As Hurricane Ian began to coalesce in the Caribbean in late September, all of Florida hunkered down. This included Climate First Bancorp, the holding company for $250 million Climate First Bank, which serves primarily commercial organizations. The storm was initially expected to make landfall in the U.S. by hitting St. Petersburg, Florida, Climate First’s headquarters. The bank’s leaders knew that they had to begin preparations, so they turned to their business continuity plan.
The two-year-old bank is also in the middle of shifting its data storage to a third-party, so servers aren’t hosted at individual branches. As the storm rolled forward, though, the bank had to undergo a temporary shift of the data and operations from the St. Pete location to one in Winter Park, near Orlando. This gave the organization protection in case St. Petersburg saw significant damage.
It served them well. As the state suffered flooding and destruction that reports have estimated between $50 billion and $65 billion, St. Petersburg and Orlando avoided the worst of the storm. Still, customers saw little disruption and the experience further prepared Climate First Bank for another hurricane that would hit weeks later. “We’re a climate focused bank, and this is supposed to be more than a 100-year flood,” says Lex Ford, president at Climate First Bank. “How many years in a row have we had a 100-year flood?”
Business continuity planning isn’t just a nice-to-have, but a requirement by regulators. How robust the continuity plan is, however, will determine how ready the organization can react when unexpected disturbances or upheavals in the normal course of business occurs. With the rate of natural disasters rising, so does the possibility that banks will have to lean on continuity preparation. Boards have a responsibility to ensure that such plans have robust strategies in place, but many organizations lack certain coverage.
Business continuity planning within institutions shifted in response to Covid-19. With more than 80% of executives and directors reporting that their organizations have remote workers, 44% saw a gap in their bank’s business continuity plan with regards to remote work procedures and policies, according to Bank Director’s 2022 Risk Survey, conducted in January 2022. That rate is down from 77% admitting such a gap in 2021.
Meanwhile, despite the increase in intensity of hurricanes and other tropical storms since 1995, according to the Environmental Protection Agency, only 16% of respondents said their board has discussed the impact of climate change on the organization at least annually, according to the 2022 Risk Survey. Six out of 10 respondents said their board and senior leadership team understood the physical risks the bank faced due to climate change.
But when it comes to continuity preparations, “you’re not just planning for things that are obvious,” says Julie Stackhouse, a director at $27 billion Simmons First National Corp., headquartered in Pine Bluff, Arkansas. Stackhouse also served at the Federal Reserve Bank of Minneapolis in 2001, and was at a meeting in the New York Federal Reserve during 9/11. She witnessed first-hand the response of financial institutions. This experience of seeing banks react to the sudden attack crystalized the importance of continuity planning for Stackhouse.
When a disaster hits, “human beings have an emotional response,” says Stackhouse. Employees will worry about family and friends, not just the bank. During these moments, “you need to think about the practicality of personality,” Stackhouse adds.
How will employees respond under the pressure of an attack or a storm that destroys nearby homes, or a ransomware that could threaten their jobs? Considering those emotions during moments of clarity — and planning for an expectation that some employees won’t be available — is vital to the success of any continuity plan. For boards, ensure that management has considered the employees’ emotional response to such situations, or else the best plan may prove worthless when pressure rises.
Climate First’s plan deals with the human side by spreading employees across the state. Even with two branches, the majority of its employees work from home. This served them well during Ian. But the bank took its experience with Ian and began to expand the states that it would hire from to ensure an interruption in Florida wouldn’t impact every employee of the bank. Some employees work permanently outside the state, and others occasionally do. “Many [new hires] live three, four, five states away,” Ford says.
It’s one strategy the bank has used to counter the threat of any one incident shutting the organization down. But it’s a solution unique to the institution itself. For directors, it’s vital to review the continuity plan, seeking insight into key issues for the individual bank.
“The first question” for boards, says Stackhouse, “is have you seen the business continuity plan? Do you know how often it’s updated? Do you know if the key expectations are laid out in the plan?”
Stackhouse says that it’s surprising how many directors have failed to even inquire about the plan on this basic level. Once you have looked at the plan, though, you need to go further, asking about how communication will occur if a disturbance to the organization’s infrastructure takes place, Stackhouse says. How will leaders communicate with employees and each other? Banks should have tactics in place for such communication and expect different layers of disruption. You may not know what unexpected disaster could eventually impact the organization, but you can lean on other scenarios — in the news or experienced directly by the bank — to prepare in case communication is disrupted in an unexpected way.
Another key question: Does the bank have business continuity staff? As a director, know what their roles are, what they do and how they handle key issues within the continuity strategy. Having ownership over the continuity plan will prevent it from becoming a secondary concern. “It is never a good answer if it’s everybody’s responsibility,” adds Stackhouse.
One of the best ways to pressure test your institution’s continuity plan is to have practice runs with scenarios that could prevent the bank from operating. Discussing these scenarios will allow the organization to see what works, what doesn’t and what should be tweaked. Directors should take part in many of those tests, since they will likely be a key resource if a large enough event takes place. Not to mention, in such scenarios, management may lean on boards of directors for guidance.
For community banks, where resources may be more limited, focus on events that are more likely to occur. This will depend on the organization but could be a hurricane or extended power outage or cyberattack. Having run-throughs while leaning on the continuity plan will test what the C-suite has put together. Did communication hold? What additional resources do employees need to do their job? How did they react? Seeing this under a guided test-run will ease nerves if the real event occurs.
Larger banks may have a team that can run specialized tests to simulate very specific scenarios, like, say, a war or unexpected attack on the nation. While you may not know what scenario will occur, having these test-runs will allow the bank to have case studies on hand, in the event a similar disruption happens.
For Climate First, the plan they put in place served them through the hurricane season this year. They will incorporate their experience into continuity planning for the future. The goal? To ensure customers never realize a disruption occurred.
With the most distant client living in Hawaii, that person “probably didn’t even know we were going through a storm,” says Ford.
“And I hope they couldn’t tell.”
* * *
For more information about other aspects of business continuity planning, consider reading “Getting Proactive About Third-Party Cyber Risk,” or “The Topic That’s Missing From Strategic Discussions.”
Bank Director’s 2022 Risk Survey, sponsored by Moss Adams LLP, surveyed 222 independent directors, CEOs, chief risk officers and other senior executives of U.S. banks below $100 billion in assets to gauge their concerns and explore several key risk areas. The survey was conducted in January 2022.