Deborah Ray, CISA (debray@ebicom.net)
Date of program: May 1997

NBC - SYSTEM CONTINGENCY PLANNING AUDIT
AUDIT PROGRAM

1. Review the last audit report and external examinations, and ascertain whether exceptions have been addressed.

2. Complete the Internal Control Questionnaire to get a general overview of controls in this area.

Policies and Procedures

3. Verify that the Bank has developed and implemented a disaster recovery plan that meets or exceeds the FFIEC's requirements and that the plan is in written form. (L-3) FFIEC
- Determine that the plan has been approved by the board of directors. (L-3) FFIEC
- Ensure the board of directors annually reviews and approves the plan and documents the annual review in the board minutes. (L-3) FFIEC
- Ensure copies of the plan have been stored off-site with other reserve supplies. (L-3) FFIEC

4. Interview several managerial and staff employees to develop an overview of their attitudes about levels of competency regarding the Bank's disaster recovery plan. Verify that:
- They know their respective roles involving the plan.
- They are knowledgeable about the types of disasters that may affect the Bank and the community.
- They know to whom they are to report and to what location if the Bank activates the plan. (O-1)

Disaster Recovery Team

5. Determine if employees at the following levels have been designated to assume control over departments, branches, facilities, and functions during a disaster:
- Chairperson -- a senior officer designated to make or control all disaster recovery decisions made at the executive level and to provide appropriate leadership.
- Coordinator -- a senior officer or operations manager designated to implement all disaster recovery decisions made at the executive level and to provide appropriate coordination efforts.
- Team leaders -- department, branch, facility, and functional managers designated to implement disaster recovery decisions as assigned by the coordinator.
- Vendors -- individuals and companies providing critical and accessory services designated to implement specific disaster recovery operations as assigned by the coordinator. (L-3) FFIEC

6. Determine whether members of the disaster recovery team have clearly defined and written instructions for performing disaster recovery tasks. (L-3) FFIEC

7. Ensure there is not excessive dependence on any one person. (O-1)

Line of Succession

8. Determine if a line of succession (temporary command structure) has been adopted by the board of directors, listing those persons designated to assume control of the Bank during a disaster or the loss of key executives. Verify that:
- A line of succession is in writing and is certified in the board minutes.
- The document contains the names of persons rather than of employment positions.
- Those persons listed in the document are provided with a copy of the listing.
- Copies of the document are stored at appropriate off-site locations. (O-1)

Critical Organizational Functions

9. Verify that the Bank has prioritized all critical and non-critical functions, based on an assessment of the potential impact from loss of information and services to the Bank's financial condition, competitive position, customer confidence, and legal and regulatory requirements. Verify that this prioritization is maintained as part of the disaster recovery plan. (L-3) FFIEC

   A. The following functions are critical to a bank's continuing operations during and after a disaster. All others should be considered non-critical.
   - Bank administration - leadership and direction
   - Bank operations - management and control
   - Bank security - personnel, customers, facilities, assets, and records
   - Branch operations - basic banking functions
   - Public relations - media contact and image protection
   - Telecommunications - information flow
   - Data processing - assets and records
   - Courier services - delivery and transportation
   - Office support - documentation and functional support

Agreements for Services and Insurance

10. Verify that written backup agreements and contracts exist for all facilities, hardware, software, vendors, suppliers, disaster recovery services, and reciprocal agreements. Verify that all agreements are in force, are adequate for the Bank's needs, and are for equipment still in the Bank's possession or for services still utilized by the Bank. (L-3) FFIEC

11. Verify that all insurance and bond coverage is in force, is adequate for the Bank's needs, and is for personnel, facilities, records, equipment, products, and services still employed or retained, owned, maintained, sold, or used by the Bank. (O-1)

Emergency Response and Notification Policy

12. Verify that the Bank has designated emergency response notification procedures. (L-3) FFIEC

13. Verify that the Bank has designated persons capable of declaring a disaster and has determined the conditions of such a declaration. (L-3) FFIEC

14. Verify that the manager of each department, branch, facility, and function maintains a current contact listing of all employees supervised, as well as appropriate emergency service agencies, including:
- Home address and telephone numbers
- Business address and telephone numbers
- Other contact persons as appropriate. (O-1)

Risk Assessment and Recovery Strategies

15. Determine if the Bank has conducted a risk assessment and prioritized the most likely disasters to affect Bank operations, such as:
- Natural disasters -- fire, flood, earthquakes, hurricanes, etc.
- Technical disasters -- power outage, hardware/software failure, communications interference, etc.
- Human-caused disasters -- riot, bomb threat, disgruntled employee, sabotage, etc. (L-3) FFIEC

16. Based on the risk assessment, determine if the Bank has developed strategies and procedures to recover:
- Facilities
- Hardware (mainframe, networks, and stand-alone PCs)
- Software and data files
- Communications
- Customer services
- User operations
- End-user systems
- Other processing operations (L-3) FFIEC

17. Verify that the risk assessment and recovery strategies are documented and made part of the disaster recovery plan, and that they are modified when a significant change occurs in one or more of the factors. (O-1)

Media Relations

18. Determine if the Bank maintains a press-release policy and whether the contingency plans designate a public relations spokesperson. (L-3) FFIEC

Duties and Responsibilities

19. Determine if the Bank's disaster recovery plan contains duties and responsibilities for all position descriptions. Verify that duties and responsibilities are appropriate and updated periodically. (O-1)

Employee Emergency Identification

20. Determine if the Bank issues photographic identification or other means of identification to appropriate employees to facilitate access to restricted areas on Bank premises. Interview management and staff to determine how individuals would gain access to their facility if access were restricted by law enforcement personnel. (O-1)

