Preparing for a Pandemic: Updating Your BCM

How quickly the world can change. Three months ago, COVID-19 was just beginning to bubble up as a major concern for most businesses in the United States. In late January, health officials diagnosed the first U.S. citizen with the disease. By February, the World Health Organization declared a global public health emergency.

And at the end of March, nearly every state issued stay-at-home orders as many businesses closed, and roughly 80 percent of Americans began operating under some form of home-based lockdown to slow the spread of the novel virus.

Like many other essential businesses, financial institutions are now quickly shifting priorities to ensure they are equipped to conduct business in a changing environment while also dealing with the effects of a health crisis. Bank leaders must ensure they are prepared to increase digital operations to meet customer needs and maintain compliance and security protocols. The institutions that will most successfully navigate these turbulent times are those that came prepared with effective business continuity management (BCM), which goes beyond the traditional business continuity plan to embrace a steady continuity process, rather than just an annual update.

It’s not just a worldwide pandemic that should prompt businesses to maintain a solid BCM. Natural disasters and other unexpected events also emphasize the importance of preparedness. Financial institutions can reference guidelines and recommended processes on updating BCM from the Federal Financial Institutions Examination Council (FFIEC). Resources from the FFIEC include assistance and guidance in the areas of business impact analysis (BIA), risk assessment, risk management and risk testing and monitoring.

Despite the FFIEC’s 2019 updates, some financial institutions still found themselves unprepared for the operational challenges associated with many businesses closing shop. Quickly developing a plan while under the pressure of a pandemic is not ideal, as an organization should avoid planning during or after an unexpected event by maintaining an up-to-date BCM.

With all of this in mind, if an organization’s BCM needs revisiting, there are several best practices to consider.

Pandemics and Your BCM

A global pandemic is an event that few had expected, but a valuable lesson in preparedness has come from COVID-19. While pandemics are more of a human resources issue than a technical one, technology is a facilitator, and most of the technology required to handle a pandemic and forced remote work should be built and implemented in advance.

Unfortunately, an increased reliance on remote working technology also changes the risk and fraud environment. Financial institutions must be flexible in dealing with these new challenges.

The FFIEC issued guidance on pandemic planning in 2006, with information on what financial institutions should include within their BCM:

• Steps to ensure continuity of services that include monitoring outbreaks, developing communication plans for employees and third-party service providers, procuring supplies for appropriate hygiene, etc.
• Strategies that provide for scaling the institution’s pandemic efforts, including plans for preparation for potential following wave(s).
• A framework for systems and procedures that allow the organization to continue its operations if essential staff members are unavailable to work, including work-from-home policies, redirecting customers to electronic banking services or alternative operations sites.
• A testing program focusing on procedures to ensure continuity of critical operations and services.

Based on the experiences of the current pandemic response, bankers can expect that the agencies will look to update the plans with new information and recommendations.

Data Protection

Threats to business continuity can come in many forms, including pandemics, disruptive data loss or breaches. These threats could affect any region at any point in time.

Data play a critical role in today’s banking environment which means data should take priority in a modern BCM. This begins with an institution’s business impact analysis (BIA), which prioritizes and asses all business processes and functions. In order to protect the financial institution from the impact of lost data or a breach, make sure the following pieces are included into the BIA:

• Security: The BCM process should reference the bank’s network segmentation policy, which should limit the access and movement of data, as well as the data backup policy, to eliminate any unnecessary connections into or out of a backup storage site—especially crucial in the event of a ransomware attack.
• Classifying Data: Data classification can be cost prohibitive, especially for community banks. At a minimum, an institution must understand what data they have, what data is critical, where it is stored, how it is protected and how it can be recovered.
• Data Flow Diagrams: This diagram is a visual representation of a bank’s data, showing how and where it enters, flows through and exits the institution. The diagram is vital to the BCM and should be revised every few years or when introducing new business processes or lines of business.

Assessing Threats and Risks

A risk assessment is another important phase in the BCM cycle. During this phase, the FFIEC recommends institutions develop scenarios of threats that could cause disruption to business continuity and processes. Financial institutions should develop a formal threat analysis to assess how a variety of factors like regional environmental factors and terrorist plots increase the likelihood of disruption to business at each location.

In normal circumstances, a threat analysis should be conducted every 18 to 24 months, but in riskier times, six to 12 months is more suitable. Another important factor to consider is doing the threat analysis at the main location and disaster recovery sites as well as on any external or internal sites critical to the bank, such as where the data is housed.

Putting Your Plan to the Test

The last, but most important, part of the BCM process is testing and ensuring the institution is fully prepared. Many institutions conduct small and function-specific tests on a quarterly or monthly basis, starting with critical functions. By running these tests frequently, the institution’s leaders will have a more accurate picture of their BCM overall effectiveness. The increase in flexibility and resiliency that testing provides, coupled with a robust infrastructure, goes a long way in weathering, or outright avoiding, many issues.

By updating a BCM plan with best practices, including data protection, assessing threats and testing the plan, an institution will be in a better position to respond to unexpected events and continue serving customers without disruption.

Steve Ward has more than 28 years of experience in the technology sector, 13 of which he spent working directly with community banks, and currently serves as CSI’s vCIO manager. In his role, Steve partners with organizations to understand their strategic IT objectives and makes recommendations that align with their business goals.