Transcript of OTS' William Henley on Impact of California Wildfires and Implications for Disaster Recovery Planning
Richard Swart: Hi, this is Richard Swart with Information Security Media Group, publishers of BankInfoSecurity.com and CUInfoSecurity.com. Today we will be speaking with William Henley, the Director of IT Risk Management for the Office of Thrift Supervision. How are you doing William?
William Henley: I am doing fine. How are you Richard?
Swart: Good. I want to talk about the California wildfires today and also the recent pandemic exercises that have occurred. Disasters and risks are certainly in the news recently. I was wondering if you could tell us, or estimate for us, how many financial institutions were affected by the California wildfires, and what impact did those fires have on financial institutions?
Henley: Yes. I can give you the aggregate information Richard. We have a regional office that is just south of San Francisco in Daly City, and from their monitoring of the institutions that they supervise we had four thrifts that had operations that were affected by the wildfires.
Swart: When you say operations were affected, was it just having to shut down their branches, or were they actually having to go into a full disaster recovery mode?
Henley: Well, we had two thrifts: One thrift implemented its disaster recovery plan, but it did not have to relocate; and the other thrift implemented its internal incident management plan. And then the other two just had minor disruptions, you know, a lot of that had to--or of those--I think it was more employees that had to relocate because of where their residences were located in danger zones, so they had a little disruption there, but nothing that they couldn’t overcome.
Swart: How well did these thrifts react?
Henley: Well, in looking at it in hindsight, or now that the biggest threat is behind us, I’d say that the thrifts responded very well. In this post-9/11, post-Katrina world, business continuity planning is a responsibility most financial institutions take very seriously.
Swart: Were there any takeaways or lessons learned from the reactions of these thrifts that other financial institutions might want to pay attention to?
Henley: Oh yes. Absolutely. There are always lessons learned that can be derived when looking at events or disasters like this. Most of our thrifts that have branches and offices in the affected areas, they are community-oriented and they have longstanding relationships with their customers and are active in the local communities. These fundamentals are reflected in our thrifts’ business continuity plans, which are designed to get the association back in business as quickly as possible to serve the needs of their customers and communities.
Now that means being well prepared to handle immediate and near-term financial needs of customers. Having adequate supplies of cash on hand for basic necessities of life for their customers, like food, water, clothing and shelter; getting beyond the immediate needs and focusing on rebuilding and restoring normalcy in the affected communities.
The OTS also issued a press release at the beginning of this week on October 30th that encouraged associations in the wildfire affected areas to 1) consider temporarily waiving charges for late payments and penalties for early withdrawal of savings; 2) reassess credit needs of communities and offer prudent loans to help rebuilding; 3) to restructure debt obligations when appropriate by adjusting payment terms; 4) solicit state and federal guarantees and other means to help mitigate excessive credit risk; and 5) consider all available programs offered by the federal home loan banks.
As for lessons learned, there are several and those are captured or are consistent with those that on June 15, 2006, and our CEO Memo 239, under the subject Hurricane Katrina Industry of Lessons Learned. So, we look at these disasters and generally there are some consistent themes and just a couple that I will mention are encouraging consumers or individuals to maintain replacement value insurance on their possessions, and the second is to keep a current inventory of possessions.
So, I think the value of those two important lessons learned for individuals are self-evident and once again we offer this document, the CEO Memo 239 that gives the complete list of lessons learned from following Katrina.
But as part of their ongoing interest to build or enhance financial literacy of thrift customers, thrifts can include these lessons learned from the CEO Memo 239 and their community outreach activities.
Swart: Well then, what are some of the best practices the OTS recommends institutions take in preparing disaster recovery plans?
Henley: Well, the best practices have been documented in the interagency guidance and communicated in the business continuity planning booklet of the FFIEC’s IT Examination Handbook, and that booklet is currently undergoing revision and should be available for release--the revised booklet should be available for release shortly. But the current edition likewise is available at the FFIEC’s public website.
So, in summary, those recommendations are that the business continuity planning, the responsibility begins at the top, so it is imperative that the Board of Directors and senior management are involved because they are ultimately responsible for developing a comprehensive business continuity plan.
