A pandemic presents challenges that do not arise in typical business continuity planning. For example, typical business continuity plans address manmade or natural disasters that are normally short in duration or more limited in scope or geographic area. The Statement indicates that the BCP for a pandemic will need to address a situation that could include a prolonged duration that occurs in waves and affects multiple geographic areas. To address these differences, a financial institution should first assess the potential effect of a pandemic on the institution’s ability to deliver critical financial services. Based on this risk assessment and business impact analysis, the Statement directs financial institutions to update their BCPs, including the following:
- A preventative program to limit the effect on operations in the event of a pandemic. The financial institution should monitor potential outbreaks; educate employees, including hygiene training; and coordinate with critical service providers and suppliers.
- A documented strategy to be able to scale the financial institution’s response to the different stages of a pandemic outbreak, such as the six intervals described by the Centers for Disease Control and Prevention (CDC). The strategy should also address recovery from a pandemic wave, preparation for the next wave and plans for re-entering personnel into the workplace.
- A comprehensive framework of facilities, systems or procedures in the event of significant absenteeism. Financial institutions should be prepared to minimize staff contact, implement telecommuting plans or conduct operations from alternative sites. Moreover, with the expectation that customers will rely more heavily on electronic banking services, institutions should be prepared for significant spikes in usage and potential strains on those systems.
- A testing program to ensure that its pandemic plan is effective. A testing program should include testing for the roles and responsibilities of management, employees, key suppliers and customers; key pandemic planning assumptions; increased reliance on online and telephone banking and call center services; and remote access telecommuting capabilities.
- An oversight program to ensure ongoing review and updates to the pandemic plan to ensure that the plan is sufficiently flexible to incorporate new information and risk mitigation approaches.
Because pandemic planning presents different challenges from typical business continuity planning, the Statement provides guidance on how management should approach developing a pandemic plan. The senior management responsible for developing the pandemic plan should include management from all functional, business and product areas, not just information technology but also human resources, legal, administrative and key product lines. The board of directors has oversight of development of the pandemic plan, and the board or an appropriate committee should approve the written plan and ensure that senior management is investing resources appropriately. Once the written plan is approved, senior management has the task of translating that into policies and procedures and then effectively communicating those policies and procedures to staff.
In conducting a business impact analysis (BIA), management should assess the potential effects of a pandemic, including (1) assessing and prioritizing essential business functions and processes; (2) identifying the potential impact of a pandemic on the institution’s essential business functions and customers; (3) identifying the legal and regulatory requirements for business functions and processes; (4) estimating the maximum downtime that may occur during a pandemic; (5) assessing cross-training conducted for key business positions and processes; and (6) evaluating the plans of critical service providers for operating during a pandemic. The FFIEC also recommends consideration of a list of 12 planning assumptions published by the Department of Homeland Security (DHS) in connection with a BIA, but even those assumptions should be reassessed in light of the developing facts related to COVID-19. For example, the DHS assumptions include the following: “The clinical disease attack rate will be 30 percent in the overall population during the pandemic. Illness rates will be highest among school-aged children (about 40 percent) and decline with age. Among working adults, an average of 20 percent will become ill during a community outbreak.” Preliminary indications are that these assumptions may not hold true for COVID-19, so financial institutions will need to be nimble in updating their BIAs as warranted by facts on the ground.
In any event, a critical consideration will be expectations for higher absenteeism as the situation develops. Employees may be sick themselves, may need to take care of sick family members, or may need to be out of work because of school closings, quarantines or interruptions in public transportation. The DHS believes that rates of absenteeism could be as high as 40 percent during the peak weeks of a community outbreak. Finally, the BIA should consider external factors, the availability of external services and possible disruptions to such services, including due to governmental actions. For example, a financial institution should analyze whether its remote access capabilities and the capabilities of external service providers are capable of handling a higher load of users in the event of an increase in reliance on telecommuting, including the community’s technology infrastructure.
A financial institution’s risk assessment and risk management programs should also consider the adverse effects of a pandemic, including steps to (1) prioritize the severity of potential business disruptions; (2) perform a gap analysis that compares existing business processes with what is needed to mitigate the severity of potential business disruptions; (3) develop a written pandemic plan; (4) have senior management and the board of directors or an appropriate committee review and approve the pandemic plan; and (5) communicate and disseminate the plan to employees. Because many of these are expectations for actions that should precede an actual pandemic event, financial institutions should prioritize the steps with most immediate impact on current preparedness.
Coordinating with third parties to share information and provide support and maintenance of vital services during a pandemic is a key component of pandemic planning. Management should also ensure that there are plenty of essential supplies on hand, as well as proactively manage equipment maintenance to ensure sustainability during service disruptions. Management should also look for potential supply chain weaknesses and develop alternatives for obtaining critical services and supplies.
Management should develop a strategy for identifying and communicating to staff when the status of a pandemic alert changes. Management should monitor national and international pandemic news sources to be aware of potential outbreaks, including websites devoted to national healthcare issues. Management should then communicate to employees and service providers what actions it intends to take based on these changes in pandemic status.
For employees, management should consider risk mitigation strategies such as publicizing CDC “Cover Your Cough” and “Clean Your Hands” programs; encouraging employees to avoid crowded places; implementing “social distancing” techniques to avoid face-to-face contact; and reviewing and considering the use of other non-pharmaceutical interventions developed by the CDC.
The Statement includes links to the following resources that financial institutions should review to assist in updating their business continuity plans to address a pandemic including the FFIEC’s Business Continuity Management booklet found at https://ithandbook.ffiec.gov/it-booklets/business-continuity-management.aspx.
Subsequently, on March 9, the agencies issued a further release encouraging regulated institutions to help meet the financial needs of customers affected by COVID-19, and indicating that prudent accommodations consistent with safe and sound lending should not be subject to examiner criticism. That guidance also emphasizes the willingness of the regulators to expedite “any request to provide more convenient availability of services in affected communities” and to work with affected financial institutions in scheduling examinations or inspections to avoid aggravating operational challenges.
We have organized a global task force to address the myriad issues that face clients as a result of the coronavirus outbreak. Please see our Coronavirus Resource Center for further information.
1 National Strategy for Pandemic Influenza, Implementation Plan (May 2006), at 25, https://www.cdc.gov/flu/pandemic-resources/pdf/pandemic-influenza-implementation.pdf.
Sidley Austin LLP provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.
Attorney Advertising - For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000.