Business Continuity, Disaster Recovery Start at HomeInterview with Harry Rhulen, CEO of Firestorm, on the Principles of Sound Planning
Harry Rhulen, CEO of Firestorm recently answered questions regarding business continuity planning and the overall preparedness of the financial services industry - especially when it comes to pandemic planning. Firestorm (www.Firestorm.com) performs business continuity planning, vulnerability analysis, risk mitigation and crisis management for the financial services industry and other critical infrastructure industries.
Q: What led you to start Firestorm and your involvement in the financial services industry?
Rhulen: Jim Satterfield and I started Firestorm three years ago. Jim and I come from the insurance industry; Don Huggins comes from the U.S. Secret Service and also took part in the Federal Air Marshals program after 9-11.
The concept we all agreed on was: All vulnerabilities and exposures could be identified in advance and therefore could be planned for and mitigated for or eliminated as a possible threat to business continuity.
On that premise, we started, and as we began we received questions about pandemic and communicable illness planning. We were asked by Dr. C. Everett Koop, the former US Surgeon General, to come to Dartmouth, where Koop is a professor, to participate in a planning session for the school. Dr. Koop also has a bio-terrorism and pandemic planning group at the school. Dr. Koop is now part of our expert council, which has more than 100 individuals from different specialties that bring subject matter expertise to Firestorm. They consult on topics including pandemics and communicable disease and across the board on almost all business issues.
Not long after that, we were doing consulting work with First American, and they have a credit union. We got a panicked call from the credit union that the NCUA was coming to examine them and they didn't have a business continuity plan in place. We went in and rapidly did a vulnerability assessment and a threat analysis, wrote a plan for them and helped them test it. After the audit, they've done further training and education of their employees. We are very familiar to the financial institutions' needs in continuity planning, pandemic planning, even smaller gap analysis, and writing plans.
This applies for institutions of any size. We helped First American Credit Union not just meet regulatory requirements, but also create a culture of preparedness. To not do so is a mistake both for an institution's employees and customers.
Q: How likely is this pandemic? There are doubters out in many institutions, including senior management, who think their regular business continuity plan (BCP) will work for a pandemic?
Rhulen: There is an easy answer -- they don't have the option to say it won't happen here. The U.S. government has produced documents citing the estimates of workforce reduction numbers and the probability that a pandemic will occur. All of that information is something that they don't have the ability to refute. If they've met their regulatory requirements for business continuity plans for their institution, that doesn't give the board of directors protection. If there is a known vulnerability that they have failed to address, failure to plan is going to be negligence on their part. Just because they've met their regulator's requirements, it doesn't mean that they've met their legal requirements. Anyone who says 'well, we know there's a pandemic, but we're not going to plan for it, or we'll just do the minimum required by our regulator, because we don't believe there's going to be a pandemic,' they are relying on the business judgment rule to protect them, and the fact that they've made a bad business judgment they may be protected in a court of law when it comes to negligence, but they're going to have all kinds of other issues to deal with after a pandemic hits. First, the institution will fail to exist because of their failure to plan, and the community they serve will undergo undue hardship as a result. It comes back to this: They are they the fiduciaries of their customers' funds. Not only that but also the expectation that the financial resources and the critical infrastructure in their community will remain intact and remain functional, and that is an obligation they must meet regardless of their regulatory compliance requirements. Even if they succeed in defending themselves in a court of law, they have an obligation to their customers and to their community.
A financial institution has a greater obligation than their regulatory requirements. They have an ethical requirement to make sure that they have protected their consumers and their community to the greatest extent possible. They must live in a culture of preparedness that shows their level of understanding that they must remain open, intact and available to support the community from that critical infrastructure standpoint.
Q: From your perspective, have regulators put enough pressure on institutions to prepare for this adequately and with enough intensity for action? Are they moving fast enough?
Rhulen: Whenever regulations are put in place, it is typical that the industry will fight against it because they don't want to spend more money on meeting compliance with a new regulation. They want to show shareholders and the marketplace that their earnings are as high as possible --this is very short-sighted on their part, and is to the detriment of the long-term viability of their institution. Regulators are hamstrung by the very large financial institutions that have tremendous resources, including both financial and lobbying resources. They put a lot of pressure on the regulatory bodies so to some degree the regulators can only do a certain amount.
