
Approved: 1/22/2019

Last Modified: 12/23/2019

Sturgis Bank & Trust Company

Business Continuity
And
Disaster Recovery Policy

Contents
Purpose
Introduction
Chain of Command
Scope
Recovery Strategies
Plan Activation
Enforcement
Staffing Resources
Teams
Executive Management Team
Business Resumption Management Team
Accounting Resumption Team
Customer Service Resumption Team
Lending Resumption Team
Operations Resumption Team
Trust Resumption Team
Human Resources Resumption Team
Facilities Resumption Team
Physical Security Team
Safety Procedures
Testing
General Test Objectives and Strategies
Development of Test Plans
Test Types
Disaster Recovery Plan
Emergency Services
Backup Structure
Reference Documents

Purpose

The purpose of this policy is to:

1. Protect the Bank’s assets and those of its customers
2. Minimize the loss of customer and public confidence
3. Facilitate the prompt resumption of operations

All employees of Sturgis Bank & Trust Company, herein referred to as the “Bank”, must comply
with the terms of this policy immediately.

Introduction
This policy consists of the information and procedures required to enable rapid response and recovery
from an emergency or disaster which would prohibit business units from processing critical business
functions using normal processing methods. Successful recovery operations depend on:

1. Completing and maintaining an up-to-date version of this policy and other related
documentation.
2. Training assigned personnel on various aspects of this policy (business recovery teams) and
other contingency plans.
3. Performing comprehensive tests of the plans mentioned in this policy.
4. Modifying this policy and other contingency plans as a result of the tests.
5. Performing adequate cross-training to reduce reliance on key personnel.

Contingency and disaster recovery plans are both critical and essential to the Bank’s ability to mitigate
risks from both internal and external sources to resume business operations and activities in the event
of an emergency or disaster.

This policy is to be tested annually to ensure that the outlined contingency plans are feasible and
address all facets of the Bank’s operations. With the same respect, this policy and other contingency
plans are to be continually updated to current standards to reflect accurate and complete information
regarding personnel, emergency services, evacuation plans, mobilization capabilities, and Bank data
or equipment, etc.

NOTE: The information contained within this policy is confidential, and is intended for the strict use
by the Board of Directors, Senior Management, and other designated personnel to ensure the success
of recovery plans.

Chain of Command

In the event of a disaster in which the President of the Bank cannot be located or is unable to perform his or
her duties, the authority and duties of this position will be assumed by the following person(s) in
the order of succession:

1. Executive Vice President
2. Senior Vice President
3. First Vice President

The Board of Directors should be kept informed at all times of the current chain of command.

Anyone having business with the Bank may accept a certification by any succeeding officer or
director acting as President. This authority is void when the President can resume his or her
responsibilities.

All officers of the Bank shall be familiar with the order of succession. All officers shall also be
familiar with the processes for recovery and reconstruction of Bank records, providing emergency
banking services to customers, extending credit and approving loans, and relocating facilities.
Officers of the Bank shall be provided a list that contains the names, addresses, and emergency
telephone numbers of persons on the succession list above them, as well as other personnel. The
person whose name appears nearer to the top is to be in command until someone whose name appears
above his or hers supersedes that individual’s authority if revoked by instruction from the Board of
Directors.

Scope

This policy applies to all critical business unit operations and functions of the Bank, in addition to
procedures for disaster recovery and business resumption. It does not include, however, operations
outside of this area, nor specific technical procedures required by technical personnel to correct or fix
systems that failed because of an emergency or disaster.

This policy applies to:

1. Bank employees.
2. Information in all forms, including oral, written, and electronic.
3. Physical and logical (non-physical) protection.
4. All modes of information processing, including, but not limited to, manual methods,
hardware and software networks, other devices and information disposal techniques.
5. Information used by the Bank which originates outside including, but not limited to, vendors,
contractors, customers, regulators, other enterprises and the public domain.
6. The Bank’s information resources used by, shared by, or in the custody of others.

NOTE: This policy is not intended to be a procedures manual of how to perform all departmental
functions. It includes only those critical business functions required to ensure successful recovery from an
emergency or disaster.

Recovery Strategies
The Bank has assessed the benefits, costs and risks of business continuity strategies for each core
business process and infrastructure component through a BIA. Each continuity strategy is capable of
meeting minimum acceptable output requirements for each core business process.

