Posted by: David Schneier
Audit, bcp, business continuity planning, findings, observations, pandemic, Pandemic Planning, regulatory, Regulatory Compliance, testing
I’m returning to the office after having given in to the siren song of Memorial Day weekend. Despite enjoying the long break and all its trappings (way too much I might add), something that hit my radar last week remained on my mind.
Earlier in the week, I came across a comment in an IT audit report in which the auditor recommended that the institution for which the report was written plan to conduct a test of their pandemic policy. Before I continue, I need to come clean and admit that all auditors, myself included, are typically given wide latitude when writing our reports because, while we stick to a somewhat standard approach to testing, our experiences and opinions heavily influence our findings and recommendations. However, I found this comment to be way too granular and oddly specific. First of all, it would be the company’s pandemic procedure that would be tested, not its policy. While this may seem trivial, I can show you the scars I’ve received at the hands of auditees when confusing such terms. Policy is how management specifies what needs to be done and procedure is how the organization gets things done; an audit confirms there are procedures in place to support the policy, that those procedures are sufficient to address the underlying risks, and that they’re being followed. My second issue with the recommendation is that the part of the overall business continuity plan (BCP) that addresses a possible pandemic scenario is only a subset of that plan. You might recommend that a test of the overall plan be conducted, but it’s a bit unusual to specify which parts should be included.
You may recall all the hysteria just about a year ago courtesy of the H1N1 (swine) flu epidemic that had everyone on edge for most of the late spring and early summer. In the end, the numbers didn’t really reveal a remarkable increase in the number of flu cases reported year-over-year, only a shocking increase in the amount of media coverage it received. But one of the residual effects was an increased awareness of how a financial institution would manage through a quarantine situation. While there is real value to be derived from planning for such an event, the bottom line is that most banks and credit unions are far more likely to confront evacuations and shut-downs due to fire, extreme weather or loss of services (e.g. electricity, heating/cooling, etc.). When you consider that it’s challenging enough for small and midsize institutions to conduct any form of testing, you’d want them to focus on their greatest and most likely risks. A quarantine situation, should one ever actually occur, would likely develop over a period of days and allow for a controlled transition from normal to reduced operations. I’m just not sure that, beyond covering the pandemic response plan as part of the annual training curriculum, there’s much value in conducting either a table-top or off-hours test. It just doesn’t seem like a good use of an already constrained staff. For so many of my clients, there’s so little time to get everything done that they can ill afford to focus on the wrong things. Perhaps a better recommendation would have been that the institution vary the parts of the plan they test each year, beginning with the pandemic section first.
At some point during the past year, it occurred to me that the difference between panic and pandemic was but a few extra letters. It reminded me of a bit that Kevin Nealon did on Saturday Night Live years ago with subliminal messages, and I’ve thought since then that this might explain all the hoopla. Because if you move past the Hollywood hype that usually fuels our fear and think about it in practical terms, it’s just not that scary. We have ATMs for cash and deposits, and online banking for statements, bill pay and account transfers (I can’t recall one single bank or credit union that doesn’t offer these services). We have remote, encrypted connectivity from home for critical staff (not all of my clients make it available, but the vast majority do), and most branches have drive-throughs, which further reduce the risk of exposure to airborne disease.
As I advised one BCP client recently, the annual pandemic test should consist primarily of making sure that the surgical masks and anti-bacterial soap are readily available.