Regulating disaster recovery
Internal Auditor, Dec, 1997 by William DiMartini, Pat McAnally
Most companies think of the risks associated with business contingency planning in terms of the havoc wreaked by natural disasters. The possibility that computer systems could be damaged, that data may be lost, and that operations might be interrupted by Mother Nature gets all the attention. Few internal auditors realize, however, that the risk factors associated with simply not having contingency plans in place can be just as costly and damaging to the organization as the effects of any storm.
For example, not all internal auditors are aware of the costs that can result from non-compliance with laws and regulations governing disaster recovery planning. Just as an organization is picking up the pieces of a shattered infrastructure, it may find itself in hot water with the relevant authorities for failing to plan. Companies and their executives may face fines and even negligence lawsuits.
External factors exist beyond the law, as well. Disaster recovery planning is increasingly a condition of doing business with others. Some voluntary associations require applicants for accreditation to maintain contingency plans, and organizations are more and more concerned about the presence of such plans among their suppliers and business partners.
The disaster recovery plan is, therefore, quickly becoming an item on the audit checklists of regulatory bodies and potential business partners, and it should be found on the internal auditor's checklist, as well. Many of the requirements described in the following section can provide a starting point for ensuring that the company is in compliance with applicable disaster recovery planning regulations and requirements. While most are applicable only in the U.S. and within certain industries, knowledge of these requirements will give internal auditors in any business environment a checklist for auditing disaster planning efforts.
BANKING AND FINANCE
For more than 20 years, banking and finance has been the most regulated industry in the area of disaster recovery planning. Federal regulations now cover everything from basic planning to specific goals for Year 2000 compliance.
In 1989, the U.S. Federal Financial Institutions Examination Council (FFIEC) mandated an institution-wide emphasis on contingency planning. All banks were required to maintain, exercise, and certify in writing that programs were in place.
A 1996 FFIEC guideline also requires risk management of distributed computing systems, which was not addressed in the earlier regulation. Examiners may review each financial institution's client/server systems, especially if they host mission-critical applications like funds transfer, branch automation, general ledger reporting, security portfolio accounting, and customer relationship management. This provision applies to the independent service providers hired by the banks, as well, and it reiterates that disaster planning for client/server is just as important as it is for the mainframe.
In July of this year, the FFIEC issued a peremptory statement requiring comprehensive business resumption and contingency plans for all financial institutions under the governance of the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision. The statement, FIL-68-97, firmly placed responsibility on the Board of Directors for ensuring that such plans had been implemented, leaving them open to liability if the financial institution isn't prepared when disaster strikes.
STOCK MARKETS
In 1991, the U.S. Government Accounting Office (GAO) reviewed the level of systems security and controls in six stock markets: the American Stock Exchange, the National Association of Securities Dealers, the New York Stock Exchange, the Midwest Stock Exchange, the Pacific Stock Exchange, and the Philadelphia Stock Exchange. With the exception of the NASD, all were cited for systems security problems and control weaknesses. Four of the six did not have documented business recovery plans, while three of the six lacked backup computer capability.
The GAO's subsequent report instructed the stock markets to take corrective action and to keep the SEC apprised of "the market risks associated with any outstanding weaknesses that are not corrected." This audit took place before the Chicago flood of 1991 and the World Trade Center bombing of 1993, both of which impacted the stock markets.
CLEARING HOUSE BANKS
In June 1991, the New York Clearing House Association recommended that all Clearing House banks, which daily send a combined average of $20 billion or more in wire transfers around the globe, develop contingency plans that would bring them to fully recovered operational status by the beginning of the next banking day. In addition, the Expedited Funds Availability Act, which requires ATM operators to establish deadlines for making funds available to customers, and the Electronic Fund Transfer Act established a maximum "outage window" for these organizations. The 1987 acts stipulate, without regard to the expense involved, that electronic direct deposits must be available on the same day they are received, and that other wire transfers must be accessible by the next business day.