Sunday, April 05, 2020

Pandemic Preparedness: Are you testing your Pandemic Plan?

Posted by OnCourse Staff February 5, 2013 3:21pm

Photo Credit: scottchan

By Buddy Arriola, CISA, IT Audit Supervisor 

Many institutions including Banks and financial institutions are required by state and federal regulatory agencies such as the Federal Financial Institutions Examination Council (FFIEC) and the Federal Deposit Insurance Corporation (FDIC) to develop and implement a Pandemic Plan for business continuity.  The FFIEC regulation also requires the establishment of a periodic testing program to ensure that the institution’s pandemic initiatives will operate effectively and will allow business continuity in the event of a real pandemic.   Although many institutions have developed and implemented a plan, Pandemic Plan Testing often times is excluded from the plan simply because many do not know how to test it. 

How do you test a pandemic plan?

Surprisingly, some institutions still ask the questions, “how do you test a pandemic plan?” or “Can pandemic plans really be tested?” Some institutions focus more on the clinical and preventive aspects of a pandemic as opposed to the impact of pandemics to their business.  These institutions focus more on monitoring the likelihood of outbreaks, controlling the spread of diseases, and educating employees regarding an event or a disease that does not exist and that they know nothing about.   As such, they are misled into thinking that either their plan is difficult to test or cannot be tested at all.  This is why it is important for institutions to perform a business impact analysis as the critical first step in developing their pandemic plan.  Business impact analysis allows management to focus on the impact of pandemics to their business as well as to develop controls to mitigate the impact of pandemics to their business.  It is not the pandemic that needs to be tested rather it is the controls institutions implement to mitigate or minimize the risks or impact of pandemics to their business that need to be tested.

The most critical issue that needs to be addressed in a Pandemic Plan is the serious staffing shortages as a consequence of the pandemic outbreak that could prevent many employees from reporting to work for an extended period of time.  Employees who contract the disease will not be able to report to work to perform their daily responsibilities.  Employees may also have to stay home to care for their sick children or family members.  Others may also have to stay home to care for their children due to school closings or other reasons.  Moreover, pandemics can also be deadly as such institutions may have to deal with loss of life of employees and/or family members.   Typically, the risk of serious staffing shortage is addressed or mitigated through employee cross-training.  Cross-training could minimize the business impact to an institution in the event a significant number of employees are unable to report to work due to widespread illness or epidemic.  Staff cross training is an effective way to ensure business continuity particularly for small businesses who do not have enough human resource to fill in for another person’s role.

Many institutions have a Staff Cross Training Program in place but such programs are not formally documented and are not incorporated as part of the institution’s Pandemic Plan.  For example, some institutions cross train their staffs by rotating some of their staff responsibilities on a periodic basis to ensure co-workers are able to fill in for others in their absence.  These institutions should make a conscious effort to document and to incorporate such processes into their Pandemic Plan.  They should also document the details and the progress of their cross training efforts to demonstrate that they are meeting their regulatory compliance obligation.

 Institutions should also consider cross training at the top and senior management levels to prepare the Institution for leadership succession if necessary.  Some institutions overlook this aspect of cross training program.  In the wake of recent disasters, some institutions realized the need to modify their business continuity plan to include leadership succession when C-level (Chief-level) staffs not only were unable to travel or to commute to work but also were unable to communicate with their employees (including via email, phone, cell phone, texting or any other form of communication).   Staffs at this level typically are the only ones who have approval and other decision making authorities that could stall an institution’s business operations if not properly addressed in the institution’s pandemic and business continuity plan. 

Another important issue to address in a Pandemic Plan is the possibility that a pandemic outbreak could render an entire facility inaccessible to employees and customers due to widespread infection or contamination.  In this case, many institutions resort to Remote Access or to a remote Alternate Processing Site for business continuity in order to allow employees to continue to work remotely from home or another designated remote alternate location in the event an entire facility becomes inaccessible due to contamination or infection caused by serious pandemic.  Insofar as customer service is concerned, many institutions offer some form of an Online/Internet Transaction Processing Systems to its customers.  This service will allow customers to do business with the institution remotely via the Internet while the facility is physically inaccessible. Most Banks for example offer online banking system to customers that allow them to transfer funds and pay bills remotely over the Internet.

