Disaster Recovery Planning: Key Strategies in Navigating the Unknown
by Jennifer R. Grier, Senior Examiner, Supervision, Regulation, and Credit, Federal Reserve Bank of Atlanta
Hurricanes. Cyberattacks. Pandemics. Wildfires. Whether resulting from natural causes or human intervention, all these events pose the potential risk of significantly disrupting a community bank’s normal operations. Unfortunately, there is no fail-proof predictor of when or if a disaster event will occur at any given time. Therefore, it is important that bank management be proactive in developing a comprehensive disaster recovery and business continuity plan (BCP) to mitigate the uncertainty of these risks.
The occurrence and severity of natural disasters have increased significantly over the past decade. Between 2010 and 2019, the United States experienced almost twice as many billion-dollar natural disasters as in the 2000s, at 119 and 62, respectively.[1] During 2020, the United States was impacted by 16 separate billion-dollar disasters (see Figure 1): one drought event, 11 severe storms, three tropical cyclone[2] events, and one wildfire[3] event. As of October 7, 2020, the 16 weather/climate disaster events resulted in losses exceeding $1 billion in the United States.[4]
In addition to natural disasters, banks are also the frequent target of cybersecurity threats, such as malware and distributed denial-of-service attacks. Reportedly, banks and financial services organizations represented 25.7 percent of all malware attacks in 2018.[5]
Whether or not a bank can quickly resume operations after a disaster can have a lasting effect on its brand. From a macro perspective, a bank’s quick recovery can also serve as a positive sign of resilience for the local community. Not surprisingly, preparation is the key distinguishing characteristic of those banks that have been able to demonstrate agility and resilience during a crisis. These banks developed a disaster recovery plan with the intention of minimizing disruptions to both the bank and its customers.
Business Continuity Plan
A thoroughly tested BCP provides bank management with the appropriate framework for decision-making in the midst of a crisis. Lessons learned from previous disasters, such as Hurricane Katrina in 2005 and Superstorm Sandy in 2012, have highlighted why banks should develop a BCP that defines how to respond to and recover from business disruptions. The goal is to review all of the possible disruptions that could occur and then identify the appropriate mitigant for each risk.[6]
Figure 1: U.S. 2020 Billion-Dollar Weather and Climate Disasters
Source: NOAA; www.ncdc.noaa.gov/billions
For most banks, the planning process to develop an effective BCP will require multiple iterations. As outlined in the 2015 Community Banking Connections article “Business Resumption Planning for Banks,”[7] an effective business continuity program has four key components: (1) business impact analysis, (2) risk assessment, (3) risk management, and (4) monitoring and testing.[8] Additionally, if the bank uses outside vendors for key bank functions, there should be a discussion of the potential third-party risk.[9]
Until recently, most banks developed BCPs that primarily focused on recovery strategies for cyberattacks and natural disasters most prevalent in their respective markets. However, the COVID-19[10] global pandemic has heightened the awareness and need for all banks, regardless of asset size and complexity, to incorporate pandemics in their BCPs.
Figure 2: The Continuum of Pandemic Phases
This continuum is according to a “global average” of cases, over time, based on continued risk assessment and consistent with the broader emergency risk management continuum.
Source: Reproduced from Pandemic Influenza Risk Management: A WHO Guide to Inform & Harmonize National & International Pandemic Preparedness and Response, WHO/WHE/IHM/GIP/2017.1, Chapter 2: WHO Global Leadership, p. 13, May 2017, ©WHO 2017; https://apps.who.int/iris/bitstream/handle/10665/259893/WHO-WHE-IHM-GIP-2017.1-eng.pdf;jsessionid=FF0E44DE342CCEF9F0A31E1EFB14C8E8?sequence=1; used with permission, accessed November 2, 2020
On March 10, 2020, the Federal Financial Institutions Examination Council (FFIEC)[11] issued updated guidance identifying actions that financial institutions should take to minimize the potential adverse effects of a pandemic. Supervision and Regulation (SR) letter 20-3/Community Affairs (CA) letter 20-2, “Interagency Statement on Pandemic Planning,”[12] encourages financial institutions to periodically review related risk management plans, including BCPs, and ensure that an institution is able to continually deliver products and services in a wide range of scenarios with minimal disruption (see Addressing the Unique Challenges of Pandemics box).[13]
Unique Characteristics of Pandemic Planning
Pandemic planning presents a unique challenge for financial institutions because there are more unknown factors to consider than in plans for recovery from a natural disaster or a business disruption. For example, the planning process should consider the difference in anticipated scale and duration of the bank’s operational disruption, as the disaster event may be more widespread, limiting public and commercial services in the bank’s community. Furthermore, unlike traditional disasters that have limited time durations, previous pandemics have been characterized by waves of activity spread over several months (see Figures 2 and 3).[14]
Figure 3: Preparedness and Response Framework for Novel Influenza A Virus Pandemics: CDC Intervals
Source: CDC; www.cdc.gov/flu/pandemic-resources/national-strategy/intervals-framework.html
The ramifications of a pandemic are far-reaching and encompass many disparate issues, including health and economic concerns. A severe pandemic could lead to extensive illness, loss of business productivity, and disruption or closure of school systems. For example, during the 2006 avian flu outbreak in Southeast Asia, the U.S. pandemic plan recommended that the public and private sectors assume that up to 40 percent of their staff might have been unable to report to work for two weeks because of personal or family sickness.[15] The potential lack of vital staff to deliver an institution’s critical financial services (i.e., operational resiliency) and to maintain its infrastructure (i.e., technology and cybersecurity risks) should be incorporated into the ongoing business impact analysis and risk assessment processes. Thus far in the COVID-19 pandemic, financial institutions have generally demonstrated operational resilience related to cybersecurity and technology risks. However, institutions need to remain vigilant by considering the probability of additional service disruptions and updating their BCPs accordingly.