The Bank has researched various recovery strategies by applying contingency and recovery
strategies to an overall plan consisting of scenarios describing the loss of facilities, public utility services,
critical computer services and/or services provided by external service relationships/trading partners, or
of both facilities and services. It has determined that the following approach to recovery efforts will best
fit its needs:

1. Using the existing branch office network for alternate facility space, as required.
2. Utilizing geographically dispersed facilities for alternate occupational space. These sites include:

A. Bronson Banking Center
863 West Chicago Road
Bronson, MI 49028
(517) 369-7322 (p)
(517) 369-2347 (f)

B. Centreville Banking Center
158 W. Main
PO Box 126
Centreville, MI 49032
(269) 467-8525 (p)
(269) 467-4180 (f)

C. Climax Banking Center
125 N. Main Street
PO Box 247
Climax, MI 49034
(269) 746-4256 (p)
(269) 746-4180 (f)

D. Colon Banking Center
110 South Blackstone Avenue
PO Box 606
Colon, MI 49040
(269) 432-3229 (p)
(269) 432-2971 (f)

E. Main Office
113 Chicago Rd
Sturgis, MI 49091
(269) 651-9345 (p)
(269) 651-5512 (f)

Maplecrest Banking Center
1501 E. Chicago Rd
Sturgis, MI 49091
(269) 651-5609 (f)

South Haven Banking Center
08253 M-140
PO Box 425
South Haven, MI 49090
(269) 637-8444 (p)
(269) 637-5560 (f)

South Haven Banking Center (Downtown)
365 Center St
South Haven, MI 49090
(269) 637-6644 (p)
(269) 637-6645 (f)

South Centreville Rd. Banking Center
1001 S. Centerville Rd.
Sturgis, MI 49091
(269) 651-9379 (p)
(269) 651-1514 (f)

Three Rivers Banking Center
115 North Main Street
Three Rivers, MI 49093
(269) 273-8481 (p)
(269) 273-1732 (f)

White Pigeon Banking Center
122 West Chicago Road
PO Box 355
White Pigeon, MI 49099
(269) 483-9668 (p)
(269) 483-2725 (f)

Bangor Banking Center
232 W. Monroe St.
Bangor, MI 49013
(269) 427-7941 (p)
(269) 427-5313 (f)

Plan Activation

A. Notification Procedures. Upon receiving notification of an emergency or disaster, the Executive
Management team leader will contact the members of the Management Resumption Team. The
Management Resumption Team will meet at the Disaster Recovery Command Center. The Disaster
Recovery Command Center location will be as follows, in the order of availability:
1) Main Office Board Room
2) South Centerville Rd. Banking Center
3) White Pigeon Banking Center
4) TBD by Executive Management Team.

To begin implementation of the Bank’s contingency plan(s), the Management Resumption Team
leader should determine the level of seriousness of the event. To aid in determining the response
required, three levels of events have been identified for consideration:

1. Most Serious
1. Extended loss of critical business system - hardware or software failure(s).
2. Extended loss of utilities or general use of a facility.
3. Significant impact to many customers (Event mitigation is expected to require
more than 24 hours).

2. Moderately Serious
1. Limited loss of critical business system - hardware or software failure(s).
2. Limited loss of utilities or use of a facility.
3. Significant impact to a limited number of customers - event mitigation is expected to
be accomplished within 24 hours.

3. Inconvenient
1. Minor loss of utilities or use of a facility.
2. Minor impact to a limited number of customers and agents - event mitigation is
expected to be accomplished within eight (8) hours.
3. Minor loss of critical business system - hardware or software failure(s).

Communication
The Bank must be ready with an effective crisis communications program if an actual crisis should occur.
Lack of communications or inaccurate communications can immediately turn a small crisis into a major
disaster, specifically in the area of customer relations. It is vitally important for Senior Management,
officers and employees to know ahead of time what communications channels are to be followed. There
should be no questions as to who will make the major decisions, who will act as liaison with the
community, and who will handle internal communications and technical needs.

The Executive Management Team leader will notify all Management Resumption Team Members on
a need-to-know basis. Information to be supplied may include:

1. General description of the event.
2. Level of event.
3. Potential short and long term impact of the event.
4. The location of the Disaster Recovery Command Center.
5. The immediate action required.
6. Estimated resumption time.
7. Notify all affected Team Managers of plan(s) activation and have them report
to the Disaster Recovery Command Center.
8. Notify the alternate site(s), if necessary.
9. Log in Team Managers and Members as they report.
10. Determine appropriate levels of internal communications and external
communications based upon communication policies.
11. Dispatch the Team Managers for activation of their individual team plans.

Enforcement

Changes to this policy require approval by the Board of Directors of the Bank. Changes in operating
procedures, standards, guidelines and technologies, provided they are consistent with this policy, may
be authorized by the First Vice President.

