TD Banknorth

Pandemic Preparedness
Myths, Hype, and Reality
FIRMA Phoenix, 2007
Michael J. O’Connor
VP – Risk Contingency Manager
Agenda
• Presentation Objectives
• Background
• Incident Management Program
• Definitions
• Status of Threat
• Planning Process
• Key Research Areas
• The Plan
• Challenges
• Information Sources
4/16/2007
Presentation Objectives
• Pandemic Preparedness Roadmap
– A starting point for those who need it
– More details for those who are further along
• Sources of Information
– Government, industry, medical
• Myth-busting…
– And deflecting the media hype
• Lesson learned (so far)
Background
• Headquartered in Portland, Maine
• Approximately 59% owned by TD Bank Financial Group (TD)
– Will likely be 100% by end of April, 2007 (pending final approval)
• Over 9,000 employees
• Approximately $40 billion in assets as of 12/31/06
– Banking, Insurance brokerage, Wealth Management, Investment Planning lines of business
• Markets served:
– Maine, New Hampshire, Vermont, Massachusetts, Connecticut, New York, New Jersey, Philadelphia
Incident Management Program
• Need for formal, defined plans and testing
– Contact lists, command centers, workgroup/system/process recovery,
contingency plans
– Table-top tests
– Full-scale tests
• Need for consistent approach
– Defined communication; content, medium, and responsibility
– Defined relationships; internal and external
– Defined accountabilities; remember Al Haig?
• Leverage program for “Minor” incidents
Incident Management Program
[Diagram: incident management stages: Reporting and Routing; Qualification and Initiation; Resolution, Communication, and Impact Mitigation; Closure; Post-Incident Review]
Objectives of each Stage
Reporting and Routing – Ensure that the incident has been reported to the right person for decision-making and tracking purposes
Qualification and Initiation – Notify key responders there may be an incident; determine if this is an incident; its severity; initiate the Incident Management Team; and develop appropriate Resolution, Communication, and Impact Mitigation plans
Resolution/Communication/Impact Mitigation – Execute (and adjust as required) the appropriate plans developed by the Incident Management Team; report progress back to the Incident Management Team
Closure – Ensure that all Resolution, Communication, and Impact Mitigation steps have been completed; also, define and manage any long-term recovery plans
Post-Incident Review – Within 2 weeks of the incident being officially closed, assess the effectiveness of the Incident Response process as applied to this particular incident and develop recommendations for improvement.
Incident Management Program
• All TD Banknorth departments and subsidiaries
• “Major” Incidents
– Natural
– Human-caused
• Incidents managed by Risk Contingency Manager
– There are exceptions...
– Determined by Chief Executive Officer, Chief Operating Officer, Chief Risk
Officer, Chief Auditor, or General Counsel
Incident Management Program
Table headings: Type; SME; Resolution Team; Incident Management Team Lead; Communication Team Lead; Mitigation Team Lead
CRITICAL (each entry marked Primary)
• Phishing (External Fraud): Risk Management
• 3rd Party Data Breach: Risk Management
• Customer Data Compromise: Risk Management
• Internal eCrime: Corporate Security
• Flood: Facilities
• Fire: Facilities
• Blizzard: Facilities
• Robbery: Corporate Security
• Kidnapping/Hostage-Taking: Corporate Security
• Terrorism: Corporate Security
• Technical Failure: Technology
URGENT (each entry marked Secondary)
• Phishing (External Fraud): Risk Management
• 3rd Party Data Breach: Risk Management
• Customer Data Compromise: Risk Management
• Internal eCrime: Corporate Security
• Flood: Facilities
• Fire: Facilities
• Blizzard: Facilities
• Robbery: Corporate Security
• Kidnapping/Hostage-Taking: Corporate Security
• Terrorism: Corporate Security
• Technical Failure: Technology
PANDEMIC
Definitions
• Pandemic: A pandemic is defined as an outbreak of an infectious disease that spreads worldwide or across a very large part of the world
– The disease must be new
– The disease must affect humans, causing serious illness
– The disease spreads easily and sustainably among humans
• Influenza: An acute contagious viral infection characterized by inflammation of the respiratory tract and by fever, chills, and muscular pain
– Avian viruses do not typically infect humans
• Mutation
• Transfer through another species
• Extremely close contact
Definitions
World Health Organization - 6 Pandemic Phases
Status of Threat
• A current influenza virus (H5N1) is classified as a Stage
Three pandemic health risk (per the World Health
Organization’s Six Pandemic Stages)
– The virus is not being transmitted from human-to-human, or it has spread
in rare instances where there is very close contact (one instance of this in
Indonesia)
• Stages Four through Five indicate increased health risk
– Stage Four: Small, localized clusters of human-to-human transmission
– Stage Five: Larger, localized clusters of human-to-human transmission –
Indicates substantial pandemic risk
• Stage Six – Pandemic
– Sustained, worldwide transmission in the general population
• Preparedness and Planning are critical
– There is no way to predict if the current virus will reach pandemic status
– Planning efforts can be leveraged for other Major Incident Types
Pandemic Planning Framework
1. Corporate
• Communication: Employee, Media, Customer
• Containment: Hygiene, etc.; Travel policy; Risk reduction
• Impact Mitigation: Human resources; Business continuity; Vendor mgt.
