should a major disaster strike the center and disable the data services department, The Any Bank personnel should immediately determine the nature of the disaster, expected interruption of service and possible causes of future interruption.
Bank personnel should be advised that the emergency plan is in effect and that their help may be required to re-start the system. (Overtime may be required.)
If the primary data services facility is inoperable, the emergency operating location will be the hot site of Sungard Disaster Recovery Services in Scottsdale, AZ. Item processing operations will also be accomplished at the Sungard Hot Site. The DR Team will direct the staff to their alternate duty assignments at the alternate data processing location.
Network Recovery
Bank operations will be dependent on employees being able to access network resources. Key areas of network recovery and the Bank plan are outlined below:
|CRITICAL NETWORK RESOURCE |RECOVERY METHOD/PLAN |
|Data Center Building |Sungard DR Trailer at or near the main Bank site. Use of BRANCHNAME branch to |
| |house tellers, CSR, and drive up. Utilization of branch offices as alternate |
| |customer service. |
|Premier Server |Replacement Premier server hardware comes with Sungard trailer, data restored |
| |from tape backups stored off site from main Bank. |
|Item Processing |Replacement Premier item processing scanner comes with Sungard DR trailer and |
| |interfaces with Premier server. |
|Image and Report Server (Director) |Replacement server comes with Sungard DR trailer and interfaces with Premier |
| |server. Data is restored from Bank tape backups. |
|Data Communications from branch locations to the data center. |Majority of processed banks have been moved to the The MPLS network will allow |
| |for on-the-fly rerouting of traffic to the new site. Connectivity will |
| |initially be to the temporary building to allow access by branch banks. |
| |Initial network communications will be via printed trial balances. Bank |
| |employees will record transactions and balance cash drawers manually. |
|Data Equipment (Routers, Firewalls, Switches, etc.) |All network equipment will be under service contract or insurance agreement, |
| |which will allow for replacement within 72 hours. Manual processing will be in|
| |effect until equipment is in place. |
|Personal Computers |Bank contract network support provider (COMPANYNAME) has agreed to provide the |
| |initial stock of PCs 15-20, and then restock more computers as needed within |
| |the next 5-7 days. |
Item Processing
Item processing will be done at the hot site location, Sungard Disaster Recovery Services in ________________. Management will schedule the appropriate work force.
ACH
Fedline Advantage and Fed for the Web
Fedline Advantage is used for the processing of ACH transactions and wire transfer operations. Fedline Advantage uses a VPN device to connect from the Bank network to the Federal Reserve Bank network. If the Fedline Advantage device experiences hardware or software failure, the Bank has an agreement with the FRB for a replacement device. If the device is requested prior to 10:00 am, a replacement will be received on the same business day. If the device is requested after 10:00 am, the replacement will be received within 24 hours. The Bank has a back up analog telephone line to use if the Internet connection is inoperative. Finally, if the Bank building is destroyed, the President will contact the Federal Reserve Bank and change the receiving institution to one of the correspondent partners or a “buddy bank” that is not affected by the disaster.
Fed for the Web is the FRB processing program that can be used to transfer the Bank’s cash letter, make cash orders, purchase bonds, and make TTL transactions. This program is dependent upon a digital certificate that identifies each user. The Bank backs up the digital certificate to removable media (floppy, USB drive, etc.) and the media is stored with the Bank’s disaster supplies. This allows the Bank to reload the certificate on any PC with Internet access.
Should there be a major catastrophe affecting the Bank's ability to receive this type of activity (ACH and wire transfer), the President will contact the Federal Reserve Bank and change the receiving institution to one of the correspondent partners or a “buddy bank” that is not affected by the disaster. Should there not be an unaffected correspondent or buddy bank, the President should consider contacting the nearest large bank to open an account that can handle these types of activity.
Electronic Banking
Electronic banking is a much higher priority during certain disaster scenarios. Any Bank Internet banking services are provided by Fiserv. Employees will able to access Internet banking accounts and services through alternate Internet access points as described below. Check Free bill payment services should be unaffected and current bill pay customers will continue to be able to pay bills online.