Evacuation Plan

21. Verify that a written evacuation plan exists that contains:
- A designated evacuation route and emergency assembly area, with diagram (O-1)
- A diagram demonstrating the location of emergency shutoff devices for water, gas, and electrical outlets, and operating instructions for those devices (O-1)
- Designated employee positions to act as evacuation personnel (O-1)
- Procedures for rapidly securing the Bank's facilities, assets, and records (O-1)
- Telephone numbers to notify emergency service agencies (O-1)
- Emergency notification telephone numbers for all employees (O-1)

22. Interview management and staff to verify that each individual demonstrates proficiency in emergency response procedures. (O-1)

Facility Requirements

23. Review the most recent report of inspection of security and other devices to verify that the devices have been inspected, tested, and serviced according to an established schedule. Ensure the location of fire extinguishers at each site has been evaluated by appropriate authorities. (O-1)

24. Verify that each unit maintains a current listing of all equipment by make, model, serial number, and location stored. (O-1)

Alternate Sites for Banking Operations

25. Determine if each department, branch, and facility has both a primary and secondary designated location for recovery efforts, and whether the locations selected are appropriate for the designated use. Procedures for both site relocation (short-term) and site restoration (long-term) should be documented. (L-3) FFIEC

Communication and Transportation

26. Determine the methods the Bank has designated to provide for communication needs during a disaster, such as public telephone, mobile telephone, fax machine, computer modem, courier service, etc. Verify that the designated methods are documented in the disaster recovery plan. (O-1)

27. Determine the methods the Bank has designated to provide for transportation needs during a disaster, such as personal vehicle, bank-owned vehicle, moving company, courier service, etc. Verify that these methods are documented in the disaster recovery plan. (O-1)

Bank and Customer Assets

28. Review the Bank's procedures to determine what methods the Bank uses to safeguard its paper assets (cash, negotiable documents, original corporate documents, etc.). Verify that these methods are appropriate and documented in the disaster recovery plan. (O-1)

29. Review procedures to determine what methods the Bank uses to safeguard its customers' paper assets (items held in trust, wills and related documents, titles, grants, and other certificates of ownership). Verify that these methods are appropriate and documented in the disaster recovery plan. (O-1)

Data Processing

30. Determine if the Bank has developed strategies to recover the following in the event of a disaster:
- User operations (O-1)
- Management information systems functions (O-1)
- End-user systems (O-1)
- Networks and microcomputers (O-1)
- Other processing operations (O-1)

31. If the Bank receives information from a service bureau, determine that:
- Management has evaluated the adequacy of the service bureau's contingency plans.
- The Bank's plan is compatible with the service bureau's plan. (L-3) FFIEC

32. Verify that the Bank's disaster recovery plan includes a comprehensive plan for data processing. (L-3) FFIEC

Documentation of Disaster Response

33. Verify that the Bank maintains a record keeping mechanism, preferably in the form of a chronological log, to track disaster recovery efforts. Verify that appropriate employees have been designated to keep a record of disaster recovery efforts. (O-1)

Testing

34. Determine if each unit conducts periodic disaster recovery tests. Preferably, the tests should be conducted:
- Annually
- In a controlled environment
- Involving all critical business units/departments/functions
- Using hypothetical, rather than live, situations (L-3) FFIEC

35. Verify that tests include:
- Setting goals in advance.
- Realistic conditions and activity volumes.
- A post-test analysis report and review process that includes a comparison of test results to the original goals.
- Development of a corrective action plan for all problems encountered. (L-3) FFIEC

36. Determine if each unit conducts a test of the designated evacuation plan, including:
- Physical closure of the building
- Securing of all assets and records
- Safe relocation of employees to the emergency staging area
- Follow-up review (O-1)

37. Verify that the results of all tests are documented and forwarded to management for review. (L-3) FFIEC

Training

38. Verify that the Bank provides training for personnel involved in the plan's execution. (L-3) FFIEC

39. Ensure that the Bank's emergency response training includes:
- A general overview of emergency response policies and crisis management techniques (O-1)
- Instruction in procedures for notifying personnel of a disaster (O-1)
- Procedural training for all employees (O-1)
- Demonstration of the location and operation of emergency shutoff devices for electrical, water, and gas devices (O-1)
- Demonstration of the location and operation of fire extinguishers, first-aid kits, emergency tools, and supplies (O-1)
- Demonstration of the emergency staging area(s) used for evacuation and assembly (O-1)
- Basic first-aid techniques (O-1)

40. Interview the operations officer and a staff member in each location to determine competency regarding their role during emergency responses and disaster recovery. (L-3) FFIEC

41. Verify that emergency response training is documented and available for review by regulatory agencies, including date and time, location, topic(s) addressed, and instructor. (O-1)

42. Ascertain if the Bank's training program includes emergency response training for board members. The agenda recommended in the literature includes:
- A general overview of emergency response policies and crisis management techniques
- A presentation by the Bank's legal representative regarding liability issues, both for members personally and for the Bank. (This presentation should also include an explanation of applicable regulatory statutes.)
- Instruction in procedures for notifying board members and bank personnel of a disaster
- Procedural training for board members
- A presentation by management of a synopsis of the Bank's disaster recovery plan and the designation of individuals named in the Bank's line of succession. (O-1)

43. Review exceptions and recommendations with management.

44. Complete work papers and prepare report.

Ref: CONTPLAN.PGM
May 2, 1997
Total Points: 100

Sources:
FFIEC Interagency Policy on Contingency Planning for Financial Institutions
FFIEC Information Systems Examination Handbook, Chapter 10