Skip to main content

Pandemic Testing and the BCP

Hey Guru!

We finished a FDIC exam earlier this year, and in the IT portion they hit us on our pandemic plan saying it “needed improvement.” Here is the actual finding:

Management should improve the pandemic plan within the Business Continuity Plan. The pandemic plan has no defined action plan, nor has it been tested. Management needs to establish a clear action plan and test the action plan regularly.

They also commented that we did not test it in 2018, but we did test it in December of 2017. So I have 2 questions:

  1. Is pandemic testing an annual requirement?
  2. What can we do to satisfy the comment on the plan being too generic?


Addressing the second question first, this is a great example of having to read between the lines to determine what the examiner is really asking for. I also referred to this situation in another post. I’m guessing that the “action plan” they’re referring to is actually your succession & cross-training plan. Your recovery procedures won’t change, what they want is for you to develop your succession plan, cross-train alternate personnel, then test your recovery procedures with the alternate personnel.

We have seen this finding recently, and as a result we’ve added a succession plan section to each process in our BCP Blueprint application*. The next time you update your plan it will now prompt for the primary, secondary, and tertiary resources for each process. Just make sure the next time you conduct a BCP test (pandemic or otherwise), you test with alternate personnel in the primary recovery roles. That way you can validate your ability to recover critical processes and functions within recovery time objectives, regardless of key personnel availability AND regardless of the nature of the disaster. After all, the FFIEC guidance states that FI’s focus on the impact of the threat, not the nature of the threat:

“Non-specific events should be identified so that management can concentrate on the impact of various disruptions instead of specific threats that may never affect operations.”

Ultimately your ability to continue critical operations is the primary concern of the regulators, not necessarily that you’ve tested for a specific natural disaster (or contagion).

Regarding your first question, there is no specific requirement to test pandemic (or any specific threat) on an annual basis. The guidance only states that you maintain.

“…A testing program to ensure that the institution’s pandemic planning practices and capacities are effective and will allow critical operations to continue.”

Because reading between the lines of an examination is an imperfect science, ask the examiner if this approach (succession plan, plus cross-training, plus testing with alternate personnel) will address their concerns. I’ll be very surprised if it doesn’t.

For more about the importance of process-based business continuity planning, check out this article: BCP Plans Continue to Draw Criticism.

*This question came from a current Safe Systems BCP Blueprint customer, but those with other plan formats can accomplish the same result by adding a succession plan section to their BCP.