Risk, Business Continuity Planning: Trends and Lessons from Covid-19

The Covid-19 pandemic has introduced unprecedented strains to the economy, enhancing concerns about credit risk and pressuring lenders’ ability to serve their borrowers.

Cybersecurity and other risk environments have also evolved, following government-mandated work-from-home models. These shifts are prompting bank leaders to evaluate their business continuity plans and pandemic planning initiatives to ensure they’re putting safety and efficiency first.

Bank Director’s 2020 Risk Survey, sponsored by Moss Adams, was conducted in January before the U.S. economy felt the full effect of the coronavirus. Yet, insights derived from this annual survey of bank executives and board members help paint a picture of how the industry will move forward in a challenging operating environment.

Credit Risk
Most community banks have issued loans through the Paycheck Protection Program (PPP), the Small Business Administration loan program created under the Coronavirus Aid, Relief and Economic Security (CARES) Act passed in late March. These loans, which may be forgiven if borrowers meet specified conditions, allowed small businesses to retain staff, pay rent and cover identified operating expenses.

However, it’s likely that businesses will seek additional credit sources as the economy restarts. The lapse in business revenue generation will pose significant underwriting challenges for banks.

More than half of respondents in the 2020 Risk Survey revealed enhanced concerns around credit risk over the past year, while 67% believed that competing banks and credit unions had eased underwriting standards.

While there’s no way to determine what the future holds, near-term lending decisions will likely occur amid an uncertain economic recovery. There are some important questions institutions should consider when determining their lending approach:

  • How will our organization evaluate lending to businesses that have been closed due to the coronavirus?
  • Should a pandemic-related operational gap be treated as an anomaly, or should lenders consider this as they underwrite commercial loans?
  • What other factors should be considered in the current environment?
  • How much bank capital are we willing to put at risk?

Cybersecurity
Directors and executives who responded to the survey consistently indicate that cybersecurity is a key risk concern. In this year’s survey, 77% revealed their bank had placed significant emphasis on increasing cybersecurity and data privacy in the wake of cyberattacks targeting financial institutions, such as Capital One Financial Corp.

With more bank staff working remotely, cyber risks are even greater now. Employees are also emotionally taxed with concerns about their health, family and jobs, increasing the risk of errors and oversights. Unfortunately, the Covid-19 pandemic presents cybercriminals with a ripe opportunity to prey on individuals.

Business Continuity
In the survey, respondents whose bank had weathered a natural disaster within the last two years were asked if they were satisfied with their institution’s business continuity plan. The majority, or 79%, indicated they were.

However, the Covid-19 pandemic isn’t a typical natural disaster. Although buildings haven’t been destroyed, companies are still experiencing significant disruption to their normal operations — if they’re able to operate at all.

These circumstances, coupled with expanding technology and bank operations increasingly moving to the cloud, will likely lead to further changes in business continuity planning.

Remain Flexible
In an interagency statement released a week before the World Health Organization declared the Covid-19 outbreak a pandemic, federal regulators reminded depository institutions of their duty to “periodically review related risk management plans, including continuity plans, to ensure their ability to continue to deliver their products and services in a wide range of scenarios and with minimal disruption.”

The Federal Financial Institutions Examination Council also updated its pandemic guidance, noting the need for a preventative program and documented strategy to continue critical operations throughout a pandemic.

Since that time, banks have encouraged customers to broadly adopt digital platforms and, when necessary, serve customers in person through drive-through lines or by appointment to reduce face-to-face contact. Bank employees wear masks and gloves, branches are cleaned frequently and, where possible, staff work remotely.

Gain Insights
The pandemic is a real-world tabletop exercise that can provide important takeaways about the effectiveness of an organization’s business continuity plan. It’s important for organizations to take advantage of this opportunity.

For example, there could be another wave of Covid-19 later this year; alternately, it could be years before we see an event similar to what we’re experiencing. Either way, your bank must consider the potential consequences of each outcome and have a plan ready. Reviewing your organization’s business continuity plans and initiatives can help reveal opportunities to move forward with confidence, despite challenging operating environments.

When Disaster Strikes, You Better Have a Plan

Hurricanes Harvey and Irma, which struck different locations on the U.S. coastline in August and September, were a tragic reminder that we live in an uncertain world, and natural disasters can cause widespread devastation. The individuals who have been directly affected will always be the first concern, but it’s equally important that businesses and government agencies be able to rebound quickly after a widespread disaster because their ability to function effectively is vital to the recovery of the communities they serve.

Every bank needs a business continuity management plan that the senior executive team and board of directors can activate in the event of a disaster like Harvey or Irma. The plan should be reviewed and tested annually, and updated as needed, suggests Christopher Wilkinson, a principal in Crowe Horwath’s Technology Risk Consulting Group who oversees business continuity planning and penetration assessments for the firm’s cybersecurity team. A common mistake that many organizations make is to see business continuity planning as purely an IT issue, when in fact it is much broader than that. “It’s important to make sure that you focus, first and foremost, on business continuity as a business issue and not just as an IT issue,” he says. In an interview with Bank Director Editor in Chief Jack Milligan, Wilkinson talks about the basic elements of a sound business continuity management program.

BD: What are the primary elements of a good plan?
Wilkinson: When you take a look at business continuity management (BCM) programs, there are four key components. The first component starts with a business impact analysis (BIA). Organizations used to look at business continuity as an IT problem when in fact it really is a business issue. IT is a big component of restoring business operations, but business continuity as a whole is not just an IT problem. A lot of organizations have made the shift to say, “When an event happens, I don’t necessarily want to restore [just] my payroll application. I want to make sure that the process of paying my individuals is restored in full.” And the BIA builds the requirements for each one of the organization’s critical business processes.

One of the biggest components, or variables, that is set during the business impact analysis is the recovery time objective, or RTO. This tells an organization how long a specific business process like HR or payroll can be placed on the back burner before it significantly impacts the organization.

You can look at the impact from a variety of different perspectives. The obvious one would be the financial impact to the organization, but there are others, like the ability to attract new customers or the impact on servicing existing customers. There are a variety of factors that you want to measure the impact of for each business process to determine the overall impact on the organization.

The second important variable in BCM is the recovery point objective, or RPO. This one is a little bit more difficult, but what this variable tells us is, if I had to go to a snapshot of data in the past for some of the systems associated with a business process, how far back could I go? Depending on how dynamic the data is, are we talking minutes, hours or days?

Disaster recovery is an IT issue, and basically what it tells the organization is, “How do I strategically prepare my critical applications to meet the RTO and RPO expectations from the process owners?”

For example, when you talk about RTO, do I have a system designed in such a way with data backups and system redundancy, and the ability to recover that system within the required recovery time objective that the business has given me? So in essence, it’s giving you a service-level agreement, or an SLA, for each and every one of your applications. It tells the IT department, “Here’s how long I can go without this system. Now it’s your job to make sure that system is positioned strategically to meet expectations.”

The third component of a BCM program is the business continuity plan. This is, once again, a business issue. When we document business continuity plans for organizations, one of the things that we’re doing is making sure that certain processes can still be performed in the event of a disaster. If it’s payroll, for example, what can I prepare beforehand to ensure that I can pay employees given the absence of either the systems, the people, or the resources and facilities that are available?

The fourth component of BCM is testing. Are we doing our tabletop testing? Are we getting the right people in a room and walking through disaster scenarios on an annual basis? Are we testing the business side and the business continuity plan? Are we testing the disaster recovery plan, and the ability for IT to recover both the systems and the data that support the business function?
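
A worked illustration of the BIA-to-SLA mapping Wilkinson describes, added here as an example and not code from the page, Bank Director or Crowe Horwath: each process carries the RTO and RPO set in the BIA, each dependency (IT system or not) carries its tested recovery time and backup interval, and the review reports which dependency breaks which objective. The aggregation rules (the slowest dependency gates the RTO, the longest backup interval sets the achievable RPO) and the payroll figures are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Dependency:
    name: str
    is_it: bool                    # IT system vs. people/facility/vendor dependency
    tested_recovery_hours: float   # restore time measured in the last DR or tabletop test
    backup_interval_hours: Optional[float] = None  # snapshot frequency; None for non-IT

@dataclass
class Process:
    name: str
    rto_hours: float   # recovery time objective set in the BIA
    rpo_hours: float   # recovery point objective set in the BIA
    deps: list

def effective_rto(proc):
    # Assumption: dependencies restore in parallel, so the slowest one gates the process.
    return max(d.tested_recovery_hours for d in proc.deps)

def effective_rpo(proc):
    # Assumption: worst-case data loss equals the longest backup interval among IT deps.
    intervals = [d.backup_interval_hours for d in proc.deps if d.backup_interval_hours is not None]
    return max(intervals) if intervals else 0.0

def rto_blockers(proc):
    return [d.name for d in proc.deps if d.tested_recovery_hours > proc.rto_hours]

def rpo_blockers(proc):
    return [d.name for d in proc.deps
            if d.backup_interval_hours is not None and d.backup_interval_hours > proc.rpo_hours]

def review(proc):
    """Summarise whether the process, not just its application, meets its BIA objectives."""
    return {"process": proc.name,
            "rto_met": effective_rto(proc) <= proc.rto_hours,
            "rpo_met": effective_rpo(proc) <= proc.rpo_hours,
            "rto_blockers": rto_blockers(proc),
            "rpo_blockers": rpo_blockers(proc)}

# Constructed sample: the payroll application itself recovers within the RTO, but a
# non-IT dependency and a stale backup on a second system still break the objectives.
PAYROLL = Process("Payroll", rto_hours=24, rpo_hours=4, deps=[
    Dependency("payroll application", True, tested_recovery_hours=8, backup_interval_hours=1),
    Dependency("HR records database", True, tested_recovery_hours=12, backup_interval_hours=24),
    Dependency("dual-control payment approvers", False, tested_recovery_hours=48),
])
```

Calling `review(PAYROLL)` shows the point made in the interview: the application meets its SLA, yet the payroll process still misses both objectives because of dependencies outside the application.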

BD: What mistakes do companies, including banks, typically make in their business continuity planning?
Wilkinson: That is a great question. I think one of the more common mistakes that I mentioned earlier is looking at business continuity as an IT issue, instead of as a business issue.

If we’re dealing with payroll and HR as an example, I very likely could recover the payroll application. But there may be other dependencies within the payroll process that aren’t up and running that aren’t IT related.

So it’s important to make sure that you focus, first and foremost, on business continuity as a business issue and not just as an IT issue.

Another mistake is that some of the smaller banks under $10 billion in assets haven’t done a business continuity risk assessment, where you’re prioritizing your threats based upon the company profile. That could be geographic location, which is probably one of the largest factors for banks. As you can imagine, if I’m a bank in the Florida Keys, I’ll have much different concerns with regards to the types of events or threats that may impact me than a bank in the Midwest.

So I need to make sure that I take a look at those threats, and then take a look at the controls that are in place from a business continuity perspective. Look at the most effective controls that are required for each one of those types of events, and then put those in place, and make sure that they’re effective.

BD: Do banks have any special issues when it comes to business continuity?
Wilkinson: Banks are probably a little less challenging than other kinds of organizations. If you think about manufacturing and distribution, you have to worry about supply chain management. The Japanese tsunami in 2011 was a great example of that; it disrupted the supply chain for folks in many industries. It became quite a challenge to be able to find some of the parts and raw materials that companies needed, especially if they were coming from Japan.

Probably the most challenging aspect within the banking world is the number of branches they have and their geographic distribution. Banks need to review their facilities and understand where the critical business processes lie within each one of those facilities, and then strategically design a business continuity plan for each one of those facilities, based upon their geographic footprint. That is probably the most challenging thing that bankers face that other industries may not.

BD: Are there other risks that banks need to worry about from a business continuity standpoint that don’t necessarily relate directly to some kind of natural disaster?
Wilkinson: There absolutely are. And that’s why when we talk about more mature organizations and their business continuity management program, what we’re starting to see is the convergence of the business continuity management program and the crisis management plan.

Having a crisis management playbook and a communication strategy for things like an active shooter scenario is starting to converge with business continuity management. The primary area where we see overlap is the management structure that’s going to be leading that organization through one of those events. They are very different situations if you think about a tornado versus an active shooter. But the overall management structure, and who’s leading the organization and making key decisions and putting out public communication—that’s where the primary overlap is for those two different kinds of events. In the past, we’ve looked at them as two different programs. More mature organizations are starting to converge those two into one larger program that speaks to business resiliency.

BD: Any last points you want to make before we close this out?
Wilkinson: Today we are a very mobile workforce. How am I to use that mobility strategically to assist my business continuity program?

One of the ways that organizations can take advantage of this mobility is if they have a laptop refresh program. Let’s assume that a certain number of bank employees carry laptops, and those laptops get refreshed on an annual, biannual or every-three-year basis. If you’re not leasing those laptops and you own them, it’s a good opportunity to take those laptops, put them in a secure location and leverage them in case something does happen. It’s a lot easier to pull out 15- or 20-year-old laptops that already have a lot of the software and systems I need loaded on them than it is for me to create new systems from scratch.

Number two, when we see banks or organizations connecting their business continuity programs, in the unfortunate case where there is an event, communication is key. There are a lot of different systems out there that allow me to communicate with my employees and my customers. Pricing varies between the different products that are available, but the ability to send text messages—especially because typically that’s one of the last things that ultimately will go down from an infrastructure perspective in terms of the amount of data that’s used across networks—is changing the way that we as practitioners implement our plans.