Post-Sandy: Lessons LearnedHow Careful Planning Helped Ensure Business Continuity
Organizations - entire communities - will be learning lessons from Superstorm Sandy for years to come. But one community bank's story speaks to the power of business continuity preparation, which in this case helped avert catastrophe.
Frank Sorrentino, CEO of North Jersey Community Bank, an $882 million community institution based in Englewood Cliffs, NJ, says flooding, major tree damage and power outages brought on by Hurricane Sandy ravaged the areas his bank serves, impacting individuals and small businesses alike.
But years of careful and consistent disaster planning ensured this community bank was able to maintain operations.
Sorrentino's key words of advice: "Don't wait for an event like Sandy."
"Being proactive is very important and we've learned a lot of lessons," Sorrentino says in an interview with BankInfoSecurity's Tracy Kitten [transcript below].
NJCB has always been a big proponent of having a disaster recovery policy in effect, Sorrentino says. "These were things that the bank prepared for over its lifetime, [preparing] for any type of cataclysmic event or non-normal type of an event; and, clearly, Sandy was one of those events," he says.
The bank's plan includes duplicate operation centers and telecommunication systems, as well as multiple avenues for communications, including redundant phone systems and social media.
"We were able to actually communicate to our clients," Sorrentino says.
"We did have certain branches lose power and we had to get temporary generators for those locations, and so there may have been a few hours that we were out," he says. "But being able to communicate to our client-base which locations those were, what their operating hours were going to be and what capabilities we had was very, very helpful."
Disaster preparedness can't be successful without that level of planning, Sorrentino says. "When you spend the time, make the investment, create the systems, create the process and procedure, the actual implementation is actually pretty easy," he says.
During this interview, Sorrentino discusses:
- Why disaster recovery planning must be regularly tested, reviewed and updated;
- How vetting vendors and third parties for adequate disaster-recovery planning can ensure operations are maintained and uninterrupted;
- Why the reliance on social media as a primary communication tool is something to embrace on a daily basis, not just during times of distress.
Sorrentino in 2005 helped found North Jersey Community Bank. The bank has eight branches throughout New Jersey, serving primarily commercial customers.
TRACY KITTEN: Tell us about Sandy's impact in your area?
SORRENTINO: The storm was devastating here in our market area and all the markets that we serve. We're in the Greater New York metropolitan area, so counties like Hudson County were affected dramatically. That would be Jersey City and Hoboken. Those are the towns that you see on the news. There was a lot of tree damage in some of the older communities: power lines down and interruption in telephone service. The garden variety issues that you saw with Sandy affected us dramatically. We did not represent a lot of the shore communities, where homes were completely destroyed, but, just as devastating, we had a lot of flooding and other types of wind-related damage in our markets.
Issues for Businesses
KITTEN: Your bank primarily serves small businesses. How were those businesses impacted by Sandy and what were some of their primary financial needs?
SORRENTINO: There were two issues that occurred. The first issue was the obvious one - the storm forced businesses to either remain closed or not conduct business, whether it was a restaurant, law firm or any type of small businesses that you would look at. That was the direct impact of the storm. But there was an indirect impact, in that even the businesses that could get open couldn't access a lot of their financial institutions. They couldn't access their mail. They couldn't get money in the door. They couldn't get wires out. They couldn't pay people. There was a whole other secondary, or derivative, type of exposure that they faced, and that's where a bank like ours really stood out; we were able to service our clients' needs even in the height of the storm.
Disaster Recovery Efforts
KITTEN: Your bank has eight branches. Were disaster recovery efforts implemented at all of those branches?
SORRENTINO: We have always been a big proponent of having a proactive and sophisticated disaster-recovery policy in effect, and the planning for that goes back to our inception back in 2005. These were not things that we did just prior to the storm. These were things that the bank prepared for over its lifetime, to prepare for any type of cataclysmic event or non-normal type of an event, and, clearly, Sandy was one of those events. [This included] things like having duplicate operation centers and having duplicate phone systems; having duplicate, triplicate and even more ways of connecting to the Internet and connecting to our data processors; having multiple types of phone systems to be able to communicate, whether land lines are down or cell lines are down; and multiple vendors. The list goes on and on and on.
We were able to keep the bank open, service our clients, both physically and electronically, and we were able to communicate, which we were told was one of the best things that we were able to do. We were able to actually communicate to our clients, whether it [was] through telephone, e-mail or even the use of social media. We were able to let our clients know what was happening and where it was happening. We did have certain branches lose power and we had to get temporary generators for those locations, and so there may have been a few hours that we were out. But being able to communicate to our client-base which locations those were, what their operating hours were going to be and what capabilities we had was very, very helpful.
KITTEN: What can you tell me about some of these duplicated phone systems and operating systems?
SORRENTINO: We made a conscious decision a number of years ago to have two completely replicated operation centers. One is here in our headquarters in Englewood Cliffs and the other is in one of our other locations, where we have standby generators and we have completely mirrored systems. Everything that's in one is in the other. That, by itself, was a big leg-up over a lot of our competing institutions, and allowed us to remain open, from an electronic standpoint, to be able to access our systems. Having duplicate phone systems and triplicate phone systems allowed us also to communicate. These were things that we put in place many years ago. They've been utilized in a number of these different storms that we've had.
KITTEN: How far away is this back-up site?