Remote access, alternate processing site, and online/Internet transaction processing system are tools or services most institutions have.  They should capitalize on these tools and services to enhance their pandemic plan.  Remote access is a part of many institutions’ existing business continuity plan.  However, there are still some institutions that regard Remote Access as an “unnecessary” tool that serves more of a business threat and risk to their information security as opposed to as a business solution.  Over the years, remote access has evolved from an after office hours or emergency business tool to a tool that can support business continuity planning, according to TISN (Trusted Information Sharing Network).  Perhaps, these institutions should reconsider and reassess the benefits of Remote Access in support of their institution’s business continuity to enhance their pandemic plan.  Institutions should also incorporate alternate processing site and online/Internet transaction systems into their pandemic plan particularly if they already have these process and service in place.

Pandemic prevention is also another way of mitigating the risk of the spread of pandemic among employees as well as the risk of contaminating an entire facility.  Typically this is addressed through the adoption of periodic pandemic awareness campaign and mandatory employee training programs.  Institutions should incorporate pandemic awareness and training as part of their pandemic plan.

Tabletop Exercise

Many experts believe the most effective way to test a pandemic plan for business continuity is through Tabletop Exercise.  This process involves a theoretical review, evaluation, and discussion of the plan and procedures that typically leads to identification of issues and corrective action plans.  Many institutions resort to Tabletop Exercise to test their Pandemic Plan because it is less disruptive for their business and is cost effective.  Tabletop Exercise can be an effective way to prepare staff for actual pandemics because it can increase employee awareness and accountability.  Through review and discussion, employees become familiar with the plan and the procedures as well as with their pandemic plan roles and responsibilities.

While Tabletop Exercise comes with many advantages, it also has some disadvantages.  According to the Federal Emergency Management Agency (FEMA) Tabletop Exercise has the following weaknesses:

  • “Lacks realism and thus does not provide a true test of an emergency management system’s capabilities”
  • “Provides only a superficial exercise of plans, procedures, and staff capabilities”
  • “Does not provide a practical way to demonstrate system overload.”

Tabletop Exercise does not allow employees to experience what is involved in an actual business continuity setting.  In the wake of recent disasters, some institutions realized that simply reviewing their procedures was insufficient.  It is not the same as actually performing the procedures using actual systems and data because some important aspects and steps can be overlooked.  For example, when processing a transaction through an institution’s online processing system, an employee was stuck at a pop-up screen that requires top management approval or override.  They could not proceed to the next step because none of the employees with approval or override authority was available onsite or by phone or any other means of communication during the disaster.  During their Tabletop Exercise, they were able to proceed to the next step even without the participation of staff with override or approval authority.   Such institutions realized the importance of testing the procedures in actual settings as opposed to simply reviewing these as part of their Tabletop Exercise.  Such institutions plan to perform Full-Scale testing of their pandemic and business continuity plan as a result.  Therefore, even though Tabletop Exercise can be an effective way to test your pandemic plan, it must be used with caution because it does not have the same impact and results as Full-Scale Testing that makes use of actual systems and data.

Full-Scale Testing & Other Testing Methodologies

According to the FFIEC Testing Policy, there are other forms of testing in addition to Tabletop Exercise.  These include: Walkthroughs, Functional Testing, and Full Scale Testing.  Walkthroughs is similar to Tabletop Exercise.  It is an “oral” or “verbal” review and execution of recovery and business continuity steps or procedures. It is an effective training but is not a preferred testing tool.  The other two testing methodologies, Functional and Full scale testing involve the activation of actual recovery and business continuity resources except Full Scale Testing is more comprehensive than the other.  Full Scale Testing can be very costly but is the most complete form of testing as such is the preferred testing methodology.  In Functional and Full-Scale Testing, either the entire plan or portions of the plan are tested using actual as opposed to simulated pandemic and business continuity resources, systems and data.  Pandemic and Business Continuity Plans involving the use of technology such as VPN Remote Access or the activation of an “alternate” disaster recovery and business continuity site are best tested through Functional or Full Scale Testing as opposed to Tabletop Exercise or Walkthroughs.  Issues could surface during actual systems recovery and capacity testing that cannot be detected through Tabletop Exercise or Walkthroughs.   Functional and Full-Scale testing will allow institutions to identify and to address issues in advance to better prepare them for real pandemics or other disasters.  Typical issues encountered during a Functional or Full-scale disaster recovery and business continuity plan testing which may not be captured using Tabletop Exercise or Walkthroughs include hardware failure, communications failure, hardware/software compatibility issues, and backup media and data integrity. 