The Board of Directors has the authority to approve this policy, and annually approves the merit
thereafter. Senior management is responsible for ensuring the directives are implemented and
administered in compliance with the approved policy.

The primary responsibility for enforcement of this policy and its operating procedures rests with the
President and the Bank’s employees.

Policy Distribution

Generally, this policy is to be distributed by Senior Management to all officers of the Bank. In
addition, a copy of this policy may also be distributed to any person or organizational element that
may become involved in its implementation. A current copy of this policy is to be filed and
maintained in the following areas:

1. The vault in all branch locations.
2. Intranet
3. The Bank’s policy manual

Staffing Resources
Appropriate and key staff members must be available to address emergency or disaster situations in a
timely manner. Inability to consult with or to apply key staff members to resolving problems will hinder
the Bank’s business resumption efforts, and may increase damages through the selection of improper
resolution methods. Therefore, branch and department managers are to ensure that adequate staff is
always maintained by carefully planning vacation schedules and absences.

Communication
Communications to the following external parties will be handled using the following considerations:

1. Customers. The President will work closely with the members of the Executive Management
Team to determine the most appropriate form of communication regarding any emergency or
disaster. Potential forms of communication that could be used include:

a. Personal letters.
b. Newspaper advertisements.
c. Radio or TV advertisements.
d. Internet Website
e. Posting signs

All communication will be geared to help customers understand the event and to assure them of the
safety of the organization.

All telephone requests and concerns from customers related to an emergency or disaster should be
directed to the Banking Center Manager.

2. Regulatory Agencies. The President will work closely with the Compliance Officer to
determine the type of communication that may be required with regulatory agencies.
Emergencies or disasters that affect business or transactions will require timely
communications to the following regulatory agencies:

a. State of Michigan (OFIS)
b. FDIC
c. Federal Reserve

If an event affects the timely processing of any of the above information, the affected business unit
will be asked to provide a detailed account of the nature of the problem, the anticipated resolution and
the estimated time frame until recovery. The President will determine the most appropriate method of
communication and will contact the necessary regulatory agencies directly. Under no circumstance
should the business unit correspond directly with the regulatory agency.

3. News Media. The President is responsible for all public statements regarding emergencies
and disasters, and the recovery efforts of the Bank. All other employees are instructed not to
give statements to the media.

The Executive Management Team will assess the event and its impact on public and media relations.
Following this assessment, the President is to work with the Executive Management Team to
determine the most appropriate method of communication. This could include a press release, a press
conference or other types of radio, newspaper or television communication. Information provided to
the media will be on a need-to-know basis and may include the following:

a. Description of the emergency or disaster.
b. Immediate and long-term effect on customers and staff.
c. Approximate time frame in which key business operations affected will be fully
recovered.
d. Assurance that customer assets are protected, the event is being addressed and the
event is under control.

The assigned media contact is to be prepared to address the following questions for the media during a
personal contact interview or press conference:

a. What caused the event?
b. Are customer funds safe and available?
c. Will the Bank suffer any irreparable financial damage as a result of the event?

A record of media contacts/interviews should be maintained to provide documentation of questions
asked and responses given in the event of errors in the reporting of the event by the media. The
Executive Management Team will monitor both print and broadcast coverage of the emergency or
disaster. If there are any factual errors reported, the assigned media contact will notify the media at
once.

4. Public Relations. Public relations, announcements and media contact representatives
include:

a. President
b. Marketing Manager

Teams
The Board of Directors has designated the following entities and/or individuals to govern and
administer the Bank’s Business Continuity program. A “team” approach is used; therefore, this plan
is structured so that each team is a separate section. The teams are: 1) Executive Management Team,
2) Management Resumption Team, 3) Accounting Resumption Team, 4) Lending Resumption Team,
5) Trust Resumption Team, 6) Customer Service Resumption Team, 7) Operations Resumption Team,
8) Physical Security Resumption Team, 9) Human Resources Resumption Team, 10) Facilities
Resumption Team.

General Team Responsibilities

1. Identify the category and scope of the emergency.
2. Identify services required and place the appropriate calls to needed service
providers/vendors.

Information to each service provider is to include:

a. Name of the organization or unit requiring service.
b. Location where service is required.
c. Telephone number for location where service is required.
d. Description of the problem
e. Name of person to contact at location requiring service.
f. Request for instructions if alternative action can or should be taken before service
unit is available.
g. Time schedule for invoking additional procedures within recovery plan.
h. Request for estimate for service availability.

