Pandemic planning falls under the category of ‘operational risk’ planning. This should be part of every organization’s Business Continuity Plan (BCP); however, there are a number of unique planning elements that need to be considered. Interagency advisory FIL-25-2006 and Basel II banking regulations identify pandemic as a potential threat to any financial institution regardless of size and location, and should be considered in business continuity planning. For critical infrastructure entities, business continuity planning for a pandemic is required. Many of the traditional assumptions and planned responses for business continuity are designed to deal with disasters where facilities and systems are suddenly knocked out of action. These traditional planned responses will not be effective in a pandemic.

Impact

In a pandemic, it will be people rather than infrastructure that will become unavailable. A pandemic can be caused by any infectious disease occurring naturally or released as a bio-terrorism weapon. The World Health Organization (WHO) believes that the most likely infectious disease that could evolve to pandemic status is the Avian (Bird) Flu. This is caused by the influenza virus known as H5N1. This virus has already passed from birds to humans, and it has a very high rate of mortality. At this time, the virus has not mutated to the point where it can be passed from human to human; however, mutation is a primary concern of the WHO. Statistical projection models estimate that if this were to occur potentially 30% of your employees and customers could be directly affected by a pandemic in weeks or months.

20th Century Pandemics

In the 20th Century there have been three pandemics. 

1. The Spanish flu of 1918-1919 was the worst of the pandemics causing over 500,000 deaths in the U.S. and up to 50 million worldwide.
2. The Asian flu of 1957-58 caused about 70,000 deaths in the U.S.
3. The Hong Kong flu from 1968-69 caused nearly 34,000 American deaths. 

The SARS virus outbreak in 2003 had the potential to become a fourth pandemic. The human and financial costs of an avian flu pandemic could be devastating.
A pandemic is at least as likely as some other disaster scenarios for which BCP plans are already in place. At a minimum, banking regulators expect banks to have considered the potential for losses due to a pandemic as part of their economic capital regimes.

Unique BCP Objectives

In the event of a disaster, nearly all BCP strategies are to operate with backup infrastructure in geographically dispersed locations for a limited period of time. In the event of loosing one location, staff would be ‘crammed’ into the premises that remain operational. This is precisely the wrong strategy for dealing with a pandemic where overcrowding would be considered dangerous and strongly discouraged, or prohibited. 
The initial response of civil authorities to an outbreak will be to discourage large gatherings of people such as your staff and customers. Quarantine is the first step in the response methodology.  
Most existing BCP plans do address the unavailability of key individual staff members, as a risk to be considered, but with a pandemic there is an issue of substantially increased scope and impact with more people and locations involved.

Pandemic
BCP Planning Objectives

1. The impact of a pandemic would be unpredictable. Any business location could be affected and multiple locations could be affected at the same time.
2. Civil authorities, and sensible management, will want to limit human-to-human transmission of the disease. To support this, gatherings of people will be discouraged. 
3. Many employees, although not directly affected by the virus, will choose to stay away from work to treat family members or out of concern of exposure. An estimated 25% to 50% absentee rate should be anticipated.
4. In the event of a pandemic, business operations will not return to normal for a period of 6 to 18 months. A minimum 12 month planning target is recommended.
5. Key business support vendors will experience a similar prolonged impact which may restrict their ability to provide services to you.

Pandemic Planning Strategies

There are some specific planning strategies that an organization can address in advance of a pandemic as part of their enhanced Business Continuity Plan. These strategies include:

1. Actively promoting the technical capability and processes for working at home, “telecommuting”. Staff will be encouraged or required to work from home for long periods. Secure remote network computer and application access should be provided. Policies and procedures should be developed to support this revised work environment.
2. Modify your organizations decision making processes so that business units can function in a semi-autonomous mode as individual “focused business cells” if necessary. The normal ‘chain of command’ communication structure is likely to be disrupted in a pandemic.
3. Increase the cross training of staff so that they can continue to support key business processes in the ‘focused business cells’.
4. Identify key vendors and service providers and anticipate how services may be provided or worked around if they are not able to meet your demands.
5. Plan for and increase the use of Telecommunication services such as Interactive Voice Response (IVR) to answer and route customer calls.
6. Increase the business support capability of your business web site and increase the use of Internet-based services including Internet Banking.
7. Review personnel policies for sick leave compensation and guidelines for when employees are allowed to return to work after a pandemic illness. This may be one time when it is prudent to pay employees for an extended illness.
8. If you haven’t done so already as part of your BCP, identify all essential critical business functions and the employees that are responsible for them. Determine the number of trained staff and the need for further cross training.

How Assurity River Group can help with
Pandemic Planning and Business Continuity
Best Practices

Enhance your BCP with a revised strategy for Pandemic planning and response.  Assurity River Group can help you review and update your current Business Continuity Plan, Remote access (Telecommuting) and Internet business security controls. We can assess your electronic communications policy to determine whether employee security controls are a risk that should be addressed.  We can help you assess your external service provider(s) as to their security and preparedness, as well as help you to develop alternatives in the event of their inability to respond to a pandemic. 
Policy creation.  Assurity River Group helps organizations draft effective information security policies and standards to ensure ongoing security with all electronic communication, for both HIPAA and GLBA compliance. 
Solutions.  Assurity River Group can provide and implement: 

1. Information Security Policies specific to your organization 
2. Internet Banking policy and standards 
3. Secure Remote access and Telecommuting standards and solutions. 
4. We have experience in implementing systems to enable employees to securely transmit encrypted documents.  
5. Assurity River Group can also provide a number of remotely managed services to protect your computer systems from pervasive threats on the Internet. 
   

Contact Jeff Olejnik (jolejnik@assurityriver.com) at 651.259.6888 for more information.