Lessons From Katrina, King
By David B. Sidon
Post-Katrina, and for that matter, the rest of an incredible hurricane season in 2005, disaster and business continuity planning are getting a renewed and vigorous look by everyone including the White House, Homeland Security and the Federal Emergency Management Agency, as well as the institutions and regulatory bodies that comprise our banking system. As we in the industry learn the importance of system recovery plans and business resumption plans (separate planning exercises, as I will describe presently) and as we start to test, in simulated exercises, our plans and responses, we quickly come to the recognition of contingency planning’s key ingredient/problem: People.
The banking industry is currently striving to comply with the guidance provided by the Federal Financial Institutions Examination Council in its March 2003 IT Workbook entitled “Business Continuity Planning” – guidance in place long before Katrina, but now easily promoted as the new standard by our regulators. Compliance calls for plans, plural. The guidance adds additional planning layers of risk assessment and business impact analyses. Of particular note is an emphasis on board-of-directors responsibilities. Conducting a “find” search of the word “board” in the document, excluding footnotes but including the accompanying audit work-program, reveals 24 matches. Although the workbook was unfortunately disguised as IT guidance, the board’s responsibility for oversight of comprehensive plans is unambiguous. So, aspect No. 1 of the “people” focus extends to our directorship.
Aspect No. 2 of the “people” focus is the recognition that system recovery and business resumption teams are quite distinct (except for the smallest of institutions). When considering the recovery of network or telecommunications capabilities, we find ourselves describing an action team of technologists, i.e. our IT department and the community of vendors supporting our IT departments. Their focus is returning a crippled system to a working state. Meanwhile, back at the branch, business processes interrupted by the system crash create a different set of challenges and the need for a different action team. Prioritizing what to do first once systems are restored and customers may be served is quite a different exercise requiring a thorough examination of current processes before prioritization and resumption procedures may be created.
Aspect No. 3 of the “people” focus has been spotlighted by some of the sad consequences of Katrina and her other destructive siblings. Similar “lessons” are also emerging from thoughtful and thorough simulated testing scenarios. What if the “people” in our plans are not available? What if they’re missing or dead? What if they’re displaced? At a shelter? What if their focus is on their family’s personal welfare and not that of the bank?
Disaster Scenarios for Banks
Here’s an example. I recently facilitated a testing exercise at a community bank. The management team and department heads were all around the conference table for three hours of plan “walk-through.” We used disaster scenarios designed to provide an element of surprise, a selection from the disaster scenarios posted, and available for general use, on my navis-group.com Web site. The goal was to propose a disaster and consider the adequacy of the written plans. The initial scenario set the tone for our session. We suggested a disaster in which a chemical spill demanded immediate evacuation of a 15-mile radius, occurring at 3 p.m. on a weekday, with the bank open for business. Our orderly, serious and devoted banking team started to outline the methodical shutdown and security steps described in their plans. I let them go for a few minutes and then interrupted with a dose of reality. If the local police or National Guard barged into your institution with immediate evacuation orders for an environmental concern of unknown proportions, would we or our employees really care first about the bank? Or would we be more concerned about our kids at school, our perhaps immobile elderly parents, our pets or our own skins? Might we be out the door ahead of our customers in an “every-man-for-himself” mode? I think we at least need to consider this reality with a high degree of probability. When bankers returned to re-open their facilities in New Orleans, was the bank their priority and did they even remotely have a full component of staffing? I’m pleased to report that the discussion testing that ensued at this particular bank really added a level of practicality to the written plans, once a real-life crisis attitude was introduced into the equation.
You know who always seems to get the “people” aspect right in disaster scenarios? Stephen King. His characters always maintain that nagging concern for loved ones, friends and pets that helps to explain their irrational behavior. His scenarios may be bizarre, but his “people” are always real, their reactions more on target. The bank vault may not always be methodically secured in the face of one of King’s grisly circumstances. I recently finished his current novel “Cell.” Trust me, our business continuity plans all fail the scenario that he exquisitely crafts. No banking facilities were methodically secured.
Writing this article has been a strange exercise in connecting the dots between continuity planning, Katrina and a horror-novelist. However, the dots are easy to find if you really look; our “people,” a mostly forgotten element of our planning efforts to date. When you write your plans and when you test your plans, I suggest adding a little human frailty as a dose of reality.
David B. Sidon (firstname.lastname@example.org) manages The Navis Group and Navis Search, specializing in compliance and technology project management and executive search engagements for financial institutions.