Contingency Planning: What Every Director Should Know
On the morning of Sept. 11, Charlie Pfeiffer and Olivia Tention were in Phoenix, Arizona attending a business conference when they heard the news that terrorists had attacked. Their offices, on the 14th floor of Two World Trade Center, no longer existed.
Pfeiffer and Tention, senior operations executives for UnionBanCal Corp.’s International Banking Group, jumped in Pfeiffer’s car and set off on a 360-mile drive to Monterey Park, California. UnionBanCal’s contingency plan called for electronic operations to be routed to emergency backup facilities there, and the two executives had no time to lose because all commercial flights in the United States had been grounded.
As a result of their heads-up response, the bank was able to resume full operations by the end of the day, and the IT staffers trained by Pfeiffer and Tention essentially recreated the computer systems that were lost, from scratch, within a week. But the most welcome news came the morning of Sept. 12, when the company was able to confirm that all 106 of its World Trade Center-based employees had safely escaped the building’s collapse.
Key to UnionBanCal’s quick resumption of operations was a thorough contingency plan, vetted and approved by the board of directors. In fact, The Bank of California, which merged with Union Bank to form UnionBanCal in 1996, had seen its World Trade Center offices destroyed once before, in the 1993 terrorist bombing of the building, so there was some precedent for the emergency steps that were taken in September 2001.
Directors are ultimately responsible for ensuring the continuity of a company’s business operations, and disasters, natural or otherwise, are included in the risks of doing business. Thus, reviewing and approving a workable emergency plan has always been part of a board’s fiduciary duty.
Banks in Florida and Louisiana, for example, have hurricane contingency plans. Similarly, California companies must assess the perils posed by earthquakes. But in the wake of the Sept. 11 attacks, business leaders across the nation have been reminded that they, too, are responsible for creating comprehensive contingency plans that are detailed enough to keep myriad functions operational, yet broad and flexible enough to cover many types of emergencies, even those that strike with no warning.
Therefore, it is now more important than ever that directors understand their responsibilities with respect to contingency planning. Corporate governance experts and regulators agree that, at a minimum, the board should review existing plans once a year, preferably delegating the job to a committee. The board should also require that the plans be tested and evaluate a plan’s performance after any emergency that requires its implementation. Many experts also recommend that the board periodically seek the opinion of outside experts to make sure management is on the right path, though the extent of such third-party review depends on the particular board and the resources of the company.
According to Clifford A. Wilke, director of bank technology at the Office of the Comptroller of the Currency, “From the OCC’s perspective, our expectation is that the board ensures that an adequate contingency plan is in place and is monitoring and testing that plan on a continual basis.”
But there is a distinction between directors’ role and management’s role. “Directors are not responsible for contingency planning,” says Charles M. Elson, an attorney and law professor who serves as director of the Center for Corporate Governance at the University of Delaware. “Their job is to make sure the company is run as effectively as possible. So their responsibility is to make sure management is engaging in planning.”
“Boards are not there to micromanage operating tasks, just to make sure they are being done,” says Nell Minow, a corporate governance expert and editor of The Corporate Library website. “So at least annually, they should have contingency planning on the agenda to give management the opportunity to report on what they are doing.”
Furthermore, she adds, “The board should consult its own experts from time to time to make sure that management is up to date.”
UnionBanCal provides an example of successful differentiation of the roles of directors and management. After the 1993 World Trade Center bombing, The Bank of California created an Emergency Operations Committee that could be called into action in such cases.
Today, UnionBanCal executive vice president Linda Betzer heads that committee. In the two weeks after Sept. 11, she says, the EOC had once- or twice-daily meetings with executive management. There was no need for an emergency board meeting because procedures were already in place for rapid communication in the case of an emergency. Says Betzer, “The board was interested in what we were doing but didn’t feel the need to step in because they have a lot of confidence in the team.”
UnionBanCal’s annual review of its contingency plan had already been scheduled for the November board meeting. In addition, the EOC gave a formal evaluation of the plan’s post-Sept. 11 performance at the October meeting.
“No changes have been made as a result of director intervention,” says Dan Brigham, the bank’s vice president for government affairs who works closely with the board of directors on public-facing issues. “But the EOC has reviewed and refined their plans somewhat, and the consensus around here is that [Betzer] did a fantastic job.”
“Of course, the board had questions for us when we did our formal report,” says Betzer. “They wanted to know what we learned, what we could have done differently, and what other banks experienced.”
Bank of America Corp., which occupied four floors of One World Trade Center, was also greatly affected by the terrorist attacks. As with UnionBanCal, the BofA board was kept informed but remained at arm’s-length during the emergency itself. According to company spokesperson Eloise Hale, “We operate daily on contingency plans since we’re nationwide, but the board isn’t involved on a daily basis.”
“The events of Sept. 11 demonstrated Bank of America’s expertise in managing operational risk,” Amy Brinkley, Bank of America’s credit risk chairman, told shareholders at a conference in late November. “Even after moving key operations from the World Trade Center, we completed all domestic and international payments and equity processing on time that day. We continued to operate globally with virtually no interruption. … During the same week, we handled the effects of a hurricane in Florida and completed three systems and operational conversions. Very simply, the combination of thorough contingency planning, location diversity, and capable and courageous people produced the desired results.”
Both UnionBanCal and Bank of America credit their thorough contingency plans for the rapid restart of business operations following one of the worst disasters in U.S. history. Yet, until Sept. 11, even the most rigorous contingency planners probably never imagined that commercial airliners could be turned into weapons of mass destruction. The fact that the companies coped as well as they did with a completely unforeseeable act of violence highlights the importance of having flexible plans that cover a wide range of emergencies, as well as the necessity for continual review of any plans in place.
