Pandemic Progress Report - How Do You Rate?

Institutions are All Over the Map When it Comes to Preparing for Disaster
When it comes to pandemic preparation at U.S. financial institutions, it's a case of good news/bad news.

Bad news first: Many midsized and smaller financial institutions are not fully compliant with the recent FFIEC pandemic guidance and don't have formalized pandemic preparedness plans yet in place. (See related story: New Pandemic Guidance Issued by FFIEC and New Pandemic Guidance Issued: Interagency Memo Details Actions to be Included in Business Continuity Plans)

But the good news: We've spoken to several financial institutions about their efforts, and, as a result of regulatory pressure, they all are working toward having a completed pandemic plan in place as part of their overall business continuity plan (BCP).

Good thing, according to William Henley, director of IT Risk Management at the Office of Thrift Supervision, who underscores the obvious: Compliance is mandatory. "It will be a learning process for institutions," Henley says, "but we expect that initially there will be organizations that just have not had enough time to update their business continuity plans (BCP) early on, [and] overall we would expect that within 6 months to a year all institutions will have updated their BCP appropriately."

Based on preliminary feedback from the national pandemic test of the financial services industry held in late September 2007, only a percentage of participants expressed that their institution was ready to face a pandemic. These results reinforce the need for this additional pandemic guidance, Henley says. "A severe pandemic event could significantly impact financial institutions and possibly the U.S. financial system if individual institutions are not prepared for it," he says.

Considerations for Pandemic Planning
The pandemic guidance helps institutions understand the impact of a pandemic event and how it differs from other types of disasters that they already have considered in their plans, Henley adds. In doing so, it allows them to modify and update their existing Business Continuity Plan to account for a possible pandemic scenario as well. Institutions under OTS supervision are being examined for their compliance with the new guidance (as are other institutions under FDIC, OCC and NCUA oversight). The financial institution's business continuity plan should provide:

Preventive program: strategies on stopping/limiting spread of virus within your institution;
Documented strategy: the plan, written out with appropriate documentation;
Comprehensive framework: how it will all fit together within your overall plan;
Testing program: no plan is ready unless it is tested, so test your plan!
Oversight program: assign personnel to oversee the entire pandemic plan and needed actions.

Progress Varies

Although institutions across the country have begun working to integrate a pandemic preparedness plan into their Business Continuity Plans, the level of preparedness ranges from "been there, done that" to "working on it."

South Adams Savings Bank ($194 million in assets) in Adams, MA, is one of the early developers. "We began preparing as soon as the initial guidance was issued back in 2006," says Kathy Dery. "We are very prepared for a pandemic disaster."

The bank has formed a liaison with the regional pandemic health care initiative headed up by the local hospital and the emergency care group, and the bank has stockpiled gloves and masks for its employees. Dery is confident about the depth of the bank's preparedness for a pandemic and says, "The business continuity plan is board-approved and in line with the just issued guidance."

Hearing that your institution's plan looks good from your examiner is a good thing, says Shawn Dotson at Partners FFCU ($58 million in assets) in Glen Allen, VA. When contacted about the credit union's level of preparedness for a pandemic and how they were progressing with their pandemic plan, Dotson says, "We do have a plan in place. We are currently in the middle of a CUNA audit. From what I have heard, our plan looks good to [the auditor]."

Partners also has conducted employee training on pandemic preparedness. "We then went over with employees what branches would be open, work schedules and how the employees would handle the transactions to limit exposure," she says. While the transaction process will be "much slower than our members are used to expecting, we will be open through the pandemic," she says.

The credit union even has a standing reservation at a hotel close to the office so that the employees can stay there in case the pandemic hits family members in their home, she notes.

At Citizens Bank in Mount Vernon, KY, the bank has been working on its plan for almost a year. The problem is that the bank's size and employee numbers may not sustain the bank being open during a pandemic. "We've been rolling pandemic planning into our DR/BC plan," says Dennis Weiskircher, IT manager and security officer. "It's not perfect, but we're such a small institution that if we have a large percentage of our employees out for any length of time, we're going to have to all but shut the doors. We have plans for what it would take to keep a skeleton crew running, but it wouldn't be pretty."

