
Knowledge Management Key Points

March 2, 2010
  • Regulators have updated Contingency Planning guidance since 9-11.  Financial institutions should ensure that Disaster Recovery and contingency plans include any new requirements.
  • Financial institutions should compare federal and state regulatory requirements to ensure the more stringent requirements are adequately addressed.
  • Review existing plans to ensure that natural disasters, building-complex incidents and terrorist events are considered.
  • Make sure plans include consideration of Federal, State and Local government-mandated extensions and requirements, which can help mitigate the risk of loss from legal actions.
  • The terrorist plan should identify key, predefined assembly locations for employees so that a headcount can be taken and staff can be protected from biological or chemical agents.  Plans should include provisions for several days.
  • Most plans consider average downtime to be 3-5 days in the event of a natural disaster.  Terrorist events or mass catastrophes typically result in 11-14 days of downtime or inaccessibility of buildings, including the unavailability of 30% to 45% of staff.
  • Important lists and procedures for evacuation or safety precautions should be posted on employee boards.
  • Experts recommend two coordinated plans: one addressing institutional planning and one addressing Information Technology/Security planning.
  • Desktop training is the most efficient and effective means of educating staff.  Draft scenarios are available.
  • Vendor contracts should state how the vendor will contribute to recovery efforts, in terms of equipment and support.  This service should be included in the contingency plan to avoid redundant efforts and additional costs.
  • Always prepare an "after event" action report to aid in dealing with member, employee or other forms of litigation.
  • Ensure the contingency plan has a media plan, which should provide for succession in PR responsibilities, or for legal help, in cases where senior managers are not available.


Common Planning Mistakes or Omissions


  • Plans do not account for widespread regional catastrophes.  Reciprocal agreements with branches or other financial institutions in close proximity are then of little use, because those sites are affected by the same event, which impairs recovery.
  • Plans underestimate the number of employees who will not be available for recovery efforts.  Generally, only 33% of your staff will be available in the case of a terrorist attack at or around your site.
  • Insufficient consideration of the various types of terrorist attacks that could occur.
  • In the case of mass casualties or destruction, always factor in street crime resulting from the chaos.
  • Plans do not include establishing communications and relationships with local law enforcement or public safety authorities before the event.
  • Staff training is one of the weakest elements of the Contingency Planning process.  The plan should include training for the Board, critical committees, employees and critical vendors.
  • Lines of succession are typically not well defined, listing only two or three individuals.
  • Plans should extend succession lines, not only at senior levels but within each business line, listing several levels of staff.