Common Principles of Business Continuity Planning in the Emergency of an Avian Flu Pandemic
(Prepared by the International Monetary Fund)
St. Petersburg, June 9-10, 2006
Principle 1: The ultimate responsibility for business continuity planning (BCP) rests with an organization's board of directors and senior management.
A pandemic will present unique challenges and require targeted responses by management of financial institutions. Provision of adequate resources in monitoring, planning and managing the proper response to the emergence of an AFP will be required. Institutions have taken a variety of steps to document strategic plans, clarify responsibilities, and establish means for implementing plans. Examples of actions taken so far include:
Establishing a senior crisis management team. Implementation of overall contingency plans is generally supervised by senior management. Given the high degree of uncertainty, senior management will have to stand ready to respond with speed and flexibility. This senior group could consider the following:
Developing a strategic view of the main issues included in BCPs and alternative scenarios should be discussed well in advance, and possibly played out through "table-top" exercises or live tests.
Determining the desired level of preparedness for each firm and the required investment. One option is to measure the profitability of each segment of the business and the investment needed to maintain that activity in a pandemic. Cost benefit analysis—bearing in mind that the demand for and profitability of any activity may change in a pandemic—could then provide guidance for the appropriate investment plan for an AFP and where to prioritize.
Establishing separate task forces to develop detailed contingency plans by topics such as continuity of business, legal, human resource, communications (internal and external), health/hygiene and security. Each task force should report on a regular basis (once a month or more frequently) to the high-level management group for coordination, prioritization and for testing. Some institutions have hired outside expert consultants in crisis management and health care issues to guide the task forces through the process.
Designing succession planning, establishing how and when authority will be delegated if key management staff is absent. Procedures for temporary or permanent transfer of authority should be clear, and this information can be disseminated through the firm and to key counterparties, so that staff knows who will have the authority to act if management is incapacitated.
Given the characteristics of the pandemic, geographical dispersal of designated successors may be advisable for some firms (perhaps triggered by reaching one of the phases of the pandemic declared by the WTO).
The crisis management team should also have successors. Deputies to crisis managers should be fully informed throughout the preparatory phase.
Identifying reliable sources of information. A unit may be assigned the responsibility of monitoring key sources of information and identify any escalation in the potential for an outbreak. In a pandemic, rumors may spread faster than the virus. Having accurate information will be critical for timely decision-making. Obtaining reliable sources before an AFP may be effective.
The senior group should integrate market risk analysis into strategic planning and preparation. BCPs have tended to focus on the rates of recovery from disruptions in a firms' infrastructure, giving less consideration to market risk analysis (the risk of losses from changes in the value of financial instruments as a result of changes in risk perception, volatility, or market disruptions). An AFP will affect both the firm's businesses and its ability to conduct business. Few institutions are advanced in integrating these two risks.
Principle 2: Organizations should explicitly consider and plan for major operational disruptions.
BCPs plans aim at ensuring critical levels of production. BCPs designed to deal with a sudden temporary failure of infrastructure, are being expanded to incorporate threats to staffing levels. Such plans identify critical functions and focus on day-to-day workload management during a pandemic. For financial institutions, these may include providing liquidity, keeping ATMs functioning, maintaining the payments system, and managing financial market and counterparty exposures. BCPs typically include some or all of the following items:
Identifying escalating levels of responses designed for different phases of the outbreak. Determination of triggers for and steps taken in each phase should be identified in the BCP. As an example,
Phase 1: No human-to-human outbreak reported. The costs of preparations included in the regular budget but may include some stockpiling of critical supplies and establishing task forces in key areas for detailed planning, coordination and testing.
Phase 2: Human-to-human transmission is identified. More costly measures implemented. Activities in that region isolated, activities shifted to other locations where possible, and staff removed from the area.
Phase 3: Isolated outbreaks in the parent company's country. Preparations accelerated, most costly measures implemented, staff dispersal initiated.
