From natural catastrophes to man-made disasters, today's environment leaves little doubt about the need for mortgage servicers to establish an extensive disaster-recovery plan (DRP). While most have gone to great lengths to develop a comprehensive DRP, some servicers are not holding their vendors to the same stringent requirements.
As the Web continues to enable greater data-sharing capabilities, a DRP should be a main priority for servicers; it is absolutely vital that all parties with access to valuable information have the proper procedures in place to protect irreplaceable data.
Only 6% of companies survive a major catastrophe, according to a 2001 article in Health Management Technology, and given that finding, it would seem that the benefits of having a DRP in place outweigh the risk of not having a plan in place.
Because the return on investment is not immediately seen, it can be difficult to get approval from executive management. Additionally, New York-based Goldman Sachs Group Inc. is forecasting losses from the credit crisis to be in the neighborhood of $1.2 trillion. With many already spending millions to comply with federal regulations on data backup and recovery systems, it is easy to see why increased IT spending would not be high on the priority list.
Servicers today are placing greater emphasis on ensuring that their partners also have the appropriate mechanisms in place to protect the integrity of their data. Servicers must require partners to follow corporate governance and be familiar with ISO 1779, which defines appropriate security policies and standard procedures, as well as legislation such as Sarbanes-Oxley.
Servicers must enforce the development of policies that cover configuration management, capacity and financial management in order to clearly understand how IT is structured through their partner's network.
This can be particularly relevant in the default servicing sector, as many vendors have grown quickly without having the proper infrastructure to support that growth. As vendors increase staff and resources to keep up with their growing workload, it is equally important to strengthen their information technology operations. While a large part of IT focuses on technology and backup data centers, vendors must also be willing to invest financially in the development of a DRP.
Depending on the level of protection desired, this can be costly. But when weighed against the financial loss from a disruption in operations, the cost can be worthwhile.
Crafting a DRP
The objectives of any DRP should be to protect the organization, ensure the continuity of operations while minimizing disruption, and prevent financial losses by implementing an expedient recovery. However, it's not sufficient to simply create a committee to develop a plan.
For true success, companies must test the plan with different scenarios to understand and identify potential weaknesses. A full-blown test should be run at least twice a year, while penetration testing should be done monthly.
Particularly for servicers who have vendors that complete work in the field, a cryptographic privacy and authentication program must be used for laptops and mobile devices. If data is lost in the field, vendors must not compromise the integrity of their customers' data.
When putting together the initial framework for a plan, companies must take a granular approach, detailing the precise items that need to be recovered in the event of a disaster. This can include hardware, software and storage assets, and in the case of larger companies, it may need to be done as separate line items for different business units.
The recovery of certain information may be considered immediate, while other information may be considered tertiary to operations and will not need to be recovered with the same level of urgency. Companies must also identify the varying levels of acceptability for data loss and times for recovery. While the loss of any data is really considered unacceptable, there may be more tolerance to the recovery times with some of the more ancillary information.
One area of focus is the technology platform used, as vendors can achieve greater flexibility through their system architecture. Today's technology platforms are increasingly sophisticated, making it much easier to be nimble and react to disaster-type situations. In the .NET platform, which is noted for its reliability and scalability, the architecture is also designed to be secure, with strong authentication features.
Most companies have multiple data lines and redundancy built into their systems, so if their headquarters are affected by a disaster, traffic can be re-routed through the DRP immediately to allow employees and customers to continue working. There should be multiple locations where the information is backed up, ensuring that data can be replicated quickly and securely.
Vendors should consider places that would be likely to have uninterrupted service with 100% availability. This space can also be used for work should there be any prolonged issues with Secure Sockets Layer products that can connect to services in the event that one location is rendered temporarily unusable.
Such a situation can be a compelling reason to either place servers in specified disaster recovery sites or outsource the hosting of those servers. It can be very cost-effective to outsource hosting of the servers, which saves the company money in equipment, staff and maintenance costs. According to Forrester Research, these costs can run upwards of $70,000 per year.
Maintaining data flow
From a technical standpoint, vendors must focus on keeping data available during a disaster, which means looking into everything from phone lines to cable connections.
From a connection standpoint, Digital Signal Level 3 (DS-3) lines have larger bandwidth and capacity. Typically used in high-volume businesses, DS-3 is a high-speed connection that provides a dedicated, stable and reliable link to the Internet and can support more than 500 computer users at the same time.
If DS-3 proves too costly, another option is collocation facilities, in which users can share lines with others, driving the cost down. For vendors without an in-house IT staff, there are telecommunications brokers that can put a plan in place as it pertains to disaster recovery.
Phone service should also be addressed in a DRP, from rollover of the lines to data backup for voicemails. It is imperative to maintain business communication without the need for new phone numbers or fax numbers. No number should be reliant on equipment. Instead, vendors should be able to do a simple re-route to a data center or unaffected location.
When it comes to testing, vendors need the tools to plug in different scenarios to determine how the system is working. After each scenario, the system needs to generate a detailed report of performance in different areas.
These scenarios must be all-encompassing, from a pipe bursting to a chemical terrorist attack. It is easier to make proper adjustments around known disasters, such as a hurricane. However, it is essential to be prepared for anything – even the disasters that may be unpredictable, such as hacking or terrorism.
A DRP must be a living document, as its effectiveness can depend on the consistent evaluation of strategies, including backup procedures, contact information, loss assessment and business resumption measures. A solid DRP addresses responsibilities of the team, backup and recovery strategies, procedures and processes to follow, as well as testing, training and regular evaluation of the plan.
Servicers must hold vendors to a higher standard of DRP business continuity: From technology to testing, it can become paramount to minimizing service disruptions in the event of a disaster.
Allan Martin is CEO of property preservation specialist Mortgage Contracting Services, Tampa, Fla. He can be reached at (813) 387-1100.