Conducting Pandemic Risk Assessments: What Banks Need to Know

By Neal Doherty 

Everyone who works in compliance understands the need for flexibility and adaptability. More often than not, new laws are enacted by state legislatures at the stroke of midnight or beyond. These new requirements are often effective immediately, with no lead time and scant guidance on implementation. It is the job of the legal and compliance professionals to figure it out so businesses can operationalize the requirements.

Given the COVID-19 pandemic, the current state of affairs makes that environment look like a regulatory paradise. Hopefully the COVID-19 outbreak will be under better control soon and future pandemics will not be a regular occurrence. Let us hope the “new normal” is not normal, and that we get back to business as usual. 

The current pandemic has caused a complete change in how we work with financial services clients—and what they view as top priorities. Compliance officers and other stakeholders are being pulled in myriad directions, with priorities changing on a near daily basis.

For example, regulatory compliance projects in the works have been deferred as banks ramped up their ability to respond to a deluge of requests from small business owners seeking loans under the Paycheck Protection Program. We have also had to nimbly adapt in order to support our clients, including reallocating resources from lower–priority projects to update our own SBA loan offering under the PPP.

While it is too late to plan for the current pandemic, regulators will expect financial institutions to be better prepared for the next event, and they have offered guidance on how institutions should prepare.

Show you can scale protective efforts

In response to the outbreak of COVID-19, the Federal Financial Institutions Examination Council issued updated guidance on actions that financial institutions should take to mitigate business impact during a pandemic. This new guidance builds upon guidance issued in 2006 and 2007. ”Pandemic planning presents unique challenges to financial institutions,” FFEIC notes. “Unlike most natural or technical disasters and malicious acts, the impact of a pandemic is much more difficult to determine because of the anticipated difference in scale and duration. As a result of these differences, no individual or organization is safe from the potential adverse effects of a pandemic event.”

The updated guidance requires financial institutions to take steps to mitigate business impact during a pandemic. Following are some essentials to consider in evaluating whether your bank is prepared to effectively manage impacts to your business in the wake of the COVID-19 pandemic.

Under the updated federal guidance, financial institutions must have the following: 

• A preventive program to reduce the likelihood that an institution’s operations will be significantly affected by a pandemic event. 
• A documented strategy that provides for scaling the institution’s pandemic efforts, so they are consistent with the effects of a particular stage of an outbreak. 
• A comprehensive framework of facilities and systems to ensure the institution can continue critical operations in the event that large numbers of employees are absent. 
• A testing program to ensure that pandemic planning capabilities are effective.
• An oversight program to ensure ongoing review and updates to the pandemic plan.

State regulators have published similar guidance, including the New York State Department of Financial Services, which has required financial institutions to submit a summary of pandemic preparedness plans to the agency. Under NYDFS’s guidance, an institution’s preparedness plan must include:   

• Preventive measures designed to mitigate the risk of operational disruption. 
• A documented strategy addressing the impact of the outbreak in stages. 
• Assessment of all facilities and systems necessary to continue critical operations. 
• Assessment of potential increased cyber-attacks and fraud. 
• Employee protection strategies. 
• Assessment of the preparedness of critical third-party service providers; 
• Development of a communication plan. 
• Testing the plan to ensure the plan is effective.  
• Governance and oversight of the plan.  

Identify and document all relevant risk

Integral to creating a preparedness plan is conducting a formal risk assessment. The current crisis has underscored the regulatory expectation that a risk assessment take into account the impact of a pandemic, as well as more isolated business continuity events.

Regulators expect financial institutions to identify and document all relevant risk factors and how well those risks are controlled. Per FFIEC guidance, financial institutions should complete the following risk assessment and risk management steps:  

• Prioritize the severity of potential business disruptions resulting from a pandemic. 
• Perform a gap analysis to determine what steps are needed to mitigate the severity of potential business disruptions. 
• Develop a written pandemic plan. 
• Require an annual review and approval of a pandemic plan by the Board of Directors or Board committee. 
• Communicate and disseminate the plan and the current status of the pandemic to employees.  

In addition, financial institutions should consider the following:

Coordination with third parties. Open communication and coordination with critical third-party service providers is vital.

Identification of triggering events. A triggering event occurs when an environmental change takes place that requires management to implement its response plans based on the pandemic alert status.

Employee protection strategies. Employee protection strategies are critical to sustain an adequate workforce.

Mitigating controls. Control processes can be implemented to mitigate risk and the effects of a pandemic.

Remote access. Robust employee telecommuting capabilities will be required.

Be formal and proactive

Risk assessments should be formal exercises performed annually. The exact process and methodology may be customized by an institution, however the identification of inherent risk and the alignment of associated risk-mitigating controls providing an assessment of the institution’s residual risk is the generally accepted format.

When advising banks on performing a risk assessment, we recommend that our clients establish a formal, proactive risk identification, assessment and mitigation approach and methodology. Important points to consider include: 

• The assessment of inherent risks should identify risk factors that align to each applicable requirement, process, or product feature. Drilling down and considering each risk factor in greater detail provides a more thorough understanding of the impact and likelihood of all potential risks. 
• The risk assessment approach and methodology should map risk-mitigating controls established to address each risk factor. 
• The risk assessment methodology should be based on a mathematically driven formula that scores inherent risk, control effectiveness and the resulting residual risk. Incorporating math as a basis for deriving the scoring enhances reporting and illustrates risk objectively using heat maps. 

Conducting the risk assessment to this level of detail and objectivity not only positions companies to a proactive risk management posture, but it serves as an invaluable control inventory and ongoing living record of a company’s risk position.

Now more than ever, regulators will expect financial institutions to have properly assessed the risks from pandemics and to develop appropriate preparedness and response plans. When the next pandemic arrives, regulators will want financial institutions to implement those plans to help mitigate operational impacts. For all our sakes, let’s hope they don’t have to.

Neal Doherty, consulting manager for CMS and regulatory consulting with Wolters Kluwer Compliance Solutions, is an attorney and compliance professional with 20 years of experience in the financial services sector.