CISO Interviews: Roger Batsel, Republic Bank, on Business Continuity/Disaster Recovery
Roger Batsel, SVP, Managing Director of Information Systems at Republic Bank, Louisville, KY., says it's time to separate duties: Let IT handle system outages, and put business continuity planning in the hands of the business folks.
In this exclusive interview, Batsel discusses the positive impact this novel approach has had on his bank.
KAREN MURPHY: Hello and welcome to today's Podcast brought to you by Information Security Media Group. I'm your host Karyn Murphy, and I am speaking today with Roger Batsel, Senior Vice President, Managing Director of Information Systems at Republic Bank.
When it comes to business continuity, Roger is a self-proclaimed zealot, and he is here to share his thoughts on the subject. Welcome, Roger.
ROGER BATSEL: Thank you, Karyn.
MURPHY: Well, I thought we would begin, Roger, if you could just give a real quick overview of your institution.
BATSEL: Sure. Republic Bank is headquartered in Louisville, KY., and we have approximately 42 banking centers. I say approximately in that we are adding a couple more this summer. And we are a little over $3 billion dollars in assets, and we cover the Indiana, Kentucky and Florida markets and in our primary markets with the Louisville metro area, as well as Lexington, Kentucky. We are strongly focused on mortgage lending, and we are expanding our presence in commercial lending as well. One thing that makes Republic Bank unique is that we also are into a variety of nontraditional banking products as well.
MURPHY: Interesting. Thanks very much; that will help kind of set the stage for our listeners.
MURPHY: Now I understand that Republic Bank has made some radical changes in the area of business continuity. What do you feel is most remarkable about what you have done?
BATSEL: Well, approximately two years ago, Republic Bank made a conscious decision -- I should say management made a conscious decision -- to take a careful look at its disaster recovery and business continuity planning efforts. During our 2006 FDIC examinations, we received some suggestions about improving the robustness and detail in our business continuity planning. And so that was about the time that I took over management of the Information Systems group for the bank, and I took a careful look at what exactly was disaster recovery. What was that going to mean in Republic Bank, and what did we mean by business continuity planning? And I really set a direction for the bank, and it has proven to be a very sound decision, I believe, where the IS department would have a very strong focus on disaster recovery, which in our usage really means systems recovery.
That business continuity planning is very much a business responsibility, and our bank again, as it is for most banks, is involved in a lot of operational detail. So we made an effort to pull the business continuity program, both its redevelopment and its stewardship, out of the IT department. IT clearly is a strong component to the BCP program; however, it is not the driver of the program, and we were able to find a good home for it.
In our bank we have a Chief Risk Officer, which oversees our audit and compliance functions, and we've put the program development with a dedicated staff member that oversees that program underneath the Risk Officer. This is important for many reasons -- governance reasons as well as improving the overall quality of the BCP program in that it is business sponsored and not a technical endeavor solely driven by the IT department.
MURPHY: That's very interesting. Now, how do you feel the changes have kind of impacted your business?
BATSEL: Well, some of the immediate challenges that really came out are expressed during our BCP steering committee meetings. As with most programs, it has a steering committee, and we meet on roughly a monthly basis, and the director of the BCP program sets an agenda which allows us to do refinements on our business impact analysis and all the various components that folks are familiar with that need to be in the BCP program.
The immediate change I've seen is that it is a wonderful opportunity for IT -- one of the most critical suppliers to the operation and business areas in our bank -- to really inform our internal customers on what are and what are not their capabilities. It is always good to clarify, for example, recovery times and also many of the details that are often overlooked when IT is solely running the BCP program and to bring that out in a venue where it is not a lot of technical folks around. These are representatives and directors and even some executive-level representation that reach more lines of business, the lending functions, deposit functions, as well as our traditional and nontraditional banking product groups. So immediately we've seen that they are more informed. They begin to understand their systems better because they are also tasked with truly understanding what systems they need to have in place on, say, the first day that we are in a disaster mode of recovery.
MURPHY: That's great. It sounds like a great plan in place, and it kind of brings me to think about something else. Information Security Media Group did a State of Banking Information Security survey a little while back, and one of the things that came out of it was that institutions aren't necessarily doing a great job testing and communicating their business continuity and disaster recovery plans. How do you approach that? How are you doing in that respect?