Case Study: Elevations CU

High in the Colorado Rockies is Elevations CU, and from where John McCartney sits as IT vice president, he expresses confidence in the plans made thus far by the credit union. Elevations CU ($702 million in assets) has 210 employees in seven locations across Boulder and Broomfield counties and serves 75,000 members. "We're pretty far along with our plan, in terms of having things in place," McCartney says.

Every year, Elevations holds a tabletop exercise with key members from all parts of the organization on business continuity. "We walk through a three-day, very detailed schedule of things we need to do to recover from a major disaster," he adds. Two years ago the credit union started planning for a pandemic, "but it was just an overview, and we asked preliminary questions like 'Do we have remote connectivity so people could log on and do work, are we doing cross training?,' and other simple things," he adds.

Elevations took part in last fall's three-week national pandemic exercise. "That was very eye-opening for the credit union staff," he says. Following the exercise instructions, "We went so far as to looking at people in the business and have them not to be able to work at all, based on the scenario."

The exercise showed some of the key areas where the credit union might have a problem. "As an example in the accounting department where we have some specialized skills that people are using to do their work, we found a hole. We thought we had cross-training in there, but we didn't have as much as we needed," he says.

McCartney envisions that the credit union's plan will result in a detailed set of instructions that "takes us through step by step of a pandemic. Whether we'll need to do a walk through every year on just a pandemic has yet to be determined." He says the credit union is well on its way in planning for a pandemic.

Questions persist, however, and when asked if they are nearing the point of being fully prepared, his answer was, "No, we certainly aren't. Could we keep our business running at the beginning of a pandemic and work our way through it if it hit now? I think we could but we don't have a formal written plan yet, so it would be harder to gauge response."

Elevations CU started cross-training employees in 2006, when McCartney initially started looking at the pandemic and how to prepare for it. Along the way he has collected preventive and protective supplies such as the little dust masks, rubber gloves and other things that will help prevent the spread of viruses, including an antiseptic cleaner that is now in all of the credit union's branches.

He is now formalizing the project schedule and plan that will include more employee education and communications. "We have already identified key operation personnel as part of our regular disaster recovery plan," he says. One other important program the credit union has worked on since late 2005 is remote connectivity for the operational staff. The program has been tested for its ability to let employees conduct work remotely, safely and securely, whether at the branch or at home. "It is robust and has worked out well. Even with the flu going around this winter, a number of staff have worked from home during periods when the 'crud' was at its peak," he says.

The one place that the credit union can't change is the face-to-face transactions when a member comes into the branch. "While we can't remove the customer-facing transactions to a remote action, though, but say the back office operations and accounting group can work very well remotely and perform all of the things they need to do," he notes.

Elevations' communication plan has been defined for business continuity. Within the plan is a three-day (72 hour) plan that has specific points to communicate with members. Messages could possibly come from board members or a key communications person from marketing. "We've identified the things we're expecting to communicate, and whether we'll be speaking to the newspaper, or on our internet site, those things have been identified specifically. This would also translate very well for our planned pandemic communications to members and we plan to follow a very similar process," McCartney says.

During the credit union's last NCUA examination, the business continuity plan was brought up. "The examiner asked what we have done so far in planning for pandemic, what have we done for due diligence and what is the current action plan to address those things we've not gotten to yet," McCartney notes. The credit union aims to complete its pandemic plan and have those things that have been identified done or in place by the end of the year.

One piece of advice offered by McCartney is that institutions need to consider pandemic planning and business recovery as a continuous process. "Every year you have to look at your plan, and make sure to do it at least once a year. Examine it as though you were looking from an examiner's point of view. We will always be tweaking it and looking to refine certain processes as our environment and business needs change. If you don't do that, then your plan won't be there when you need it because it won't reflect the current business model you have."


About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.