The FFIEC’s Take on Addressing Pandemic Planning within Business Continuity Processes

The last time the Federal Financial Institutions Examination Council (FFIEC) issued guidance to financial institutions regarding pandemic planning was in 2007 in response to the avian flu pandemic.  Many institutions likely have a pandemic response section within their business continuity plans but have not had to put such procedures into effect until this year.  In March 2020, an update to the original interagency guidance was issued to provide additional considerations for minimizing the potential impact of a pandemic in response to COVID-19.  Based on this new guidance, and the events of 2020, institutions should be revisiting and updating their pandemic plans to incorporate the new guidance and lessons learned from COVID-19.

The FFIEC says pandemic plans should be incorporated into an institution’s overall business continuity plan, but the objectives of pandemic planning have several distinctions.  Business continuity plans typically focus on disruptions that are relatively short in duration and are limited to a specific geographic area or location.  Pandemic plans should be designed to mitigate events that could vary significantly in scale and duration.  Pandemics, as we have seen, could impact an organization’s entire geographic area and may occur in multiple waves over a longer duration of time than business continuity plans are typically designed to address.  One of the most significant challenges a pandemic presents is a staffing shortage due to employee absenteeism.  Due to these factors, a pandemic plan needs to be flexible and scalable to respond to a wide range of potential effects.  The potential impact a pandemic could have on critical financial services should be incorporated into ongoing business impact and risk assessment processes to determine if additional mitigation plans need to be developed.

To adequately address the threat of a pandemic, institutions should incorporate the following elements into their plan:

1.  A preventative program to reduce the likelihood of a pandemic affecting the institutution’s operations.  Items to consider include monitoring of a potential outbreak, cross-training employees on other job roles, educating employees on practices to reduce the spread, ensuring adequate hygienic supplies are on hand and coordinating potential response activities with critical vendors.

2.  A documented strategy to deal with the effect of a pandemic.  The FFIEC’s guidance references the Center for Disease Control’s Pandemic Intervals Framework, which describes the progression of a pandemic using six intervals.  Response strategies should be modeled after the effects of each interval to ensure institutions can respond quickly when a pandemic event occurs and then pivot to prepare for additional waves that may occur.

3.  A comprehensive framework of facilities, system or procedures to allow the continuation of critical operations and services in the event of staffing shortages.  These procedures could include remote work arrangements, restriction of visitor or customer access to facilities, responses to actions by government officials and increased reliance by customers on electronic banking, customer support centers and ATMs.

4.  A testing program to ensure that the identified strategies and framework will allow the continuation of critical operations and services through a pandemic-like scenario.  Testing procedures could include stress-testing remote work systems and procedures via planned work-from-home days, coordinating with vendors to ensure infrastructure can adequately handle spikes in electonic banking and telephone banking usage, completing tabletop exercises to test work procedures and communication protocols that could be impacted by absenteeism rates and participating in regional or industry-wide testing exercises for the financial services sector such as those hosted by FS-ISAC.

The ultimate responsibility for business continuity and pandemic planning lies with senior management and the Board of Directors.  The Board or a committee should be responsible for reviewing and approving the pandemic plan and ensuring sufficient resources are invested into each element of the plan.  Senior management’s responsibilities should include developing specific policies and procedures to implement the plan, communicating the plan through the institution and ensuring that a regular testing program is completed that is appropriate for the size and complexity of an institution’s processes.

If you want to read the full guidance, it can be found on at the following link on the FFIEC’s website. Additionally, if you have questions or would like to discuss business continuity or pandemic planning, please contact us, we would be happy to talk.

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2024 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on
The Impact of the Baltimore Key Bridge Disaster on Supply Chain
IPE 101 – Assessing Management IPE Controls and Report Risks
IPE 101 – Differentiating Populations and Key Reports
IPE 101 – Defining and Understanding Information Produced by Entity
SEC Adopts Final Climate Disclosure Rules
HMDA: Common 2022 Violations and How Community Banks Can Address Them Before the 2023 Filing
Register to receive our weekly newsletter with our most recent columns and insights.
Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us
contact us
Pittsburgh

This site uses cookies to ensure that we give you the best user experience. Cookies assist in navigation, analyzing traffic and in our marketing efforts as described in our Privacy Policy.

×