2023 IT Examiner School

Internal Use Only

Key Points (continued) To assess the adequacy and effectiveness of a Licensee's plan, assess:

Management Support

Risk Management Strategies

Business Impact Analysis

Backup Location

Risk Monitoring/ Testing

Training

Update the Plan

Internal Use Only

Conclusions: Things to Remember • Disaster recovery is the technology part of business continuity management • A business continuity plan must include a business impact analysis to identify critical infrastructure, applications, and processes, prioritize recovery actions, and establish recovery time objectives and recovery point objectives • Pandemic Plans- what to do when a serious situation arises that impacts the local, regional, state, and/or national level that greatly impacts licensee’s operations, e.g., COVID 19 • Plans must be regularly reviewed and updated • Testing should occur at least annually, and include all personnel involved in the administration and execution of the plan • FIs should attempt full interruption tests periodically (not necessarily annually) to provide assurance that recovery is possible