We finished an FDIC exam earlier this year, and in the IT portion they hit us on our pandemic plan saying it “needed improvement.” Here is the actual finding:
They also commented that we did not test it in 2018, but we did test it in December of 2017. So I have 2 questions:
- Is pandemic testing an annual requirement?
- What can we do to satisfy the comment on the plan being too generic?
Addressing the second question first, this is a great example of having to read between the lines to determine what the examiner is really asking for. I also referred to this situation in another post. I’m guessing that the “action plan” they’re referring to is actually your succession & cross-training plan. Your recovery procedures won’t change, what they want is for you to develop your succession plan, cross-train alternate personnel, then test your recovery procedures with the alternate personnel.
We have seen this finding recently, and as a result we’ve added a succession plan section to each process in our BCP Blueprint application*. The next time you update your plan it will now prompt for the primary, secondary, and tertiary resources for each process. Just make sure the next time you conduct a BCP test (pandemic or otherwise), you test with alternate personnel in the primary recovery roles. That way you can validate your ability to recover critical processes and functions within recovery time objectives, regardless of key personnel availability AND regardless of the nature of the disaster. After all, the FFIEC guidance states that FIs focus on the impact of the threat, not the nature of the threat:
Ultimately your ability to continue critical operations is the primary concern of the regulators, not necessarily that you’ve tested for a specific natural disaster (or contagion).
Regarding your first question, there is no specific requirement to test for a pandemic (or any other specific threat) on an annual basis. The guidance only states that you maintain.
Because reading between the lines of an examination is an imperfect science, ask the examiner if this approach (succession plan, plus cross-training, plus testing with alternate personnel) will address their concerns. I’ll be very surprised if it doesn’t.
For more about the importance of process-based business continuity planning, check out this article: BCP Plans Continue to Draw Criticism.
*This question came from a current Safe Systems BCP Blueprint customer, but those with other plan formats can accomplish the same result by adding a succession plan section to their BCP.