Fighting Disaster Through Business Continuity Planning

As Hurricane Ian began to coalesce in the Caribbean in late September, all of Florida hunkered down. This included Climate First Bancorp, the holding company for $250 million Climate First Bank, which serves primarily commercial organizations. The storm was initially expected to make landfall in the U.S. by hitting St. Petersburg, Florida, Climate First’s headquarters. The bank’s leaders knew that they had to begin preparations, so they turned to their business continuity plan. 

The two-year-old bank is also in the middle of shifting its data storage to a third party, so servers aren’t hosted at individual branches. As the storm rolled forward, though, the bank had to undergo a temporary shift of the data and operations from the St. Pete location to one in Winter Park, near Orlando. This gave the organization protection in case St. Petersburg saw significant damage. 

It served them well. As the state suffered flooding and destruction that reports have estimated between $50 billion and $65 billion, St. Petersburg and Orlando avoided the worst of the storm. Customers saw little disruption, and the experience further prepared Climate First Bank for another hurricane that would hit weeks later. “We’re a climate-focused bank, and this is supposed to be more than a 100-year flood,” says Lex Ford, president at Climate First Bank. “How many years in a row have we had a 100-year flood?”

Business continuity planning isn’t just a nice-to-have, but a requirement by regulators. How robust the continuity plan is, however, will determine how ready the organization is to react when unexpected disturbances or upheavals in the normal course of business occur. With the rate of natural disasters rising, so does the possibility that banks will have to lean on continuity preparation. Boards have a responsibility to ensure that such plans have robust strategies in place, but many organizations lack certain coverage.

Business continuity planning within institutions shifted in response to Covid-19. With more than 80% of executives and directors reporting that their organizations have remote workers, 44% saw a gap in their bank’s business continuity plan with regard to remote work procedures and policies, according to Bank Director’s 2022 Risk Survey, conducted in January 2022. That rate is down from 77% admitting such a gap in 2021. 

Meanwhile, despite the increase in intensity of hurricanes and other tropical storms since 1995, according to the Environmental Protection Agency, only 16% of respondents said their board has discussed the impact of climate change on the organization at least annually, according to the 2022 Risk Survey. Six out of 10 respondents said their board and senior leadership team understood the physical risks the bank faced due to climate change.

But when it comes to continuity preparations, “you’re not just planning for things that are obvious,” says Julie Stackhouse, a director at $27 billion Simmons First National Corp., headquartered in Pine Bluff, Arkansas. Stackhouse also served at the Federal Reserve Bank of Minneapolis in 2001, and was at a meeting in the New York Federal Reserve during 9/11. She witnessed first-hand the response of financial institutions. This experience of seeing banks react to the sudden attack crystallized the importance of continuity planning for Stackhouse.

When a disaster hits, “human beings have an emotional response,” says Stackhouse. Employees will worry about family and friends, not just the bank. During these moments, “you need to think about the practicality of personality,” Stackhouse adds.

How will employees respond under the pressure of an attack, a storm that destroys nearby homes, or a ransomware attack that could threaten their jobs? Considering those emotions during moments of clarity — and planning for an expectation that some employees won’t be available — is vital to the success of any continuity plan. Boards should ensure that management has considered the employees’ emotional response to such situations, or else the best plan may prove worthless when pressure rises. 

Climate First’s plan deals with the human side by spreading employees across the state. Even with two branches, the majority of its employees work from home. This served them well during Ian. But the bank took its experience with Ian and began to expand the states that it would hire from to ensure an interruption in Florida wouldn’t impact every employee of the bank. Some employees work permanently outside the state, and others occasionally do. “Many [new hires] live three, four, five states away,” Ford says. 

It’s one strategy the bank has used to counter the threat of any one incident shutting the organization down. But it’s a solution unique to the institution itself. For directors, it’s vital to review the continuity plan, seeking insight into key issues for the individual bank. 

“The first question” for boards, says Stackhouse, “is have you seen the business continuity plan? Do you know how often it’s updated? Do you know if the key expectations are laid out in the plan?” 

Stackhouse says that it’s surprising how many directors have failed to even inquire about the plan on this basic level. Once you have looked at the plan, though, you need to go further, asking about how communication will occur if a disturbance to the organization’s infrastructure takes place, Stackhouse says. How will leaders communicate with employees and each other? Banks should have tactics in place for such communication and expect different layers of disruption. You may not know what unexpected disaster could eventually impact the organization, but you can lean on other scenarios — in the news or experienced directly by the bank — to prepare in case communication is disrupted in an unexpected way.

Another key question: Does the bank have business continuity staff? As a director, know what their roles are, what they do and how they handle key issues within the continuity strategy. Having ownership over the continuity plan will prevent it from becoming a secondary concern. “It is never a good answer if it’s everybody’s responsibility,” adds Stackhouse. 

One of the best ways to pressure test your institution’s continuity plan is to have practice runs with scenarios that could prevent the bank from operating. Discussing these scenarios will allow the organization to see what works, what doesn’t and what should be tweaked. Directors should take part in many of those tests, since they will likely be a key resource if a large enough event takes place. Not to mention, in such scenarios, management may lean on boards of directors for guidance.

For community banks, where resources may be more limited, focus on events that are more likely to occur. This will depend on the organization but could be a hurricane or extended power outage or cyberattack. Having run-throughs while leaning on the continuity plan will test what the C-suite has put together. Did communication hold? What additional resources do employees need to do their job? How did they react? Seeing this under a guided test-run will ease nerves if the real event occurs. 

Larger banks may have a team that can run specialized tests to simulate very specific scenarios, like, say, a war or unexpected attack on the nation. While you may not know what scenario will occur, having these test-runs will allow the bank to have case studies on hand, in the event a similar disruption happens.

For Climate First, the plan they put in place served them through the hurricane season this year. They will incorporate their experience into continuity planning for the future. The goal? To ensure customers never realize a disruption occurred. 

With the most distant client living in Hawaii, that person “probably didn’t even know we were going through a storm,” says Ford. 

“And I hope they couldn’t tell.” 

* * *  

For more information about other aspects of business continuity planning, consider reading “Getting Proactive About Third-Party Cyber Risk,” or “The Topic That’s Missing From Strategic Discussions.” 

Bank Director’s 2022 Risk Survey, sponsored by Moss Adams LLP, surveyed 222 independent directors, CEOs, chief risk officers and other senior executives of U.S. banks below $100 billion in assets to gauge their concerns and explore several key risk areas. The survey was conducted in January 2022.

Business Continuity Planning: Trends and Lessons from Covid-19

The Covid-19 pandemic has introduced unprecedented strains to the economy, enhancing concerns about credit risk and pressuring lenders’ ability to serve their borrowers.

Cybersecurity and other risk environments have also evolved, following government-mandated work from home models. These shifts are prompting bank leaders to evaluate their business continuity plans and pandemic planning initiatives to ensure they’re putting safety and efficiency first.

Bank Director’s 2020 Risk Survey, sponsored by Moss Adams, was conducted in January before the U.S. economy felt the full effect of the coronavirus. Yet, insights derived from this annual survey of bank executives and board members help paint a picture of how the industry will move forward in a challenging operating environment.

Credit Risk
Most community banks have issued loans through the Paycheck Protection Program (PPP), the Small Business Administration’s loan created under the Coronavirus Aid, Relief and Economic Security (CARES) Act passed in late March. These loans, which may be forgiven if borrowers meet specified conditions, allowed small businesses to retain staff, pay rent and cover identified operating expenses.

However, it’s likely that businesses will seek additional credit sources as the economy restarts. The lapse in business revenue generation will pose significant underwriting challenges for banks.

More than half of respondents in the 2020 Risk Survey revealed enhanced concerns around credit risk over the past year, while 67% believed that competing banks and credit unions had eased underwriting standards.

While there’s no way to determine what the future holds, near-term lending decisions will likely occur amid an uncertain economic recovery. There are some important questions institutions should consider when determining their lending approach:

  • How will our organization evaluate lending to businesses that have been closed due to the coronavirus?
  • Should a pandemic-related operational gap be treated as an anomaly, or should lenders consider this as they underwrite commercial loans?
  • What other factors should be considered in the current environment?
  • How much bank capital are we willing to put at risk?

Cybersecurity
Directors and executives who responded to the survey consistently indicate that cybersecurity is a key risk concern. In this year’s survey, 77% revealed their bank had placed significant emphasis on increasing cybersecurity and data privacy in the wake of cyberattacks targeting financial institutions, such as Capital One Financial Corp.

With more bank staff working remotely, cyber risks are even greater now. Employees are also emotionally taxed with concerns about their health, family and jobs, increasing the risk of errors and oversights. Unfortunately, the Covid-19 pandemic presents cybercriminals with a ripe opportunity to prey on individuals.

Business Continuity
In the survey, respondents whose bank had weathered a natural disaster within the last two years were asked if they were satisfied with their institution’s business continuity plan. The majority, or 79%, indicated they were.

However, the Covid-19 pandemic isn’t a typical natural disaster. Although buildings haven’t been destroyed, companies are still experiencing significant disruption to their normal operations — if they’re able to operate at all.

These circumstances, coupled with expanding technology and bank operations increasingly moving to the cloud, will likely lead to further changes in business continuity planning.

Remain Flexible
In an interagency statement released a week before the World Health Organization declared the Covid-19 outbreak a pandemic, federal regulators reminded depository institutions of their duty to “periodically review related risk management plans, including continuity plans, to ensure their ability to continue to deliver their products and services in a wide range of scenarios and with minimal disruption.”

The Federal Financial Institutions Examination Council also updated its pandemic guidance, noting the need for a preventative program and documented strategy to continue critical operations throughout a pandemic.

Since that time, banks have encouraged customers to broadly adopt digital platforms and, when necessary, serve customers in person through drive-through lines or by appointment to reduce face-to-face contact. Bank employees wear masks and gloves, branches are cleaned frequently and, where possible, staff work remotely.

Gain Insights
The pandemic is a real-world tabletop exercise that can provide important takeaways about the effectiveness of an organization’s business continuity plan. It’s important for organizations to take advantage of this opportunity.

For example, there could be another wave of Covid-19 later this year; alternately, it could be years before we see an event similar to what we’re experiencing. Either way, your bank must consider the potential consequences of each outcome and have a plan ready. Reviewing your organization’s business continuity plans and initiatives can help reveal opportunities to move forward with confidence, despite challenging operating environments.

When Disaster Strikes, You Better Have a Plan


Hurricanes Harvey and Irma, which struck different locations on the U.S. coastline in August and September, were a tragic reminder that we live in an uncertain world, and natural disasters can cause widespread devastation. The individuals who have been directly affected will always be the first concern, but it’s equally important that businesses and government agencies be able to rebound quickly after a widespread disaster because their ability to function effectively is vital to the recovery of the communities they serve.

Every bank needs a business continuity management plan that the senior executive team and board of directors can activate in the event of a disaster like Harvey or Irma. The plan should be reviewed and tested annually, and updated as needed, suggests Christopher Wilkinson, a principal in Crowe Horwath’s Technology Risk Consulting Group who oversees business continuity planning and penetration assessments for the firm’s cybersecurity team. A common mistake that many organizations make is to see business continuity planning as purely an IT issue, when in fact it is much broader than that. “It’s important to make sure that you focus, first and foremost, on business continuity as a business issue and not just as an IT issue,” he says. In an interview with Bank Director Editor in Chief Jack Milligan, Wilkinson talks about the basic elements of a sound business continuity management program.

BD: What are the primary elements of a good plan?
Wilkinson: When you take a look at business continuity management (BCM) programs, there are four key components. The first component starts with a business impact analysis (BIA). Organizations used to look at business continuity as an IT problem when in fact it really is a business issue. IT is a big component of restoring business operations, but business continuity as a whole is not just an IT problem. A lot of organizations have made the shift to say, “When an event happens, I don’t necessarily want to restore [just] my payroll application. I want to make sure that the process of paying my individuals is restored in full.” And the BIA builds the requirements for each one of the organization’s critical business processes.

One of the biggest components, or variables, that is set during the business impact analysis is the recovery time objective, or RTO. This tells an organization how long a specific business process like HR or payroll can be placed on the back burner before it significantly impacts the organization.

You can look at the impact from a variety of different perspectives. The obvious one would be the financial impact to the organization, but there are others, like the ability to attract new customers or the impact on servicing existing customers. There are a variety of factors that you want to measure the impact of for each business process to determine the overall impact on the organization.

The second important variable in BCM is the recovery point objective, or RPO. This one is a little bit more difficult, but what this variable tells us is, if I had to go to a snapshot of data in the past for some of the systems associated with a business process, how far back could I go? Depending on how dynamic the data is, are we talking minutes, hours or days?

Disaster recovery is an IT issue, and basically what it tells the organization is, “How do I strategically prepare my critical applications to meet the RTO and RPO expectations from the process owners?”

For example, when you talk about RTO, do I have a system designed in such a way with data backups and system redundancy, and the ability to recover that system within the required recovery time objective that the business has given me? So in essence, it’s giving you a service-level agreement, or an SLA, for each and every one of your applications. It tells the IT department, “Here’s how long I can go without this system. Now it’s your job to make sure that system is positioned strategically to meet expectations.”

The third component of a BCM program is the business continuity plan. This is, once again, a business issue. When we document business continuity plans for organizations, one of the things that we’re doing is making sure that certain processes can still be performed in the event of a disaster. If it’s payroll, for example, what can I prepare beforehand to ensure that I can pay employees given the absence of either the systems, the people, or the resources and facilities that are available?

The fourth component of BCM is testing. Are we doing our tabletop testing? Are we getting the right people in a room and walking through disaster scenarios on an annual basis? Are we testing the business side and the business continuity plan? Are we testing the disaster recovery plan, and the ability for IT to recover both the systems and the data that support the business function?
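As an added illustration of the BIA-to-disaster-recovery mapping Wilkinson describes (example code written for this page, not from the article or from Crowe), the Python below checks each process's RTO and RPO against the backup interval and restore time of its supporting systems, and also flags non-IT dependencies that a system restore alone would not cover. All process, system and dependency figures are constructed sample values.

```python
"""
Added example, not from the article or Crowe: a small business impact
analysis (BIA) check. For each critical business process it compares the
RTO/RPO the process owner set against what the disaster-recovery design
of the supporting systems can deliver, and separately flags non-IT
dependencies (people, facilities, vendors) that restoring the application
alone would not cover. Every figure below is a constructed sample value.
"""
from dataclasses import dataclass, field


@dataclass
class System:
    name: str
    backup_interval_h: float  # worst-case data loss on restore bounds the achievable RPO
    restore_time_h: float     # time to rebuild the system bounds the achievable RTO


@dataclass
class Dependency:
    name: str            # e.g. a person, a facility, a third-party service
    has_alternate: bool  # is there a documented workaround if it is unavailable?


@dataclass
class Process:
    name: str
    rto_h: float   # how long the process can be down before it seriously hurts the bank
    rpo_h: float   # how much data (in hours) the process can afford to lose
    systems: list  # names of supporting systems, assumed to be restored one after another
    dependencies: list = field(default_factory=list)


def assess(process, systems):
    """Return the list of gaps for one process; an empty list means the DR design meets the BIA."""
    gaps = []
    total_restore_h = 0.0
    for sys_name in process.systems:
        s = systems[sys_name]
        total_restore_h += s.restore_time_h
        if s.backup_interval_h > process.rpo_h:
            gaps.append(f"{s.name}: backup every {s.backup_interval_h}h cannot meet RPO of {process.rpo_h}h")
    if total_restore_h > process.rto_h:
        gaps.append(f"restoring {', '.join(process.systems)} takes {total_restore_h}h, over RTO of {process.rto_h}h")
    # Recovering the applications is not the same as recovering the process.
    for dep in process.dependencies:
        if not dep.has_alternate:
            gaps.append(f"no alternate for non-IT dependency '{dep.name}'")
    return gaps


def assess_all(processes, systems):
    """Map each process name to its gaps, ordered by RTO so the tightest processes come first."""
    return {p.name: assess(p, systems) for p in sorted(processes, key=lambda p: p.rto_h)}


# Constructed sample inventory (not real figures from any bank).
SYSTEMS = {
    "core": System("core banking", backup_interval_h=1.0, restore_time_h=2.0),
    "payroll_app": System("payroll application", backup_interval_h=24.0, restore_time_h=8.0),
    "hr_db": System("HR database", backup_interval_h=4.0, restore_time_h=12.0),
}
PROCESSES = [
    Process("Payroll", rto_h=48.0, rpo_h=24.0, systems=["hr_db", "payroll_app"],
            dependencies=[Dependency("payroll clerk", has_alternate=True),
                          Dependency("badge time clocks at headquarters", has_alternate=False)]),
    Process("Wire transfers", rto_h=4.0, rpo_h=0.25, systems=["core"]),
]

if __name__ == "__main__":
    for name, gaps in assess_all(PROCESSES, SYSTEMS).items():
        print(name, "- OK" if not gaps else "- gaps:")
        for g in gaps:
            print("   ", g)
```

In the sample data the payroll systems recover well within their RTO and RPO, yet the process still has a gap because the headquarters time clocks have no alternate, which is exactly the non-IT dependency the interview warns about.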

BD: What mistakes do companies, including banks, typically make in their business continuity planning?
Wilkinson: That is a great question. I think one of the more common mistakes that I mentioned earlier is looking at business continuity as an IT issue, instead of as a business issue.

If we’re dealing with payroll and HR as an example, I very likely could recover the payroll application. But there may be other dependencies within the payroll process that aren’t up and running that aren’t IT related.

So it’s important to make sure that you focus, first and foremost, on business continuity as a business issue and not just as an IT issue.

Another mistake is that some of the smaller banks under $10 billion in assets haven’t done a business continuity risk assessment, where you’re prioritizing your threat based upon the company profile. That could be geographic location, which is probably one of the largest factors for banks. As you can imagine, if I’m a bank in the Florida Keys, I’ll have much different concerns with regards to the types of events or threats that may impact me than a bank in the Midwest.

So I need to make sure that I take a look at those threats, and then take a look at the controls that are in place from a business continuity perspective. Look at the most effective controls that are required for each one of those types of events, and then put those in place, and make sure that they’re effective.

BD: Do banks have any special issues when it comes to business continuity?
Wilkinson: Banks are probably a little less challenging than other kinds of organizations. If you think about manufacturing and distribution, you have to worry about supply chain management. The Japanese tsunami in 2011 was a great example of that; it disrupted the supply chain for folks in many industries. It became quite a challenge to be able to find some of the parts and raw materials that companies needed, especially if they were coming from Japan.

Probably the most challenging aspect within the banking world is the number of branches they have and their geographic distribution. Banks need to review their facilities and understand where the critical business processes lie within each one of those facilities, and then strategically design a business continuity plan for each one of those facilities, based upon their geographic footprint. That is probably the most challenging thing that bankers face that other industries may not.

BD: Are there other risks that banks need to worry about from a business continuity standpoint that don’t necessarily relate directly to some kind of natural disaster?
Wilkinson: There absolutely are. And that’s why when we talk about more mature organizations and their business continuity management program, what we’re starting to see is the convergence of the business continuity management program and the crisis management plan.

Having a crisis management playbook and a communication strategy for things like an active shooter scenario are starting to converge with business continuity management. The primary area where we see overlap is the management structure that’s going to be leading that organization through one of those events. They are very different situations if you think about a tornado versus an active shooter. But the overall management structure, and who’s leading the organization and making key decisions and putting out public communication—that’s where the primary overlap is for those two different kinds of events. In the past, we’ve looked at them as two different programs. More mature organizations are starting to converge those two into one larger program that speaks to business resiliency.

BD: Any last points you want to make before we close this out?
Wilkinson: Today we are a very mobile workforce. How am I to use that mobility strategically to assist my business continuity program?

One of the ways that organizations can take advantage of this mobility is if they have a laptop refresh program. Let’s assume that a certain number of bank employees carry laptops, and those laptops get refreshed on an annual, biannual or every-three-year basis. If you’re not leasing those laptops and you own them, it’s a good opportunity to take those laptops, put them in a secure location and leverage them in case something does happen. It’s a lot easier to pull out 15- or 20-year-old laptops that already have a lot of the software and systems I need loaded on them than it is for me to create new systems from scratch.

Number two, when we see banks or organizations connecting their business continuity programs, in the unfortunate case where there is an event, communication is key. There are a lot of different systems out there that allow me to communicate with my employees and my customers. Pricing varies between the different products that are available, but the ability to send text messages—especially because typically that’s one of the last things that ultimately will go down from an infrastructure perspective in terms of the amount of data that’s used across networks—is changing the way that we as practitioners implement our plans.