| 
Tom Curry
Earlier this month, the Federal Financial Institutions Examination Council (FFIEC) on behalf of its member agencies – the Federal Reserve, FDIC, OCC, CFPB, NCUA and State Liaison Committee – issued a 10-page interagency statement to remind financial institutions that pandemic preparedness is a critical part of an intuition’s business continuity planning.
Although some commenters have been somewhat critical of the guidance as merely a reminder of earlier guidance with little change, the fact remains that all organizations – whether or not a provider of critical financial services – should have in place business continuity plans that take into account the threats posed by a pandemic outbreak and potential impacts on communities, customers, employees, other stakeholders and daily operations.
The methodologies detailed in the guidance and related materials should provide a sound framework for organizations of all types developing and/or updating their pandemic plans as part of their larger business continuity plans.
Jason J. Cabral
The guidance highlights the unique challenges posed by and key differences between pandemic planning and traditional business continuity planning. First and foremost, pandemics are larger scale and longer in duration. In light of an interconnected global economy and relative ease of travel, a pandemic is virtually assured to be widespread and not limited in size or scope or to a specific geographic area. Moreover, pandemics generally occur in many waves, each lasting a few months, and generally do not have limited time durations.
These factors often result in the most significant challenge posed by a pandemic event: that virtually no individual or organization is insulated which may lead to significant staff shortages. As a result, all organizations, regardless of type, should plan for a pandemic event when developing and/or updating their business continuity planning.
Five Areas that Should be Addressed
Dan Hartman
In light of the unique challenges posed by a pandemic, the guidance highlights five different areas which companies should provide for in their business continuity plans to prepare for a pandemic.
First, a business continuity plan should include a program designed to mitigate the impact of a pandemic to an organization’s operations. The program should provide for, among other things, detailed communications strategies with employees, customers, critical service providers and suppliers, and local and state government and other agencies or health care providers, ongoing monitoring of potential outbreaks and spread, proper education of and appropriate training and tools for employees, cross-training of employees and successions plans.
Second, organizations should develop a documented strategy that is scaled to the various waves of a pandemic, including the first cases of human transmission, the first cases within the U.S. (or relevant region) and, ultimately, the first cases within the organization. Such plans should include a documented strategy for recovering from a pandemic wave and preparing for subsequent waves.
Third, organizations should develop a comprehensive framework that provides the capability to continue its critical operations in the event large numbers of employees are absent for prolonged periods of time. As part of this framework, organizations can consider minimizing staff contact, including social distancing or splitting staffs between facilities and/or alternatives sites, encouraging employees to telecommute, redirecting customers to utilize online services instead of physical locations and/or transferring certain functions to other locations. Organizations should also be prepared to restrict access to non-employee visitors.
Fourth, organizations should develop a testing program designed to ensure that critical business processes will effectively operate during times of stress. A program should test key planning assumptions, including increased absenteeism rates and the duration of the pandemic, remote access and telecommuting capabilities, the capabilities to satisfy increased demand of online services, and the roles and responsibilities of management, employees and critical service providers and suppliers.
Finally, an oversight plan designed to ensure ongoing review and updates to policies, procedures and processes, as well as testing and reporting obligations.
More Than an IT Issue
The guidance also highlights that pandemic planning is not limited solely to addressing potential informational technology issues, but rather risks to the entire business. As such, all business functions and resources should be involved in pandemic planning.
The guidance also makes clear that an organization’s board of directors is responsible for overseeing the development of the pandemic plan and ensure that senior management is investing sufficient resources into planning, monitoring and testing the plan. According to the guidance, the pandemic plan should be reviewed and approved at least annually by the board (or a board committee) and senior management.
Finally, the guidance notes that senior management is responsible for developing the pandemic plan, translating the plan into specific policies, procedures and processes, testing the plan and communicating the plan throughout the organization to ensure that all employees understand their roles and responsibilities.
Incorporate Plan into Business Impact Analysis
The guidance also encourages organizations to include the potential effects of a pandemic in their overall business impact analysis. Organizations should consider the impact of employee absenteeism, the impact on critical external service providers and other restrictions, such as travel restrictions, localized quarantines or business closures. Organizations may also consider having back-up arrangements to mitigate further damage.
As part of pandemic planning, organizations should also consider what employment and privacy laws may be implicated by an organization’s response to a pandemic, proactively assess the availability of insurance coverage and analyze whether a pandemic may allow counterparties to utilize force majeure clauses in contracts to excuse ongoing performance.
Aside from the FFIEC’s guidance, companies are reminded that the U.S. government and industry and trade associations, among others, have issued extensive and comprehensive guidance to aid companies of all types in developing plans for pandemic events. Companies should also review and take into account guidance and other resources from the CDC, WHO, DHS and U.S. Department of Health and Human Services, among others.
Thomas J. Curry and Jason J. Cabral are partners in Nutter’s corporate and transactions department. Daniel W. Hartman is an associate in Nutter’s litigation department. Curry is former U.S. comptroller of the currency and all are members of the firm’s banking and financial services group.
