Telephone Conference on Contingency Planning for Disasters and
Lessons Learned From 2005 Hurricane Season
Summary of the Telephone Conference on Contingency Planning for Disasters and
Lessons Learned From 2005 Hurricane Season Sponsored by the FDIC Atlanta Regional Office
February 16, 2006
The year 2005 brought some of the most devastating hurricanes in US history, led by Hurricane Katrina and followed by Hurricane Rita and Hurricane Wilma. Some entities have not even fully recovered from Hurricane Charley, which had already hit South Florida in 2004.
Standard guidelines are available from the FFIEC Business Continuity Planning Handbook, the FFIEC Uniform Rating System for IT, the Gramm-Leach-Bliley Act, and the recently implemented FDIC IT Risk Management Program. The importance of contingency planning is clear and essential for financial institutions. Along with the reminder, some "best practices" are emerging based on recent experiences: not just DR for disaster recovery, which implies a reactive approach, but DR for disaster readiness, a more proactive approach; not just BCP for business continuity planning, which tends to become cursory over time, but BCM for business continuity management, to be able to respond to whatever is here and now. BCM is possible through a responsive bankwide Crisis Management Team and a readily accessible Command Center for communicating with employees, vendors, and customers.
A low probability of a risk occurring used to be equated, based on a risk assessment, with a risk that can be absorbed. A probability calculation is now incomplete without an impact analysis of every risk considered. The levee break in New Orleans is a humbling experience of a low-probability, high-impact event. Every institution should consider scenarios of high-impact events, even if there is only a remote probability of the event occurring.
Flexibility and adaptability were key success factors. There were many lessons; the more important ones, which seem to have made greater impacts, are the following, not necessarily given in order of priority:
- Establish a clear chain-of-command.
- Identify pre-established rendezvous points in case communication is not available.
- Establish redundant communication lines from the standard list, such as CB radios; out-of-area cell phones, as well as different providers; website messages, or even use of media (advertisements in newspapers, radio, and television); 800 and direct-dial numbers; and dedicated voice response units for notices and check-ins.
- Have a tested contact list for senior management, employees [including next of kin], customers, vendors, and key government agencies with land line telephone, cell phone, E-mail, pager, and facsimile numbers.
- Provide separate 800 numbers for use by employees and customers. Ensure that the call volume could easily be expanded in case of a spike in need.
- Know regional and local programs (FEMA, municipal, county, state, and federal). Assign internal contacts who would polish their expertise on the program.
- Prior to a disaster, distribute out-of-zone (area codes) cell phones to key management personnel.
- Order adequate cash to have on hand before the disaster hits, for both customers and employees.
- If there is no power, provide alternate ways for customers to access cash.
- Consider how debit or stored value cards may be used outside the affected areas (if there is no power, cards will NOT work).
- Consider how to secure cash and customer safety.
- Consider holding a customer awareness and preparedness training in preparation for an impending disaster (e.g. before the hurricane season starts).
- Alternate Sites
  - Have a secondary alternate site in case the primary alternate site becomes inaccessible for some reason or another.
  - Consider redundant or different providers of infrastructure (power and telecommunication lines, etc.) for the alternate site compared to the main office.
- Keep at least two copies of back-up tapes every time, one kept on-site and one sent off-site. Consider establishing mirroring arrangements at the off-site location. Keep back-up tapes even if mirroring is in effect in case the primary off-site location (hotsite) becomes inaccessible and a secondary cold site has to be utilized.
- Establish a good rapport with other institutions in the area in the event that branch sharing is the only way to service customers.
- If serviced, banks should participate in the vendor's contingency planning: know the servicer's alternate sites and prepare how to get data there prior to the storm.
- Track the storm; establish the following not in the path of the storm:
  - Alternate sites
  - Command Centers
- Human Resources
  - If there are employees in different areas, be ready to bus/fly in employees from other areas to allow the employees of the affected area to attend to family issues, if necessary, or if they become inaccessible due to lack of fuel, flooding, etc.
  - Be ready to provide food and water to employees when these are not readily accessible due to a disaster, and ensure bank services will continue.
  - Consider providing/coordinating other needs of employees and their families (nursery, clothing, shelter, etc.) to ensure continued service.
- If the institution has more than one key location, develop an out-of-area Crisis Management Team prior to the disaster.
- Be familiar with services available through the correspondent banks (e.g. electronic funds transfer) in case they need to be used.
- Provide for alternate procedures if the on-line systems or automated processes are down. Prioritize activities from bare essentials if resources are limited.
- Contact service providers and disaster facilities prior to the storm.
- Contact FDIC for assistance in getting into restricted areas, if necessary.
An article on "Business Continuity Planning: Lessons Learned from 2004-2005 Hurricanes" will be published in the Summer 2006 Supervisory Insights Journal, which can be downloaded from the Supervisory Insights homepage. It will be introduced through a Financial Institution Letter.
You may also download the FFIEC Business Continuity Plan Handbook.
The views expressed are those of FDIC Atlanta Region staff, and do not necessarily reflect official positions of the Federal Deposit Insurance Corporation.