What You Need to Know About Business Continuity

By Ken Brock

Fifty years ago, smart businesses prepared for potential threats like fires, tornadoes, burglaries and the recent earthquakes that have sent Puerto Rico into a state of emergency.

Today, companies have to worry about incidents our grandparents could never even have imagined – everything from stolen data to social media trolls to active shooter situations. “Worst case scenarios” have become realities in many instances. 

For example, more than half of companies experienced a downtime event that lasted more than eight hours in the past five years, and one in three organizations were hit by a virus or malware attack in the last five years.

Thorough business continuity programs are becoming increasingly vital for organizations across every industry, and credit unions are no exception. These programs assist businesses with identifying and preparing for potential threats, and evaluating an institution’s ability to respond to and recover from risk events. 

Diverse Risks

Potential risk incidents can be diverse, and financial institutions face more of them now than ever. According to the PenFed Business Continuity Risk Assessment, these risks include brand and reputational risks, data breaches, technology disasters (including those involving third-party vendors), natural disasters, man-made incidents, pandemics and active shooter scenarios.

In 2017, we faced a terrible tragedy: the island of Puerto Rico, where PenFed has three financial centers, more than 200,000 members and 50 employees, was hit by Hurricane Maria, a deadly category five storm and the worst natural disaster in recorded history to affect the island. 

Homes were swept away, and people couldn’t locate their family members. There was no running water and little food or drinkable water. In the hours and days following the storm, we used a tool we had developed for employees to check in and let us know they were safe. We provided generators, meals and disaster relief packages to employees and their families. With the power out, cash was king, and we opened our ATMs with no fees for everyone on the island. The National Credit Union Foundation stepped in to raise money to support the island. 

Tips to Strengthen Your Plan

Thankfully, we had plans and checklists in place for weather scenarios. But through this disaster and other incidents, we’ve learned a lot about what to prioritize and what resources are most helpful in times of chaos. Here are some tips for credit unions looking to develop or strengthen their business continuity programs:

1. Assume you will have an incident that will be disruptive to your organization. 

Hope for the best, but prepare for the worst. Recognize that incidents will happen, even if they seem unlikely now. Be prepared.

2. Start by creating simple playbooks.

Identify the key things that need to happen, and work backward with the details from there. It’s important to note that every credit union’s playbook will be different. When I share PenFed’s playbook with credit unions across the industry, I always prepare a more general document that can be customized for each institution. There are certain things that everyone needs to address, like employee safety, but no one playbook will fit every institution, even within the same industry. For example, an office in Nebraska might prioritize a tornado playbook, while an office in California would prepare for earthquakes and wildfires.

3. Focus on the employees, and don’t underestimate them. 

It’s important to focus on employee safety and wellbeing first, so that they can in turn support the members. In Puerto Rico, it was amazing to see how the employees banded together to help each other and to help members. Some of them drove two hours to work every day through streets with downed power lines and no traffic lights. When one employee had no one to watch her children, another stepped forward to locate care for her kids. It was remarkable to see camaraderie like this. 

Make sure employees know they are fully supported by the CEO and the executive team. Have regular conversations and training about the “what ifs.” If a “what if” happens, people will be prepared.

4. Have a different corporate framework for natural and non-natural disasters. 

Natural events, like hurricanes, floods, wildfires and earthquakes, will require different responses than non-natural events like theft or gas leaks. Create a scenario-based playbook for the most likely incidents in each category. With weather events, you’ll often have 48 hours’ notice, and you’d be surprised how much you can accomplish in two days – whether it’s setting up sandbags, taking pictures of buildings for insurance purposes, or making sure employees and their families have cash and supplies.

5. Risks will vary for different people in the organization.

Someone who works in a local branch will face different risks than someone who works in the IT department at a corporate headquarters. Member-facing employees, for example, should always be trained in how to respond during a robbery or an active shooter scenario, whereas IT professionals should be well-versed in data protection and breach responses.

Review policy and security on an ongoing basis to make sure the right controls are in place. Local law enforcement can also help by providing training videos and other resources. And make sure employees understand that their safety is always the top priority. 

6. Social media can be a business continuity risk, but it can also be a valuable tool. 

Risk assessment should always include social media incidents – and companies should have a team that monitors social media for concerning comments and feedback. But social media can also be a positive tool during and after disasters, whether it’s used to raise funds for those impacted, notify employees of new information, or check on people’s safety. 

At PenFed, much of what we learned about preparing for risk, we learned from the remarkable community we serve. Our core members are military servicemembers who prepare every day for the likeliest and unlikeliest scenarios. As they work to keep us safe, we strive to work to keep them safe as well. And, just like the military, the more prepared an organization is, the better able it will be to respond quickly and efficiently in dangerous or stressful situations.  

Ken Brock is director of operational risk management for PenFed Credit Union. 

Copyright Holder: CUToday.info
Copyright Year: 2026