Central Bank Of Barbados
4.3.1 Pandemic Plans
A pandemic occurs when there is a widespread disease outbreak. While a pandemic may vary in severity and duration, it may present significant financial or operational risks for a licensee for its duration and beyond. Notwithstanding that health and safety is of paramount importance, the Bank urges licensees to consider whether their business continuity plans are sufficiently flexible to address a wide range of possible effects during pandemic events. In some instances, a stand-alone pandemic plan may be developed, or pandemic considerations incorporated into existing business continuity plans and other internal plans.
Pandemic plans typically address:
- Staff health and welfare measures – these may include human resources and hygiene policies, staff training and communication, tracking of employees as to health status and location, travel restrictions, distribution of medical supplies and measures to address building contamination. For licensees with overseas staff, updating of evacuation and medical assistance procedures may be needed.
- Remote offices or telework arrangements – given the potential for government-imposed social distancing measures and closure of public facilities, consideration should be given to alternative working arrangements such as routine work-at-home capabilities, use of remote branches and recovery facilities, and split shifts. In some cases, institutions may consider pooling resources, or shifting work or staff across international locations.
- Controls and compliance – licensees will need to consider the length of time that a large percentage of staff could effectively process transactions or conduct other operations away from normal work locations or perform workarounds to maintain critical business functions. This may include the ability to meet management and compliance requirements.
- Cybersecurity – licensees should consider the increased risk of cyber events given the use of remote offices or telework arrangements, heightened anxiety among associated persons and confusion about the virus. It is important that licensees remain vigilant in their surveillance against cyber threats and take steps to reduce the risk of cyber events. These may include:
  - ensuring that virtual private networks (VPN) and other remote access systems are properly patched with available security updates
  - checking that system entitlements are current
  - employing the use of multi-factor authentication for associated persons who access systems remotely
  - reminding associated persons of cyber risks through education and other exercises that promote heightened vigilance
- Communicating with customers – licensees may experience significantly increased customer call volumes or online account usage during a pandemic which may cause temporary operational challenges. Licensees are therefore encouraged to review their BCPs regarding communicating with customers and ensuring customer access during a significant business disruption. Where staff may be unavailable to service customers, licensees are encouraged to promptly place a notice on their websites, indicating to affected customers whom they may contact about their accounts or access to funds.
  Policies and procedures should be considered that will mitigate risks that may arise due to the reduced ability to communicate with customers, inability to rely on mail or other disruption to the existing controls over communications with customers. In a case where a licensee has opted to avoid general distribution of information to its customers until such time as the risk level rises, there must be clear trigger points for releasing and updating information.
- Communicating with the Bank – licensees should provide the Bank with emergency contact information for responsible persons during a pandemic.
- Critical functions and resource priorities – prioritising resources (including staff, facilities, systems) in advance where possible, will help to ensure that, in an environment with reduced resources, they can be directed at the most critical functions. Identifying critical functions in pandemic plans according to the various pandemic phases or trigger points is one method of supporting clear prioritisation.
- Succession and decision-planning – pandemic risk may require licensees to update, and in some cases expand, delegations for various types of decisions, as well as to undertake explicit staff succession planning and cross-training for key operational roles that are needed to ensure continuity of critical operations.
- Testing – rehearsing and testing are important components of any preparedness plan. Licensees should ensure that published pandemic scenarios by relevant authorities are used as a basis for walkthroughs of pandemic plans.
The above should bear reference to any plans at the national level. See Operational Risk Management Guideline.