Internet Access
In the event of a disaster, the Internet access capabilities of the Bank are considered to be a core activity. An alternate Internet access point will be established at one of the Bank branches or processed banks to service needs such as ACH, Fed for the Web, Credit Reports, Internet banking etc.
Alternate Bank Location
An alternate Bank location or backup site has been established at the North Branch in Any, Arkansas. This location is owned and maintained by Any Bank.
NATURAL DISASTERS
Fire
All personnel should evacuate the building immediately unless conditions permit employees to:
1. Contact the Vice President of Operations who will investigate smoke or fire and contact fire department.
2. Secure all cash teller drawers placing cash money bin in vault. Each teller will be responsible for securing his/her area.
3. The VP Loans and Teller supervisor will be responsible for locking the vault and giving each teller his/her responsibilities for securing the teller area.
4. All employees are to secure their area by placing all documents in their filing cabinets. They should secure their area before leaving.
5. The loan department should secure all loan documents before leaving.
6. The data services department should secure their area by placing all checks and confidential information in the vault. The department supervisor should make sure that the department is secure prior to leaving. In addition, if time allows, the data service department shall properly power down the computer equipment and shut off power to the data processing equipment.
7. All other personnel will secure their work areas prior to leaving the building.
8. The drive-in locations will secure their cash drawers and vault as if close of day.
9. A list of emergency numbers is listed in Appendix A.
Severe Storm, Tornado or Power Outage
1. Vice President of Operations will notify all work personnel.
2. Secure work area and work station as if close of workday. All monies should be placed in vault and all filing cabinets secured and locked. If unable to leave, the vault area is the most secure area of the Bank. All personnel on the top floor should descend to the lower floor.
3. In case of severe storm, turn computers off and leave off until Vice President of Operations gives the all clear.
4. If there is a power outage, all officers will secure their work area and immediately proceed to the lobby area to remain until the office closes or power is restored.
5. A list of emergency numbers is listed in the appendix.
Earthquake
1. Move immediately to a safe area (i.e., support archway, against an inside wall, under heavy furniture, such as a desk or table). Move away from windows.
2. Sweaters, jackets, or coats should be pulled over the head to protect the face, or protect the face by interlocking fingers behind the head and pulling the elbows down to side of the face.
3. Remain calm; do not panic.
4. When the ground stops shaking:
a. Secure the teller area.
b. Check for injuries and help those in need.
c. Do not use telephone unless there is a severe injury.
d. Do not smoke until it has been determined that there are no gas leaks.
e. Fires should be extinguished with fire extinguishers or smothered.
f. Turn off main gas valve, water valve, and electricity.
g. A head count will be conducted and search teams organized if necessary.
h. Evacuate building making sure all monies are secure before leaving. All files, cabinets, and desks should also be locked and secure.
i. A list of emergency numbers is listed in appendix.
REGULATORY NOTIFICATION:
The CEO or Bank President will make notification of all regulatory agencies within 12 hours of declaring the emergency or contingency.
TECHNICAL DISASTERS
Computer Virus, Disk crash, etc.
In the event of a computer virus, Any Bank will implement the response plan listed in the Information Technology Operations Policy (ITOP) and Customer Information Security Policy (CISP). Should it be deemed necessary to implement the full DRBCP because of a virus, the balance of the unaffected systems should be shut down in order to minimize further virus damage.
Additionally, all other types of disasters such as a denial of service attack, system compromise by hackers, data storm, etc., are covered in the e-banking section of the ITOP.
EMERGENCY TRAINING
The employees that are trained for the operations functions of the Bank should be kept in constant contact within the event of a natural disaster. Should management deem it necessary, these employees should be available for extended periods of work and potential travel to off-site processing centers. For this reason, the management of the Bank should consider having these employees refined to a group of personnel that can be mobilized quickly and efficiently.
SECURITY ARRANGEMENTS
With the destruction of the Bank, a complete security analysis will have to be done on the proposed alternate site. The Security Officer and Any Bank senior management should act proactively in their assessment of the security features in considering which alternate site to choose.
