Pandemic Planning: Beyond 'Checkbox' Compliance - Harry Rhulen, BCP Expert
In an exclusive interview, Rhulen discusses:
Rhulen is Chairman and CEO of Firestorm Solutions, a BCP and disaster recovery consulting firm based in Denver, CO. He is also co-author of the book "Disaster Ready People For A Disaster Ready America." Two additional books will be published this year on pandemic planning: "The Pandemic Scam -Why Plan?" and "Luck is Not a Strategic Plan."
LINDA McGLASSON: Hello, I'm Linda McGlasson, Managing Editor for www.bankinfosecurity.com and www.cuinfosecurity.com. Today's Information Security Media Group Podcast is with Harry Rhulen, CEO of Firestorm, a business continuity planning and disaster recovery consulting firm. Welcome Harry.
HARRY RHULEN: Thank you very much Linda.
McGLASSON: Harry, you recently returned from Europe and have seen first hand the preparation and reaction to the Swine Flue virus and pandemic over there. How are they coping?
RHULEN: It is actually very interesting. Europe in general has a slightly different culture than we have here in the United States. Because they are not protected on both borders as the United States is by an ocean and therefore aren't isolated, they are subject to far more issues, more vulnerabilities and threats than we see on a day-to-day basis in the United States. The first thing you notice when you go to Europe, walking through the airport, is more people wearing masks. You will also see signs up in the airport not only just for Swine Flu, which is the H1N1 virus, , but additionally placards up for other diseases such as the H5N1 virus, which as you probably know is still affecting people very adversely in places like Egypt and Indonesia. They are trying to keep their people tuned into a much greater degree than I believe the media-based society herein the United States is doing.
McGLASSON: Can you point to examples of businesses around the globe that are doing a good job in preparation, planning and implementation of their response plans? And here in the United States, what should businesses and financial institutions in particular be telling their employees and customers at this point?
RHULEN: Very often when people talk about pandemics they talk about pandemic planning, but the reality is there are many diseases that do not reach pandemic levels that have the ability to incapacitate a financial institution, or any type of organization. It is the training and education of the employees that becomes paramount in the process. Teaching them how to identify the issues, how to use proper hygiene, what the cleaning protocols are, what cleaning products need to be used under what circumstances, all those things need to be incorporated into an overall communicable illness plan for an organization. Additionally, one of the things that most organizations found during this most recent Swine Flu outbreak is that they need to have very firm travel policies in place. You can't start or try to implement policies after the disease has already broken out. If you are going to be sending people to foreign countries, you need to know what your quarantine protocol is. If you are in a situation with the Swine Flu, say you have an employee that returned from Mexico, how long are you going to keep them from returning to the office? If you need to send somebody to a location that potentially is an infected area, how does that affect your worker's compensation policy? How does that affect all of the other benefits and policies that your organization has? There are many vulnerabilities and threats that need to be looked at as part of the overall communicable illness planning process, and the employees are the key to it. They are the ones who are either going to keep your organization safe or, if they are not trained and educated properly, they are the ones who are going to spread the disease. Again, it is not just about the Swine Flu and it is not about the H5N1. We at Firestorm have had clients recently that had issues with things such as Measles or drug resistant forms of Tuberculosis; also MRSA has been a big issue, the drug resistant form of bacteria that is a flesh-eating bacterium. So really overall communicable illness planning is important for any organization.
McGLASSON: So following up the first part of that question were examples of businesses around the globe that you have seen that are doing a good job in preparing and educating their customers?
RHULEN: One of the things you saw, even prior to the World Health Organization raising the pandemic level from a three to a four and then subsequently to a current level of six, is there are organizations who immediately upon being raised from a three to four started implementing their travel policies along with their overall communicable illness plan.
They started restricting travel and operating via conference call. Many of the conference call services such as Skype, which allows face-to-face communication over the internet, saw a dramatic increase in their usage. There are many organizations around the world that started implementing employee distancing policies where they were limiting the number of employees who could be in any one location at any time.
There were many steps that were taken and now as you know are continuing to be taken as the flu season in the southern hemisphere heats up. Argentina as you know had much quarantine and actually had to close various types of financial institutions and organizations to prevent the spread of the disease. So there are organizations that are doing things well.
The problem is you rarely hear about the ones that are doing things well because they are not the ones having the problem. What you hear about are the ones who haven't done the communicable illness planning and therefore do have to be closed or quarantined.
McGLASSON: Harry, going back to the spring pandemic response here in the United States, what are some of the areas in financial services, either nationwide or regionally, you see that more work needs to be done in meeting the expectations of the required pandemic response?
RHULEN: One of the problems that we have here in the United States, and I don't believe it is just with the financial services industry, is the fact that our regulators require certain types of planning to be done, but oftentimes senior management at the organizations or institutions only feel the need to do the planning necessary to what we call "check the box."
