In recent weeks, circumstances surrounding the unprecedented COVID-19 pandemic have prompted many businesses in the financial services industry to revisit and update their business continuity and pandemic plans. An effective business continuity plan (BCP) is a necessary tool to guide your organization through unexpected scenarios and ensure no disruption of service to your customers.
Lessons Learned from COVID-19
One of the most critical lessons from COVID-19 is the importance of effective business continuity planning. A BCP reflects the time and effort your institution has put forth, and there is no substitute for a thorough and tested plan. As your institution continues responding to the COVID-19 situation, ensure your BCP is up to date and comprehensive with the following best practices.
1. Identifying gaps: If your BCP is not regularly reviewed, gaps in your plan or processes can easily develop, and your institution should identify and create responses to address these gaps. For example, most plans likely included the provision that most employees should work remotely in the event of a pandemic. However, that requires businesses to test virtual private network (VPN) connections and coordinate logistics, including plans for those employees who don’t use laptops or have required technology at home. Many businesses were recently forced to confront those IT issues quickly as they adapted operations in response to COVID-19, showing that identifying potential gaps is a critical step.
2. Responding to Unique Scenarios: There is no silver bullet when it comes to continuity planning—an institution’s BCP should be formulated on a case-by-case basis. Every organization has different scenarios to consider and respond to, especially during an event like COVID-19. For example, some institutions chose to take employees’ temperatures as a precaution against inadvertently spreading the virus, making it necessary to include information about Americans with Disabilities Act (ADA) rules and state specific privacy regulations in the BCP. Organizations should also include plans and procedures addressing potential changes to business operations in response to unexpected events, including identifying essential workers for your institution.
3. Maintaining Communication: In response to COVID-19, many financial institutions are closing their lobbies, reducing hours or encouraging the use of digital banking channels. These changes should be clearly and consistently communicated to employees and customers. Employees need updates on business operations and policies, while customers need information about accessing bank facilities and their accounts, making deposits and obtaining loans. Open communication will ensure that all parties stay engaged and aware of relevant updates, which is especially important in an evolving pandemic situation.
4. Revisiting Strategic Plans: Since most strategic plans include specific goals set before an unexpected event, your institution should revisit those plans and adjust accordingly after experiencing disruption. Due to the circumstances surrounding COVID-19, many organizations are undergoing impromptu strategic planning to update their plans based on operational and business changes, and institutions should also consider an increased demand for certain products and services, such as digital banking, during the planning process.
Preparing for Future Pandemics
Though a BCP and a pandemic plan have distinct differences, the global COVID-19 pandemic has shown the importance of planning for both. Health experts have discussed the possibility of COVID-19 returning in the fall, so businesses should begin planning for this outcome during the upcoming summer months. Consider addressing these important topics as your institution begins reviewing your pandemic plan.
1. Coordinate with Vendors: When planning, businesses must communicate not only with employees and customers, but also with critical vendors. If your institution relies on a vendor to help provide an essential product or service and the vendor experiences a disruption, your operations—and customers—will be affected. If you haven’t already done so, your institution should plan to acquire feedback from critical vendors on their specific action plans. This also applies to third-party and even fourth-party vendors.
2. Anticipatory Planning: Your pandemic plan should also include processes for tracking employees and any potential impact that absences could have on day-to-day operations. If an employee contracted the virus during a pandemic, how would your operations be affected? By identifying back-ups for essential employees and systems, your institution can avoid disruption. Don’t wait until your business is confronted with an unexpected situation—act now to ensure your customers will continue to be served if key individuals cannot work.
3. Changing Business Needs: When updating your pandemic plan, your institution should consider how a pandemic could affect your day-to-day operations. Because of COVID-19, many customers are relying on digital banking solutions. Institutions should consider how they will service and setup accounts for customers who have been slow to adopt digital banking, all while complying with necessary regulations. Additionally, institutions should develop a documented strategy to scale response efforts accordingly.
4. Cyber Insurance: With cybercriminals preying on fear and panic during a pandemic, cyber insurance is an important component in protecting your institution and customers, but there are a variety of factors that must be considered. For example, if your institution has retained a forensic investigator, were plans made to have the investigator approved by your insurance company? Your institution should also consider whether your insurance includes coverage for only a certain number of customers impacted versus only a certain dollar amount. Or does it cover both? Another consideration is whether your insurance covers specific services, such as credit monitoring protection for customers affected.
5. FFIEC Guidance: The Federal Financial Institutions Examinations Council (FFIEC) updated its Business Continuity Management Booklet in 2019, which is a useful resource for business continuity planning and also includes information on pandemics.
The ongoing COVID-19 pandemic is changing the landscape of banking, and your institution must be ready to adapt. A strong BCP and pandemic plan will allow your institution to focus on developing new business opportunities and serving your customers.
Keith Monson serves as CSI’s chief risk officer. In this role, Monson maintains an enterprise-wide compliance framework for risk assessment and reporting, as well as other key components of CSI’s corporate compliance program. With 25 years of banking experience, he has a wide range of expertise in the compliance arena, having served as chief compliance officer for both large and small financial institutions.