FFIEC Expands Pandemic Planning Guidance for Financial Institutions

Avalution Team | Jan 23, 2008

Introduction
For financial institutions waiting for more formal guidance from the Federal Financial Institutions Examination Council (FFIEC) before planning for a pandemic, the time is here. The FFIEC, an interagency council that prescribes uniform standards for the United States financial industry, recently followed up the industry’s “Interagency Advisory on Influenza Pandemic Preparedness” and NCUA’s “Letter to Credit Union 06-CU-06 – Influenza Pandemic Preparedness” with new guidance.

This 10-page document, titled “Interagency Statement on Pandemic Planning”, outlines actions and strategies financial institutions should strongly consider when developing pandemic plans.  Similar to the “Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System” guidance released in April 2006, the guidance is not mandatory, but most financial institutions will likely consider implementing the recommended strategies to meet supervisory expectations.  If an institution does not implement the recommendations, examiners will likely inquire why and push for implementation.  Further, institutions that play a critical role in financial markets may be asked by the agencies to implement the standards, in an effort to monitor and control the risk of one financial firm significantly impacting the entire market.

While most financial institutions have business continuity programs in place, traditional planning efforts assume that the event will be localized and short-term. As a pandemic could last 18 to 24 months, with two to three waves each lasting six to eight weeks, planning for a long-term public health event requires significant analysis and preparation. In today’s global economy, an outbreak in China could have almost as much of an impact as a local outbreak, so financial institutions must plan for up to two years of periodic disruption, or “business unusual”.

Interagency Statement Summary
The FFIEC document briefly outlines five key components financial organizations should include in their pandemic planning efforts:

  1. A preventive program, including monitoring, employee awareness, communication with key stakeholders and protective equipment, all designed to minimize the impact a pandemic could have on the organization
  2. A documented strategy, tied closely to predetermined “trigger points” to ensure that strategies are implemented (and retracted) as needed to protect employees and operations
  3. A comprehensive framework of facilities, systems, or procedures resilient enough to support telework operations and protect on-site employees, as well as provide customers with safe, reliable options to conduct business
  4. A testing program that sufficiently analyzes and stresses plans, strategies and resources to ensure continuity of operations, utilizing diverse scenarios and/or work-from-home days that effectively perform resource “stress tests”
  5. An oversight program to ensure ongoing review and updates, thus advancing the program to protect against the latest threats and include changing critical business processes

Rather than explaining in detail how to implement these five components, the remainder of the FFIEC guidance focuses on reviewing key issues organizations may experience when attempting to establish the components listed above.  The guidance includes clarifying board and senior management responsibilities, incorporating pandemic risk into the Business Impact Analysis, comprehensively developing risk assessment/risk management strategies, and conducting risk monitoring and testing.  The FFIEC’s recommendations and Avalution’s perspective on each are discussed in the sections below.

Board and Senior Management Responsibilities
As the FFIEC document states, before pandemic planning efforts begin, board members and senior management (including Human Resources, IT, General Counsel, Facilities, Finance, and any other key departments) must understand and appreciate the pandemic threat in order to support the efforts both financially and with the appropriate level of resources and effort (consistent with all other business continuity planning activities). It is the board’s responsibility to oversee the development of plans and strategies, while senior management is responsible for actually developing/updating the program and ensuring it is adequately and regularly tested.

Though the FFIEC guidance does not specifically mention this, a project sponsor at the executive level may be needed to provide general oversight and monitor the progress in maturing and enhancing the program for the pandemic threat.  This ensures a clear point of responsibility for providing necessary resources and supervising the organization’s adherence to the business continuity policy.

Incorporating Pandemic Risk into the Business Impact Analysis (BIA)
Traditional Business Impact Analyses assume the issues are localized and short term. As recommended by the FFIEC, when conducting a BIA to analyze an organization’s ability to withstand a pandemic, planners should also assess business functions by analyzing the impact of a long-term incident. The BIA should assess and prioritize critical functions and processes, analyze the pandemic’s impact on these functions/processes and identify customers likely to be most severely affected. The analysis should verify that cross-training capabilities and the maximum allowable downtime for each business process are appropriate for both short-term interruptions and long-term public health events.