Develop a Test Plan

One of the things often overlooked by Institutions when developing their pandemic plan is the inclusion of the testing component of the plan.  Periodic Pandemic Plan testing is a regulatory requirement for many institutions.   These institutions should develop a periodic testing program for their Pandemic Plan to meet their regulatory compliance obligation.  The testing plan should detail testing schedule (test date, time, and location), test participants, test objectives, testing assumptions, testing scenarios, testing procedures and expected outcomes.  It is important to develop a test plan so institutions can have a basis for the reasonableness and adequacy of their scheduled testing.  Some testing if not carefully planned can end up in disasters as such it is important to plan cautiously.  An effective testing plan will allow institutions to assess whether or not they are meeting their pandemic plan testing objectives.  It will also allow institutions to successfully test their plan and ultimately verify whether or not they are meeting their plan objectives. 

The most critical issue to address in a pandemic plan is serious staffing shortage which is addressed through Staff Cross Training.  As such, staff cross training should be a part of an institution’s pandemic plan testing.  Mandatory participation of cross-trained employees in an institution’s periodic Business Continuity Plan Testing is a suitable way to test the effectiveness of their staff cross training program.  It will allow cross-trained employees to gain the experience necessary to let them perform their pandemic and business continuity role and responsibilities effectively.  Moreover, it is a way to demonstrate an institution’s fulfillment of their regulatory compliance obligation (such as for FFIEC pandemic plan testing compliance).  As such, institutions should consider the incorporation of mandatory cross-trained employee participation in the development of their periodic pandemic testing plan.

Sometimes, an event happens and institutions consider their response to that event as fulfilling their business continuity testing obligation.  But how could this meet their business continuity testing obligation if they do not even have a testing plan to begin with that can be used as a basis for fulfilling their testing objectives or their expected testing outcome?  Developing test plans allows management to assess the adequacy and reasonableness of the plan.  Also, developing test plans increases staff accountability and awareness that can help ensure that testing are scheduled more regularly,  which in turn can help ensure that the pandemic and business continuity testing  and plan objectives are being met. 

Document Testing Outcome

It is good practice to document pandemic plan testing outcomes.  The document should detail all the testing performed as well as the testing results, specifically, whether or not the expected testing outcomes were met.  Formally documenting testing outcomes allows institutions to address any plan weaknesses, to develop corrective action plan(s), and to monitor the progress of the implementation of their corrective action plans to ensure an effective pandemic and business continuity plan.  The Pandemic Plan Testing outcome document also evidences the institutions’ compliance with the regulatory periodic pandemic plan testing.


In summary the two most critical things to plan for a Pandemic are:  a) staffing shortage and b) loss of facility Access.  These business risks can be mitigated by implementing staff cross training program as well as by incorporating remote access solution, online/Internet Transaction Processing System(s), alternate processing site, and pandemic awareness and training program in their plan that should minimize the impact of a pandemic on business.  These controls can be tested either through Table Top Exercise, Walkthroughs, Functional Testing, and Full-Scale Testing.  Full-Scale Testing is the most comprehensive as such is the preferred approach for testing an institution’s Pandemic Plan.  Regardless of what method of testing an institution chooses to test their plan, it is important to develop a test plan and to schedule the testing periodically at least annually.  It is also important to document the testing outcomes to ensure regulatory compliance for Pandemic Plan testing.



Add a comment

  • Required fields are marked with *.

If you have trouble reading the code, click on the code itself to generate a new random code.


OnCourse Staff

The OnCourse writing staff work to keep you informed about the most pertinent financial industry news of the moment