3. Identify if security considerations are part of the emergency.
4. Ensure the safety and security of all customers and staff upon evacuation from affected
areas.
5. Establish and maintain control of access to affected areas or contact appropriate private
and/or public safety security forces to perform control functions.
6. Identify critical areas requiring special security control such as valuable records, equipment
and cash or securities.
7. Draft an on-going security program until emergency condition is corrected or all valuable
items are removed and area is secured from unauthorized access.
8. Identify all customers and staff members receiving injuries during an emergency, if
applicable.
9. Determine the extent of injuries and number of people injured and notify the Management
Resumption Team as to the scope of emergency services required (e.g., ambulance,
paramedics, emergency room, etc.), if applicable.

Team Manager Responsibilities

Team Managers are responsible for coordinating all recovery activities that fall under their areas,
including, but not limited to, their listed responsibilities within this policy, in order to reestablish
processing and service to acceptable levels within the shortest possible time frame. Team managers
will:

1. Serve as the prime decision-maker for situations not included in this or other policies.
2. Activate recovery team members as needed depending upon the disaster circumstances.
3. Direct the members of their team.
4. Create additional recovery positions as needed to assist in recovery activities.
5. Track the actual progress/completion of recovery activities against the expected sequence of
recovery events (i.e., function as a project manager for the recovery process).
6. Work closely with all Team Managers to ensure the highest degree of customer service
possible.
7. Assign team members to the specific responsibilities detailed for each team.
8. Educate and cross-train team members in special and critical skills which can have a
significant impact on the success of the recovery efforts.

Executive Management Team

Responsibilities
1. Evaluating the situation and making the decision to put all or part of the BCP\DR Plan into
effect.
2. Receipt of initial emergency or disaster notification.
3. Assisting in the selection and establishment of the Disaster Recovery Command
Center. Determining the extent/level of an emergency or disaster.
4. Activating the Bank’s contingency plan(s).
5. Documenting and monitoring business resumption activities.
6. Providing managerial direction to all Team Managers.
7. Establishment of the Disaster Recovery Command Center
8. Work with the other members of the team and other departments to determine the
information to be communicated.
9. Determine the method or medium of communication to be used; and
10. Determine the audience that should receive it.

The Disaster Recovery Command Center facility is to have adequate meeting space, telephone facilities,
fax machines and supplies required to direct the resumption process. The location of the Disaster Recovery
Command Center will be the following, in order of availability:
1. Main office Board Room
2. South Centerville Rd. Banking Center (Branch 5)
3. White Pigeon Banking Center
4. TBD by the Executive Management Team

The following issues are to be considered to provide additional security:

Locating the primary or secondary site in a different power grid than the affected branch.
Locating the primary or secondary site using a different telephone central office switch.
Locating the primary or secondary site at other owned or leased facilities, local businesses or hotels.

Members
1. President – Team Manager
2. Chief Financial Officer
3. Executive Vice President
4. All senior officers

Business Resumption Management Team

All teams (including technical resources working on any technical event mitigation) are to report to
the Management Resumption Team. The time basis for reporting will be determined by the
Management Resumption Team and will be communicated to the resumption teams during the initial
event notification process.

Responsibilities
1. The Business Resumption Management Team is responsible for the oversight and
management of the Business Continuity and Disaster Recovery Plan functions while the plan
is in effect.
2. Assessing the appropriate response to any emergency event affecting the
organization. Coordinating the business recovery process.
3. Activating the Bank’s Contingency plan(s). Monitor the business recovery process.
4. Providing managerial direction.
5. Monitoring and controlling all disaster-related expenses.
6. Ensuring that all appropriate corporate policies related to business continuity are followed.
7. Overseeing internal and external communications and public relations
issues. Establishing the Disaster Recovery Command Center.
8. Monitoring resumption efforts.

Members
a. Operations Officer – Team Manager
b. Information Technology Coordinator
c. Retail Loan Officer
d. Trust Officer
e. Chief Financial Officer
f. Branch Administrator

The team manager is to prepare an initial assessment report, including but not limited to:
1. Date/time reported.
2. Name of person placing the initial alert or notification.
3. General description of the event.
4. External support requirements.
5. Impact level (high, medium or low) and estimated recovery time for:
   a. Utilities/Services
   b. Hardware
   c. Software
   d. External Trading Partners
   e. Service Based Relationships

Preparation of the report will help determine:

1. The impact of the emergency or disaster on Bank personnel and customers.
2. The extent of recovery and resumption efforts required.
3. The need for relocation by department.
4. The need for an alternate processing site and facilities.
5. The need to notify other Resumption Teams to implement their procedures.

Information to be monitored by the Management Resumption Team includes:

1. Progress being made regarding processing using the temporary operating procedures.
2. Significant issues being encountered by the resumption teams which require management
review and approval.
3. Request for additional expenditures beyond those outlined in the Bank’s
contingency plan(s). Requests for additional support as needed.