BATSEL: Well, in our bank, as we've done for years and I would guess this is a common scenario for banks of our size, but twice a year we do DR testing. And that DR testing is intended to really focus on the most critical of our systems, such as core processing platform, recovery of the mainframe and that type of thing. We are an in-house shop, so we recover through an offsite location, and we've over time expanded the scope of that gradually to include more end-to-end systems by taking a look at other critical things such as our teller platforms and that type of thing. And I think that is a fairly common scenario, but again, looking at the sort of philosophical shift that we've made where we really are putting the thoughts about business continuity, the continuation of operations when you are in a disaster scenario in the hands of the business, we've seen that the standard DR test recovering of mainframe is really a technical exercise.
So, what we are seeing now with our BCP program -- and, again, this has been structured about seven months, I guess, in this new format -- immediately in our first DR test this year, we expanded the scope to really truly involve a lot of user testing. We had operations folks actually performing the tests and signing off on the testing sheets and returning those for documentation purposes. They took a fairly moderate role in defining what systems were to be included along with the core system recovery this year, and for our second annual test this year that will even be expanded more. In fact, I would venture that the business really ought to entirely define the scope of those systems to be tested.
MURPHY: Well, you've obviously put a lot of thought into this whole area of business continuity. From your kind of learned perspective, what you've kind of gone through in the past, what do you feel is the single most important step that banks and credit unions can take to improve their efforts in the area?
BATSEL: Well obviously I'm espousing my particular approach to this, and that is to genuinely think about separating and making the BCP efforts quite distinct from the DR efforts. And then take -- there are a lot of implications to that, and clearly you must get representatives from the lines of business, whether it be operation managers or product teams, or even folks representing the sales and production functions; you've got to get them involved into the BCP efforts.
And I will illustrate this point that for example, certain functions of the bank -- say, the processing of loan applications, lending servicing/loan servicing or even teller functions -- you know, it is really quite a simplistic answer to say 'Well, if we are in a disaster scenario, we just simply need to bring those systems back up.' I mean folks to feel comfortable to show up for work, to be able to perform teller functions in the banking centers, need to also feel safe, so you have to take into consideration physical security, as well as you will need to be able to move deposit items. So, courier services are also very important, a very critical supplier. You need to have some considerations around facilities, for example if the building needs repairs because of the disaster situation that you are in, your facilities team would need to be engaged.
The point of all of this is to illustrate that your IT group is but one of perhaps several critical vendors that are needed in order to continue operations in a particular disaster scenario, so you have got to be able to communicate that point and make sure that the business is informed of that and make sure they make decisions around continuation of their operations.
I think that if you can communicate and educate the business units on that point, that alone will really propel your BCP efforts, whether or not you choose to pull them out of IT.
MURPHY: Great. Well you are--definitely this is a passion for you. So can you tell me why you've become such a zealot for reform?
BATSEL: Well, sure. About two years ago, again when we had completed an FDIC examination, and we were reviewing the findings and the suggestions and the guidance offered there. And that was a positive examination, so I don't want to miscast it, but we were trying to determine how we were going to refine and improve our BCP efforts. In the fall of that year, 2006, the bank was headquartered in Louisville and was struck by lightning and we had to entirely vacate for about three months, our headquarters. Our data center didn't survive, unfortunately so we were not faced, or a lot of our energies were not focused on traditional DR systems recovery efforts.
Instead, we were focusing very much on the logistics, the things that I have spoken of today, the concerns about our supplier, the couriers and do the couriers know where to go, do you have adequate lighting, are the noise levels during the remediation safe for folks to work, security of files and paper information, all of these things, again, things that would not be included in your traditional systems DR planning took precedence. And that was a real education because I think it became clear to our bank that these very critical concerns had to be dealt with by groups that were not IT. And so that really set the stage. I don't think it convinced everyone, but it set the stage and it created the opportunity for us to structure our BCP program outside of IT and get the proper business sponsorship and engagement in it.
MURPHY: Well, that's great. It sounds like your passion has really made a difference for Republic Bank and hopefully for our listeners today.
So on behalf of Information Security Media Group, we thank you so much for your time, Roger, and I hope the audience will tune in for podcasts in the future. Thanks again, Roger.
BATSEL: Thank you, Karyn.