FDIC Examination - Disaster Recovery

Is the FDIC emphasizing more on Disaster Recovery during examinations more? My CEO is freaking out cus he went to a conference and some guy told him they were.

Can you say Swine Flu or Hurricane Ike or wild fires in CA???

No hurricane damage or wild fires likely where i live, i guess what i was asking is if anyone has been through an FDIC exam recently where Disaster Recovery was emphasized more than in past exams?

We just finished an FDIC exam and I would have to answer yes to your question. Make sure you have a plan in place, a risk assessment done and that your plan has been tested. Make sure your policy and assessment are board approved and that your IT committee or other board approved committee is aware of your plan and the results of your testing.

In the last 10 months, S&S and Compliance exams... neither group said boo about DR.

"In the last 10 months, S&S and Compliance exams... neither group said boo about DR."

That is because it is part of the IT exam.

Yes, DR/BR is a hot topic with most examining bodies right now.

We are making sure our audit clients have a Business Impact Analysis, Risk Assessment, Pandemic Plan (as part of DR plan), and that they address alternative sources of cash.

The western portion of our state, just across the river from where you are, suffered an incredible ice storm in January. Two days later I had to call 30 banks in that area. Only 4 of them answered the phone. Their contingency plans got a real test. Some were proud. Some were embarrassed.

The value of thoughtful testing was summed up by the banker who told me about their new state of the art back up branch (complete with diesel generator) that seamlessly absorbed all bank operations. The only exception being the fact that their was no water pressure and the modern commodes did not have tanks that could be filled manually. They could not flush the toilets.

Think about everything...

Just make sure you're testing your plan, fully!

Our S&S and compliance exam also ended in the last 8 months - which included IT - nothing mentioned.

Definitely Disaster Recovery Plan (DRP) and Business Continuity Plan (BCP) are getting increasing attention from examiners.
Make sure your BCP is in place, is supported by a Business Impact Analysis (BIA), the plan has all the elements (including pandemic flu preparedness/response), it has been approved by the board, appropriate dissemination of the BCP/training of staff has been done, the DRP has been tested and results documented and shared with senior management.

Every OCC exam we have focuses on this. We test annually, and living in hurricane central, we have had to deploy it on more than 1 occassion. We also notify the OCC when we have deployed for contingency purposes - it is a courtesy move on our part but it lets them make a "note" in our file that not only have we tested but deployed and worked.

I recommend making sure the testing you do is correlated to the results of your Business Impact Analysis. For example, if wire transfers are a critical function at your institution, make sure you test those recovery plans accordingly. The days of just testing your core system are over. . .

Whether or not your BCP is being looked at will most likely depend on the region, the agency, and the examination. Reviewing the BCP is a key part of the IT examination and the responses I am getting from many institutions across the country is it was a main focus, I am also seeing more criticisms in examination reports. But again, like with any other area - it is going to depend on the agency and the examiners focus and will very likely be all over the board. Better to be prepared than risk not having a comprehensive plan in place that includes a good BIA and testing plan. The two areas I see cited the most.