TGG has discussed the Avian Flu on several previous blogs. This is the third article in a series of ideas to consider when planning a Business Continuity Plan that includes the Avian Flu.

This article will address items to consider in Management, Medical and Cross Training sections with this article.

Management

• Determine a chain of command for the president/CEO if one is not in place.
• Determine a chain of command for the CFO, CIO, and other critical officers the bank has.
• Determine the fiduciary responsibility of the different officers if their superior is not available
• Consider additional personnel that could be asked to serve on the Board of Directors for either an interim basis or permanent basis.
• Determine if certain functions of the bank can be reduced or mothballed until the crisis has passed.
• Considerations may have to be given to changing the current employee hand book concerning leave of absence, illness, etc.
• Determine what branches could be consolidated for an interim period of time until additional staffing is available.
• Determine if transportation for employees would become an issue and what could be done about it.
• Determine if the Business Continuity Plan would have to be changed to adapt to the current circumstances.
• Set up a committee to investigate the different sections and determine a plan of action for items they determined were most critical to the bank.
• Items that the committee consider significant should be addressed in the Business Continuity Plan (disaster recovery plan) under a special section.
• Set a time frame to have different solutions agreed upon by management resolved and completed.
• Determine a chain of command for the president/CEO if one is not in place.

Medical

• Appoint several members of the staff to keep up with the latest means to protect the financial institution’s personnel from infection.
• Have the necessary swabs, latex gloves, masks in sufficient supply.
• Arrange with local hospital(s) to have inoculations brought to the bank for personnel if possible.
• Have cleaning crew versed in areas to keep clean with proper solutions.
• Consider implementing different filters for the banks aid conditioning and heating system.
• Set up procedures to have the employees wash their hands often to avoid contaminating each other and avoid contamination from the general public.
• Place hand disinfectant dispensers (waterless) in the lobby and in work areas for the public and bank personnel to use.

Cross Training

• Look at the different functions in the bank and consider where cross training can take place.
• The more technical positions like in Item processing and Core banking system, Networking and Main Frame need extra training. If the IT department is very small, an alternative backup may have to be looked at.
• Consider ether training bank personnel in the minimum required knowledge, outsourcing to an IT company or perhaps look to local college IT personnel.
• Training videos could be made for different positions that the steering committee determined were necessary.
• Look at the multiple functionality of different people and their ability to move to other positions.
• Build detailed procedures for each position to enable a new person to follow these instructions and accomplish the job.
• Determine alternates or backups for all positions.
• In-depth job descriptions for each position could be developed so Human Resources could target certain skills sets if needed.

Click here to read Part 1, Part 2, or Part 4 of this topic.

This is the second in a series of information concerning Avian Flu (Pandemic) and how a financial institution can plan ahead and use this in their Business Continuity Plan.

The last blog listed different sections that a bank should consider and explore. We will look at Personnel, Equipment and Video Conferencing sections with this article.

Personnel
· Explore the different positions in the bank that could be handled by working at home.
· Determine the minimum number of persons that need to be at the bank to allow each department to function.
· Determine the minimum bank personnel that need to interact with the public. Special areas may need to be set up with ventilation and glass walls and limited pass through slots.
· Determine if some functionality can be done through a local PC in the lobby with forms customers can fill out that is not tied to the network but could be a pier to pier network or wireless. Security would be still an issue with the wireless.
· Committee Meetings can be held through video or conference calls. The use of power point presentations may become common place but that entails much more time to prepare.
· Consider staggered hours for employees.

Equipment
· Personnel working out of the house will require PC’s or laptops.
· The equipment will need to have an antivirus and firewall activated and updated daily. It will need to be encrypted including the hard drive.
· Bank personnel will need a secure means of connectivity such as VPN, dial up networking, terminal services, etc. The equipment will have to be configured for remote connection and the accompanying security.
· Alternate recovery locations may have be used to reduce contacts for IT staff.
· Reflect on how IT can connect remotely to the home PC in the event they have a software problem. What to do if there is a hardware problem.

Video solutions/Connectivity
· Video conferencing between branches and even between executives may become a means to keep everybody connected.
· The Directors are also going to require a means to communicate and if meeting face to face becomes a problem then video conferencing, web conferencing, power point presentations, teleconferencing are all solutions.
· Web conferencing can be used for those at home.
· Use of the Intranet (banks website) for information purposes is a simple solution for those logged into the network.

These are a few items that the bank should consider when building a plan to handle the threat of Avian Flu.

By Gary Lauman, Senior Security Consultant with The Garland Group

Click here to read Part 1, Part 3, or Part 4 of this topic.

Avian Flu (Pandemic) has been in the news for some time on an almost continuing basis. The Garland Group conducts IT controls Reviews based on the FFIEC guidelines and this question has come up with a number of financial institutions we audit who are debating about including this item as a portion of the Business Continuity Plan.

Responses from examiners indicate that a pandemic is not required in a BCP at this time. However, they recommend that financial institutions begin looking at how to handle loss of key staff or loss of significant numbers of staff. It is generally though that from 15% to 40% of the work force will not be able to work because of their being ill or family illness if a pandemic hits the United States.

If the financial institution is ready to move ahead with adding this topic to their Business Continuity Plan (disaster recovery) Set up a separate section in the bank-wide BCP for “Absence of Personnel� or other similar heading.

TGG has identified several different topics that the bank will have to work through and build a plan according to their needs and resources. They are: Personnel, Equipment, Video/teleconferencing, Cross Training, Management, Medical, Outsourcing, Supplies and Testing.
We will follow up at a later date with specifics in the different topics.

By Gary Lauman, Senior Security Consultant

Click here to read Part 2, Part 3, or Part 4 of this topic.