In response to the coronavirus (Covid-19) outbreak, the Federal Financial Institutions Examination Council (FFIEC) updated its 2007 Interagency Statement on Pandemic Planning to provide guidance to financial institutions on actions they can take to mitigate the potential adverse effects of a pandemic to their operations. It requires financial institutions to have plans in place that describe how they will manage a pandemic event.
The guidance lists five areas that a financial institution’s business continuity plan should include with respect to pandemics.
-
A preventive program to reduce the likelihood that an institution’s operations will be significantly affected by a pandemic event, including monitoring of potential outbreaks, educating employees, and communicating and coordinating with critical service providers and suppliers, in addition to providing appropriate hygiene training and tools to employees.
-
A documented strategy that provides for scaling the institution’s pandemic efforts so they are consistent with the effects of a particular stage of a pandemic outbreak, including plans for reentering personnel into the workplace.
-
A comprehensive framework of facilities, systems, or procedures that provide the organization the capability to continue its critical operations in the event that large numbers of its employees are unavailable for extended periods of time. Such procedures could include social distancing to minimize staff contact, telecommuting, redirecting customers from branch to electronic banking services, or conducting operations from alternative sites. Consideration should be given to visitor procedures and whether restrictions should be implemented on customers accessing facilities.
-
A testing program to ensure the institution’s pandemic planning practices and capabilities are effective and will allow critical operations to continue.
-
An oversight program to ensure ongoing review and updates to the pandemic plan so that policies, standards, and procedures include up-to-date, relevant information.
The Interagency Statement makes clear that the institution’s board of directors is responsible for overseeing the development of the pandemic plan and that pandemic planning should involve senior management from all functional, business, and product areas, including human resources, legal, IT, support functions, and key product lines. It goes on to state that senior management is responsible for developing the plan; translating it into specific policies, procedures, and processes; communicating the plan throughout the institution; and ensuring the plan is regularly tested and remains relevant.
Finally, it provides a list of specific risk assessment and risk management actions an institution should consider and provides links and references to other resources for developing their pandemic plans.