


Mastering Risk

05 December 2013

6 Disaster Recovery Best Practices as Defined by Regulators

Recent guidelines from regulators can help firms improve their business continuity and disaster recovery practices.

Earlier this year the Securities and Exchange Commission (SEC), the Commodity Futures Trading Commission (CFTC) and the Financial Industry Regulatory Authority (FINRA) provided guidance on their views of effective business continuity (BC) and disaster recovery (DR) practices, which included:

  • Preparation for widespread disruption;
  • Planning for alternative locations;
  • Telecommunications services and technology;
  • Communication plans;
  • Regulatory and compliance considerations; and
  • Reviewing and testing.

Using this framework, here are some tips on putting these guidelines into practice.

1. Preparing for widespread disruptions

Geographical diversity and infrastructure resiliency are at the heart of any effective DR plan. But beyond ensuring that a firm’s infrastructure – whether on-site or in a cloud – is built to withstand regional disruptions, it is important to ensure human resources are available should a widespread disruption occur. When evaluating a DR service provider, for example, firms should understand if the provider can support a multi-client activation and can mobilize resources from other regions if its primary site is impacted.


2. Alternate locations: To hot site, or not to hot site?

A DR strategy should include remote access to a DR environment that replicates a firm’s primary environment and enables employees to remain operational and productive in the event of an outage. For most, a physical hot site location is not necessary; however, some firms are most comfortable having their teams all in one place to continue critical business functions, such as trading.

3. Remote access technology

There are three commonly used technologies for remote access: virtual private network (VPN), Citrix and Outlook Web Access (OWA).

  • VPN technologies work by connecting a remote computer to a user’s primary computer, allowing someone to “remote desktop” and run all of the applications that live on his work computer’s server.
  • With a Citrix server, you can log into a website via any computer and get access to the applications that live on the Citrix server in your office.
  • For those who use Microsoft Outlook for email, Outlook Web App (OWA) provides Web access to email, contacts and calendars.

Whichever remote access technology or combination of technologies a firm decides to employ, the key is ensuring employees know how to properly use them and test them prior to a disaster.

Another consideration to keep in mind is licensing of remote access technology. SSL VPN and Citrix are both licensed by concurrent users, so as your firm adds new employees and users, remember to add licenses accordingly. Unfortunately, some firms don’t realize they need more licenses until a disaster hits and employees are unable to connect.

4. Communication plans

Communication is vital during a disaster or incident. As part of the BC planning process, firms should outline procedures for communicating with employees as well as external business partners (e.g., regulators, exchanges and emergency officials). They must also identify the individuals within the organization (names and titles) who are responsible for initiating the emergency procedures outlined in the BC plan.

For employee communications, be prepared to outline work expectations and how information will be disseminated. For partners, know how to reach them and set guidelines on the frequency with which they can expect updates on post-recovery status.

5. Review and testing

Testing is an essential component of any effective DR and BC planning strategy and should include systems as well as employees. As part of the process, firms should conduct a full BC planning test at least annually to validate that critical functions can operate regardless of location. Employees should also complete annual BC planning training.

In addition to training, employees should validate that they can work remotely and access the systems necessary to continue their functions. Firms should also ensure their infrastructure can accommodate telecommuting for all employees.

6. Looking at service providers

Just as regulators are reviewing the contingency plans of investment firms, you too should understand the precautions your service providers have in place. Ask to review their disaster recovery and business continuity plans as well as corporate policies around information security.

Mary Beth Hamilton is vice president of marketing for Eze Castle Integration.


1 Comment to "6 Disaster Recovery Best Practices as Defined by Regulators":
  • 06 August 2014

    Natural calamities like hurricanes and floods are sometimes unpredictable. Due to such a calamity, our way of living is ruined and therefore we're back to zero. However, there are agencies that are willing to help us, but at some point these agencies bring worry into our lives. FEMA has not always made friends; this March they started requesting repayment of $21 million from citizens. If his efforts fail, a lot of people could need personal loans to help pay off the money.