“The crises that you anticipate are probably not the ones that are going to arise,” observes Tom Horton, a former chairman of the National Association of Corporate Directors who currently chairs the NACD’s Information Security Panel as well as serving as a director of several organizations, including Ormond Beach, Florida-based The Commercial Bank. “It’s impossible to have a perfect plan in place,” he says. “But you can plan some things, such as: Who is going to be in charge? Who is going to be notified? Who is on the emergency team? Should someone else run the business while the CEO heads the emergency team?”
“There is no such thing as a ‘complete’ contingency plan,” notes Minow. “Every new development, especially terrorist acts, should trigger a complete review.”
“Someone other than the folks who are close to it needs to review the plan on a continuous basis,” recommends the OCC’s Wilke.
Minow recommends that the board make sure the plan “provides for everything from employee evacuation to backup files stored in at least two offsite locations and alternate mail delivery systems. They should also make sure that companies have fire-drill-style exercises to practice their response to a wide range of emergency scenarios.”
“It’s not a bad idea to simulate some kinds of emergencies,” agrees Horton. “The board might have some emergency sessions without the CEO present, for example.”
“It’s the little things that can kill you in disaster recovery,” says Walter Walker, executive vice president of information technology at Hibernia Corp. “Where are the data tapes? Do we have updated contact lists? Are there enough modems?”
Directors, of course, aren’t the proper people to update the contact lists. As Elson puts it, “The board’s responsibility is to ask management what’s being done, and if it gets the wrong answer, it should act accordingly. And acting accordingly means making sure it gets the right answer the next time it asks the question.”
Hibernia, whose headquarters are in New Orleans, has offices in many coastal communities in Louisiana and Texas, communities that are at considerable seasonal risk of hurricane damage. In fact, Hibernia’s website offers a helpful hurricane preparation checklist for customers of its insurance business. Naturally, the company’s own contingency plan is just as detailed when it comes to hurricane readiness.
In September 1998, Hurricane Georges left nearly one million homes in four U.S. Gulf Coast states without power and caused approximately $1 billion in property damage. Hibernia’s contingency plan called for much of the bank’s electronic transaction processing to be moved to Shreveport, so despite widespread flooding and power outages, the data was safe.
“If a hurricane gets into the Gulf, we’re on a state of alert,” Walker says. “We may actually move departments ahead of time. Our data center is located in New Orleans, and we’d move our backup tapes to Little Rock if necessary.”
Walker’s two-person department coordinates disaster planning for all the bank’s business units. Regular testing is conducted, and post-disaster reviews are reported to the audit committee of the board. In addition, there is a formal annual report to the board every December.
In 1999, this reporting mechanism was stepped up because Walker’s department was busy planning for the Y2K bug that was predicted to cause widespread technology failures on Jan. 1, 2000. During that time, the board received monthly updates about the bank’s state of readiness. Hibernia wasn’t the only bank that gave its contingency plans a painstaking overhaul that year. “Many boards had Y2K on their agenda for months before the millennium, and then it turned out to be a nonevent,” says Horton. “Some people said all the preparation was a waste, but the more careful observer would say that the preparation was what made it a nonevent.”
The beefed-up contingency plans developed in 1999 now form the basis for many banks’ current contingency plans, especially now that protecting electronic assets has become just as important as guarding physical vaults. Walker describes Hibernia’s Y2K plans as “the backbone of our business resumption plans.” The OCC’s Wilke notes that with flights grounded and communications seriously disrupted, many companies turned to their Y2K plans on Sept. 11.
For example, if UnionBanCal hadn’t built a layer of redundancy into its electronic operations, so that all transactions on the East Coast were also recorded on West Coast servers, it is doubtful that the company could have resumed processing those transactions within a week of Sept. 11, let alone the same day. As it happened, the bank’s primary backup facility was unusable, so the secondary backup had to be called into play.
Says UnionBanCal’s Brigham, “Y2K was certainly the impetus for us to create all sorts of backups, completely update our platforms and PCs, and implement multiple layers of redundancy.”
“The first thing that a board should do is to realize that information is one of the company’s most important assets,” declares Horton. “And along with that goes your reputation, which is hard to put a price tag on.”
Electronic threats loom for any company operating in the 21st century. Since the passage of the Gramm-Leach-Bliley Act, all financial institutions are required to have information security policies that are approved by their boards.
“Boards of directors aren’t supposed to know all about electronic cookies and bots and firewalls, but they are responsible for the health of their company in perpetuity,” says Horton. “So they need to ask questions such as who is responsible for protecting this information? Who is monitoring that party’s performance? How do we know it’s working?”
Moreover, banks are more sensitive to business disruptions than other types of companies, since their very reputation for safety and security depends on it. Says the OCC’s Wilke, “The financial industry, because of its long history, has a strong level of trust with the consumer. After a disaster, a dry-goods store might be closed for a week and suffer no adverse public reaction, but for a bank, that wouldn’t be acceptable.”
Are there lessons to be learned about contingency plans from the recent terrorist attacks? Most definitely.
Says Walker, “Before Sept. 11, the most probable disasters here in New Orleans were hurricanes or ice… With hurricanes, we’re used to having lots of time. Since Sept. 11, the question we’ve asked ourselves is, can we respond to an emergency even if we don’t have a lot of time? And we’ve answered that question, ‘yes,’ to the satisfaction of the board. The same plan can cover multiple kinds of events.”
Adds Wilke, “There are two key areas we need to spend more attention on, moving forward. The first is the people aspect: Are there succession plans in place for top management, and are there backups available for key personnel such as IT staff (especially for small community banks where that function may be handled by one or two people)? Second is critical infrastructure: What happens if there is literally no power or water, and people need to be relocated?
“Even with a hurricane, we usually have a few days to prepare. In the case of terrorism, we had no warning.”