FFIEC has issued guidance on pandemic planning, entitled Interagency Statement on Pandemic Planning (“Guidance”). This issuance is meant to heighten the response of financial institutions to the coronavirus pandemic. The Guidance identifies actions that financial institutions should take to minimize the potential adverse effects of a pandemic. Specifically, the institution’s business continuity plan (BCP) should address pandemics and provide for a preventive program, a documented strategy scaled to the stages of a pandemic outbreak, a comprehensive framework to ensure the continuance of critical operations, a testing program and an oversight program to ensure that the plan is reviewed and updated.
We have been notifying you on how to protect your companies, customers, employees,
families, and communities HERE. Please review those articles and act
accordingly.
If you want to discuss your specific pandemic preparation requirements, please contact us at compliance@lenderscompliancegroup.com.
We believe that Disaster Recovery and Business Continuity should
be combined, but, as the Guidance states, “pandemic planning activities should
involve senior business management from all functional, business and product
areas, including administrative, human resources, legal, IT support functions,
and key product lines.”
The pandemic segment of the BCP must be "sufficiently flexible to
address a wide range of possible effects that could result from a pandemic," and
also be reflective of the institution’s size, complexity, and business
activities.
Our position is that there are two types of BCPs: standard and enhanced.
The standard version lacks due diligence and independent risk assessment but does provide a basic outline to follow to ensure business continuity.
The enhanced version is preferred by regulators because it contains due diligence and independent risk assessment. The enhanced version is obviously preferable to the standard version, because it provides specific due diligence and auditing done by subject matter experts, and leads to an independent risk assessment. The risk assessment reveals strengths and weaknesses and further provides actionable recommendations. The standard version is less expensive to draft than the enhanced version, but it can be used as a baseline to ensure that your company is taking some affirmative actions to contain the spread of the coronavirus.
The Guidance is unequivocal in its directives:
The adverse economic effects of a pandemic could be
significant, both nationally and internationally. Due to their crucial
financial and economic role, financial
institutions should have plans in place that describe how they will manage
through a pandemic event. Sound planning should minimize the disruptions to
the local and national economy and should help the institution maintain the
trust and confidence of its customers. [Emphasis in original.]
According to the Guidance, “pandemic
planning presents unique challenges to financial institution management. Unlike
natural disasters, technical disasters, malicious acts, or terrorist events,
the impact of a pandemic is much more difficult to determine because of the
anticipated difference in scale and duration.”
The following constitute the actions that
management should be undertaking, per the Guidance:
1. A preventive program to reduce the
likelihood that an institution’s operations will be significantly affected by a
pandemic event, including the monitoring of potential outbreaks, educating
employees, communicating and coordinating with critical service providers and
suppliers, in addition to providing appropriate hygiene training and tools to
employees.
2. A documented strategy that provides
for scaling the institution’s pandemic efforts so they are consistent with the
effects of a particular stage of a pandemic outbreak, such as first cases of
humans contracting the disease overseas, first cases within the United States,
and first cases within the organization itself. The strategy will also need to
outline plans that state how to recover from a pandemic wave and proper
preparations for any following wave(s).
3. A comprehensive framework of
facilities, systems, or procedures that provide the organization the
capability to continue its critical operations in the event that large numbers of the institution’s staff are unavailable for prolonged periods. Such
procedures could include social distancing to minimize staff contact,
telecommuting, redirecting customers from branch to electronic banking
services, or conducting operations from alternative sites. The framework should
consider the impact of customer reactions and the potential demand for, and
increased reliance on, online banking, telephone banking, ATMs, and call
support services. In addition, consideration should be given to possible
actions by public health and other government authorities that may affect
critical business functions of a financial institution.
4. A testing program to ensure that
the institution’s pandemic planning practices and capabilities are effective
and will allow critical operations to continue.
5. An oversight program to ensure ongoing
review and updates to the pandemic plan so that policies, standards, and
procedures include up-to-date, relevant information provided by governmental
sources or by the institution’s monitoring program.
The Guidance provides helpful and important
links to information resources, as follows:
1. The National
Strategy for Pandemic Influenza (National Strategy) and the Implementation
Plan for the National Strategy for Pandemic Influenza (National Implementation Plan) issued by the
federal government provide a complete guide to pandemic planning.
The documents
can be found at https://www.cdc.gov/flu/pandemic-resources/index.htm.
The document can be found
at https://www.fsscc.org/influenza/financial_planning.jsp.
3. The
Department of Homeland Security (DHS) published The Pandemic Influenza
Preparedness, Response, and Recovery Guide for Critical Infrastructure and Key
Resources. This document is one of the tools DHS developed to enhance
pandemic planning. It provides a source listing of primary government and
pandemic influenza-specific background material, references, and contacts.
Institutions may find the Continuity of Operations – Essential (COP-E) planning
process especially useful.