The analysis should also consider concerns such as changes in customer requirements or preferences (e.g. online or tele-banking), regulatory or legal requirements/implications (e.g. enabling customers to access their accounts), and supplier/vendor abilities to meet contracts/SLAs when they themselves may be severely impacted by the pandemic. This last element is extremely important, as most BIAs assume that any interruption will only impact their organization or local region and therefore do not consider the ability of all vendors to still meet demand. Critical interdependencies become even more important in a pandemic, as the process chain could break at multiple points and prevent the remainder of the process from functioning, even if resources are available.

As employee absenteeism could reach as high as 40%, the analysis should also consider how government measures to reduce the spread of illness (shutting down public transit, closing schools, restricting travel to infected countries, etc) or familial illness could affect the ability of personnel to report to work.  When developing strategies to encourage employees to feel safe reporting to work, planners should consider preventive measures, such as educating employees and acquiring Personal Protective Equipment (PPE), to diminish fear and teach “risk-reducing” behavior.

Some impacts Avalution recommends organizations consider during the BIA include predicting how spikes/ebbs in demand could affect business priorities, the possibility of standard operating procedures failing to meet these business requirements, how high levels of absenteeism could require significant changes in operations and how resource shortages could require scaling back/shutting down less critical business processes/functions. Though typical BIAs assume that critical operations will be brought back before non-critical processes, in a pandemic, it may be necessary to shut down a non-critical but operative process in order to reassign its resources to a critical process that requires them.

Risk Assessment/Risk Management
As the FFIEC states, organizations should also incorporate pandemic planning into overall risk management efforts, including performing a gap analysis to document pandemic planning areas for improvement, incorporating pandemic planning into the broader business continuity planning process, receiving board approval for the plan, and educating employees, customers and other stakeholders on organizational efforts to prepare for a pandemic.

Before deciding upon strategies and drafting plans, organizations should consider conducting an analysis of IT resources, as one of the most common strategies to overcome absenteeism actually becomes a significant obstacle itself.  Though having employees work from home decreases the opportunities for them to become sick or pass the virus on to others, very few organizations have the IT infrastructure in place to support this strategy.

When conducting this analysis, Avalution recommends organizations not only consider what resources are needed but also identify what positions can even be performed remotely before strategies can be developed for each business process; for example, primary source document access requirements may prevent personnel from working remotely. The analysis should consider necessary hardware (PCs/laptops), software, equipment (cell phones, faxes, scanners, etc), authentication methods (licenses, tokens, etc), VPN capacities, bandwidth barriers both at the main site and at the neighborhood level, and any other potential IT requirements.

Once appropriate strategies are developed, Avalution recommends that the pandemic section of the plan (or the separate pandemic plan) include a number of elements (many of which are recommended by the FFIEC) to prepare and protect the organization, including:

  • A definition of what a pandemic means to the organization, as well as any planning assumptions made during the development of the plan (length of a pandemic, origin of the outbreak, etc)
  • A description of the Crisis Management Team members, their roles and contact information for primary and alternates
  • An Emergency Operations Center (location from where the CMT will respond), as well as virtual strategies to sustain communication when in-person meetings are impossible or unsafe
  • Predefined triggers to compel the CMT to implement defined strategies, including WHO phase changes and local outbreaks, as well as methods to monitor news and media outlets for the occurrence of these triggers
  • Strategies the organization may implement before, during and after a pandemic, including social distancing, PPE, telework, scaling back/shutting down business processes/functions, modifying the way business processes are typically performed (reducing in-person customer interaction), etc
  • Key stakeholders with whom to communicate, including employees, customers, key critical vendors, shareholders, local authorities, emergency management agencies, media contacts, etc

Risk Monitoring and Testing
Once the plan is developed, the FFIEC recommends organizations perform regular testing.  As the potential impacts of a pandemic vary greatly from traditional crisis management issues, and as the potential issues differ significantly depending on the severity, frequent and varied testing is extremely important in proving the viability of a pandemic plan.  As the FFIEC document states, there are a number of methods to exercise the plan, including “work at home” days, table top or scenario based exercises, call tree exercises and community or region-wide exercises.