SORRENTINO: It's not really that far away, but it's on a different power-grid. It's in a different phone network. It's within our market area, so the geography wasn't what helped us here. It was just being on a completely different power-grid, completely different phone-grid, just being different. In Englewood Cliffs, we had lots of issues with trees; with our other location that wasn't an issue there. Clearly, the thought process of having duplicate systems in an event like this was a big plus.
KITTEN:Was ATM access and getting cash to some of those locations an issue?
SORRENTINO: Part of our electronic network would include the ATM networks, so, certainly, they were impacted; but they were, for the most part, up and running all during the time of the storm and in the aftermath.
Role of Social Media
KITTEN: Do you think social media was the primary way you were communicating with a lot of your customers?
SORRENTINO: I wouldn't say it was the primary way, but it was another avenue that we utilized that we found very successful. The interesting thing about social media is you can't wake up tomorrow and say, "OK, I'm going to start to communicate via Twitter, Facebook or any of the social media sites." You have to build the followers. You have to build the database of people that are utilizing social media. For that database that we created and communicated with on a regular basis, that became very important to us. As we went through the storm, there were people that could not get at their e-mail and could not get their phones working, but they could check their Twitter account, and so they were able to then see what was happening. And more importantly, we were able to engage in a two-way conversation via social media, which is another important tool we use for certain clients. Some clients were very comfortable, and it may have been the only way for them to communicate with us.
KITTEN: How did you put disaster-recovery strategies into action once the storm hit?
SORRENTINO: Actually, that's the easier part. Once you have spent the time, effort and money to develop the systems that you're going to employ in the event of an emergency - and by the way, nobody wants to do those things because we just don't like to think about them. When you spent the time, made the investment, created the systems, created the process and procedure, the actual implementation of it was actually pretty easy. People knew where they were supposed to go. Our team members knew when they were supposed to get together. They knew how to communicate. They were well-versed in if they can't get through on the phone what to do next. Everyone had our emergency response team's cell phones, e-mail addresses, cloud-based e-mail addresses, social media handles if necessary, and so at that point it's just checking boxes off a checklist and it makes it a lot easier, calmer and more successful when you're following something you've practiced, thought about and made the proper investments in.
Updating, Testing the Plan
KITTEN: Can you tell us when the plan was last updated and how often do you test it?
SORRENTINO: I don't want to say daily, but we talk about and think about disaster recovery all the time. It's not something we dust off once a year and say, "What do you think here?" As every technology changes, as we encounter even the most minor issues, we constantly tweak and think about our disaster recovery to come up with ways in which to improve what we think is a pretty good plan on an ongoing and constant basis.
KITTEN: I'm assuming the testing probably just takes place along the way as well?
SORRENTINO: We do regular testing of our systems. It could be overnight or over weekends, constantly testing our capability to respond.
KITTEN: I also wanted to ask about third-party providers that you work with. How were they impacted by this storm and did that adversely effect you in any way?
SORRENTINO: That's part of our thought process as well, what happens to our third-party providers. Even the simple ones like the telephone companies or the mobile phone companies were adversely impacted by this storm, and that's why we just don't say, "At this time everyone is going to join a conference call." What if the conference call service is down? You have to think about all the eventualities and we have to think about who those vendors are. We do inquire what their back-up systems could be and what their disaster recovery model is. We try to understand best practices. There are actually vendors we won't use because we don't feel comfortable about their ability to react in a disaster.
KITTEN: Do you rely on any cloud services?
SORRENTINO: I would say "yes," there are cloud services that we employ. I think they're an important part of our systems, but they were negatively impacted here as well. If all you did was depend upon the cloud and you thought that was your disaster recovery solution, you were rudely awakened in this storm because you couldn't get at the cloud. I think it's a combination of cloud and non-cloud to be able to function, even the ability to do things manually and write things down on a tabular spreadsheet were some of the things that we needed to do in order to be able to service our clients. I don't think there's a simple answer here in just saying go to the cloud, because in this particular storm the cloud was down.
KITTEN:What changes do you think need to be made to your disaster recovery planning?
SORRENTINO: It's interesting. After every one of these types of events - and clearly Sandy was the worst - our team sits down and does a post-mortem. We sit down and say, "What did we do well here? What worked? What didn't work? How would we react to this in the future? What are we happy with? What are we unhappy with?"
Clearly post-Hurricane Sandy there are things that we will change to be able to better accommodate our clients in even a disaster of this magnitude. What exactly those things are today I'm not at liberty to talk about, but there will be additional infrastructure spending and investment to be able to weather pretty much any type of event like Sandy in the future.
KITTEN:What advice could you offer to other institutions?
SORRENTINO: The advice I would have given them before Sandy would be don't wait for an event like Sandy. I think right now many institutions are just concerned or worried about getting through this and putting everything back together and then moving forward. But I think being proactive is very important here and we've learned a lot of lessons here. I think most institutions can look back and learn lessons about what they did or didn't do in preparation of this. And I'm not speaking about direct preparation for this particular storm. I'm just talking about preparation in general because it costs money. It costs a lot of money to maintain duplicate systems and what not. But when you need them, you've got to have them and take this stuff very seriously. Your customers are depending upon you. That takes a lot of thought. It takes a lot of proactive thinking. Think proactively. Think about what you can do and put the customer first.