Disaster Recovery: Three Key Lessons

February 1, 2007

By Patrick Totty

Disasters occur daily. But human nature dictates that thinking about them doesn't ride high on most credit unions' to-do lists. And given credit unions' myriad other daily concerns, it's easy to see why most credit unions don't dedicate a person or team to business continuity or disaster recovery plans.

That's why vendors selling continuity and recovery software and services tailor their offerings to do a lot of the initial heavy lifting. "We try to make the process as easy as possible," says Brian Turley, president of Strohl Systems, King of Prussia, Pa. "Our online service, PLANet® for Credit Unions, is a relational database that walks credit unions through the process of building and maintaining continuity plans. It's specific for credit unions, including the appropriate methodology and terminology."

With libraries of information built into it, says Turley, clients choose what's applicable to them. "We started with a proven solution many Fortune 1,000 companies have used and customized it so credit unions can meet regulatory requirements for business continuity."

Strohl also offers consulting, where it leads credit union clients through business continuity planning, testing, and maintenance.

What Katrina revealed

Even the most conscientious recovery and continuity plans have limitations--a sad reality underscored by Hurricanes Katrina and Rita. "Katrina dealt some major blows to continuity planning assumptions," says Turley. "First, communications took a huge hit. People didn't anticipate the complete shutdown of the communications infrastructure. They expected to be able to reach staff, members, and key vendors.

"Also, there was no human resources planning," he continues. "Credit unions assumed employees would be available post-storm to aid recovery efforts. However, people were, understandably, focused on their own families and personal situations. Some even moved out of state and left no forwarding addresses or phone numbers."

Mike Retelle, claims manager at CUNA Mutual Group, Madison, Wis., says Hurricane Katrina's "wake-up call was dramatic. It wiped out landlines and cell towers, created widespread destruction, and decimated staffs. It also revealed the extent to which credit unions had built branches in low-lying coastal areas that 20 or 30 years before had no large habitations."


Retelle says the storm altered credit unions' perceptions for two or three months, making them more receptive to his advocacy for disaster planning. "Although Katrina took center stage for a while, it's useful to remember there are all sorts of other disasters credit unions need to plan for: fires, bombs, floods, earthquakes. Unfortunately, tax season and year-end events pushed continuity planning down the list."

Another issue to consider: Regardless of physical damage a credit union suffers, it still must meet its contractual obligations. For example, says Jim O'Dell, CUNA Mutual's manager of risk management services, if a credit union agrees to pay bills or originate time-sensitive automated clearinghouse disbursements for members, it must do so regardless of whether it has the necessary facilities, equipment, or personnel.

Three key lessons

Turley says Hurricane Katrina taught credit unions three major lessons:

1. Establish an order in which you'll try to communicate with people. If phones are out, use a pre-arranged radio commercial that comes on a certain station at a certain time. If there's no radio, put a big sign on the credit union headquarters and branches.

"If bricks and mortar, too, are damaged, drive to employees' houses to hand-deliver updates," he says. "Employees should provide forwarding information before a natural disaster."

2. Arrange to set up shelters for employees and their families with beds, food, medicine, radios, flashlights, clothing, and sanitary facilities. Once employees know their families are taken care of, they can pay attention to work.

3. Share facilities and database services. Set up backup facilities far from affected areas. Even though many credit unions are entering into mutual aid agreements with other credit unions, some are reluctant to do so. Retelle says usually this is because human nature stands in the way.

"Some credit unions adopt a 'go it alone' attitude," he says. "Also, it takes a lot of time to develop these alliances."

Testing guidelines

After creating a continuity plan, test it at least annually, O'Dell advises. Quarterly testing is ideal. "People change positions and roles, and expertise can get lost," he says.

Turley agrees, calling for tests "at least once a year or whenever there's a major change, such as growth or acquisition, or a key person leaves." He notes that aside from testing readiness and revealing flaws, mock disaster tests have another positive effect. "They make people realize 'I do have a role' in disaster readiness."


That awareness makes continuity plan documentation essential. "The head person may not be available when disaster strikes," says Turley. "Clear instructions help staff assume the necessary tasks."

Generally, one person becomes responsible for the business continuity plan, Retelle says. "So when a disaster happens, everyone looks to that one person to have developed and implemented a comprehensive response." The problem is that such high expectations often lead to burnout for this person after a disaster.

O'Dell advises anticipating more than natural disasters. "Say your CEO dies unexpectedly or there's violence in the workplace. If you don't think through your responses before things like this happen, what will happen when they do occur?"

Disasters often bring out the best in people's thinking. Retelle says that after the 1994 earthquake in Northridge, Calif., a police credit union there "had a good disaster plan, down to using partitions to hide the extensive damage to the back office from members doing business in the lobby. Astute handling of a disaster isn't always a matter of the level of destruction but of handling members' perception of the destruction."

Sometimes there's even a silver lining. "Occasionally a disaster will force a credit union to close an unprofitable branch it kept open to avoid angering members," says Retelle.

Hidden surprises

One common mistake is planning for specific scenarios, Turley says. "If you plan for specific disasters, there always will be something you didn't anticipate. The best course is to assume that your business isn't operational and focus on what it will take to recover."

That's why, says Retelle, credit unions should keep in mind this simple definition of disaster: "Anything that has the potential to adversely affect the credit union, its members, or its sponsor."

Business continuity basics

Brian Turley, president of Strohl Systems, King of Prussia, Pa., a Credit Union National Association strategic alliance provider, says business continuity planning is pretty basic. "You plan for people, assets, equipment, and location."

Here's what credit union plans need:

  • Public relations strategy, especially in a man-made disaster, such as the death of a key person or an internal scandal;
  • Recovery and security teams in place;
  • Risk management plan; and
  • Information technology (IT) recovery plan.

IT isn't the focus of planning as it once was, given the availability of mirror sites and virtually instantaneous backup from remote locations. IT recovery still is important, but the focus has switched to ensuring people, facilities, processes, and data all are considered equally, Turley says.

Don't take it all on yourself. "Use proven methodologies, solutions, and services to guide you through the process," Turley says.