REDUCED WORK FORCE AND WORK FORCE SUCCESSION CONSIDERATIONS
While it is considered absolutely necessary to have a completely competent workforce to run the Bank and data center in the case of a disaster, Any Bank management considers it appropriate to consider which positions could be eliminated in the case of a disaster. If necessary, employees that hold peripheral positions would be used to replace employees that might be missing due to the anticipated disaster.
|Current Positions |Essential |Eliminate in Disaster |Successor |
|President/CEO |X | |EVP then SVP |
|Executive Assistant/Audit & Information Security |X | |VP Bookkeeping then Bank Compliance |
|Manager | | |Officer |
|Senior Vice President/CSR Manager |X | |Head Teller, then Assistant Head Teller|
|VP/Head of Bookkeeping/Security Officer |X | |AVP Bookkeeping then Compliance Officer|
|Vice President/Head of Consumer Lending | | |AVP Lending |
|Assistant Vice President/Finance Officer |X | |Senior Loan Officer |
|Head Teller/Loan Teller | | |Largest Branch Manager |
|Systems Operator/EDP Assistant |X | |AVP Bookkeeping |
|Proof Operator/Assistant Systems Operator | |X |Branch Proof Operator |
|Customer Service Representatives | |X |Head Teller |
|Tellers |X | |Branch Tellers |
|Loan Officers | |X |Branch Loan Officers |
This listing of reductions denotes the positions that can be eliminated in the case of a major disaster. It is anticipated that under no circumstances should the listed positions be vacated, unless it is impossible to keep them filled and not cover the functions that are considered to be vital to the operation of the Bank.
Should it be determined that this reduction in workforce be in place longer than three days, the Board of Directors’ approval should be obtained before the end of the third working day. This approval should be documented in writing if at all possible.
INSURANCE COVERAGE
Any Bank management has purchased and maintains adequate insurance coverage for the facilities, operations and the equipment of the Bank. All insurance contact information is contained in the appendices of this document.
DISTRIBUTION RECORD
This section lists who among the Any Bank personnel has a copy of this DRBCP. It is to be distributed to the following personnel:
Title
------------------------
President/ CEO
Senior Vice President - Operations
VP/Head of Consumer Lending
AVP/Finance Officer
Systems Operator/EDP Assistant
These managers are directed to maintain a copy of this Plan both at the Bank and in a safe place in their homes. This will help insure that at least one copy of this plan will survive a disaster.
TESTING
Management will decide what functions, systems, or processes are going to be tested. Management will also decide what constitutes a successful test. The objective of the test should be to ensure that the DRBCP is accurate, relevant, and operable under adverse conditions. A good testing plan should not jeopardize normal business operations and should gradually increase in complexity, level of participation, functions, and physical locations involved. The test should also demonstrate a variety of management and response under simulated crisis conditions. It should uncover DRBCP inadequacies.
The test should also include the validation of critical services, evaluate transaction volume, evaluate interrelationships among different business functions, and ensure strategies are properly related to use of facilities and other outages.
The test of the plan will vary according to Any Bank employees’ experience level. As a minimum, the annual test will consist of an orientation/walk-through to ensure critical personnel are familiar with the DRBCP. Subsequent tests will involve a tabletop test. This test should be more involved than the walk-through and should evaluate specific response capabilities. The test may include some mobilization, scripts, and simulations and should focus on decision-making and demonstration of knowledge and skills. At least annually, the each Bank location will test and document the ability of teller and CSR personnel to process and balance transactions manually.
The maximum number of personnel involved in the implementation of the DRBCP should participate in the test. Personnel rotation during the test will help Any Bank prepare for the loss of key personnel. Management should report test results and problem resolutions to the Bank Board. The test report should include an assessment that test objectives were completed, corrective action plans to address problems, proposed DRBCP modifications, and recommendations for future tests.
Lastly, the audit department or other independent party will directly observe the test of the DRBCP.
Testing Procedures
The Bank will test all of its vital core systems on the off-site system at least once each year. Operations personnel will perform the test using the backup information from the day before and process the information directly on the mainframe at the SunGuard Disaster Recovery site in Scottsdale, AZ.
Should the system not perform as it should, the test routine should be investigated and re-run as many times as it takes to get the routine correct.