Accounting Resumption Team

The Accounting Resumption Team is responsible for restoring all general ledgers and accounting
functions related to Bank activities.
Responsibilities
1. Managing Liquidity and Investments
2. Tracking, Monitoring, and Reporting Investment Portfolio Quality
3. Maintaining and Adjusting Risk of Investment Portfolio
4. Providing Adequate Funding/Minimum Cost and Risks
5. Processing General Ledger
6. Verifying Correct Posting of Financial Records to General Ledger
7. Posting Manual Entries to General Ledger
8. Maintaining Bank Records of Financial Position

Members
a. Chief Financial Officer – Team Manager
b. Comptroller
c. Accounting clerk

Customer Service Resumption Team

Responsibilities
1. Providing customer communications and transaction support to the Bank’s customers.

The Customer Service Resumption Team consists of the following staff members:
a. Branch Administrator – Team Manager
b. Main Office Head Teller
c. Main Office Customer Service Representatives

Lending Resumption Team

Responsibilities
The Lending Resumption Team is responsible for restoring all commercial, real estate and consumer
lending functions related to Bank activities.

Members
a. Senior Vice President of Retail Lending – Team Manager
b. Loan Processing Manager
c. Sr. Vice President of Corporate Lending

Operations Resumption Team

Responsibilities
1. Manage and monitor SCO operations to include mobile deposit and RDC operations
2. Manage and monitor ACH related transactions and processing
3. Processing wires
4. Manage and monitor debit card processing

Members
a. Deposit Operations Supervisor – Team Manager
b. Deposit Operations Clerks

Trust Resumption Team

Responsibilities
1. Restoring, processing and managing all trust-related activities

Members
a. Trust Officer – Team Manager
b. Trust Operations Manager/Officer

Human Resources Resumption Team

Responsibilities
1. Managing payroll
2. Managing employee benefits
3. Managing employee related concerns and scheduling

Members
a. Human Resources Officer – Team Manager
b. Human Resources Assistant

Facilities Resumption Team

Responsibilities
1. Coordinating with utility companies for restoration of services
2. Coordinating and managing facility repairs

Members
a. Facilities Manager – Team Manager

Physical Security Team

Responsibilities
1. Establish and maintain security to buildings, vaults, ATMs and bank equipment
2. Ensure customer and employee safety

Members
a. Physical Security Officer – Team Manager

General Safety Procedures

Earthquake

1. Stay inside the building. There are generally more hazards in the streets.
2. Move quickly away from windows, temporary walls, bookcases, hanging light fixtures, or
anything else that could fall.
3. Duck under a sturdy desk or similar piece of furniture, or brace the body against a permanent
wall or under a permanent doorway.

What To Do After an Earthquake

1. Stay where you are until the first aftershock subsides.
2. Before leaving shelter, look all around the area to make sure there is no danger of falling
materials.
3. Listen for instructions from any emergency services.
4. Check for small fires that may have started, and try to extinguish them if this can be
completed safely.
5. Check for injured or trapped people, and inform the Management Resumption Team so they
may be assisted.
6. If possible, clean up spilled flammable liquids (such as cleaning solvents).
7. Avoid touching electrical wires and equipment until utilities have been checked.
8. Avoid smoking or using matches or lighters as there may be gas leaks present.
9. Restrict telephone use to emergencies only.
10. Rely on the Management Resumption Team for instructions regarding evacuation.

Civil Disturbance Safety Procedures

1. Employees are to secure the building, thereby keeping demonstrators away from the offices
and employees.
2. If law enforcement is not present, activate the alarm to notify the police.
3. Allow local law enforcement authorities to handle the demonstrators. Notify the Management
Resumption Team.

What To Do After a Civil Disturbance

Employees are to check the building for damage, photograph the damage (if any), and notify the
Management Resumption Team to facilitate salvage operations.

FIRE SAFETY PROCEDURES

The following procedures and precautions are to be included in contingency planning:

1. Fire and evacuation drills.
2. Emergency telephone numbers (fire, police, and ambulance). All employees must be
instructed to report any fire to the fire department.
3. Employees are to be informed of the location of the nearest fire extinguishing equipment and
procedures for using it.
4. Posting of a floor plan or sketch showing stairway and ground floor exits on staff room
bulletin boards, if necessary.
5. Knowing the location and use of first-aid kits and other emergency supplies, as well as the
location of the nearest medical facility.

