Similar to the Joint Statement on Destructive Malware issued in January in response to heightened geopolitical cyber risks from foreign actors, the FFIEC has just released an Interagency Statement on Pandemic Planning in response to the current COVID-19 epidemic. Like the Destructive Malware statement, this one does not impose any additional regulatory expectations on financial institutions; it is instead intended to “…remind financial institutions that business continuity plans should address the threat of a pandemic outbreak and its potential impact on the delivery of critical financial services.” It is actually an update to the 2007 Interagency Statement on Pandemic Planning, which was issued in response to the H5N1 epidemic in 2006. This release fits a consistent pattern in all recent statements: they are reactive in nature and serve to put already existing expectations and best practices into the context of current events.
Pandemic events pose unique challenges to financial institutions. They don’t target infrastructure or technology-based interdependencies, but instead impact another critical asset: the employee. The most significant change since the 2007 statement is that many institutions are even more dependent today on third parties for support and delivery of critical services, which makes evaluation of third-party pandemic contingency planning more important now than it was then. Of course, other areas have changed for the better. Electronic banking is more available (and more utilized) now than in 2006, so most customers have account access without having to physically visit one of your branches.
Pandemic and your Business Continuity Strategy
As you evaluate your current BCM for pandemic-related elements, the statement suggests your current BCM plan should provide for:
- A preventive program, including:
  - Monitoring of potential outbreaks
  - Educating employees
  - Communicating and coordinating with critical service providers and suppliers
  - Providing appropriate hygiene training and tools to employees
- A documented strategy to scale your response to the current 6-stage CDC framework:
  - Plan on maximum absenteeism (as high as 40%) during the peak and immediately following the Acceleration phase (phase 4).
- Specific facilities, systems, and procedures designed to provide continuation of critical operations in the event that large numbers of staff are impacted by the event, such as:
  - Social distancing to minimize staff contact
  - Redirecting customers from branch to electronic banking services
  - Conducting operations from alternative sites
- Consideration for the impact of customer reactions and the potential demand for, and increased reliance on, online banking, telephone banking, ATMs, and call support services.
- A testing program designed to validate the effectiveness of the facilities, systems, and procedures identified.
- An oversight and update program to continually monitor and adjust your pandemic program.
The Business Impact Analysis & Risk Assessment
As we mentioned in an earlier post, the new BCM Handbook eliminated the separate Pandemic section, but this statement makes it clear that regulators still expect institutions to assess pandemic alongside all other reasonably foreseeable threats. Both your Business Impact Analysis (BIA) and your Risk & Threat Assessment should incorporate the potential effects of a pandemic. The BIA should take a non-threat-specific approach to essential processes and functions, allowing you to identify interdependencies among critical operations, departments, personnel, and services, and the processes and functions with the greatest exposure to interruption. Make sure you’ve included critical employees and third parties in your impact analysis, and that the end result is a prioritization of business processes.
The risk assessment is where specific threats are identified, analyzed, and ranked according to impact and probability. The end result of this analysis should be a listing of disruptive events by severity. Events with high impact and high probability are considered high severity: they should receive top priority for resource allocation and should also be tested more frequently. A pandemic is typically considered a low-probability, high-impact event, but during phases 3 and 4 its probability may need to be reevaluated. Doing so may result in a temporary assessment of high probability / high impact, allowing management to properly prioritize resource allocation in preparation for, and in response to, the pandemic event.
Tests and Exercises
Finally, make sure to use the results of both the BIA and the risk assessment to inform your testing exercises. Make sure exercises validate your succession planning and cross-training by purposely excluding certain key individuals from active participation in the exercise. There will likely be a high reliance on remote access for telecommuting during both the early stages (2 and 3) of the event and the later reactive stages (4 and 5). Have you identified employees whose job duties can be performed remotely, and tested their remote access capabilities, including sufficient capacity, bandwidth, and authentication mechanisms? Do their remote access devices meet your current security standards, including AV/anti-malware status and patch levels? Have you validated your call trees and communication plans, including with critical third parties? Are your employees versed in communicating a consistent message to customers during the event?
As of the date of this post, we’re somewhere between phase 3 and phase 4. Financial institutions should use this Interagency Statement not just as a reminder of pandemic best practices, but as a clarion call to revisit their entire BCM and reevaluate all aspects of their resilience and recovery planning.