Security System
The Bank should test periodically (at least annually) the readiness of the security system. The Security Officer should retain the appropriate documentation of this test in a permanent file.
Appendix A: Emergency Telephone Numbers
Airlines
Flights may need to be made to Lincoln, Nebraska.
Reservations can be made through or
Fire Department
ANY 911 or (870)
Hazen 911 or (870)
Dewitt 911 or (870)
Des Arc 911 or (870)
Devalls Bluff 911 or (870)
Police
ANY 911 or (870)
Hazen 911 or (870)
Dewitt 911 or (870)
Des Arc 911 or (870)
Devalls Bluff 911 or (870)
Arkansas County Sheriffs Department (Augusta) 911 or (870)
Arkansas State Police (Forrest City) 911 or (870)633-1454
Federal Bureau of Investigation (Little Rock) 911 or (501)221-9100
Federal Bureau of Investigation (Jonesboro) 911 or (870)932-0700
Ambulance Service
Any 911 or (870)
Hazen 911 or (870)
Dewitt 911 or (870)
Des Arc 911 or (870)
Devalls Bluff 911 or (870)
Hospitals
Any Memorial Hospital ANY (870)
Baptist Medical Center LR (501)227-2000
Baptist Memorial Medical Center NLR (501)771-3000
Doctor's Hospital LR (501)661-4000
University Hospital of Arkansas LR (501)686-7000
Veterans Administration Hospital LR (501)661-1202
Telephone
CenturyTel (Installation & Service) (800)201-4102
CenturyTel (Repair Service Reporting) (800)824-2877
Electricity
Entergy (800)968-8243
Any City Light, Water, & Gas Office (870)
Gas
Reliant (800)992-7552
Reliant (after hours) (800)844-7440
Water
Any Waterworks (870)
Insurance
St. Paul (800)787-2851
Newspaper
Daily Leader (870)
Arkansas Democrat Gazette (800)482-1121
Television Station
KTHV-TV 11 CBS (Main) (501)376-1111
KTHV-TV 11 CBS (News Tip Line) (888)848-6397
KARK 4 NBC (501)340-4444
KATV 7 ABC (Main) (501)324-7777
KATV 7 ABC (News Tip Line) (501)324-7760
WHBQ-TV FOX13 (901)320-1313
Radio Stations
Arkansas Radio Network (501)401-0200
KFIN 107.9 FM (Jonesboro) (870)932-1079
KWCK 99.9 FM (Searcy) (501)268-7123
KKSY 107.1 FM (Bald Knob) (501)268-7123
KAPZ 710 AM (Bald Knob) (501)268-0596
Correspondent Banks
Arkansas Bankers Bank (501)371-0535
Simmons First National Bank (870)541-1000
SunTrust (615)748-4000
First Tennessee (901)523-4444
JP Morgan Chase (888)294-3318
Regions (615)244-4015
Regulatory Agencies
Arkansas State Bank Department (Little Rock) (501)324-9019
Federal Deposit Insurance Corp (Memphis) (901)685-1603
Federal Reserve (St. Louis) (314)444-8444
Fed Phone Cash Service (866)821-0329
Bank Trade Associations
Arkansas bankers Association (Little Rock) (501)376-3741
Arkansas Independent Bankers Association (Little Rock) (501)525-1634
Poison Control Center (800)376-4766
Arkansas Poison Control Center (800)222-1222
University Hospital of Arkansas (501)686-6416
Spill or leak of hazardous material
Chemtrec 800-424-9300
CHEMTREC is a 24-hour reference and response service operated as a public service by the Chemical Manufacturers Association to provide information and/or assistance to those involved in or responding to chemical or hazardous materials emergencies.
