On 6 March 2020, the Dutch Central Bank (De Nederlandsche Bank, DNB) issued a press release emphasising the potential major impact of the Coronavirus on the continuity of financial institutions.
DNB believes that the Coronavirus requires a different approach from standard continuity planning. Financial institutions have traditionally focused on the continuity of their services in the form of business continuity management processes and business continuity plans (BCPs). BCPs are typically aimed at restoring critical business processes after relatively short disruptions caused by natural disasters, infrastructure failures and terrorist attacks. However, DNB points out that a pandemic can take weeks to months at a time and is generally not a one-off short-term incident. During a prolonged period of time financial institutions could face significant absenteeism rates from staff or quarantine measures imposed by (local) authorities. This could impact business activities and have an effect on administrative decision-making within a financial institution. Given the national impact and the expected duration of a pandemic, it will prove difficult to continue critical business processes at fall-back locations.
DNB notes that BPCs that are sufficient to deal with brief isolated events may prove insufficient in the event of a continuing pandemic. DNB expects financial institutions to have recognised this risk, analysed its impact and, where necessary, to have taken additional measures. More specifically, DNB expects that the following is addressed in financial institutions’ business continuity management:
- Financial institutions should proactively follow the developments surrounding a possible pandemic. Preferably a multidisciplinary team should be set up, comprising representatives from IT, HR, business and business continuity planning.
- Possible consequences for the establishment of a (flu) pandemic should be mapped and analysed. When elaborating this (risk) analysis and defining measures derived from it, financial institutions must be sufficiently aware of their social importance and the importance of their role in the financial system.
- Existing BCPs should be assessed for adequacy, taking into account the possible operational consequences of a pandemic (including 30 percent or even more absence of staff). Where necessary, improvements to existing BCPs should be implemented as soon as possible, taking into account both the directly time-critical business processes and the business processes that become critical in the event of (long-term) outages. These can be processes that are not defined as critical in regular circumstances. An evaluation of the (IT) change calendar should be part of this.
- The pandemic scenario should be explicitly included in the test strategy of BCPs.
- Changing behaviour and preferences of customers and staff should be taken into account and infrastructural facilities must be able to support a strong increase in internet traffic (working from home).
- It must be verified that, where external service providers and / or critical suppliers are used, such parties have taken adequate measures and are sufficiently prepared for a pandemic (the dependence on all outsourcing partners must be clear and measures must be sufficient). In the case of critical outsourcing relationships (or suppliers), this may mean that outsourcing partners / suppliers for multiple financial institutions must be able to continue to provide services.