Phase 4: Outbreak affects key production areas or crucial facilities. The full range of the institution's plans is implemented.
Phase 5: Recovery period, including reintegration of staff and resumption of production, continued monitoring for further outbreaks, assessment of "lessons learned" from the outbreak.
Identifying core activities or basic minimum services. Institutions may identify the activities they will cease providing or scale down at each phase of the response plan, recognizing that demand for certain services will change in a pandemic.
Identifying key employees and supplies needed to provide those critical services. Scenario analysis can be useful to obtain a range of possible effects and actions. Institutions should recognize that identification of critical staff will depend on the length of the disruption and on the timing of the absenteeism. For example, some staff may only be critical at the end of the month or reporting period but may be considered non-essential at other times. Others may only become critical if the disruption lasts for an extended period.
Creating redundant or double teams for all critical staff functions. Some institutions are planning to split their critical staff into two sections to operate from different locations and are training ancillary workforce, including contractors, employees in other job titles, and retirees.
Developing staffing plans identifying work that must be done in the office and work that can be done from home. Scenarios have been adopted, identifying procedures if absenteeism lasts a week or several weeks.
Establishing remote and redundant facilities for activities that must be done from centralized locations (including, for example, dealing rooms and treasury functions). For this option to be effective, a number of further considerations are needed:
During the SARS epidemic, some institutions made special arrangements so that their critical staff could report to a facility without taking mass transportation.
If the facilities are in a populated area (e.g., another city), steps should be taken to protect the site from a spreading flu pandemic.
If staff is moved to remote facilities, determine if they commute from home. Identify when staff would be dispersed and if families move with them.
Institutions should undertake regular tests of the equipment and procedures for remote facilities that are not staffed or operational in normal times.
Expand use of telecommunications to ensure social distancing. Such efforts raise a number of specific issues:
Budget requirements means that planning must be made far in advance of an outbreak.
Using a wide range of devices from diverse locations raises security issues that must be addressed.
The carrying capacity of the bandwidth must be examined. For planning, some institutions have tried to estimate the impact of a large number of institutions shifting to remote computing.
How to ensure access to key data. Staff may require access to data that is only available in paper form.
Shift as many activities as possible to be conducted from home. For remote computing, BCPs need to consider:
Whether sufficient staff has remote computing capability, including access to key programs (if the firm has sufficient licenses), access to needed data, ports and other technical factors.
What work must be done "on line" and what work can be completed at home and submitted on some time schedule to a central location.
If pressures on the internet or company servers can be reduced by adopting two or three shifts.
Techniques for supervision of remote computing. Internal controls must be designed to ensure effective quality and risk control. Some institutions have also begun discussions with their regulators on possible limitations or modifications to prudential rules to ensure that any work from home meets requirements (reporting, documenting transactions, etc.)
Identification and maintenance of stockpiles of key supplies in the case of potential transportation disruptions. Given the uncertainty of timing and the cost of stockpiling, some institutions have begun slow accumulation in order to smooth the budgetary impact of such accumulation.
Consideration of how to proceed if key service providers (e.g., security personnel and accountants) are not available. Some institutions have begun discussions with critical suppliers of outsourced services to ensure that these providers have an effective contingency plan.
Make arrangements to ensure that the financial institution can receive payments from and provide access to cash and payment facilities for retail customers. Demand for cash could increase sharply and a few financial institutions have stockpiled cash and have identified means of distribution to branches and ATMs.
If business is shifted in location or scaled back, issues that must be considered include how to notify customers and how to provide services to customers from remote locations.
Development of backup options in case of a failure of the payments system, or if the central bank is unable to provide critical services.
Principle 3: Financial industry participants should develop recovery objectives that reflect the risk they represent to the financial industry.
