Elements of a Disaster Recovery Plan

Jonathan Foxx
Nov 11, 2016

Question: Our compliance department has been tasked with developing a disaster recovery plan. Banking departments of several states are expecting us to ratify such a plan. However, we are not sure about what goes into this plan. What are the essential elements of a disaster recovery plan?

Although there is some variation to the features of a disaster recovery plan, we have found that there are constituent elements that are typical of this document. Sometimes “disaster recovery” is also referred to as “business continuity.” At the most rudimentary level, this plan sets forth the procedures to be followed in the event of an emergency or other disruption of a financial institution’s normal business activities. The goal is to be able to continue or to resume any operations as soon as possible with minimal disturbance to internal and external parties and certainly to recover any documentation and data required to be maintained by applicable laws and regulations.

In our development of disaster recovery plans for our clients as well as the review of their existing policies and procedures involving such aspects as information security, cybersecurity, and other features of information technology, we have found that there are several salient elements of a disaster recovery plan. I will provide them here, with the caution that the list is not meant to be comprehensive, and, to be sure, other elements may be appropriate based on an institution’s size, risk profile, and complexity.

Essential Elements of a Disaster Recovery Plan
1. Identify documents, data, facilities, infrastructure, personnel and competencies essential to the continued operations of the financial institution.

2. Identify supervisory personnel who are in the chain-of-command for implementing each aspect of the disaster recovery plan and the emergency contacts required to be notified. These individuals must be given authorization to make key decisions in carrying out the plan’s requirements.

3. Devise a plan to communicate with the following persons in the event of an emergency or other disruption: (a) Board of Directors; (b) Senior Management; (c) employees; (d) consumers; (e) affiliates; (f) media; (g) investors; (h) regulatory authorities; (i) data, communications and infrastructure providers and other vendors; and, (j) disaster recovery specialists and other persons involved in recovering documentation and data.

4. Ratify procedures for, and maintenance of, back-up facilities, systems, infrastructure, alternative staffing and other resources to achieve the timely recovery of data and documentation and to resume operations as soon as reasonably possible. We recommend that the resuming of operations be expected to occur within the next business day.

5. Maintain back-up facilities, systems, infrastructure and alternative staffing arrangements in one or more areas that are geographically separate from the financial institution’s primary facilities, systems, infrastructure and personnel.

6. Back up or copy, with sufficient frequency, documents and data considered essential to operations or to fulfill regulatory obligations, and store information off-site in either hard-copy or electronic format.

7. Identify potential business interruptions encountered by third parties that are necessary to the financial institution’s continued operations and devise a plan to minimize the impact of such disruptions.

8. Ensure that copies of the disaster recovery plan are placed at all accessible off-site locations, such as branches.

9. Train, and periodically drill, affected employees and support systems on applicable components of the disaster recovery plan.

10. Review and revise the disaster recovery plan at least annually or upon any material change to the financial institution. Any deficiencies or corrective actions must be documented.

11. Test the plan at least annually by qualified, independent internal personnel or a qualified third party service capable of performing a risk assessment. The testing date should be documented, such documentation describing the nature and scope of the testing, any deficiencies found, any corrective actions taken, and the dates on which corrective actions were taken. I strongly recommend testing a disaster recovery plan at least once every three years by a qualified third party service.

12. Keep detailed records of all activity involving the implementation of the disaster recovery plan and maintain such information in a form that may be made available promptly, upon request, to representatives of regulatory and enforcement authorities, Federal agencies, prudential regulators, and state banking departments.

Jonathan Foxx is managing director of Lenders Compliance Group, the first and only full-service, mortgage risk management firm in the United States, specializing exclusively in outsourced mortgage compliance and offering a suite of services in residential mortgage banking for banks and non-banks. If you would like to contact him, please e-mail [email protected].