OnCourse Staff's Posts Subscribe to RSS Feed

Flood Coverage – Still a Hot Regulatory Issue
Interagency Statement on Sharing BSA Resources and Challenges
New Jersey's Corporate Business Tax Legislation: A Look at the Impact for Banks
Correspondent Banking: The Challenges of Data Transparency
Regulation E and Business Account Errors
Controls over Employee and Officer T&E Expenses
Is Regulation CC Put on the Back Burner?
Training – An Investment and Risk Management Tool
Are You Gambling with Your BSA Program?
The Case of Foreign Banks and Heightened Scrutiny
IRS and New Jersey Tax Audits of Banks
State Taxation of Financial Institutions in Today's Environment
Does your 401(k) Plan need an Audit?
De-Risking of Foreign Correspondent Banks
Same Day ACH Credits – Phase One
FinCEN Finalizes Ruling on Beneficial Ownership and Ongoing Customer Due Diligence
Keep an Eye On Your Chip!
Is the IRS Status of your Defined Benefit plan in Jeopardy?
The Dilemma of Banking Medical Marijuana Businesses and Other Indirect Risks
Is your Institution Monitoring Working Capital Lines of Credit?
Financial Reporting and Regulatory Update on the Horizon
BSA/AML Training: Is your program effective?
Planning in a Consolidating Banking Industry
To opt-out or not to opt-out, that is the question – A reminder on March 31, 2015 Call Report, Schedule RC-R, item 3.a
Anti-Money Laundering – The Age of Technology
Top Compliance Topics Discussed at the NJ Bankers Compliance University
Some tips and tricks for dealing with Regulatory Examinations
Updated Regulation E Booklet from the OCC!
Is Flood Disaster Still on the Heat Map?
Have You Implemented Your Plan yet?
FDIC Consumer Newsletter
More Flood Insurance Changes...
Same Sex Married Couples - Ensuring Equal Treatment – Announcement from Consumer Financial Protection Bureau
Truth in Lending (Regulation Z) Annual Threshold Adjustments (CARD ACT, HOEPA and ATR/QM)
FFIEC Releases Revised BSA/AML Examination Manual: So what’s new?
OFAC Consolidates Non-SDN Listings
Coping with HOPA
Coping with the CFPB’s Ability-to-Repay Rule
ABA Survey on Impact of Dodd Frank Compliance
ABA Mortgage Origination Deskbook
Who handles Your Dormant Accounts?
Appraisal Disclosure Rule
Cybercriminals Broaden their Attacks in Social Networks
The Importance of Segregating a Bank’s Credit Function from its Lending Function
Appraisal Management Companies in Regulatory Crosshairs
All About the Home Owners Protection Act
Requesting Current Financial Information
Countdown to Windows XP End of Life and Support: Are you still at Risk?
314(b) Distinct Advantages for Financial Institutions
Where is the Document?
Building a Better Hen House
Ready the Ramparts! : IT Security and the Modern Bank
The Credit -- Er, IT Crisis?
Keeping the Balance: IT Security and the Org Chart
IT Security: "IT's" About Process
Wag the Dog
Consumerization of Technology and its influence on Information Security
Detective, Reactive and Preventive: Evolving Your IT Security
Do You Know The Security Features of the New $100 Bill?
Segregation of Duties for Wire Transfer Processing
How do you charge Early Withdrawal Fees on Time Deposits?
Do you still offer NOW Accounts?
Policy Changes Required – Do you Wait until Annual Approval?
Summarizing ACAMS White Paper on EDD and AML Risk Assessments (Industry Survey)
ACAMS to provide Free Webinar
ACBB Changes its Name
Who Do You Give Cash to?
ABA Briefing to Help Banks Address Cyber-security Threats
The OCC Issues Booklet: “A Common Sense Approach to Community Banking”
Safe Deposit Box Contents are not insured – But They COULD Be!
Allowance for Loan Loss Tips and Tricks
FDIC Can Review New Products
Let’s Talk About Overdrafts!
Community Banks Slowly Warm Up to Private Student Loans
Has your Bank updated the Adverse Action Notice?
Regulation E and NACHA Rules: When you Want to Stop Payment on a Recurring Debit
CFPB Stands Up Against Poor Debt Collection Practices
Don’t Forget the Small Stuff
Double Endorsed Checks: What is the Risk?
Social Media – Will the Regulators Do Spot Checks?
How Does Your Bank Handle Customer Requested Maintenance Changes?
OCC Releases Booklet on "Common Sense" Community Banking
New SAR Filing Updates
Is your BSA/AML automated monitoring system up to par?
The Importance of BSA Training
Office of Foreign Assets Control (“OFAC”) introduces the OFAC SDN Fuzzy Logic Search Tool
Filing the New CTR Forms: What you need to Know
FFIEC Proposed Risk Management Guidance on Social Media: Beware and Prepare
Solutions to Reducing Dormant Accounts at Your Institution