Fire Training

Specific branch or department procedures are to be followed in case of fire. Employees are to be
trained in the following areas:

1. All fires must be reported immediately to the fire department and the branch or department
supervisor or the next person in charge.
2. Calmly assess the situation. It is important to act quickly. If possible, put out the fire with a
fire extinguisher.
3. Alert others. Calmly direct everyone in the immediate area of the fire to a safer location.
Activate the nearest fire alarm.
4. Report all fires, even small ones. Call the fire department, and then notify the Management
Resumption Team and the branch or department supervisor or the next person in charge.
5. Give the person who answers the name, address, and nearest cross-street of the facility, the
exact location of the fire within the building, and its size and type, if possible.
6. Report known injuries so that arrangements can be made to send medical help at the same
time.
7. Evacuate. Unless employees are in immediate danger, it is usually best to wait for
evacuation instructions from the Management Resumption Team.
8. Training must include annual instructions to all staff on fire safety practices, emergency
resources, and methods for evacuation.

Fire Drills and Evacuation

Fire drills that require employees to use the exit stairs and doors will be held. During these drills,
employees are to use specific branch or department exit procedures. Exit via elevators is prohibited
in multi-storied buildings. When joint drills are required with non-Bank tenants, branch or
department management personnel are responsible for coordinating the drill schedule with the
building manager.

EXPLOSION SAFETY PROCEDURES


A sudden blast may be attributed to various causes. In addition to flying debris, the first thing that
occurs in any explosion is that it generates a tremendous amount of dust.

1. Call 911.
2. Provide the operator with the location of the explosion, suspected cause, degree of damage,
and whether or not to suspect any fires or injured persons.
3. Is there a chemical odor?
4. Do not hang up the telephone until released by the 911 operator.
5. Evacuate the immediate area and shut all doors.
6. Assign an officer or employee to wait at the elevator lobby to direct the responding
emergency personnel.
7. Evacuate the area per established evacuation routes shown on posted floor plan.
8. Notify the Management Resumption Team and/or emergency response such as law
enforcement or fire department.

WEATHER DISTURBANCES
Tornadoes, Thunderstorms, or Hurricanes

In the event of tornadoes, thunderstorms, or hurricanes, employees are to stay indoors and under no
circumstances should anyone remain near windows or leave the building until the emergency is over.
After the storm, conduct a roll call of all employees and customers to check for any missing persons
or injuries. Assess any damage and look for safety hazards such as fallen power lines or electrical
wires. Photograph any damage and contact the Management Resumption Team to facilitate salvage
operations.

Floods

During the flood, patrol the facility for rising water inside the building. Watch for structural damage
and causes of fire such as short circuits.

After the flood, assess the structural, mechanical, and electrical damage. Look for safety hazards such
as downed power lines, exposed electrical wires, damage to sidewalks, parking lot, and roads. Inspect
the fire protection equipment and restore it to operational capability.

Evacuation Procedures
Various types of emergencies or disasters may require the partial or complete evacuation of one or
more of the
Bank’s facilities. Employees at each location must be familiar with the safest and fastest route to
leave the building or work area in the event of an emergency.

Emergency evacuation and exit routes of floor plans, as mandated by city and county fire codes, are
posted in conspicuous areas throughout all Bank facilities.

All Bank personnel are to evacuate the affected facility and assemble at a primary or secondary
security location when an emergency or disaster occurs during business hours. This location,
determined by branch or department personnel and provided as part of normal staff security training,
is essential to ensure all personnel are accounted for and that no one is left in the building due to
injury.

Testing

The Bank realizes that contingency planning and disaster recovery plans are of no value unless each
portion of the plan is realistically and periodically tested to ensure that established procedures will:

1. Determine the feasibility of the business recovery process.
2. Identify deficiencies in the existing procedures.
3. Identify areas in this policy and other contingency plans that need modification or
enhancement.
4. Provide training to the team managers and team members.
5. Ensure the adequacy of procedures relating to the various teams involved in the recovery
process.
6. Demonstrate the ability of the organization to recover.
7. Provide a mechanism for maintaining and updating this policy and other contingency plans.

Some situations may be tested on a frequent basis such as staff and customer evacuation under fire
drill procedures, while other situations will require extensive planning and coordination to test since
they may include movement of equipment, personnel and materials to a back-up contingency site.

The tests described in this section are not static, meaning they are to be maintained in the same manner as
other parts of the Bank’s contingency plans. Additional tests may be designed and executed as the
operations change. Testing based on real world situations such as communication and power outages will
be considered a valid business continuity and disaster recovery test if their outage causes portions of the
business resumption plans to be enacted.