In order to be effective, the second point is that the business continuity plan must be developed after a thorough risk assessment. Third, the plan should be appropriate to the size and complexity of the thrift or the financial institution. The fourth point is that the plan should be comprehensive enterprise wide, covering all operations in the thrift, not just IT. And the fifth point is that if the thrift uses service providers, the plan should address these relationships. The sixth point is that business continuity planning includes the integration of the institution’s role in financial markets. The seventh point is the training of employees in their roles and responsibilities under the plan is essential. And, the eighth point is to test, test and test again. So, you can’t over-emphasize the importance of testing the plan. Because you want to make sure that the steps are connected and complete prior to having to deploy the plan or put the plan into effect following or in the face of a disaster.
And then finally, the plan should be reviewed and approved by the Board of Directors each year. Business continuity planning is really strategic planning for staying in business. It needs Board level commitment and oversight to ensure that it is embedded in the culture of the entire association.
Swart: Let’s switch our discussion over to a different type of risk. Many thrifts and other financial institutions participated in the Treasury Department’s recent nationwide pandemic exercise that occurred in September and October. Do you think that thrifts and other financial institutions are ready for a pandemic?
Henley: Well, the OTS joined the other financial institution regulatory agencies in 2006 in issuing a joint advisory on influenza pandemic preparedness. Now, this advisory was intended to raise awareness regarding the threat of a pandemic influenza outbreak and its potential impact on the delivery of critical financial services. It advises financial institutions and their service providers to consider this and similar threats and their event response and contingency strategies.
The issuance also discusses national strategy for pandemic influenza and the roles and responsibilities it outlines for financial institutions.
Now specifically, our thrifts certainly have increased awareness of the difference between responding to a pandemic versus a hurricane, earthquake and fires, no doubt from issuances like the joint interagency advisory that I referred to earlier.
The terrorist attack of September 11 taught us all to view potential disasters from a broader perspective and develop strategies for when employees are unable to report to alternate work sites. Now, we feel that thrifts’ pandemic planning can and should be part of its existing business continuity plan. Among the things I want to see are plans that provide realistic scenarios for employees to work remotely from alternate locations for an extended period of time. And these include adequate networking and telecommunication capabilities, not to mention shelter and food.
Swart: So, what would need to be different about this business continuity planning process for a pandemic than a regular disaster recovery or business continuity plan for natural or manmade disasters?
Henley: Okay. Well, although a financial institution’s pandemic plan should be part of the overall disaster recovery continuity planning process, there are aspects of a pandemic plan that are different from the plans for natural and manmade disasters. When developing business continuity plans, financial institution management typically considers the effect of various natural or manmade disasters that may differ in their severity. These disasters may or may not be predictable, but they are usually short in duration or limited in scope. In most cases, malicious activity, technical disruptions and natural manmade disasters typically will only affect a specific geographic area, facility or system. And these threats can usually be mitigated by focusing on resiliency and recovery considerations.
Unlike natural disasters, technical disasters, malicious acts or terrorist events, the impact of a pandemic is much more difficult to determine because of the anticipated difference in scale integration. The nature of the global economy virtually ensures that the effects of a pandemic event will be widespread and threaten not just a limited geographical region or area, but potentially every continent.
While traditional disasters and disruptions normally have limited time durations, pandemics generally occur in multiple waves, each lasting two to three months. Consequently, no individual or organization is safe from the adverse effects that might result from a pandemic event. Experts predict that perhaps the most significant challenge likely from a severe pandemic event will be staffing shortages due to absenteeism.
These differences and challenges highlight the need for all financial institutions, no matter their size, to plan for a pandemic event when developing their business continuity plans. Pandemic plans should be sufficiently flexible and effectively address a wide range of possible effects that could result from a pandemic and pandemic plans need to be reflective of the institution’s size, complexity and business activities.
The potential impact of a pandemic on the delivery of a financial institution’s critical financial services should be incorporated into the ongoing business impact analysis and risk assessment processes. The institution’s business continuity plan should then be revised if needed to reflect the conclusions of its business impact analysis and risk assessment.
Swart: What great information. I appreciate your sharing your time with us today, William.
Henley: You’re welcome, Richard.
Swart: Well, thank you for listening to another podcast with Information Security and Media Group. To listen to a selection of other podcasts or find other educational content regarding information security for the banking and finance community, you can visit www.bankinfosecurity.com or www.cuinfosecurity.com.