OPERATIONAL RISK

A Guide for Community Banks on Natural Disaster Planning and Preparedness

Download this Guide

Introduction

Community banks across the country face numerous risks and threats to their operations. From cyber threats to pandemics and everything in between. While many of these risks can be planned for and mitigated through defensive measures, natural disasters are highly unpredictable and may cause impact to bank operations with limited warning. Hurricanes, forest fires, earthquakes, droughts, and other types of severe weather all pose major threats, not only to community banks but to communities as a whole.


Know your State Resources

Every state faces different risks when it comes to natural disasters, whether those risks be hurricanes, wildfires, or something completely different. Understanding the risks associated with your state and region of the country will help to identify proper resources for both preparedness and response.

To assist your bank in developing your response and improving your preparedness, the following resources can be accessed in most states:


Event-Specific Resources

Natural disasters that impact multiple regions such as hurricanes, earthquakes, and wildfires have many national-level resources. These event-specific resources can be critical to a bank’srecovery and response efforts:

Hurricane Resources

Earthquake Resources

Wildfire Resources


Know your Emergency Response Services

A disaster is not the time to research your local, state, and national emergency response services. Local police and fire departments, county sheriffs, state police, FBI, Secret Service, and even National Guard should be contacted prior to an emergency to ensure your business needs can be met and your bank has an understanding of the processes that will be followed during an emergency. Creating and maintaining contacts within various emergency responders can be the difference between quickly returning to normal operations and unnecessary delays.

Physical security during a natural disaster should not be overlooked. Criminals thrive during crises and banks that have been damaged, are without power, or otherwise inaccessible make attractive targets. Below is contact information for FBI and USSS Field Offices so that you may begin establishing strong relationships prior to an event.


Planning for Business Continuity

Creating a business continuity plan for your bank is an integral piece of your bank’s crisis response and enhances your bank’s recovery capabilities. In 2019, the Federal Financial Institutions Examination Council (FFIEC) updated their Information Technology Examination Handbook’s Business Continuity Management (BCM) Booklet.

This examination booklet describes business continuity management as “the process for management to oversee and implement resilience, continuity, and response capabilities to
safeguard employees, customers, and services.” This must be a top-down plan, beginning with the board and senior management, aligned with the bank’s strategic objectives and risk appetite.

Key items to consider for your BCM Plan:

  • Adopt policies and plans to manage all risks to the bank’s business continuity.
  • Define roles and responsibilities for incident response, including staff succession.
  • Evaluate and perform a business impact analysis.
  • Identify business-critical functions and interdependencies these functions may have.
  • Identify third-party service providers who may ease operational burden, if appropriate.
  • Develop a communications plan for both internal (employees) and external stakeholders
    (customers, general public).

Questions to ask when preparing your BCM Plan:

  • Do staff members know their role in an emergency?
  • What happens if staff members are unavailable to perform their BCM roles?
    • Do back-up staff members know what to do?
  • Is the bank prepared to continue operations if access to physical locations is impaired?
    • Can the bank meet customers’ needs if physical locations are inaccessible?
  • Who will the bank contact when experiencing a crisis event (order of priority will vary depending on the event)?
    • Board of Directors
    • Regulator
    • Law Enforcement
    • Insurance Company
    • Customers
  • What is the plan if a Recovery Time Objective (RTO) cannot be met?
  • Does the bank have plans and procedures for all types of risks?
    • Fires
    • Floods
    • Hurricanes
    • Earthquakes
    • Pandemics
    • Droughts
    • Critical infrastructure failures (power, water, transportation, energy/gas)
    • Other risks unique to the bank’s geographic location

All community banks are encouraged to explore the FFIEC’s Business Continuity Management Booklet for information on what examiners may expect to find in your bank’s business continuity plans. The information found in the booklet should be considered a minimum response when preparing for events that may invoke business continuity plans and procedures.


Exercising Plans

Exercising plans is a critical component of preparing for natural disasters. While some exercises, such as fire drills, may be commonplace in most organizations, preparing for all types of potential events is critical in ensuring a bank’s resilience.

Additionally, external training and exercising for key staff can prove beneficial. The following resources are available on ICBA’s Natural Disaster Resources webpage: