By Kerry Hatzenbuehler & Melissa DeDonder
Although the Fall 2020 OCC Semiannual Risk Perspective has been published, the Spring 2020 issue relayed important information for banks to consider related to this crazy year. Many of you have documented and are continuing to document how the bank responded to the pandemic. Some of you may still have work to do, and that is ok. As we all know, the pandemic is not over and it appears the virus and its affects will not be going away anytime soon.
Hot Topic: Regulatory Exams Require Evidence of Business Continuity Plan (BCP) Implementation during Pandemic
Several of our bank clients have undergone recent regulatory exams and one of the hot topics is providing evidence of how the bank implemented their business continuity plans (BCPs) to protect customers and staff while maintaining ongoing operations.
Do you have a proper timeline of events addressing the following items?
- How did the bank protect customers and employees in the physical locations?
- Did you have staggered work schedules?
- What days were the lobbies closed? How did you social distance if the lobbies were not closed?
- How did the bank support work from home technologies? Were any new systems implemented?
- Were there days/times you had bandwidth issues? Was the internet down at any time?
- How did you implement assistance programs, such as the CARES Act Paycheck Protection Program (PPP)?
- Did you have a department or an entire department out due to COVID-19?
- Did you put in place a deferred loan payment program?
Although this is not an all-inclusive list, these are key questions to address so that you can document your responses, evaluate the related risk, and update as activities change.
Benefits of a Pandemic Timeline
Creating a timeline of events may just help explain why you were late on providing a Loan Estimate to an applicant, why a CTR was filed late, why you missed reviewing a certain report, or why you received a customer complaint.
This documentation will also come in handy when evaluating your current BCPs. This real pandemic could satisfy the annual testing requirements of the plan, but you must ensure the correct documentation is maintained.
Steps for Proper Documentation
While this is not an all-inclusive list, these key items can help get you started with this documentation. Management should clearly define the characteristics of a test, which may include the following:
- Dates and locations
- An executive summary comparing objectives and results
- Problems identified and lessons learned
- Validation of recovery point objectives, recovery time objectives, and maximum tolerable downtime
- Confirmation that systems can support critical business processes (e.g., transfer to alternate sites, increased workloads, manual workarounds, and communication)
- Integration of technologies that support critical business activities, including data replication, recovery, and off-site storage
- Verification of workplace restoration (e.g., network connectivity and communications)
Next, after the documentation is complete or during the annual review and approval of the plan, you can ensure any problems identified within the plan are managed and revisions to the BCP are made, as well as adjustments to the business continuity management process (including the exercise and testing program).
As a final step, this testing should be presented to the Board of Directors for review.
As always, it will be beneficial to you and your bank to be proactive, especially as we all work to adapt to the effects of the COVID-19 pandemic.