The Federal Financial Institutions Examination Council ("FFIEC") reminded financial institutions that their business continuity plans should include preparations in the event of a pandemic outbreak. The FFIEC - which includes representatives of the Federal Reserve System, FDIC, National Credit Union Administration, OCC, CFPB and State Liaison Committee - published an updated version of its pandemic planning guidance, which was previously issued in 2006 and 2007.
The FFIEC noted that there are important distinctions between "traditional" business continuity planning and pandemic planning. According to the FFIEC, traditional business continuity planning typically prepares financial institutions to address natural or man-made disasters that (i) are short or limited in scope, (ii) only impact a specific geographic area, facility or system, and (iii) are mitigated through resiliency and recovery considerations. On the other hand, pandemics have widespread geographic impact and can occur in multiple waves, each typically lasting between two to three months.
In preparing for a pandemic event, the FFIEC urged financial institutions to implement flexible plans that can address the different phases of a pandemic and that are tailored to an institution's size, complexity and business activities. Specifically, the FFIEC advised financial institutions to have preparations for:
- a preventive program to reduce the impact of a pandemic event on business operations;
- a documented strategy for aligning plans with the particular stages of an outbreak;
- a comprehensive framework to ensure that critical operations may continue if large numbers of staff are unavailable for long periods of time;
- a testing program to check pandemic planning practices and capabilities; and
- an oversight program to make sure there is a regular review of the pandemic plan.
Additionally, the FFIEC reminded financial institutions that:
- board and senior business management and not just information technology representatives should be involved in pandemic planning activities;
- potential pandemic effects should be included in the business impact analysis of the overall business continuity plan;
- risk assessment and risk management steps and "triggers" should be planned; and
- risk monitoring and testing are a key part of the overall planning process.
Commentary Steven Lofchie
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.