The goal of these exercises should be to test the plan against a wide range of possible situations to ensure it is flexible and adaptable to any situation, as well as familiarize participants with the pandemic strategies.  After each exercise, the results should be summarized and presented to the board/senior management, and plans should be updated to reflect any lessons learned from the exercises.

Additional Preparedness Actions to Consider
Though the FFIEC document provides a number of key elements to incorporate, Avalution recommends organizations also consider each of the following activities.

A commonly, yet critically, overlooked area in business continuity planning is identifying the impact of absenteeism.  While many institutions perform cross-training and document key processes, very few have documented analyses on how 40% absenteeism (the predicted peak) could affect the organization’s ability to perform critical operations, especially if certain business areas experience spikes in demand.  Organizations should consider conducting a staffing analysis separate from the BIA to identify:

  • Minimum staffing levels needed to maintain minimal, essential operations
  • Employee single points of failure
  • Whether employees can perform essential business processes from home (or another location), including the availability of technology to enable work-from-home strategies
  • Alternate strategies that may enable continuity of operations during peak levels of absenteeism
  • Alternate sources of human resources (with appropriate knowledge and experience), including other departments and former/retired employees

While these questions could be covered in a Business Impact Analysis, separating out employee-specific questions will enable a more in-depth analysis of current-state staffing levels, minimum staffing requirements, key skills requirements, IT resource needs, and other concerns/requirements specific to departmental staffing requirements. Specific to IT requirements, conducting a staffing analysis enables organizations to develop an IT requirements gap analysis and identify how IT resources must be expanded in order for work-from-home strategies to be both feasible and viable. This also provides quantifiable justification for strengthening IT infrastructure to support operations during a pandemic.

Organizations should also consider developing “business unusual” processes – alternate business processes and strategies designed to enable the continuation of the most essential services.  Many organizations, in order to take a holistic view of business operations, are documenting service continuity plans that:

  • Identify essential business processes and associated performance metrics
  • Identify anticipated demand changes caused by a pandemic (or the threat of a pandemic)
  • Document minimal capabilities necessary to meet expectations and performance metrics
  • Develop alternate strategies to meet expectations and performance metrics
  • Identify what and when to potentially scale back or shut down in order to reallocate scarce resources

These plans contain triggers, meaning pandemic event characteristics or “business impacts” (such as a certain percentage of absenteeism or significant spike in demand) that when met, lead management to consider service continuity strategies for implementation. By tying strategies to specific “business-impacting” trigger points, strategies are not implemented unnecessarily and the point at which to roll back strategies can also be more easily defined.

Another action organizations should consider is reviewing/revising Human Resources policies to appropriately address pandemic specific concerns, including:

  • Defining positions as “mission critical” (which may clarify expectations)
  • Outlining “stay-at-home-if-sick” and “return-to-work” expectations
  • Defining the right to quarantine visibly sick employees
  • Restricting visitor access
  • Continuing payroll even if employees are instructed to stay home
  • Establishing or redefining telework policies
  • Identifying methods to track sick employees

While some of these topics may already be covered, many require modification in order to address the business risk posed by a pandemic.

The FFIEC “Interagency Statement on Pandemic Planning” provides a high-level, yet well-thought-out set of issues for financial organizations to consider when developing pandemic plans and strategies. In addition to the guidance provided by the FFIEC, a number of other resources are available to assist organizations with pandemic planning, which the FFIEC encourages organizations to review when integrating pandemic planning into their business continuity programs.

Organizations should consider any and all available guidance when developing their pandemic plans. As the 24/7/365 global economy has never experienced or had to survive an international pandemic event, preplanning efforts will likely make all the difference in whether an organization is able to survive and meet stakeholder expectations during a pandemic.