Bank Director Magazine - 2003 - Technology Supplement

The Board’s Role in Information Technology

Phil Faulkner, EMC’s group manager for the banking industry, spoke with Bank Director about what role the board plays in information technology.

What is the board’s responsibility regarding the protection of the bank’s information and systems?
Executives and board members have a legal obligation to protect their banks from potential disruptions. By not supporting or developing an appropriate IT strategy, executives can be sued and held accountable for inaction. It’s important to realize that in today’s high technology world, deposits are now bits of information within a computer versus hard currency in the bank vault. In effect, the data stored in bank computers today is just as valuable as cash, and requires the same level of protection. Consider the language found in chapter 10 of the Federal Financial Institutions Examination Council (FFIEC) Handbook:

“The board of directors and senior management are responsible for establishing policies, procedures, and responsibilities for organization-wide contingency planning. The institution’s contingency plan should address all critical services and operations which are provided by internal departments and external sources. The plan should be a coordinated effort with the objectives of minimizing disruptions of service to the institution and its customers, minimizing financial losses, and ensuring a timely resumption of operations in the event of a disaster.”

To uphold its duty to safeguard deposit information, senior management must oversee the work of the IT department and make sure that the traditional rules of protecting the physical security of deposits are being applied to the protection of IT “virtual assets.” Directors should follow up with management to make sure that the proper procedures are in place and are being followed. FFIEC bank examiners are now diving deeper into IT infrastructure and are highlighting deficiencies in annual examinations. These reports and any deficiencies are presented to the board for resolution.

Specifically, the bank’s—and therefore the board’s—responsibility for information concerning customer assets includes security, privacy, business continuance, and fraud protection. The Basel II Accord proposes that banks measure the protection of information assets through risk assessment. The accord pushes for lower capital reserve requirements based on documented plans for IT infrastructures that address operational risk and utilize more information to measure credit risk. Thus directors need to ensure that their bank remains competitive by employing an integrated IT system that helps identify and manage risk.

What are the keys to ensuring the bank has an adequate disaster recovery/business continuity plan?
Our current research shows that banks are reevaluating their disaster recovery spending, which typically accounts for 3% to 5% of the overall IT budget. Post-Sept. 11, most banks have added an executive-level position known as the business continuance planning executive. In addition to this executive position, many banks are establishing a separate budget item around overall business resumption plans for all bank functions.

The Sept. 11 attacks have shown that the duplication of business-critical data and processes in widely dispersed facilities with dedicated teams of personnel provides a robust framework for disaster recovery and business continuity. These capabilities need sophisticated automation and remotely accessible centralized management across the entire bank. After all, the bank’s most critical business issue is its ability to continue operations, regardless of circumstances.

It should be noted, however, that most businesses plan for the 1% chance of a disaster versus looking at the real issues that cause downtime within an IT environment. (Figure 1 shows that 87% of downtime is caused by “planned occurrences,” such as backups and data warehouse loads.)

What kind of periodic testing results should be provided to board members regarding the institution’s disaster recovery/business continuity plan?
The best-practices rule for testing calls for, at minimum, a full, companywide test once a year and an IT full-recovery test once a quarter, or after a major system upgrade. Consistent, full-scale testing of critical systems is required at least quarterly. Many firms are looking toward the Basel II requirements that focus on risk management, specifically for operational risk, which covers business continuity. In the new regulations, the IT business recovery plan review is now a large component of the bank examination.

What are the most important types of information that should be covered under a bank’s disaster recovery/business continuity plan, and what are some of the most commonly overlooked areas?
In the past, banks have protected transactional data and preserved a copy of that data, often on tape from the previous day’s end-of-day. This “production” data was thought to be critical to resume operations; however, under the proposed business continuity rules from the interagency white paper, all information will be critical. The proposed rules require that businesses resume operations in less than four hours, therefore recovery from tape will not work. (Figures 2 and 3 reflect the rules of thumb when deciding what data to protect.) Most banks find that to resume operations, almost all data is required, as it is interconnected.

The most overlooked areas in business continuity planning include second-site facilities support; transportation to the second site; management of the second site for more than five to seven days; and the “return home” strategy after the disaster. Materials most often overlooked include the customer support material (in paper format) for loans and payments that may not be required upon immediate resumption but will be necessary in the days following a disaster to keep customers on board.

How should the board evaluate its disaster recovery service providers? Have banks addressed disaster recovery differently over the past year in the wake of the Sept. 11 events?
Service providers enable the outsourcing of parts of the business continuity solution and should be viewed as an extension of bank resources, but ultimately the bank is responsible for meeting the regulatory requirements of business continuity. Prior to Sept. 11, banks that employed service providers used the service contract and the auditor’s check mark that the bank conducted testing once a year as proof that they had a business continuity plan. This was considered acceptable by bank examiners. It must be made clear, however, that a contract with a service provider does not transfer the business continuance planning and liability associated with a disaster to the third-party provider—that is still a bank issue.

There have been numerous conferences held and white papers written on the lessons learned during and after the attacks of Sept. 11. Many companies have studied the techniques of the firms that successfully recovered from the impact of the attacks, including those of the Depository Trust & Clearing Corporation, New York Stock Exchange, Commerzbank, and Deutsche Bank. Almost every bank’s management team has sat down with its IT staff or provider and, at minimum, assessed its disaster recovery plan and assigned a method of risk measurement. And most firms have created the executive-level business continuity planning/risk management position mentioned earlier. The box below contains a summation of the lessons learned from the Sept. 11 terrorist attacks.
