This month, FFIEC agencies collectively issued an interagency statement on pandemic planning, supplementing the “Interagency Advisory on Influenza Pandemic Preparedness” and “Letter to Credit Union 06-CU-06 – Influenza Pandemic Preparedness” guidance. The statement is in response to the coronavirus (COVID-19) outbreak rapidly spreading across the United States and is a reminder to organizations that business continuity plans must address the potential threat of a pandemic and the impact it may have on the delivery of critical services.
Within the guidance, FFIEC agencies specifically call out having a business continuity plan (BCP) that addresses pandemics. They list the following 5 areas that should be included in the pandemic plan:
- A preventative program
- A documented strategy scaled to the stages of a pandemic outbreak
- A comprehensive framework to ensure the continuance of critical operations
- A testing program
- An oversight program to ensure the plan is reviewed and updated
What Is the Difference Between a BCP and Pandemic Plan?
Pandemic planning is part of a business continuity plan. Hopefully, your organization already had a pandemic plan in place before this statement was released. If it didn’t, or if you are just curious about the differences, two things make pandemic planning clearly unique. Consider the following:
- Difficulty determining the impact: In BCP, you’re planning for natural or man-made disasters that tend to be shorter in duration or limited in scope. In pandemic planning, it’s more difficult to know the impact the pandemic will have on the organization because of the varying levels of scale and duration.
- The length of time is greater: In BCP, disasters usually last for a limited time, but a pandemic can occur in waves and last several months.
Keep the Board and Senior Management Involved
FFIEC agencies also remind organizations that pandemic planning is not only an information technology (IT) concern. It’s a risk to the entire business; therefore, remember to include the board and senior management in pandemic planning. The board must oversee the development and approval of a pandemic plan. Senior management must have sufficient resources to prepare, monitor, communicate and test the plan.
Pandemic Planning in Third-Party Risk Management
According to the interagency statement, “Management should also monitor its service providers, identify potential weaknesses in the service and supply chains, and develop potential alternatives for obtaining critical services and supplies.”
Don’t take this statement lightly. Not only should you have a pandemic plan in place, but your vendors should, too. It’s your organization’s responsibility to monitor your vendors during this perilous time, especially the critical and high-risk vendors, to determine if their pandemic plan is adequate. If their plan is inadequate, what are your alternatives should they no longer be able to provide the product or service your organization has outsourced to them?
No one saw COVID-19 coming, yet we all need to be ready to react. We’ve been required to have pandemic plans in place for many years, so why are we all caught backpedaling rather than instinctively reacting? This is a time to double down and make sure that we know not only what we have in place but what our third parties have in place.
Overreliance on a product or service is always an exposure point, particularly if the vendor has left itself in a vulnerable position in terms of its ability to execute a functional pandemic plan. This is the perfect time for third-party risk management, business continuity and information security to put their best foot forward and show what they’re all about.
We’ll leave you with this. Remember, our supply chain is only as strong as its weakest link. No matter how resilient your own business continuity and pandemic practices are, you must understand your third parties’ practices as well and make sure they undergo thorough and rigorous testing until they meet your expectations.
It’s just that simple. Expecting the unexpected is the new norm.