General Test Objectives and Strategies

1. Respond to a mock emergency or disaster.
2. Notify necessary personnel.
3. Assemble necessary business resumption teams.
4. Perform manual temporary operating procedures to the extent possible in order to provide
acceptable levels of customer service until the emergency or disaster is mitigated. Use the
existing branch office network for testing areas, as required.
5. Establish an overall test plan that consists of scenarios describing the loss of facilities, public
utility services, critical computer services and/or services provided by external service
relationships/trading partners or both facilities and services.

It is the responsibility of each team to review the contingency plan(s) and ensure that key materials
and supplies, including call trees, are current and available for their respective area to ensure the Bank
is in compliance with the requirements of the contingency plan(s).

Development of Test Plans

The Management Resumption Team is responsible for the development of the test plans.
Considerations to include in this development are:
1. Purpose of the test.
2. Type of test to be performed (Full, sandbox, departmental, checklist).
3. Timing – time of the day, month and year that the event occurred.
4. Duration of the test.
5. Test participants.
6. Assumptions.
7. Constraints.
8. Test activities.

Various test scenarios are to be planned that identify the type of event, the level of damage, recovery
capability, staff and equipment availability, backup availability, backup resource available, and time
and duration of the test. Test plans are to identify the person responsible and the estimated time
required to perform each action.

Test Types
Checklist Test

A “Checklist Test” is used to determine:


1. Whether the contingency plan(s) are current;
2. Telephone numbers and team members are current; and
3. Copies of the contingency plan(s) and necessary supplemental documentation are present.

Sand Box Test

The simulation/structured walk-through test is a test that involves a detailed walk-through of the
various components of the Bank’s contingency plan(s) by each team member. The simulation test
should ensure that each team member is familiar with the plan(s) and understands the specific team
responsibilities itemized within the plan(s).

Participants are as follows:


1. Resumption Administrator.
2. All Team Managers and alternates.
3. Other selected personnel as directed by the Resumption Administrator and Team Managers.

Walk-Through Test – Resumption Administrator Responsibilities


Meet with all participants to explain the purpose and scope of the test. The Resumption Administrator
should also discuss the appropriate sections of the contingency plan(s) in detail with the group.
Distribute additional copies of the contingency plan(s) due to revision or the participation of new
members. Describe the test scenario (situation), including:
1. A description of the type of event.
2. The extent of damage to impacted systems and anticipated period of unavailability.
3. The time of day and day of month that the event was reported.
4. The method of discovery of the event.
5. Describe the activation criteria and whether the contingency plan(s) are activated under the
described circumstances.

Full Test
A simulated test follows all the functions of a walk-through test except the steps taken are actually
performed as if a real emergency has taken place.

See the testing schedule maintained by the Information Technology Department for the current testing
schedule.

Injuries and First Aid

Injuries may occur at any time. In most cases injury will require only first aid or minor medical
attention. Most severe injuries require more extensive treatment such as a hospital emergency room.

All employees must be prepared to perform the following basic steps in first aid:

Determine the nature and severity of illness or injury.

Contact the nearest or appropriate emergency facility and provide as much information as possible to
emergency personnel. If warranted, request instructions for emergency treatment.

Provide the location of the injured person or arrange for another staff member to meet the emergency
vehicle outside of the office to assist in locating the injured person.

If the injury was attributed to an accident, determine the cause of the accident, if possible, and take
corrective steps to ensure that additional injuries will not occur. The Bank’s HR Officer must be
immediately notified of the incident for further instruction.

Disaster Recovery Plan

General

This section outlines the Disaster Recovery Plan that provides specific recovery planning with respect
to the Bank’s Local Area Network (LAN) and Wide Area Network (WAN) computer facilities,
components and programs.

Plan Description, Authority and Scope

It is essential that the Bank can recover from any disaster to its operation, either from natural or
human causes. It is the responsibility of each supervisor within his or her area of responsibility to
ensure that he or she has a general understanding of this plan in order to protect and restore all
information and resources necessary to resume normal operations following either short or long-term
business disruptions. This disaster recovery plan includes measures to provide effective protection
for, and restoration of, Bank information and computing resources. This policy is limited only to
aspects relating to the operations and reactivation of computer networks, systems, software programs,
and electronic communication for the Bank.

Scope
This Disaster Recovery Plan is a continuously evolving document that identifies the type, location,
function, and priority of information resources and describes information protection recovery standards and
procedures.

Responsibilities
All employees have ultimate responsibility for the protection and security of Bank information for their
respective area of responsibility and should possess general knowledge of this policy and the procedures
contained herein. Supervisors should consult on a regular basis with the Vice President of Information
Technology to ensure that recovery procedures, protection activities and plans meet or exceed their
department requirements.