They have a plan, it sits on a shelf and it is not actionable if it really had to be put into practice, but it is enough to get the regulators to sign off and that is all they really do. That is what they miss, doing truly comprehensive vulnerability and threat analysis and then doing the education.
Obviously, the organizations in the financial services industry that have the most exposure are those that have retail locations. Those that interact with the public on a regular basis are retail branches of banks, credit unions, things of that nature; they have the most exposure to disease. And again, it is disease of all types.
One of the things you may know from the stories about the 1918 pandemic is that there was a recommendation from the government that you wash your money. Money they felt was one of the main ways that the disease was being transmitted from one individual to another because the physical piece of paper could transmit the disease if there was a small piece of spittle or phlegm on the person's hand when they transferred it to either the bank teller or to another individual. It was a way of transmitting disease and not having employees trained and educated as to how to deal with those issues. I think it creates a very significant exposure for financial institutions that have a retail component.
McGLASSON: What is your advice for individual institutions, where they should be in pandemic response now that a pandemic level six is declared and what are some of the additional resources that you could offer them?
RHULEN: What any organization needs to do, if they would like to have a truly implementable, actionable communicable illness plan, is they need to do an analysis of how their business works. What products come into their business? What happens when they are there? What goes out?
Again, if you have a retail location that is interacting with the public, there needs to be a specific protocol for how those things are going to occur. When our flu season returns it is going to be paramount that those types of organizations have hand cleaning protocols; and in certain situations, within certain communities, as the level of disease goes up there may be a need for rubber gloves, masks, things of that nature.
Additionally, if an organization has human resource policies that require people to come to work, which is one of the problems we have in the United States as opposed to absenteeism, we have what we call presenteeism. That is where employees come to work whether they are sick or not. That is a huge exposure for any organization when you are dealing with a pandemic because if I feel that I must come to work whether I am feeling ill or not, the likelihood that I am going to infect not only my co-workers but that the bank or financial institution becomes a source from which the disease is spread due to the number of people that I come into contact with on a given day-to-day basis. That becomes a very significant issue.
McGLASSON: You had mentioned you had some suggested additional resources that our audience may be interested in?
RHULEN: On the internet there are a tremendous number of resources that are available from the federal government. Firestorm has a document called The Human Resource Reference Guide for Pandemics that I would be more than happy to give to any of your listeners. It is not something that I am looking to sell, but it is a document that will walk them through many of the major human resource issues that have to be addressed when developing a communicable illness plan.
One of the problems with developing a communicable illness plan that is actionable is that it truly is an area of specialty that very few organizations have. Unless you have an in-house medical director, unless you have people whose job it is to spend their time thinking about the vulnerabilities and threats that have been created by communicable illness and then developing the appropriate plan and then doing the employee training and education, it is hard to do.
If you have people trying to do this who also have a day job, people who are trying to do their normal job on a day-to-day basis, the likelihood that you are going to get the plan done, especially in a pandemic environment, is unlikely. We used to be operating on the calendar. We had plenty of time to set up meetings. We could talk about this and come up with a good plan for it. Once pandemic occurred, once we as Firestorm referred to it and once we were on the clock and no longer on the calendar, there was no time for planning anymore.
There is no time for lengthy discussion. It needs to be done quickly. The training and education needs to happen immediately and there needs to be a truly implementable plan and that is going to require some dedicated resources and the commitment of management. That is one of the real keys to making the United States and its financial system more pandemic resistant and resilient.
McGLASSON: Harry, recommendations for institutions as they continue to watch the developments in the pandemic spread and their pandemic response?
RHULEN: One of the most important things in the financial services and banking industry would be to think carefully about your supply chain. Where do you get the physical cash from? Who are the organizations that support your infrastructure to make sure that you can continue to service your clientele?
One of the things that is going to happen is people are going to look to take far more cash out of their financial institutions so that they are prepared in the event of catastrophe. That is going to mean that the physical money supply that any individual institution needs is going to go up. Similarly, the way in which the institution runs its facilities is going to need to change based on various factors that occur within their community. I
t is going to be essential to have a detailed, communicable illness plan and policies, as well as have educated all of you employees. One of the things that we have seen in the healthcare community already, and I believe that you will see it in the financial service community as well, is the fact that employees will not show up for work whether they are healthy or not. One of the reasons is that any organization that deals with a large number of the public understands that they have a higher potential for exposures than an organization that doesn't deal with the public. Unless there is an education process, unless those employees understand how they are being protected and how their organization is taking steps to make sure that they minimize the infection rate, the chance that that employee is not going to present for work is infinitely higher.
McGLASSON: Harry, thank you so much for your excellent insights today on this country's pandemic preparation response.
RHULEN: It was my pleasure Linda and anyone who would like to contact me or have me get them in touch with the various experts that we use from Firestorm to help them in this process, we are happy to do that.
McGLASSON: Until later, I'm Linda McGlasson for Information Security Media Group.