MPA Systems, Inc 888-233-1584
MPA Disaster Recovery Facilities Program – In case of a fire, flood, tornado, terrorist act or similar sudden and accidental event, Bank of McCrory will consider a replacement facility from MPA. The following is a list of home phone and nationwide cell phone numbers of representatives. If Bank of McCrory experiences a disaster, call or page one of the following. After normal business hours, call one of these key people:
Kimberly Shaw Home 1-940-458-7904
Cell 1-940-391-4662
Sheila Riddle Home 1-940-458-7217
Cell 1-940-391-1106
Sharon Miller Home 1-940-458-4498
Cell 1-940-395-0637
Bob Holden Home 1-972-966-8806
Pager 1-800-561-4098
Jim Casey Home 1-512-306-0151
Cell 1-940-390-8886
Appendix B: Master Vendor Listing
This listing of vendors is formalized in order to have on record the vendors that normally provide the supplies for the Bank. This list is to be used to replace the supplies in the case of a disaster.
Forms and Statement Supplies
Curtis 1000 (800)392-5835
Cook Sales (800)275-6552
Alexander Printing (800)379-3412
Hardware/Software
Information Technology, Inc (Host System) (800)
NEASEM Business Solutions (Hardware) (870)239-4416
Fedline Advantage Customer Support (800)737-9522
USBancsource (Proof Machine-Supplies) (800)467-1368
Internet connections
Phone & Internet
CenturyTel Communications (800)201-4102
Other
Alarm Systems and Security
Diebold (800)548-4478
Webster (Security) (901)332-2911
HVAC/Electrician/Plumber
______________________ (870)
Courier Company
Velocity Express O52 (501)375-0189
Appendix C: List of Employees
This appendix contains a current listing of employees. This listing will be updated annually. Any interim changes should be done informally, so that an annual review can be done at the Information Technology Committee level.
|Name |Address |Home Phone |Cell Phone |Additional Phone |
| |Directions (if Rural Route) | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
Emergency Backup Telephones
The following is a list of employees that have agreed to let Any Bank use their cell phones for business purposes in case of a Bank emergency.
|Name |Cell Phone Number |
| | |
| | |
| | |
Appendix D: Emergency Supplies
The Bank should retain a stock of emergency supplies. The following listing is considered to be a working inventory of the forms that should be kept both on-hand and in storage at the alternate data site.
Teller tickets - in and out UCC forms
Cash Count Tickets Notice of Action taken forms
TT&L Deposits Deed of trust
GL Debit & Credit Tickets Loan application
Debit your account forms Loan forms
Savings deposit and withdrawal forms ITI transaction code supplement
Cash Memos – Currency & Coins Signature cards
EDP Policy Sysop Daily Procedures
DDA deposit tickets Stop payment forms
Return item forms Collection Forms
Bank envelopes Blank scratch pads
New CD forms Lock box forms
Loan payments Loan debit forms
Loan coupon book order form Credit life certificates
Loan extension forms Trancode supplement list
Appendix E: Board of Directors
The following is a listing of the Board of Directors of the Bank:
Chairman –
Members:
Appendix F: Contingency agreements with processing providers
Information Technology Inc (Core and Item Processing)
Appendix G: Management Succession
The following succession of responsibilities for the management of the Bank has been established in the event of a disaster:
Customer Relations & Press
Overall Command – President/CEO
Plan Coordination, Operations
Data Processing & Network Operations – Senior Vice President - Operations
Plan Coordination, Operations
Retail Operations -
Appendix H: Attachments
• ATM Vendor – ATM Contingency
Appendix I: Key & Combination List
Do not write codes on this list.
Store each code in a sealed envelope labeled accordingly and place it in an off-site safe deposit box with dual control access. Indicate the box number and location of each envelope on this form. In some cases, it may be necessary to store the codes in two secure locations.
Extra Safe Deposit Box keys in Safe Deposit Box #
Door Key Codes stored at ANY (The master key & instructions are stored in the Fire Proof Cabinet in Operations)
Fire Proof Cabinets - -
Vault combination codes:
|LOCATION |SECURE COMBINATION LOCATION |
|Any (Main) | |
|Any (North) | |
| | |
| | |
| | |
| | |
| | |
| | |
Appendix J: Emergency Evacuation Procedures
BANK PROCEDURES:
In the event that a disaster should occur or a warning is received of impending danger sufficient to warrant evacuation of the Bank, the Security Officer, Branch Manager, or Bank President will announce the implementation of evacuation procedures. The supervisor in each area should proceed to see that the following steps are taken in their areas:
LOAN DEPARTMENT:
1. All personnel who have any notes al their desks are to return them to be placed in retardant note files.
2. The loan processor will see that the loan files are properly shut.
3. Each loan assistant will see that all official checks are placed in the vault.
TELLERS:
1. Each teller will remove their cash drawer and proof work and place them in the vault.
2. The teller supervisor will see that all cashier checks, official checks, money orders, collection items, and travelers checks are placed in the vault.
