The NAFCU recently introduced business continuity guidance and the Federal Financial Institutions Examination Council (FFIEC’s) 2007 Pandemic Planning Guide.
As the COVID-19, (coronavirus), continues to be felt, the FFIEC recently issued its updated Interagency Statement on Pandemic Planning to identify “actions that financial institutions should take to minimize the potential effects of a pandemic.” A related statement from financial regulators urged financial institutions, which include credit unions, to continue to meet the business requirements of members that are affected by the pandemic for FFIEC compliance.
This guide starts by introducing a discussion about the challenges brought about by the pandemic as compared with other disastrous events. The guide also explains how the pandemic risk can be incorporated into the continuity program of a credit union, including the business program analysis, risk strategy, and risk testing and monitoring.
Each phase of this assessment is discussed below.
The Challenges Caused by a Pandemic
To serve its members effectively, a credit union must tailor its traditional business services plan to assess the unique challenges in light of a pandemic. This guide shows how the plan of a credit union should allow for:
- A program that will reduce the chances of a pandemic will affect operations, including monitoring possible outbreaks, educating all employees about hygiene as well as other practices, and working with other vendors.
- A strategy for implementing a credit union’s response to a pandemic and efforts to ensure that they are aligned with all effects of a pandemic. An example of this is that credit unions should consider the alignment of their strategy with the 6 Pandemic Intervals Framework issued by the Center for Disease Control and Prevention.
- A framework of systems, facilities, and procedures that will allow a credit union to offer its critical operations if individual critical members become unavailable for a protracted period. An excellent example of this might be a credit union that could consider implementing rules for social distancing, alternative sites, telecommuting, electronic banking, and telephone banking services.
- Implementing a testing program for practices and the capabilities that will allow for critical services to continue.
- Having a program to ensure an ongoing review of the pandemic plan, using up-to-date, relevant information from both medical and government sources.
A pandemic introduces certain and significant risks to any business.
As a result, the guide makes the recommendation that senior management represents all areas of pandemic planning.
This includes, most notably, the board of directors of the credit union being responsible for overseeing the development and implementation of a comprehensive pandemic Strategy. All members of senior management should be accountable for the development of the plan, translating that plan into specific policies and processes, and procedures, and directing that plan to employees.
Business Impact Analysis and the Pandemic Risk
The Business Impact Analysis (BIA) introduced by the BCP evaluates the possible effects of a disaster on a credit union’s essential business purposes, processes, and resources. This guide further explains that by incorporating the pandemic risk in the BIA, there is an extra layer of complexity. The typical emergency response systems might not be possible in this type of situation.
The guide also refers to internal as well as external factors that might have an impact on business functions. From an internal outlook, the analysis should incorporate forecasting projections of possible employee absenteeism, which could be attributed to illness, needing to care for loved ones or infection fears during a community outbreak.
The guide also recommends external factors such as the impacts of public health restrictions such as quarantining requirements, travel restrictions, altered transportation schedules, school closings, or other possible disruptions of essential external services. The guide also recommends reviewing the list of 12 planning assumptions listed by the Department of Homeland Security.
Risk Assessment and Risk Management In a Pandemic
The risk assessment of a credit union is vital to the success of the continuity of business. The guide makes special note that risk assessment calls for prioritizing how severe the business disruptions are resulting from pandemics using the BIA of the credit union. The guide further recommends performing standard “GAP analysis” comparing the current processes and what is required to minimize the possibilities or severity of business interruptions. In doing this, the guide also explains how important it is to create a written pandemic plan that is often communicated to employees and reviewed by the board of directors as often as possible.
The guide also recommends that risk assessments include identifying events that might implement different elements of the credit union’s response methodologies to a pandemic, employee protection, hygiene, and mitigating controls. Mitigation controls can also include the cross-training of employees, creating succession plans, and increasing access methods. Further, the guide encourages credit unions to coordinate with all other parties, including community and business groups, public health, emergency systems, law enforcement management groups, and other critical services providers.
Risk Testing and Monitoring
Finally, the guide end with showing how a comprehensive pandemic business plan should be flexible enough to use new information as it becomes available as well as risk mitigation strategies as the information provided by the government and medical experts is received and implemented. A comprehensive pandemic business plan should incorporate testing procedures and the responsibilities of all management, employees, suppliers, and members.
Also, part of a program should be an assessment of critical pandemic planning tasks and testing with a greater reliance on such business elements as remote access, call center, online banking, and telecommuting systems. The guide also requires that all test results be reported directly to management, along with all of the appropriate protocols made for pandemic planning and testing programs. The unique and unprecedented circumstances presented by the coronavirus has forced the business to reevaluate everything about way business is done, especially compared with traditional business planning. Further, the guide provides a listing of alternative testing methods that should be made available to every member of the organization and members.
There can be little doubt that successfully carrying out a pandemic response plan now will lead to much more effective implementations in the future.