Pandemic Preparedness: Are you testing your Pandemic Plan?
Regulation E Foreign Remittance Rules
FFIEC issues revised “Supervision of Technology Service Providers” booklet
Expiration of Unlimited Deposit Insurance for NIBTAs
Is Your Institution's Marketing UDAAP Compliant?
What is Enterprise Risk Management?
New OCC Guidance Released on Investor Owned Properties
Electronic Work Papers - Why acxell Made the Switch
OCC to Toughen Exams in Response to United States Senate Permanent Subcommittee On Investigations
Clarifying Regulatory Obligations Regarding Continuing Activity SAR Filings
Federal Regulatory Agencies Proposal New Rule
Risk management - Smaller institutions and the benefits of ERM
Strengthening Your Loan Maintenance Monitoring
New Lending Proposal from CFPB
FDIC Reaches Settlement on Overdraft Fees
FRB Guidance on Foreclosures
Loan Denials and Withdrawals – Tips to Sure Up your Process
Regulation O – 5 Easy ways to avoid violations
The Summer of CFPB Proposals
Community Lenders Seize Market Share From Big Banks by Using Advanced Online Lending Technology
Dodd-Frank Rule to Change Legal Lending Limit Monitoring Requirements
The ABCs of a TDR
Supreme Court ruling for the Freeman, et al. v. Quicken Loans, Inc case
New FinCEN Guidance for CTR Aggregation for Businesses with Common Ownership (FIN – 2012 –G001)
Senior member of House of Financial Services Committee Introduces Overdraft Protection Act
FinCEN is looking to streamline the financial institution reporting process by issuing mandatory E-filing reporting requirements.
Curry: Operational Risk Now OCC’s Top Concern
JOBS Act Client Alert - Rules 506 of Regulation D
New Rules Proposal for Servicers Coming from the CFPB
Wall Street Receives Volcker Rule Clarity
De-stressing with stress testing
Banks Participate in Information Sharing to Battle Online Theft
IT security: Is your program still effective?
Banking Solutions: ALLL and GAAP in Agreement
How are the most recent regulatory enforcement trends that banks are facing today affecting internal audit? Why?
What are the most recent regulatory enforcement trends that banks are facing today?
Mobile banking: How do we get there?
UBS further struggles with $2 Billion loss by Rogue Trader
Capital One Becomes Dodd-Frank Test as Nation’s Fifth Largest Bank
Community Banks to receive US Funding for Small Businesses
FDIC fields questions about overdraft guidance
Negligent Hiring – A mistake can cost more than just money!
Regulatory Burden – Managing the Pain
From Embezzlement to Imprisonment: Former Citigroup employee faces charges with $19.2 million in bank fraud
TDR or Not to TDR …Much Ado about Nothing?
Finding the Right Hire
Model behavior: Is your ALM model capturing your bank’s risks?
ALLL best practices: Pay attention to qualitative factors
Abandoned Property Law, and its new New York State of Mind
Consumerization of Technology and its influence on Information Security
FDIC releases Provisions on Dodd-Frank to help Community Banks
Social Media in the Employment Arena – It Gets Funky!
The Proof is in the Pudding: Affects of Dodd-Frank on Community Banks
Banks and Businesses get "swiped" over Fees
A little bit of this, and a little bit of that: Fed Unveils list of Banks Helped during Financial Crisis of 2008
IT Security: "IT's" About Process
To Test or Not to Test; That is the Question
2011 Failed Bank List Hits 25
Wag the Dog
Committee on Financial Services to Hold Hearing on the Effects of Dodd-Frank on Small Biz and Banks Today
2011 Failed Bank List up to 18
A Culture of Whatever: On the Path to Proper Governance
The Test Drive: Leasing or Buying a HR IT Platform
Detective, Reactive and Preventive: Evolving Your IT Security
Cracking the ALLL Code: How to Develop the Right FAS 114 Methodology
Double Digits: Bank Closings up to 11 in 2011
FCIC Releases Report on the Causes of the Financial Crisis
Part of the In Crowd: Thoughts on the Dodd-Frank Act
Another One Bites the Dust: Regulators Close 4 Banks
Keeping the Balance: IT Security and the Org Chart
On Notice: FDIC Issues Rule for Temp Unlimited Deposit Insurance
2011 Failed Bank List Up to 3
Welcome to OnCourse
Stick 'Em Up!
Time for a Tune-Up: The Necessity of a HR Audit
Visa Instituting Two-Tiered Debit Card Interchange Structure
The First Failed Banks of 2011
The Credit -- Er, IT Crisis?
Painting a Masterpiece: The Art of the ALLL Reserve
The Law on Your Side: Understanding HR Regulations in 2011
Building a Better Hen House
Ready the Ramparts! : IT Security and the Modern Bank
No Respite from RESPA