3. The assistant teller supervisor will see that all deposit bags are placed in the vault.
4. Each CSR will see that all necessary items at their desk are placed in the vault.
5. The security officer will see that the vault is closed and locked.
DATA CENTER:
1. Proof operator will end the current run and take unposted work to the evacuation site.
2. Data center manager will power down the servers or provide directions to the nearest operator.
GENERAL:
1. The security officer or branch manager will be responsible for making an announcement that a bank-wide evacuation is in progress.
2. The Security Coordinator, branch manager, or Bank President will see that all items above have been completed and all employees have left the Bank and are en route to the designated evacuation site. He or she will then secure the Bank facility, post the emergency door signs, and meet the employees at the designated evacuation site. Once the employees have gathered, the security officer\branch manager\Bank president will be responsible for determining that all personnel are safe and accounted for.
3. The timing of a telephone call to the proper emergency authorities is to be determined by the Security Officer or Bank President based on the nature and severity of the event.
Designated Evacuation Sites:
|LOCATION |EMERGENCY EVACUATION SITE |
| | |
| | |
Appendix K: Disaster Telephone Answering Script
TO: The Valued Customers of Any Bank
RE:
As you may know, we have suffered a disaster in our banking community. Our main building has been _________ (destroyed, damaged, etc.) by the recent ________ (tornado, fire, earthquake, etc).
We want you to know that your money is safe, secure, and available. We will continue to provide you all cash and deposit services that you require. Although this is a certainly a setback, we have planned and tested for this type of contingency many times. Full services will be available very soon. We are prepared to completely overcome this contingency without interrupting our service to you.
Please stay tuned to the local radio and television stations as we continue to provide updated information, post service locations and our extended hours to provide community banking services to our customers.
Sincerely,
President
Any Bank
Appendix L: Any Bank Incoming Line Numbers
CenturyTel® provides all communications outside the Bank including voice, fax, and computer, through the following lines:
Appendix M: Startup, Shutdown, and End of Day Procedures
Startup Procedures
SHUTDOWN PROCEDURES
END OF DAY PROCEDURES
DO NOT PROCEED WITH THESE INSTRUCTIONS UNTIL YOU HAVE COMPLETED ALL OF YOUR PROOF OF DEPOSIT WORK, ENTERED ALL NEW ACCOUNTS, AND HAVE DONE ANY NECESSARY FILE MAINTENANCE.
Appendix N: Detailed Directions to the SunGuard Disaster Recovery Hot Site:
From: Any, Arkansas 72101 US To: Little Rock National Airport
1 Airport Rd
Little Rock, AR
72202-4404 US
Appendix O: Risk Assessment:
|BANK BUSINESS SYSTEM OR |DISASTER OR CONTINGENCY|DISASTER OR CONTINGENCY|IMPACT |CONTROLS AND OTHER RISK MITIGATION FACTORS|CONTROL FACTOR |TOTAL DISASTER |
|DEPARTMENT | |PROBABILITY | | |RATING |RISK RATING |
|Data Center |Loss of data center due|2 |4 |Employee training procedures on where to |0.25 |1.50 |
| |to fire, earthquake, or| | |go during inclement or dangerous weather | | |
| |tornado. | | |should help limit injury and loss of life.| | |
| | | | |DR Plan provides for a contract with | | |
| | | | |SunGard Data Recovery Services to provide | | |
| | | | |a "bank in a trailer". The Bank has | | |
| | | | |tested and stored off site data backups to| | |
| | | | |recover to the SunGard server. | | |
|Data Communications |Loss of data |3 |4 |Alternate data routing using MPLS for |0.5 |3.50 |
| |communications circuits| | |processed banks helps mitigate loss of | | |
| |due to inclement | | |data paths. Maintenance contracts with | | |
| |weather such as | | |24-hour replacement on critical network | | |
| |lightning, tornado, | | |equipment. Network IDS/IPS and firewalls | | |
