Five mistakes banks make in pandemic planning

Experts cite five areas where financial institutions could improve their planning for a potential H1N1 outbreak

With the H1N1 virus threatening to hit hard this flu season, pandemic planning has become a priority for many organizations. A recent survey of about 1,500 U.S. organizations by the Pandemic Prevention Council showed that a slight majority reported that senior management has stressed the importance of preparing for a possible H1N1, or swine flu, outbreak.

However, while 75% of those surveyed have business continuity plans, only 55.6% of private companies have plans that address the H1N1 threat.

The banking industry has done a better job than other industries in developing pandemic plans, said Richard De Lotto, principal analyst in Gartner Inc.'s banking and investment industries advisory services. "It doesn't take much research into the 1918 pandemic to realize that you need to take this seriously," he said, referring to the "Spanish flu" pandemic that killed more than 500,000 in the U.S.

The avian flu threat and a 2006 advisory on pandemic planning issued by federal regulators helped to spur pandemic planning in the financial industry. The FFIEC updated the advisory in 2007 with expanded pandemic planning guidance. In April, the emergence of swine flu prompted an uptick in flu preparations, but experts cite several areas where financial institutions could improve their planning for a potentially massive H1N1 outbreak. Here are five mistakes banks make, or areas they overlook, in their pandemic plans:

1. Not doing enough

Even though financial services, as a heavily regulated industry, may be further ahead in preparing for a pandemic than others, many banks still don't have a comprehensive plan.

"The biggest issue is that the banks haven't really thought through it," said Ruth Razook, CEO of RLR Management Consulting Inc., a La Quinta, Calif.-based firm that provides IT, strategy and other services to community and independent banks. "They haven't taken that time."

Federal banking regulators are very serious about pandemic planning, she said: "The regulators are saying it will occur, that it's not a matter of if, but when. And if banks aren't prepared, it could get pretty ugly."

Specifically, regulators told her some financial institutions don't understand the difference between planning for business continuity and a pandemic. In the first, the building is gone but the people remain, while in the second, the building is there but the people are gone. "They're not grasping the fact that you could be down 50% of your people," Razook said.

David Schneier, a compliance consultant who works with financial institutions, said he's yet to review "a truly viable pandemic plan." Most of the plans he's seen discuss possible pandemic scenarios but don't provide actionable steps in the event of a quarantine.

"What happens when a bank or credit union cannot staff their branches due to a severe outbreak? How will operations be maintained if offices are closed down and staff is forced to work remotely? I suspect that much of what occurs will be ad hoc," he said.

Meanwhile, some large financial institutions that perform extensive pandemic planning at their corporate headquarters fail to extend the effort to their regional or local offices, said Brian Zawada, co-founder and director of consulting services for Cleveland, Ohio-based Avalution Consulting LLC. They mistakenly believe they should focus their efforts on the locations with the most staff.

"You have to be consistent and able to show that preparedness activities are applied across the entity, no matter where or how many people," Zawada said.

2. Lack of defined policies

Some companies don't have clear contagious illness policies, Zawada said. These policies clarify that if employees are sick, they stay at home and if they show up to work sick, their manager has the right to tell them to go home.

"Those that don't have such policies have managers running around saying, 'I have this person coughing up a storm. What do I do?' By the time they get an answer, it's too late and others are sick," he said.

Another policy issue that needs to be decided before a flu epidemic hits is how a financial institution plans to handle sick leave. "One bank said they had an employee come back from Mexico and came to work with a fever. They sent him home. If he doesn't have any sick time left, does he get paid or not?" Razook said. "Banks should be figuring out what those policies are, and I don't think they are."

David Sarabacha, principal at Deloitte & Touche LLP and leader of the firm's business continuity management team, said companies vary widely in how they plan to handle sick leave.

"It stretches from, 'It's not our problem. We give a certain amount of time for sick or vacation days. If something arises, we won't give anymore', to other organizations saying they'll give seven to 14 more days of time off, especially if they tell you to go home," he said. "A third option is to borrow from future time off."

However, companies are also concerned about potential abuse of extended sick leave policies, Sarabacha said. At a recent meeting he attended, an executive at a large financial institution said his organization had done a lot of planning of sick leave policies in the event of a pandemic but isn't going to let employees know out of concern the system could be abused.

H1N1 (Swine Flu)

The H1N1 influenza virus, first detected in April, was declared a pandemic by the World Health Organization (WHO) in June. According to the Centers for Disease Control and Prevention in the U.S., 27 states were reporting widespread influenza activity and almost all the influenza viruses identified so far are H1N1.

A report released by the President's Council of Advisors on Science and Technology (PCAST) in August concluded that the H1N1 flu is unlikely to resemble the deadly "Spanish flu" pandemic of 1918-19. Still, the current virus strain is a serious health threat, unlike the swine flu episode of 1976, the group said.