The Bank’s Technology Steering Committee is responsible for assisting the President in the
development and administration of this plan in addition to:

1. Identifying areas of weakness and exposure, whether physical, procedural, internal or
external, and advising the President of prudent corrective and mitigation measures.
2. Conducting periodic recovery exercises from time to time.
3. Administering information protection and security functions consistent with rapidly changing
technology. Ensuring that effective information protection procedures are in place for all
electronic platform applications or systems, including mainframes, LANs and WANs.
4. Developing and conducting training programs from time to time as assigned for designated
Bank personnel in recovery principles, development, maintenance, and testing of business
resumption plans and information protection and security procedures.
5. Ensuring that adequate protection and recovery measures are integrated into new Bank
business functions and that these measures remain throughout the functions’ life-cycles.

Contracted Vendor Assistance


The Information Technology department is responsible for performing the various installation tasks of
cabling, hardware, software, applications reinstallation, restoration of backups and testing in
conjunction with the Bank’s contractual computer service engineers and/or other local vendors.
Special care should be taken to ensure the safety of the backup media and the order of the restoration
process.

Installation Sequence
Installation of hardware, depending on what is damaged, will generally proceed in the following
order:

1. Cabling.
2. Hubs and routers.
3. Server with backup hardware.
4. Teller terminals.
5. Workstations.
6. Printers.

Software installation will follow the priority order listed above unless otherwise directed by the ITSC
or other member(s) of Bank management.

Network Software Standards - Business Applications

The following table is a list of standard business applications:

1. Integrated Teller
2. Business Process Manager
3. Microsoft Office 365
4. MortgageBot
5. LaserPro
6. Internet Explorer
7. Adobe PDF Viewer
8. Most recent version of Java

Network/Operating System Applications


The following table is a list of standard network or operating systems (all hardware should be Pentium
4 3 GHz or higher with a minimum of 2GB of RAM, 80GB hard drive):
Windows 7 (Workstation)
Windows Server 2012 R2 (Server)

Network Configurations and Backups


Restoration of the Wide Area Network (WAN), Core connectivity and Internet access is necessary to
continue the Bank’s main functions. The Bank’s data processor is to be contacted immediately to
begin the process of reconnecting data processing services if the automatic failover configured on the
service provider’s core router fails. The following is a detailed description of components necessary to
facilitate this:

Wide Area Network Connection


Type of data line connection:
Primary: 100 MB Fiber (Frontier)
Backup: 6mb w/3mb CIR (Fiserv Connection Located at Climax)
Type of router: Fortinet
IT Action: Reconfigure router hop rates to use backup as a primary connection.

Internet
Primary: 300MB Cable (Charter)
Backup: 100MB (Frontier)
Backup 2: 6mb w/3mb CIR (Fiserv Connection Located at Climax)
IT Action: Reconfigure router hop rates to use backup as a primary connection.

Core Connectivity
Primary: 100MB Fiber (Frontier) hand off to 12MB AT&T MPLS Cloud connection
Backup: 6MB AT&T connection located at the Climax branch
IT Action: Automatic failover configured

Fedline Restoration Procedures


The functions of the Fedline computer system and components can be performed manually by
contacting:

Federal Reserve Bank
230 South LaSalle Street
Chicago, Illinois 60604
(312) 322-5322

While functions are being performed manually, the number to contact to replace the missing or
damaged Fedline computer is (888) 372-2446.

Emergency Services
Location        Fire              Police
Bangor          (269) 427-8980    (269) 427-5801
Bronson         (517) 369-9083    (517) 369-6475
Centreville     (269) 467-6871    (269) 467-6871
Climax          (269) 383-8821    911
Three Rivers    (269) 278-1235    (269) 278-3755
South Haven     (269) 637-5151    (269) 637-5151
Sturgis         (269) 651-3231    (269) 659-7272
White Pigeon    (269) 483-7109    (269) 483-9414

Backup Structure
For specific backup procedures refer to the backup operation procedures maintained by the Information
Technology department.
1. Schedule:
Days: M-Fri
Time: 6:00 PM
What: Full server backups

2. Media:
a. Main Office: Will maintain a nearline backup device that backs up all main office servers and
runs a recovery job to make an automated backup copy of the nearline backup device nightly
to the Bank’s cloud storage.
b. Branches: Will maintain a backup rotation schedule that maintains a new backup Mon-Fri

Reference Documents
Backup Procedures
BCP Test Results Form
Business Impact Analysis
Incident Response Program
Information Technology Risk Assessment
Pandemic Illness Response Plan
Business Continuity Testing Schedule
