The last time the Federal Financial Institutions Examination Council (FFIEC) issued guidance to financial institutions regarding pandemic planning was in 2007 in response to the avian flu pandemic. Many institutions likely have a pandemic response section within their business continuity plans but have not had to put such procedures into effect until this year. In March 2020, an update to the original interagency guidance was issued to provide additional considerations for minimizing the potential impact of a pandemic in response to COVID-19. Based on this new guidance, and the events of 2020, institutions should be revisiting and updating their pandemic plans to incorporate the new guidance and lessons learned from COVID-19.
The FFIEC says pandemic plans should be incorporated into an institution’s overall business continuity plan, but the objectives of pandemic planning have several distinctions. Business continuity plans typically focus on disruptions that are relatively short in duration and are limited to a specific geographic area or location. Pandemic plans should be designed to mitigate events that could vary significantly in scale and duration. Pandemics, as we have seen, could impact an organization’s entire geographic area and may occur in multiple waves over a longer duration of time than business continuity plans are typically designed to address. One of the most significant challenges a pandemic presents is a staffing shortage due to employee absenteeism. Due to these factors, a pandemic plan needs to be flexible and scalable to respond to a wide range of potential effects. The potential impact a pandemic could have on critical financial services should be incorporated into ongoing business impact and risk assessment processes to determine if additional mitigation plans need to be developed.
To adequately address the threat of a pandemic, institutions should incorporate the following elements into their plan:
1. A preventative program to reduce the likelihood of a pandemic affecting the institutution’s operations. Items to consider include monitoring of a potential outbreak, cross-training employees on other job roles, educating employees on practices to reduce the spread, ensuring adequate hygienic supplies are on hand and coordinating potential response activities with critical vendors.
2. A documented strategy to deal with the effect of a pandemic. The FFIEC’s guidance references the Center for Disease Control’s Pandemic Intervals Framework, which describes the progression of a pandemic using six intervals. Response strategies should be modeled after the effects of each interval to ensure institutions can respond quickly when a pandemic event occurs and then pivot to prepare for additional waves that may occur.
3. A comprehensive framework of facilities, system or procedures to allow the continuation of critical operations and services in the event of staffing shortages. These procedures could include remote work arrangements, restriction of visitor or customer access to facilities, responses to actions by government officials and increased reliance by customers on electronic banking, customer support centers and ATMs.
4. A testing program to ensure that the identified strategies and framework will allow the continuation of critical operations and services through a pandemic-like scenario. Testing procedures could include stress-testing remote work systems and procedures via planned work-from-home days, coordinating with vendors to ensure infrastructure can adequately handle spikes in electonic banking and telephone banking usage, completing tabletop exercises to test work procedures and communication protocols that could be impacted by absenteeism rates and participating in regional or industry-wide testing exercises for the financial services sector such as those hosted by FS-ISAC.
The ultimate responsibility for business continuity and pandemic planning lies with senior management and the Board of Directors. The Board or a committee should be responsible for reviewing and approving the pandemic plan and ensuring sufficient resources are invested into each element of the plan. Senior management’s responsibilities should include developing specific policies and procedures to implement the plan, communicating the plan through the institution and ensuring that a regular testing program is completed that is appropriate for the size and complexity of an institution’s processes.
If you want to read the full guidance, it can be found on at the following link on the FFIEC’s website. Additionally, if you have questions or would like to discuss business continuity or pandemic planning, please contact us, we would be happy to talk.
Related Posts
No related posts.