Payment and securities settlement systems have the greatest need to ensure rapid and effective recovery capabilities. To that end, they typically have well developed standards concerning business continuity and operational risk. However, plans in many countries focus on back-up.facilities and redundancy of physical infrastructure and have only recently begun to plan for high absenteeism. Areas for additional development may include the following:
Identifying minimum, critical activities and the staffing needed to ensure continued provision of payment and settlement services in the face of increasing degrees of absenteeism. For payment systems, critical staff is often a very small group charged with opening and closing procedures, and monitoring of the system and participants behavior. "Value-added" services—e.g., credit provision—where individual decisions are required may be more difficult to maintain.
Identifying activities that could be provided on a remote basis (e.g., work from home). This option may require investment in laptops and communication technology to ensure secure communication. Provision of access to data and remote use of proprietary software will have to be considered in the context of security protocols.
Determining adequate distance between primary and secondary sites. Major systems have sometimes installed a third site typically "dark" or not staffed that is located in another part of the country and can be activated with some delay.
Coordinating between the authorities, infrastructure providers and users. All relevant parties—including those outside the home country—should be aware of what services will be available under different scenarios, and be able to assess whether their assumptions regarding the availability of basic infrastructure and services are valid, and what their clients' plans might imply for demand for their services.
Preparations by large complex financial institutions, key retail banks and the authorities themselves will need to be robust. Failure in any of these institutions will have an impact on the global financial system in addition to the direct impact on their own operations.
Principle 4: BCPs should address the full range of internal and external communication.
Communication with the staff, main suppliers and with government officials is likely to be key to addressing an AFP. Staff communication is critical for preventing panic, strengthening morale and providing essential information to ensure that staff health is protected and critical functions continue. Communication of information concerning the pandemic should begin immediately so a track record is established of the provision of accurate information. Some institutions are reviewing their communication programs to determine if special policies are needed in an AFP to address the high degree of fear and family concerns. Examples of communication issues to consider include:
Determining how to ensure adequate communication with staff—including cell phone, satellite phone and landline telephone numbers, and personal e-mail addresses. Identify platforms and back up system for communicating with staff, vendors, suppliers and customers for timely updates and emergency contact systems (i.e.. hotlines and dedicated websites).
Informing staff about the institution's BCP, how the plan would be triggered and where to monitor the institution's on-going preparation.
Establishing policies to communicate with counterparties—customers or, in the case of regulators, supervised institutions. Contact lists should be established and maintained. To ensure minimum disruption, counterparties should be able to get information on what services will be offered, under what conditions and if there are changes to these arrangements.
Clarifying how critical providers and suppliers plan to respond to an AFP. Discussion should include how each will communicate and work around disruptions that might occur.
Establishing education programs for staff:
Reminders on the importance of hand washing and health habits—cough hygiene diet and exercise.
Reminders to staff at high risk of the need for special care.
Advice on the difference between flu and a cold, and between avian flu and other flues (if appropriate).
Strong insistence that staff who feel ill should not report to work (together with liberal leave policies and non-punitive sick leave.)
Principle 5: Cross-border communications during a major operational disruption must be highlighted.
Communication of conditions in the country and in financial institutions with international regulators is a critical aspect of managing the impact of an AFP. Accordingly, regulators should ensure they will be able to communicate with appropriate counterparts.
Developing triggers and platforms for communicating with international counterparties, with timely updates and emergency contact systems (i.e., hotlines and dedicated websites).
Establishing and maintaining contact lists. To ensure minimum disruption, contact lists should be updated on a regular basis.
Communicating plans and possibly coordinating approaches to regulations for preparedness, testing and, in the event of a pandemic, regulatory forbearance.
Because an AFP will have an extremely broad impact on many levels of the economy and society, information should be widely disseminated among the widest group possible.
Principle 6: BCPs must be effective and identify necessary modifications through testing.
Testing BCPs and staffing arrangements are important but pose challenges. Testing remote sites and staff dispersal plans may be difficult because of the disruption and costs to the institution. Identification of scenarios to test may be problematic. Testing for low incidence virus may be relatively easy, but the lessons learned may not be adequate for a virus with high attack and fatality rates. In response, institutions are considering a variety of alternatives:
In the early stages of preparation, institutions may focus on testing of particular tools, rather than development of a complete scenario. This approach is less comprehensive and generally focuses on technology and infrastructure.
