Storm Clouds on the Horizon
How’s your business continuity plan? How’s your disaster recovery plan? Ready for a major hurricane, or a significant power outage? As the breeze picks up a bit and the forecasters speculate on whether that disturbance coming up the coast will head out to sea or not, is this a “triggering” moment, in which the business continuity plans come off the shelf and pre-planning activities begin?
In August of last year, I had the opportunity to facilitate a full-day hurricane simulation in conjunction with the Mass. Bankers Association and the National Weather Service. After a fascinating session on the history of New England hurricanes, Glenn Field of the Taunton office of the weather service provided a lifelike scenario of a major hurricane aimed at Buzzards Bay, which served as the timeline for our chaotic planning session. Against a backdrop of charts, maps and projected paths, a dozen bank teams worked through business continuity planning decisions while meeting regulatory and customer demands. The key lesson learned was an obvious one: plan ahead. Making decisions during the event is far too late!
The hurricane road show comes to Connecticut on Thursday, September 4th, and we hope that your bank will participate with us. There are three distinct parts to the day we have planned. We have asked the National Weather Service to reprise the “History of New England Hurricanes” presentation for us. It turns out that we have been fairly lucky in the routes hurricanes have followed over the last fifty years, leaving most of us under 60 years of age with little experience of just how serious a major hurricane can be. Part two of our session will be a review of the BCP guidance updated by the FFIEC in March of this year. In addition to adding specific guidance on pandemic planning, the bulk of the updates to the regulatory booklet are inspired by recent hurricanes and other serious weather events and clearly fall into the no-fooling-around-anymore category. Over the years, we New England bankers have become cavalier about our ability to weather the regular onslaught of Nor’easters. The regulatory message, however, seems to be: “you can handle an inconvenient two- or three-day closing, but what about a real disaster?” The updated guidance includes a brand new section, inspired by lessons learned, that addresses issues such as security, data synchronization, crisis management, incident response, remote access, notification standards, insurance, and government and community communications. Does your plan address these elements?
Hmmm, winds are up to 30 miles per hour and the sky’s looking a little dark.
The main part of our day is the hurricane simulation. It has a bit of a reality-show feel to it, so I will reveal few specifics here. Suffice it to say that regulatory demands, customer issues, media relations and other concerns will creep into the session at surprising times and in unexpected ways. The “simulation” of the normal day-to-day banking duties that must be maintained in the midst of the ever-gathering winds will consist of each bank team working on business continuity strategies. Taking a process-centric approach, each bank team will consider ten or fifteen key business processes across all functional areas of the institution. If our day proceeds as planned, it should be a challenge to accomplish the task.
Wow, did you notice the lights just flicker?
Weather gear, flashlights, prayer books and first-aid kits are optional. Cell phones are mandatory. We do ask participants to come prepared to be immersed, as the role playing is most beneficial if your skepticism is parked at the door.
Hope you can join us. If not, weather permitting, look for the post-mortem report in next quarter’s Connecticut Banking magazine. Gotta go now, the lawn furniture just blew off the deck.
David B. Sidon CPA
The Navis Group
Enterprise Risk Management, a/k/a ERM. What is it? It might take a War and Peace-length book to explain and cover all the intricacies and interpretations, but if you’ll invest 2 or 3 pages’ worth of your reading time, I’ll do my best....click for pdf
David B. Sidon CPA
The Navis Group
“Back-up is not enough.”
“Documentation is key.”
“Overall, we believe we were able to re-affirm our pandemic and business continuity plans.”
These are the words of Milford Bank’s CEO Robert Macklin, Security & Facilities Manager Ric Biroscak, and Branch Administration VP Jorge Santiago, in an interview discussing their experiences with a national pandemic planning exercise. Milford was early and proactive in responding to concerns about pandemic planning. In 2007, the bank collaborated with the Milford Chamber of Commerce and the Milford Health Department to create a community pandemic continuity guide for businesses, drawing on banking and other national guidance to provide for their community as well as for the bank’s own welfare. The resulting document is available on the Milford Chamber of Commerce website.
In September-October 2007, the Financial and Banking Information Infrastructure Committee (FBIIC) and the Financial Services Sector Coordinating Council (FSSCC) coordinated a national financial services pandemic flu exercise. In a media briefing following the event, it was reported that 2,775 organizations were involved in the exercise, 62% of which were banks and credit unions.
The test was designed to be completed over a three-week period, with the three intervals representing stages of an overall 10-week pandemic event. The national test simulated absentee rates based on employee last names. Reasons for absence were described as: caring for dependents, fear of infection, transportation issues, illness, or death. For interval #1, representing the first 2 weeks of the pandemic simulation, last names beginning with the letters A, E, F, J, K, N, O, Q, T, U, V, X, Y, and Z were used to approximate a 25% absentee rate. The target absentee rate for interval #2 (weeks 3 through 6 of the pandemic event) was 49%, based on last names beginning with the letters A, C, E, F, G, I, J, K, N, O, Q, R, S, U, V, X, and Z. The target absentee rate for interval #3 (the last 4 weeks of the simulated event) was 35%, based on last names beginning with the letters D, E, G, H, I, K, L, N, and R. Because the letter sets are fixed, the rate any one institution actually experiences depends on the surnames of its own staff, which is exactly why the exercise is worth running against a real roster rather than assuming the target percentages.
Milford’s experience echoes that of other participants: the random element in selecting absentees seems to reflect the random nature of a pandemic quite well. Milford’s team was particularly sensitive to employee safety, well-being and wage continuity, focusing on how to ensure that sick employees stay home and do not infect the rest of the bank. One of the important realities illuminated by this test is that management must honestly plan for the possibility of losing entire departments, and not be lulled into thinking that a pandemic will distribute itself fairly across all divisions. Rather than planning for how it might manage with half of the bank’s staff, the bank must plan for how it will get by with only half of its entire organization chart, including many, or perhaps most, of senior management.
I recently facilitated an abridged version of the test with the management team at Rivergreen Bank in Maine, compressing the three-week test into a three-hour tabletop discussion. The random absentee methodology left much of the management team “available”, but presented the interesting challenge of only five branch personnel left to staff three offices, with no in-house IT support available. Their deliberations focused on three “basics”: cross-training, communication, and written procedures. Milford responded similarly, and I expect that the survey results from the national test will suggest a comparable focus.
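The absentee methodology described above, applied to a constructed staff roster so that availability can be checked department by department rather than as a bank-wide percentage. This is an added example, not part of the exercise materials, the article, or either bank’s own planning: the roster, department names and minimum-staffing thresholds are made up for illustration, and only the three letter sets and their interval labels come from the exercise as described.

```python
# Added example: run the FBIIC/FSSCC surname-based absentee rule over a
# constructed roster and report per-department availability per interval.
# Roster, departments and staffing minimums are hypothetical.

from collections import defaultdict

# Letter sets exactly as described for the national exercise; the target
# rates are the exercise's nationwide approximations, not what this roster
# will actually produce.
INTERVALS = {
    "Interval 1 (weeks 1-2, target 25%)": set("AEFJKNOQTUVXYZ"),
    "Interval 2 (weeks 3-6, target 49%)": set("ACEFGIJKNOQRSUVXZ"),
    "Interval 3 (weeks 7-10, target 35%)": set("DEGHIKLNR"),
}

# Constructed roster: (last name, department). Names are invented.
ROSTER = [
    ("Anderson", "Senior Management"), ("Reyes", "Senior Management"),
    ("Nolan", "Senior Management"),
    ("Kim", "IT"), ("Green", "IT"),
    ("Tanaka", "Branch"), ("Baker", "Branch"), ("Lopez", "Branch"),
    ("Wilson", "Branch"), ("Miller", "Branch"),
    ("Hughes", "Operations"), ("Clark", "Operations"), ("Patel", "Operations"),
    ("Young", "Lending"), ("Evans", "Lending"), ("Morris", "Lending"),
]

# Hypothetical minimum headcount each department needs to keep its key
# processes running (the process-centric view the articles recommend).
MIN_STAFF = {"Senior Management": 1, "IT": 1, "Branch": 3,
             "Operations": 2, "Lending": 1}


def is_absent(last_name, letters):
    """The exercise rule: absent if the surname's first letter is in the set."""
    return last_name[0].upper() in letters


def availability(roster, letters):
    """Return {department: (present, total)} for one interval's letter set."""
    present = defaultdict(int)
    total = defaultdict(int)
    for name, dept in roster:
        total[dept] += 1
        if not is_absent(name, letters):
            present[dept] += 1
    return {d: (present[d], total[d]) for d in total}


def overall_absentee_rate(roster, letters):
    """Bank-wide fraction absent; compare with the interval's target."""
    absent = sum(1 for name, _ in roster if is_absent(name, letters))
    return absent / len(roster)


def understaffed(roster, letters, minimums):
    """Departments whose present headcount falls below their minimum."""
    avail = availability(roster, letters)
    return sorted(d for d, (p, _) in avail.items() if p < minimums.get(d, 1))


def run_exercise(roster=ROSTER, minimums=MIN_STAFF, intervals=INTERVALS):
    """Evaluate every interval; keys are the interval labels in order."""
    return {
        label: {
            "rate": overall_absentee_rate(roster, letters),
            "availability": availability(roster, letters),
            "understaffed": understaffed(roster, letters, minimums),
        }
        for label, letters in intervals.items()
    }


if __name__ == "__main__":
    for label, result in run_exercise().items():
        print(f"{label}: actual absentee rate {result['rate']:.0%}")
        for dept, (p, t) in sorted(result["availability"].items()):
            print(f"  {dept:18s} {p}/{t} present")
        print(f"  understaffed: {result['understaffed'] or 'none'}")
```

On this roster the bank-wide rate never matches the exercise target exactly, and interval #2 leaves Senior Management and IT with nobody present at all while the branches are fully staffed, which is the “lose entire departments” outcome the article warns about. Swapping in a real roster and real process minimums turns the script into a quick pre-check before a tabletop session.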
In planning for a pandemic, a company is in essence creating a disaster recovery plan for its most mission-critical “system”: its people. Katrina taught us that illness is not the only reason for reduced personnel availability, as natural disasters pose housing, displacement, and transportation issues that may generate absenteeism in a similarly random fashion.
Guidance now abounds. For example, Milford’s community plan references “materials modified from San Francisco Department of Public Health”. Banking guidance includes the ABA’s “Emergency Preparedness Toolbox” and the “Interagency Statement on Pandemic Planning” issued by the FFIEC in December. The FFIEC guidance contains a full page listing of helpful websites.
I was genuinely impressed with Milford Bank’s proactive planning. They have health supplies at the ready. They have a customer information brochure prepared in advance. Emergency planning is a standing agenda item for their quarterly employee meetings. Remote computing access is securely in place. Alternative communication is set up through a Yahoo user group. And more. What did we all learn back in Scouts? Be prepared.
Defining risk tolerance
David B Sidon, CPA
Consider that there are only four answers available: high, medium, low, or not applicable. Risk, like beauty, is in the eye of the beholder. So what are the criteria? Your own judgment? Regulatory guidance? Guidance from senior management? Or a strict definition of risk tolerance as approved by your board of directors? ...click here for pdf
Banking, Enterprise Process Risk, and Apple Pies
David B Sidon CPA
Enterprise risk assessments are all the rage, and I think each definition of the word “rage” may apply (fury, frenzy, fume, fad, trend, etc.). Banks subject to FDICIA compliance requirements (currently institutions with assets in excess of $1 billion) have had an early experience with enterprise risk assessment and control. Sarbanes‐Oxley (SOX) brings the requirement to most of the stock banks. And the mutuals and closely‐held stock banks are just starting to catch on to the fact that they, too, are struggling with enterprise risk. The struggle lies in a lack of recognition that assessing IT risk, GLBA risk, BSA risk, business continuity risk, and internal control risk, taken together, amounts to an enterprise‐wide risk assessment. The struggle is in addressing the pieces of the puzzle individually rather than as a whole...click here for pdf.
Bird Flu: Time to Prepare
David B. Sidon, CPA
The Navis Group
Jack died last night. Now what?
The first person to die from the long‐predicted, dreaded pandemic is someone from your town, a 45 year‐old customer named Jack, a local businessman just returned from Singapore. Today is Wednesday; Jack died last night....click here for pdf
Business Continuity Planning
Lessons Learned from Katrina and Stephen King
David B. Sidon, CPA
The Navis Group
Post‐Katrina, and for that matter after the rest of an incredible hurricane season in ’05, disaster and business continuity planning are getting a renewed and vigorous look from everyone, including the White House, Homeland Security, and FEMA, as well as the institutions and regulatory bodies that comprise our banking system. As we in the industry learn the importance of system recovery plans and business resumption plans (separate planning exercises, as I will describe presently), and as we start to test our plans and responses in simulated exercises, we quickly come to recognize contingency planning’s key ingredient and key problem. People. ...click here for pdf
David B Sidon, CPA
The Navis Group
Have you Googled an address lately using the Satellite imagery function? WOW! You can actually see the cars in the parking lot at the office building you’re traveling to. But ... as a C‐level executive, could you look down into your enterprise with the same sort of detailed view? ...click here for pdf