New Pandemic Guidance IssuedInteragency Memo Details Actions to be Included in Business Continuity Plans
According to Michael Jackson, Associate Director, Division of Supervision and Consumer Protection Technology Supervision Branch of the FDIC, each institution should have as part of its plan a documented pandemic strategy that provides for:
The FFIEC statement on Pandemic Planning supplements the previous guidance from agencies released in March 2006 and late 2007.
Coincidentally, this actions comes on the heels of the release of Information Security Media Group's State of Information Security 2008 survey, which reveals that, of all potential disasters, financial institutions by their own assessment are least prepared for pandemics.
Accounting for Scale
One of the issues the agencies wanted to address in this ongoing supervision is that pandemic plans need to fit the needs and size of an institution.
"For a small bank we're not expecting to see a 100-page plan with a rigorous testing plan in place -- we want it to fit the institution, depending on the footprint of the bank and the needs of the institution and its customers," says Mark O'Dell, Deputy Comptroller of Operational Risk at the Office of the Comptroller of the Currency.
At this time, the FDIC's Jackson sees that institutions' progress on pandemic plans range widely - and this is a disparity that needs to be addressed. "Some are waiting and just making slight changes to their BCP, and some think they have more time to work on their plan."
This statement gives institutions the push to expand their business continuity plans to include more pandemic planning, Jackson notes. "The pandemic plans should be sufficiently flexible to address a wide range of possible effects and outcomes from a pandemic. This statement gives institutions a good start on a framework to either start a pandemic planning program or expand on their existing one."
Jackson suggests that institutions begin by comparing what they have in their existing plan to what is in this FFIEC statement. He also notes that the list of referenced websites in the statement should be checked for new information to update plans.
The boards of directors at institutions should review the statement and pandemic planning guidance, too, as they ultimately will be held responsible for their institution's pandemic plan, Jackson notes. "This has been articulated in the previous guidance and this statement. The board of directors being held accountable is not necessarily a negative, we think. With the proper planning and preparation, each institution will be successful in meeting the guidance's' requirements in having a viable, tested plan in place."
The need to ensure that third-party service providers are able to meet the needs of the institution should also be considered in pandemic plans.
Institutions may also want to consider getting amendments to their existing agreements with vendors that will ensure the vendor will be able to provide at least a minimum level of service or goods to the institution during a pandemic.
Having other vendors in place as back-up to the primary vendors may be a consideration for institutions to pursue. One of the unique differences between a pandemic and other catastrophic events is the staffing challenge presented by potentially high levels of absenteeism due to illness or family members falling ill during the pandemic.
Although this new guidance does not come accompanied by a hard deadline by which institutions must demonstrate compliance, the interagency message is clear: Be prepared for your next examination.
"Have your plan ready, and tested, have multiple back-up sites and vendors prepared to deliver to those sites," Jackson says.
Because of the multiple "unknowns" that may occur during a pandemic, along with considering that a pandemic would spread across wide geographic areas, institutions may need to have multiple sites for back-up operations.
"The most important part of the pandemic plan is the human element. It has to be considered more in planning for a pandemic," Jackson notes. Institutions may also want to look at possibly using remote deposit capture to help with the social distancing issues that they and their customers may face during a pandemic. "You will be able to have less interaction with the customers and still be able to provide a high level of service."