The next level of preparedness could include the conduct of "desk top" exercises, wherein senior management or business managers are given a scenario (that may change over the course of the exercise) and they discuss how to respond. Comprehensive table top exercises can be relatively cost efficient but test a wide range of responses including infrastructure, internal coordination, and communication channels.
Remote computing facilities could be tested. Institutions have identified departments or key individuals and evaluated efficiency when working from home for several days or a week.
Scenario testing could help identify weaknesses in preparation and help guide investment planning for heightened preparedness.
Principle 7: Financial authorities should incorporate BCP reviews into their frameworks for assessing financial sector participants.
Central bank and regulatory bodies play an important role in crisis management and planning, and should review their BCPs and those of the financial sector participants with the aim of minimizing payment, settlement and other financial market disruptions in the event of a pandemic.
Crisis Planning
Response to an AFP will involve a wide range of national authorities. A high-level group might be established to coordinate the different responses. Members may include the government (ministry of finance), the central bank, and the regulators. In addition, broader contingency planning might include key health and infrastructural authorities.
National authorities may have a critical role to play in coordinating the responses of private sector agents, as well as with the authorities in other countries. Individual institution's decision on whether to invest in preparedness or not will be influenced by the decisions of their counterparts in the market: the authorities may have to take the lead in setting expectations or providing a forum for industry-wide discussions among competitors. Likewise, the authorities may have to take the lead in establishing procedures if there are problems with cross-border transactions, or with subsidiaries or parent companies. This will require dialogue with regulators in partner countries or multilateral bodies.
Payments and Settlement System
In addition to having adequate BCPs to deal with critical staff shortages, providers of payment and settlement services should also:
establish alternative payment mechanisms in case the key payment systems were to fail (e.g., shift to end-of-day net settlement, or netting across the books of the central bank.).
Economic Policies
Consider policies concerning the provision of liquidity to banks. How can banks remain liquid and what will be done if they become illiquid? Ensure that the central bank has an adequate supply of cash and determine when note destruction will be slowed or halted.
Develop plans to absorb excess liquidity (either during the crisis if possible, or in the immediate post-crisis period). Consider the functioning of open market operations and money markets in the event of a significant deterioration in the financial system (e.g., interbank markets could become segmented).
Central bank should ensure adequate supply of cash, determine when note destruction will be slowed or halted, and assure that there is adequate capacity to deliver cash to financial institutions, considering that transportation networks may be affected.
Establish means for monitoring developments in external credit lines. In conditions of an AFP, international credit lines may be called or not rolled over. Consider alternatives for limiting the extent to which such lines are called.
Consider the consequences of sharply increased volatility or impaired liquidity in financial markets, and the effects of using "circuit breakers" or temporary suspensions of major markets.
Establish means of addressing instability in money and FX markets, including knowing minimum conditions to ensure such systems continue to function efficiently, and, in the event of disruptive market movements, establishing emergency "circuit breakers."
Determine if and under what conditions capital controls could be used.
Prudential Regulation
Consider the extent to which some prudential rules may be eased. For example, how should banks treat loans coming due but not paid, and should prudential rules on minimum liquidity and loan classification be modified? How would these decisions be made?
Determine what information on prudential forbearance can be provided to financial institutions for the preparation of their own BCPs. To what extent can banks assume that auditing rules or reporting requirements or rules governing conduct of business will be temporarily eased as they develop their own plans?
In countries with a diverse regulatory structure, coordination among different regulatory bodies is essential. A coordinated approach to regulations for preparedness, testing and, in the event of a pandemic, regulatory forbearance is critical. Because an AFP will have an extremely broad impact on many levels of the economy and society, information should be widely disseminated among the widest group possible.