The document can be found at:
4. The Department of Health and Human Services Center for Disease Control
published Interim Pre-pandemic Planning Guidance: Community Strategy for
Pandemic Influenza Mitigation in the United States – Early, Targeted, Layered
Use of Nonpharmaceutical Interventions. This document provides information
about community actions that may be taken to limit the impact from pandemic
influenza when vaccine and antiviral medications are in short supply or
unavailable. Financial institutions may be asked to plan for the use of the identified interventions to help limit the
spread of a pandemic, prevent disease and death, lessen the impact on the
economy, and keep society functioning.
The document can be found at http://www.pandemicflu.gov/plan/community/commitigation.html.
5. The Department of Health and
Human Services (DHHS) has published a series of checklists that are intended to
aid preparation for a pandemic in a coordinated and consistent manner across
all segments of society. Included are checklists for state and local
governments, for U.S. businesses with overseas operations, for the Workplace,
for Individuals and Families, for Schools, for Health Care and for Community
Organizations.
They can also be found at http://www.pandemicflu.gov/.
The Guidance provides an outline of staged
preparedness in a section entitled “Phases:
Planning, Preparing, Responding and Recovering.” This approach is consistent
with identifying a cyclical aspect to process implementation. Each phase
identifies specific challenges and the actions that must be implemented in the
cycle.
In addition, the Guidance
suggests that a Business Impact Analysis (“BIA”) containing the following
features should be incorporated into the BCP:
1. Assess and prioritize essential
business functions and processes that may be affected by a pandemic;
2. Identify the potential impact of a
pandemic on the institution's essential business functions and processes, and
supporting resources;
3. Identify
the potential impact of a pandemic on customers: those that could be most
affected and those that could have the greatest impact on the (local) economy;
4. Identify the legal and
regulatory requirements for the institution’s business functions and processes;
5. Estimate the maximum downtime
associated with the institution’s business functions and processes that may
occur during a pandemic;
6. Assess cross-training conducted
for key business positions and processes; and
7. Evaluate the plans of critical
service providers for operating during a pandemic. Financial institutions
should evaluate the plans and monitor the servicers to ensure critical services
are available. Financial institutions may wish to have back-up arrangements to
mitigate any risk. Special attention should be directed at the institution’s
ability to access leased premises and whether sufficient internet access
capacity is available if telecommuting is a key risk mitigation strategy.
Due diligence and risk assessment are
critical to the overall effectiveness of the BCP. These review requirements provide
the basis of dependable risk management. For instance, the Guidance states that
important pandemic planning should include:
1. Prioritizing the severity of
potential business disruptions resulting from a pandemic, based on the
institution’s estimate of impact and probability of occurrence on operations;
2. Performing a “gap analysis”
that compares existing business processes and procedures with what is needed to
mitigate the severity of potential business disruptions resulting from a
pandemic;
3. Developing a written pandemic
plan to follow during a possible pandemic event;
4. Reviewing and approving the
pandemic plan by the board or a committee thereof and senior management at
least annually; and
5. Communicating and disseminating
the plan and the current status of pandemic phases to employees.
The role of management is central
to the success of the BCP. As the Guidance states:
Senior
management is responsible for developing the pandemic plan and translating the
plan into specific policies, processes, and procedures. Senior management is
also responsible for communicating the plan throughout the institution to
ensure consistent understanding of the key elements of the plan and to ensure
that employees understand their role and responsibilities in responding to a
pandemic event. Finally, senior management is responsible for ensuring that the
plan is regularly tested and remains relevant to the scope and complexity of
the institution’s operations.
The risk assessment should include
not only the factors mentioned above but also a review of the
institution’s (1) coordination with outside parties, (2) identification of triggering
events, (3) employee protection strategies, (4) mitigating controls, and (5) remote access.
The Guidance sets forth the essential features of
applicable risk monitoring and testing criteria. Because the information from medical
and governmental experts about the causes and effects of a pandemic continues
to evolve, an institution’s pandemic plan must be sufficiently flexible to
incorporate new information and risk mitigation approaches.
Such risk monitoring should include:
1. Roles and responsibilities of
management, employees, key suppliers, and customers;
2. Key pandemic planning
assumptions;
3. Increased reliance on online
banking, telephone banking, and call center services; and
4. Remote access and telecommuting
capabilities.
With respect to testing, the Guidance states
that testing for a pandemic may require variations to the scope of traditional
disaster recovery and business continuity testing, as potential test scenarios
will most likely be different. Test results should be reported to management, with appropriate
updates made to the pandemic plan and testing program.
The Guidance provides the following informative
resource links:
1. The official Federal web site, http://www.pandemicflu.gov, contains the complete text
of the National Strategy for Pandemic Influenza and other important, related
details.
2. Department of Health and Human Services (DHHS)
3. Business
Pandemic Influenza Planning Checklist (DHHS)
4. Avian Flu Website (DOD)
5. Centers for Disease Control (CDC)
6. World Health Organization (WHO)
8. Department
of Agriculture (USDA)
Link not currently active.
9. Department of Labor Occupational Safety and Health
Administration (OSHA)
10. Department of State
11. U.S. Agency for International Development (USAID)
Link not currently active.
12. Security and
Prosperity Partnership of North America (The North America Plan for Avian &
Pandemic Influenza)