Q: How would you define the culture of preparedness?
Rhulen: One good example of the culture of preparedness is El Al, the Israeli air line. They not only have reinforced steel doors to the cockpits of all of their planes, they also interview every passenger before boarding a flight. They don't just have covert air marshals on their flights, but an armed guard sits at the front of the plane in full combat gear. That is a prepared company, and as such El Al has not had any attempt to hijack a flight since taking this action.
Take this example back to the financial industry and ask: We don't have that level of preparedness at the institutions or at the regulatory bodies -- why? Because a lot of them don't want to spend the money and don't think that it will happen to them; they are in disaster denial. Everybody thinks it won't happen to them, it won't happen here, or it's not going to be that bad, or I can handle it. This creates an environment where the attitude is that they will take the least amount of action to meet their regulatory requirements. A regulator doesn't want the grief that will be brought down on them when a congressman or other legislative arm comes down on them because the large financial institution complains about the regulation. The institution when asked by the regulator will say, 'What are you going to do, shut me down because my pandemic plan isn't in place?'
It is a societal problem, because we are protected between two oceans, even though we did have 9-11, we've had very few terrorist type of events. Most of these institutions have the attitude if they're in the middle of America, they're probably worried a little bit more about bad weather or tornadoes, but not about too much else going on. They don't have a culture where they understand that they are part of the critical infrastructure, and that they have an obligation to the people whose money is on deposit in their vault.
Q: What are some of the points of advice you'd offer institutions, especially the smaller ones, in setting up a viable pandemic plan?
Rhulen: Most of the important things they need to do will cost them nothing. It's a cultural change -- the adoption of the idea that preparedness has value. Predict, plan, perform is the methodology that Firestorm follows. First thing every institution should do, and it doesn't cost anything more than the man hours to do it, is the predictive work. They need to analyze what all of their vulnerabilities are.
Even if you didn't have money to spend on this effort, you can get your people together, get your vulnerabilities together, put mitigation strategies together to the best extent you can. Then the most important part on the perform side is education and training to have the continual implementation of the idea that the performance of that plan has value. Start to build in people's minds that they should be continually vigilant to look out for other vulnerabilities that the company has or may develop in the future. It's not something you do once, put it in a book and put it on a shelf.
The business continuity plan needs to be a living document and process. This begins with something that has no cost, but is a leadership issue that the senior management at a bank or credit union needs to provide -- lead the way by example.
Q: The need for ATMs to be stocked with money raises issues about vendor management for institutions. How important is that part of the continuity plan for handling a pandemic?
Rhulen: Critical supply chain analysis is essential for any business continuity planning strategy, and physical cash is one of the supplies that any institution is going to need. With a small institution, they may be able to get the cash, but not have anyone there to receive it off the truck or stock the ATM. If they acknowledge that as a vulnerability, they can enter into an agreement with another local institution so they can make sure that their customer base has access to cash one way or the other.
Q: What is the book you wrote on disaster preparedness and who is the audience?
Rhulen: "Disaster Ready People for a Disaster Ready America" is a book I wrote with Jim Satterfield -- not for corporations, but for people and their families. The book is designed to help everyone build a disaster plan for their family. Why? Because if people are prepared personally to handle a disaster with their families when a disaster does occur, they won't show up for work, and therefore you won't be able to implement the corporate plan.
The better-prepared your employees are, the quicker they're going to come back to work, and the faster your institution will be back to business. We saw that in Hurricanes Katrina and Rita, where half of the firemen and police didn't come to work after the first day because they were dealing with their own family's safety issues. This is an essential point of failure of most corporate business continuity plans, they fail to tell employees what is expected of them and their role during recovery and the company fails to educate and help the employee prepare their families for a disaster. This book is a 12-step plan for disaster planning for your family. Family planning often fails because people don't know where to start, so the book takes the family step-by-step each month to help them prepare for emergency situations. At the end of one year, the family will be ready to face any disaster and have a process and plan in place.