Disaster Preparedness: Can Your Credit Union Weather the Next Big Storm?

“Spring has sprung” and so has the likelihood of experiencing severe weather events. Just a quick look at weather.gov as I was writing this blog post revealed the risk of severe thunderstorms and flash flooding throughout one region of the U.S., the possibility of tornadoes in several states, and an elevated risk of wildfires in yet another area of the country.

The National Credit Union Administration (NCUA) expects federally insured credit unions (FICUs) to have disaster recovery and business resumption contingency plans in place to address all types of operational disruptions, from short-term power outages to natural disasters that have the potential to physically destroy the credit union’s premises. The question is: how prepared is your credit union to respond to the next unforeseen catastrophic event?

According to NCUA’s many risk alerts and guidance letters on the subject, a credit union’s disaster preparedness program should:

  • Be commensurate with the institution’s complexity of operations;
  • Minimize interruptions of service to members and maintain member confidence in times of emergency; and
  • Be reviewed at least annually and address changes in the credit union’s operations.

NCUA’s Catastrophic Act Preparedness Guidelines (Part 749, Appendix B) provide recommendations for developing (and maintaining) a disaster recovery program, with the oversight and approval of the credit union’s board of directors. The program should include the following elements:

A business impact analysis to evaluate potential threats. After evaluating the credit union’s exposure to a full range of possible disasters, management and/or the disaster recovery team should consider the cost, duration, and impact of critical service/system disruptions on the credit union’s operations or financial condition. For example, how will the credit union handle a power outage that lasts for several days? What would the credit union do if its main and/or branch office facilities were not available for an extended period of time?

A risk assessment to determine critical systems (buildings, hardware, software, power sources, telecommunications, etc.) and necessary resources (financial, personnel, etc.). Credit unions should prioritize the risks to critical systems/services and develop contingency plans accordingly.

A written plan addressing:

  • Individuals with authority to enact the plan (e.g., senior management, disaster recovery team members);
  • Preservation and ability to restore vital records (per NCUA’s Part 749);
  • A method for restoring vital member services through identification of alternate operating location(s) or mediums to provide services, such as telephone centers, shared service centers, agreements with other credit unions, or other appropriate methods;
  • Communication methods for employees and members (also vendors, bonding company, and any business partners, as necessary);
  • Notification of regulators (i.e., catastrophic act report required by NCUA’s Part 748.1(b));
  • Training and documentation of training to ensure all employees and volunteer officials are aware of procedures to follow in the event of destruction of vital records or loss of vital member services; and
  • Testing procedures, including a means for documenting the testing results.

Internal controls for reviewing the plan at least annually and for revising the plan as circumstances warrant, for example, to address changes in the credit union’s operations; and

Annual testing. To ensure the contingency plans actually work, a credit union should test (i.e., validate) the plan at least annually or when a significant change takes place. The test should determine if the credit union could recover to an acceptable level of business within the timeframe stated in the disaster recovery plan.

Examples of testing methods include, but are not limited to, simulations, role-play, walk-throughs, and alternate site reviews. Disaster drills should include all critical functions and areas of the credit union. The credit union should document the test and maintain work papers to demonstrate that responsible staff tested all critical functions and areas of the institution.

Per NCUA’s risk alert on disaster planning and response, consider the following when reviewing your efforts to PREPARE for the next potential disaster:

Planning – Ensuring Financial Services to Members

Resources – Allocation of Sufficient Equipment and Facilities

Evaluation – Testing of Contingencies for All Critical Systems

People – Maintaining Readiness of Staff and Officials

Alliances – Established Relationships with Other Organizations

Review – Updating Internal Plans for Effectiveness

Experience – Incorporate Lessons Learned

Please see the following resources for more information:

NCUA Disaster and Hurricane Information

FFIEC Business Continuity Management Infobase

Ready.gov

FEMA.gov