| |earthquake, or security| | |are used to minimize data security | | |
| |breach | | |breaches. | | |
|Key computer and data |Loss of key computer |2 |3 |Replacement PCs maintained at Bank |0.25 |1.25 |
|processing systems - Premier |systems due to a | | |locations, up to date antivirus/ | | |
|Server, Director, Imaging |security breach, virus | | |antispyware, firewalls, and user | | |
|Equipment, Item Processing |outbreak, loss of | | |education. Employee training on manual | | |
|Equipment, Firewalls, Network|electrical power, or | | |Bank operations including balancing and | | |
|Switches, Internet Access |malware infection | | |other transactions. Service contracts on | | |
|Equipment, etc. | | | |all key/critical network equipment. | | |
| | | | |Backup internet connection at alternate | | |
| | | | |location. | | |
|Key Bank Leadership and |Loss of key personnel |1.8 |4 |Employee training and awareness to help |0.5 |2.90 |
|Employees |due to disease outbreak| | |reduce the spread of contagious disase. | | |
| |or pandemic such as | | |Bank procedures to handle customer service| | |
| |bird flu | | |with mimimal interaction between employees| | |
| | | | |and infected personnel. Integrated | | |
| | | | |efforts between local and regional health | | |
| | | | |and medical departments and the Bank. | | |
|Telephone Equipment |Loss of telephone |1.8 |3 |Service contracts on telephone systems, |0.25 |1.20 |
| |systems due to security| | |backup list of cellular devices and PDAs | | |
| |breach, virus outbreak,| | |to be used in an emergency. | | |
| |loss of electrical | | | | | |
| |power, or malware | | | | | |
| |infection | | | | | |
Appendix P: Floor Plan Drawings with Utility Shutoff Locations for each Bank:
Appendix Q: Specific Task Requirements of this Policy
SCHEDULED TASKS REQUIRED BY THIS POLICY. THE COMPLETION OF EACH TASK SHOULD BE FORMALLY DOCUMENTED IN COMMITTEE AND BOARD MINUTES.
|TASK |FREQUENCY |RESPONSIBLE PERSON OR COMMITTEE |DATE ACCOMPLISHED |
|Review, revise, and approve of |Annually |ITPC and Board of Directors | |
|this policy. | | | |
|Perform and document a complete |Annually |ITPC and Board of Directors. | |
|test of the bank’s DR and BCP | | | |
|plan annually. This test should| | | |
|ensure the involvement of key | | | |
|bank personnel and be as | | | |
|realistic as possible. | | | |
|Review and approve the bank’s |Annually |ITPC | |
|BCP and DR risk assessment. | | | |
|Test the bank’s alternate item |Annually |ITPC and Board of Directors. | |
|and data processing procedures. | | | |
|Results should be documented. | | | |
|Review and inventory the bank’s |Annually | ITPC and Board of Directors. | |
|disaster and business continuity| | | |
|supplies. | | | |
|Review and update employee list.|Semiannually |ITPC | |
|Review and update home and cell |Semiannually |ITPC | |
|phone list. | | | |
|Review and update listing of |Annually or more often as |ITPC and Board of Directors | |
|Board Members. |required. | | |
|Review and update building |Annually or more often if a |ITPC | |
|evacuation procedures. |substantial building or | | |
| |operations change is made. | | |
|Review and update the bank’s |Annually |ITPC | |
|list of critical vendors. | | | |
|Review and test manual |Annually |ITPC | |
|operations | | | |
................
................
In order to avoid copyright disputes, this page is only a partial summary.
To fulfill the demand for quickly locating and searching documents.
It is intelligent file search solution for home and business.
Related searches
- small business marketing plan pdf
- free business marketing plan template
- small business marketing plan sample
- small business marketing plan outline
- small business marketing plan template
- small business marketing plan examples
- business pro plan free
- business marketing plan template word
- startup business financial plan template
- business continuity plan doc
- business continuity plan template
- business continuity plan template word