Pandemic Preparation: How do Financial Institutions Stack up?

Of all the major areas of business continuity/disaster recovery, pandemic preparation is where financial institutions say they've done the least work. And yet it is the major focus of banking regulators, which in 2008 expect institutions to step up their pandemic preparation efforts.

In this interview, Regina Phelps, founder of Emergency Management & Safety Solutions, shares insights on:

  • How financial institutions stack up against other industries in terms of pandemic preparation;
  • Where institutions are most prepared;
  • Where they are least prepared;
  • Other elements of business continuity/disaster recovery that need attention now.

TOM FIELD: Hi. This is Tom Field with Information Security Media Group. Today I'm talking with Regina Phelps, founder of Emergency Management and Safety Solutions, and the topic is pandemic preparation. Regina, thanks so much for joining me today.

REGINA PHELPS: You're welcome, Tom.

FIELD: In your experience, Regina, and I know you've got a lot of experience, how do financial institutions stack up against other industries in terms of their pandemic preparation?

PHELPS: Well, I think the good news is that the financial industry as a whole has really been a leader in the area of pandemic preparedness and pandemic planning, and this builds upon a very rich history that the industry has had in the area of business continuity planning and disaster recovery, which they have had mandated by law for of course many years now. And that has positioned them to be forward thinking and also really being able to get a better grasp of the magnitude of the problem in perhaps other industries that have less experience in the area of business continuity and disaster recovery overall.

FIELD: Now, what's really interesting and timely is, since you and I first spoke, the FFIEC has come out with new guidance on business continuity and disaster recovery with some specific points on pandemic preparation. How well prepared do you think these institutions are to meet the new regulatory expectations?

PHELPS: I think that's going to be an interesting question going forward. A couple of things to consider: First of all, I think that many of the larger institutions will be able to meet the newer regulations with not a tremendous amount of effort. But I think for smaller banks, credit unions and smaller organizations, I think they're going to have a little bit more of a challenge in being able to meet those new regulations. I also think, too, going forward that the industry as a whole - and for that matter, all of us in the area of emergency management or any type of continuity planning - are going to be challenged really with one key issue, and that is what I'm calling pandemic fatigue.

If you look at the pandemic front, it has been now widespread or widely known since about the year - the late part of 2004. And I think many of us have developed relatively short attention spans; and because of that, we expect things to happen pretty quickly. And if they don't, we dismiss them or assume they're not going to happen. And for a while, you could pick up every major contemporary publication and there was some article on pandemics, if not on the front page certainly in the first two or three pages into the publication. That has changed markedly over the last six to eight months, and we don't see that regular reporting of the pandemic threat.

However, the threat remains just as grievous as it did six months, a year ago, 18 months, two years ago. And I think the concern that we have is that people have now stopped focusing on it because they don't see it in the news and therefore don't believe it's going to happen.

I think the other issue that specifically is going to challenge the financial community is the current crisis within the whole economic financial markets within the United States, banking and so on. And I think when you have pandemic fatigue, combined with all of this upheaval in banking, there's so much attention now going away from this concept of planning, pandemic planning and really for that matter other types of planning, just focusing on these current crises, that I think it's going to be harder for people to comply with those regulations and maybe stay focused in order to be able to succeed in making progress on them.

FIELD: You make a great point there, especially about the pandemic fatigue. From what you see, in what ways are financial institutions most prepared for a pandemic?

PHELPS: Well, a couple of things. First of all, they have been really forward thinking in the area of remote work. So, for example, it's not uncommon in the banking world in the financial industries where many of the mission critical activity can work remotely, and that's also a really important help in any sort of pandemic event. And you'll see that many organizations are able to do trades and do all types of transactions and do real-time mission critical work either remotely or they have some fairly defined processes in place that will really assist them. So, that I think is a real strength that the financial industry has.

But conversely, it's almost also one of the things that will be a little bit of a hindrance for them. There was a recent study released by DHS (Department of Homeland Security) in December of 2007. In that study, which was really done at the behest of the financial industry, they asked essentially the question 'what about our remote work staff during the pandemic. Will they be able to access the internet? Will they be able to work successfully remotely?' And there was a lot of concern, and of course I'm sure everybody always goes back to the term 'the last mile,' which essentially is the failure of the telecommunications services to be delivered in that last mile very likely to an employee's home.

The study that came out in December of 2007 said, yes, indeed that is going to be a major problem. And if we have high absenteeism, coupled with schools being closed and kids at home, it is extremely likely that we have failures at the last mile. And then they said, which was really the driving blow to many banking pandemic plans that were built on remote work, that if you have mission critical functions and we have high absenteeism, you cannot depend on a remote work-from-home strategy.

So, the plus of what banking has done so well and what they were really counting on in the case of a pandemic is now conversely at this point in our infrastructure not likely to succeed for them. So that leads to a challenge that the banking industry is going to have, which is how in the heck are they going to revise their plans and possibly even revise them on the fly to then bring workers back in if they're not able to work remotely? And that would take into account many, many, many issues because if you're in an area with mass transit - let's say New York City, for example - will subways be running? And if they're running, would your employees wish to be on them in order to get to their job? How can they be in their workspace and be able to work safely? Can they be social distanced? Can cleaning be done in an adequate amount in order to make people feel safe? Do you have the right personal protective equipment? It brings up all of those issues that, if people were able to work remotely, would become less of a problem.

