DATE: April 7, 1997 LETTER NO. 97-CU-3

TO: ALL FEDERALLY INSURED CREDIT UNIONS

SUBJ: CORPORATE BUSINESS RESUMPTION AND CONTINGENCY PLANNING

For your reference, I am enclosing an interagency statement recently released by the Federal Financial Institutions Examination Council (FFIEC) which discusses contingency planning. Guidelines for contingency planning are included and the board of directors of each federally insured credit union should ensure that an appropriate contingency plan is in place and has been adequately tested and monitored.

This interagency statement revises the one issued to all credit unions in Letter to Credit Unions No. 109, dated September 1, 1989. In that Letter, three statements were issued, however, only the one entitled "Interagency Policy on Contingency Planning for Financial Institutions" is revised.

Contingency planning is crucial to the operations of each credit union. Each credit union should have a tested plan in place to ensure the smooth operation of the credit union in the event of a disruption of service for whatever cause. Examiners will continue to review and evaluate these plans at future examinations.

Sincerely,

/S/

Norman E. D'Amours
Chairman

EI

Enclosure

PURPOSE

This statement emphasizes to the board of directors and senior management of each financial institution the importance of corporate business resumption and information systems contingency planning functions. This includes planning for the recovery of critical information systems processing and operations supported by external service providers. This statement also addresses issues that management should consider when developing a viable contingency plan.

BACKGROUND

Information systems technology has evolved into a critical facet of the corporate structure of credit unions. Transaction processing and business applications are no longer restricted to mainframe computer environments. The use of distributed platforms (including mid-range computer, client/server technology, and local and wide area networks) for mission-critical business functions expands the scope of contingency planning.

Corporate and customer services throughout credit unions are now more dependent on direct access to information and accounts. This includes contemporary financial delivery systems and services such as PC-banking, corporate cash management, and Internet promotion. These services represent key transactional, strategic, and reputational issues for the credit union. Often these services depend on a combination of internal and external information processing services. Outsourcing arrangements and other technology alliances involve unique considerations which also expand the boundaries of contingency planning.

Business recovery planners must recognize this new environment and the risks it may pose to the credit union. The importance of these operations and service units requires effective business recovery planning from a corporate-wide perspective.

DEFINITION

Contingency planning is the process of identifying critical information systems and business functions and developing plans to enable those systems and functions to be resumed in the event of a disruption. The process includes testing the recovery plans to ensure they are effective. During the testing process management should also verify that business unit plans complement the information systems plans.

GOALS

The goal of an effective contingency plan and recovery process is to facilitate and expedite the resumption of business after a disruption of vital information systems and operations. The principle objectives are to:

• Minimize disruptions of service to the credit union and its members.

• Ensure timely resumption of operations.

• Limit losses to earnings and capital.

It is important for both credit unions and their service bureaus to regularly assess risks associated with the loss or extended disruption of business operations and to evaluate their vulnerability to those risks. To achieve contingency planning and business resumption goals and objectives, senior management should ensure that:

• Contingency plans are comprehensive and address all of the critical functions and operations in a credit union. This includes assessing the response capability of key disaster recovery service vendors (e.g., the vendor(s) providing alternate processing sites; storage and transportation of back-up media between the storage vendor, alternate processing site and the credit union).

• An effective business resumption and contingency plan has been coordinated with their information processing and service providers.

• Contingency plans are thoroughly tested at least annually.

• Test results and recommendations from such testing are reviewed.

• Appropriate corrective actions are implemented.

POLICY

The board of directors and senior management of each credit union is responsible for:

• Establishing policies and procedures, and assigning responsibilities to ensure that comprehensive corporate business resumption, contingency planning, and testing takes place.

• Annually reviewing the adequacy of the credit union's business recovery and contingency plan and test results.

• Documenting such reviews and approvals in the board minutes.

Furthermore, if the credit union receives information processing from a service bureau, senior management also has a responsibility to:

• Evaluate the adequacy of contingency planning and testing for its service bureau.

• Ensure that the credit union's contingency plan is compatible with that of its service bureau.

Please refer to the FFIEC Information Systems Examination Handbook for specific guidance on developing an organization-wide contingency plan. The Handbook is available on the NCUA website at www.ncua.gov.

Revised: March 1997