According to the PCAST report, the impact of a fall resurgence of H1N1 is impossible to predict, but an epidemic could infect 30% to 50% of the U.S. population, lead to up to 1.8 million hospital admissions, and cause between 30,000 and 90,000 deaths, mostly children and young adults. Seasonal flu usually kills 30,000 to 40,000 people in the U.S. annually, but mostly among people over 65, the report noted.

3. Lack of adequate staffing planning

Without a doubt, planning for a scenario in which you lose 40% of your staff for extended periods is difficult. However, there are other staffing scenarios that financial institutions also need to consider if the swine flu strikes hard, experts say.

For example, an organization may see a spike in demand for certain services or products and a sharp drop for others in a pandemic, Zawada said. An insurance company, for instance, might see a decline in property claims but an increase in short-term disability or life insurance claims. If more people stay at home, some financial-services firms expect to see increased credit card activity. Consequently, a company needs to develop a staffing model that meets customer needs while accounting for staff absenteeism, he said.

"Understanding demand and building appropriate staffing models [is something] many organizations have done, but some are just beginning," Zawada said.

An area that banks haven't paid enough attention to is succession planning, Gartner's De Lotto said. "People might die or be incapacitated for long periods. How do you arrange for a turnover of command in a department with proper provisioning and passwords when your IT department is sick?"

Permissions could be installed on a thumb drive, but in the end, it's difficult for an organization to imagine large chunks of its managerial staff dead or incapacitated and to plan for successors, he said.

Razook said some banks that have conducted pandemic planning have done a good job at building a skills matrix -- conducting an assessment of their employees' skills. That allows them, for instance, to figure out who could fill in as a teller.

"They identify where their issues are and they're cross-training," she said.

4. Not accounting for vendors

Considering how much most financial institutions are dependent on third-party vendors, a possible pandemic presents hidden risks, said Schneier, the compliance consultant.

"For the minority of institutions that have actionable pandemic plans in place, how many of them are dependent upon their vendors in order for the plan to work? How many of those vendors have their own pandemic response plans in place and how would you even know if those plans are viable?" he said.

"Imagine a likely scenario where there's a quarantine, your staff is sent home to work remotely and one of your key telecom or hosted solution providers has an outage that can't be properly managed because they're operating at severely reduced staff levels. What's your next move?" he added.

Many organizations have tried to assess their vendors' business continuity preparations via questionnaires, but didn't have much success, Zawada said. They either didn't know what to do with questionnaires that were returned or vendors wouldn't cooperate, claiming their plans were proprietary.

"Those that did it well had one-on-one dialogue with their key suppliers and business partners where they may have jointly planned," he said. "They clearly understand each other's business model and expectations. They're working together in a collaborative manner. There is some of that [collaboration] but probably more could be done."

Deloitte's Sarabacha said successful organizations figure out their critical vendors and share as much detail of their pandemic plans as the legal departments will allow in order to gauge how complementary they are. If the plans aren't complementary, then organizations need to consider backup vendors or alternate plans.

The ability to see a vendor's plans -- and results of plan testing -- starts in the procurement and contract process, he said. More and more organizations are including language in their contracts to cover that oversight, he said: "They're getting more precise in those contracts so you have the right to do it if you choose."

5. Not testing

An area that many financial institutions and other organizations don't focus on enough in their pandemic planning is testing, experts said.

"We can't appraise the effectiveness of our planning until we've triggered the plan -- that is, taken action in response to a real situation or in response to well strategized scenario-based testing that examines external factors and incorporates consideration of critical interdependencies," said Carol Ward, an independent banking consultant.

"The complexity and difficulty of setting up scenario-based testing shouldn't be underestimated. Ongoing risk monitoring and testing is the weakest link in the effort to be ready. And I think it is causing the most difficulty," she added.

Since many pandemic plans rely on having workers telecommute, capacity planning is essential, experts said.

"Wouldn't it be terrible to have a plan that says everyone will telecommute and then no one can get into the system?" Razook said. "That's where testing comes in. Have 50% [of the workforce] go home and dial into your system and see if it crashes."

Sarabacha said he's seen organizations test whether employees who don't normally work at home can do so, but not test their systems' capacity. "The challenge is from a capacity perspective. Can your internal systems handle the type of load that has never come before?" he asked.

Of course, some possible pandemic scenarios are tricky to test. For example, if schools shut down, banks will have employees who need to stay home with their kids -- a scenario that's difficult to develop into a tabletop exercise, De Lotto said.

"You can do some remote access tests and table top exercises, but it's kind of hard to simulate this [a pandemic]," Zawada said.