FIELDS: Well, that's frightening if that's where they're most prepared because I'm almost scared to ask now where are they least prepared?

PHELPS: Well, I think it's - this is an important thing to stop and think about. When you think about a disease, there're really only four things that any company can do, and that goes for banking as well as for other industries. So when you think about it, there's only four things really. One is under the broad umbrella of education and communication. So you need to have information already prepared about what you would tell your employees. You need to be considered to be kind of a go-to source of reliable and credible information so that your staff can trust what you're saying. Then you also need to have educational products already developed or at least available to your staff to teach them about hand-washing and cough hygiene and disease prevention and how the illness is transmitted and so on.

The second pillar, if you will, is this whole concept of social distancing, how far you are away from your coworkers. Minimally, the CDC recommends six feet, although there's no scientific research that says six feet is better than three feet which is better than 10 feet. So social distancing... Imagine a bullpen of people working on a trading floor. They're often very, very close together, as is in call centers and other environments like that. How do you social distance in order to at least spread people six feet away?

The third pillar really is overall, which is personal protective equipment. Would you have masks for your employees? When would they wear them? How often would they change them? What are the protocols for obtaining new ones? All of those sort of issues - when would you wear them, would you not wear them, what would you require or would you not require - all those policy questions are really critical.

And the fourth and remaining pillar really is in the area of cleaning because a respiratory illness is spread by really two things: One is what's called droplet nuclei, so talking, breathing, sneezing, all of those things whenever you're speaking, just simply breathing you're steering out all kinds of moisture out of your mouth. That will then settle onto objects. If you cough into your hand, touch a doorknob, then you've contaminated that doorknob. Moments later, somebody else comes along and touches that same doorknob, then rubs their nose, and that's how people become ill during any flu season. So how do you have a cleaning environment for your folks that really is going to make sense?

Those four pillars are the basis of any pandemic plan, and I think to some extent banking has thought about that; but they haven't gotten to the granular level that they need to get to in order to make their plans successfully. Because, to be honest with you, Tom, if you can only do those four things in order to make it safe for somebody to come to work, if your employees don't feel safe they're not going to come.

FIELD: Well said. Beyond pandemic preparation, what other elements of business continuity and disaster recovery do you see that need immediate attention from financial institutions?

PHELPS: Well, you know, I think the key thing that I'm going to really mention, besides for the overall pandemic planning - and let me just say that in a pandemic plan, about 90% of the pandemic plan is overall strong, good business continuing planning. And it's only about 10% that is disease related. I think my concern going forward - and I think the things that all planners in the bank industry need to consider is as we go forward in this period of economic uncertainty - in my 26 years of practice, what I have seen over and over again is that when things become tough financially, what occurred is that time and energy is removed away from this continuity planning process, disaster recover process. There might be less auditing of plans, less exercising of plans, less attention played to these documents overall. And what happens during downturns of the economy, there's a huge transition that goes on within the business. People are laid off. Departments get smaller. They might have moved. They might change vendors. So at the same time, when there is less attention being paid to these plans because of possibly staffing or just bandwidth within the organization, that's often the time also that the organization is in its biggest transition, of which the plans actually need a fair amount of updating based on the churn that's happening within a department, a group, a company.

So I think my concern for the industry is that as we go through these troubling times, that people don't remove their eye from the ball and overall strong continuity planning and the need to revisit their plans. And that when there are changes within a company, an organization, a department, that they remember that they have to look at those continuity plans to make sure that they are still accurate based on the changes that they'd just gone through.

FIELD: So, last question for you, Regina: As you know, there are a lot of institutions that are now paying maybe the first attention to pandemic preparation because regulators are saying they have to. If you had to boil it all down, what one piece of advice would you offer to a financial institution that's now seriously tackling pandemic preparation?

PHELPS: I think the most important thing I would say to them is that they need to plot a plan of action and stay the course. I think what has happened is that people started with a lot of enthusiasm in the pandemic planning initially. And over time, because, Tom, frankly, it's a very complicated issue, looking at your supply chain and looking at all the things in a great global plan really is what it is, that people get distracted. It becomes too much. It becomes too difficult. And then with all the other challenges that I've mentioned, it becomes too overwhelming and they begin to drift away from it.

So I guess my one piece of advice I would say for any organization who's working on their pandemic plan is to stay the course, develop a timeline and a trajectory, understanding that it is a very complex process to really understand your organization from stem to stern and a problem that could lasts for 18 months and that they need to stay the course. You know, it's like eating an elephant, right? One bite at a time. It's exactly the same thing as a pandemic plan, is to think about focusing, staying the course, moving forward, moving in some sort of manageable way so that you're continuing to make progress on a regular basis. And I think that will yield tremendous results for any company.

FIELD: Very well said. Excellent insight. Regina, thanks so much for your time and for your thoughts today.

PHELPS: My pleasure. Thanks very much, Tom.

FIELD: We've been talking with Regina Phelps, founder of Emergency Management and Safety Solutions. For Information Security Media Group, I'm Tom Field. Thank you very much.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.co.uk, you agree to our use of cookies.