Addressing the Unique Challenges of Pandemics
SR letter 20-3/CA letter 20-2 suggests that a financial institution’s BCP address five elements:
- A preventive program
- A documented strategy that provides for scaling the institution’s pandemic efforts
- A comprehensive framework of facilities, systems, or procedures
- A testing program
- An oversight program to ensure ongoing review and updates to the pandemic plan
See the full text at www.federalreserve.gov/supervisionreg/srletters/SR2003a1.pdf.
The increasing occurrence and severity of natural disasters and other business disruptions have heightened the potential risk to community banks. Based on lessons learned from previous disasters, a bank should consider using an organization-wide approach in developing a BCP to ensure that the institution’s board of directors and senior management are aware of their respective roles in limiting disruptions to the bank’s operations and services to its customers. In addition, the bank’s BCP should address a pandemic event and provide for an appropriate operational response, a documented strategy scaled to the stages of a pandemic outbreak, a comprehensive framework to ensure the continuance of critical operations, and a testing program to ensure that the BCP is effective in recovering critical operations. To confirm the adequacy of the planning process and the execution of the plan, the BCP should identify roles and responsibilities for overseeing business continuity during a disaster, including periodic review and updating of the plan to reflect actual experience in recovering from a disaster.
- 1 These figures are from the National Oceanic and Atmospheric Administration’s (NOAA) National Centers for Environmental Information; they have been adjusted for inflation.
- 2 The NOAA defines a tropical cyclone as a “rotating low-pressure weather system that has organized thunderstorms but no fronts (a boundary separating two air masses of different densities). Tropical cyclone with maximum sustained winds of 39 mph or higher are called tropical storms. When a tropical storm's maximum sustained winds reach 74 mph, it is called a hurricane.”
- 3 According to the National Weather Service Instruction 10-1605, wildfire is defined as “any significant forest fire, grassland fire, rangeland fire, or wildland-urban interface fire that consumes the natural fuels and spreads in response to its environment.” Significant is defined as “a wildfire that causes one or more fatalities, one or more significant injuries, and/or property damage.” See www.nws.noaa.gov/wsom .
- 4 See NOAA National Centers for Environmental Information (NCEI) U.S. Billion-Dollar Weather and Climate Disasters, 2020, available at www.ncdc.noaa.gov/billions/; DOI: 10.25921/stkw-7w73.
- 5 “Banking and Financial Services Threat Landscape Report,” Banking & Financial Services, INTSIGHTS, April 2019, p. 3, available at https://tinyurl.com/y4po3484 .
- 6 Aaron Cohen and Anthony Toins, “Business Resumption Planning for Banks,” Community Banking Connections, Third Quarter 2015, available at www.cbcfrs.org/articles/2015/q3/business-resumption .
- 7 See Cohen and Toins.
- 8 See the discussion of the Business Continuity Planning Process (page 3) in the FFIEC Business Continuity Planning IT Examination Handbook, available at http://ow.ly/STGbe .
- 9 See Cohen and Toins.
- 10 According to the World Health Organization, COVID-19 is an infectious disease caused by the most recently discovered coronavirus. The first reported outbreak was in Wuhan, China, in December 2019. COVID-19 is now a global pandemic.
- 11 The FFIEC comprises principals of the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Consumer Financial Protection Bureau, and the State Liaison Committee.
- 12 SR letter 20-3/CA letter 20-2 is available at www.federalreserve.gov/supervisionreg/srletters/SR2003a1.pdf .
- 13 Additional information is available in the FFIEC Business Continuity Management Examination Handbook, available at https://ithandbook.ffiec.gov/it-booklets.aspx .
- 14 See Pandemic Influenza Preparedness and Response: A WHO Guidance Document, Geneva: World Health Organization, 2009, available at www.ncbi.nlm.nih.gov/books/NBK143061/ .
- 15 United States Homeland Security Council, Implementation Plan for the National Strategy for Pandemic Influenza, May 2006, p. 20, available at https://georgewbush-whitehouse.archives.gov/homeland/pandemic-influenza-implementation.html .