2. Critical Business Processes
• General guidelines and principles
• Prioritized list
• Developed by Pandemic Working Group members (SMEs)
• Presented to Operational Risk Committee for feedback
• Approved by Executives
• Facilitated by Risk Management
• Agreed to by participants
• Presented to Operational Risk Committee for feedback
• Approved by Executives
3. Departmental
• Workgroup recovery
• Leverage LDRPS work
• System recovery
• Reviewed by Pandemic Working Group
• Staffing plan
• Contact lists/communication protocol
Planning Process – Guiding Principles
• Leverage existing internal and external materials
• We are not physicians or medical experts; focus on the
planning and preparation, not the status of the virus
• Align planning and preparation to the World Health
Organization’s 6 pandemic phases
• Integrate efforts with the greater community
• Manage effort as a formal program
– The planning is ongoing and will never be complete
• Enterprise impact = enterprise involvement
– Broad representation
– Top to bottom support
Planning Process
• Working Group and governance has been established
– Consists of Risk Management, Corporate Communications, Internal Communications, Marketing, Human Resources, Corporate Security, Facilities, Safety, Technology
– Board Risk Committee receiving quarterly updates
– Executive Committee approving contents and supporting resource requirements
• Plan is being aligned to World Health Organization’s Six Pandemic Stages
• Work plan is broken down into preparation for general impacts…
– Employees
– Partners
– Customers
– Vendors
– Facilities
– Technology and other Infrastructure
– Community
• As well as impacts to our critical business processes
– Business Line meeting has been facilitated to inventory and prioritize critical business processes, and also understand service level agreements (including regulatory requirements)
Planning Process – Corporate
Column headings: Owner; Pandemic Alert (Phase III, Phase IV, Phase V); Pandemic (Phase VI)
Rows, each divided into Containment, Communication, and Impact Mitigation:
• Business Processes
• Employees
• Customers
• Partners
• Vendors
• Facilities
• Technology/Infrastructure
• Community
Planning Process – Critical Business Processes
• Develop materials
– Assumptions
– Scenarios
– Worksheets
• Finalize assumptions
• Select business line representatives
• Distribute materials
• Business Line Working Session
• Follow up (gaps, questions)
• Consolidate and publish document
• Working Group review
• Present Plan to Executive Management
Planning Process – Critical Business Process Assumptions
• 40% absenteeism over 3 – 4 month period
• Discretionary and Business Development activities on hold
• Alternate delivery channel volume expected to increase
• Vendor availability will be significantly reduced
• Customer volume to decrease
• Critical infrastructure may be impacted
• Government restrictions may be in place
Key Research Areas
• National and TD Banknorth telecommunications infrastructure
– Will our VPN be able to support additional volume?
– Will ISPs be able to support additional volume?
– Usage policy?
– Additional users?
– National telecommute day?
• Commitments from critical vendors
– Identify critical vendors (Vendor Management program and critical business process analysis)
– Identify risks
– Evaluate contracts
– Survey their preparedness
• Temporary Human Resource (and other) policy changes
– Modify policies to handle a pandemic scenario or create separate pandemic policies
– Who declares the “corporate state of emergency”?
Key Research Areas (cont.)
• Temporary consolidation of branches
– Close most branches and focus on alternate channels?
– Requirements for employee entry?
• Cleaning and hygiene recommendations
– Start now
– Preparedness kits?
• Integration with state and local response planning
– State Emergency Management Agencies
– Law enforcement
– Hospitals
Key Research Areas (cont.)
• Resource management strategies
– Cross-training
– Outsourcing
– Sharing with TD
• Travel policy
– Restrictions?
– Tracking employees?
– Testing upon return?
• Government actions
– Quarantines
– School closings
– Regulatory changes
• Containment
– Antivirals
– Vaccine
The Plan
• Communication
– Employee
– Media
– Customer
• Hygiene, Cleaning, and Infection Control
• Pandemic Preparedness Kits
• Employee Travel
• Risk Reduction
• Human Resources
• Business Continuity
• Vendor Management
• Remote Access
The Plan (cont.)
• Pandemic-specific policies
• Testing approach and plans
• Employee Assistance Program resources
• Contact lists
• Incident Management procedures
– Command center
– Escalation and notification
– External reporting requirements
The Plan - Communication
• Audience: Employee
– Medium: Newsletter article
– Message/Content: What is a pandemic? How are we planning for it? What can employees do?
– Frequency: Quarterly
– Delivered by: Mark Fitzgerald
– Date: September, 2006
– Expected Result: Awareness
• Audience: Customer
• Audience: Media
Start now; will help to identify planning gaps
Challenges
• Resource requirements
– Competing priorities for internal subject-matter-experts
– Vendor availability
– Support for the development of the plan itself
• Breadth, scale, and complexity of issues
– A pandemic would impact every aspect of our business
– Common assumptions are critical
• What level of detail should the plan contain?
– How detailed should the plans be for critical business processes?
– How deep should managers plan for having backup resources?
• Awareness, Advocacy, and Sponsorship
– Need to stress importance of planning without scaring employees
– Need to continue to provide employees with accurate information and
dispel rumors
– Need to ensure that Executive and Senior Management are continued
advocates of the planning process
Information Sources
• The Great Influenza (John M. Barry)
• www.pandemicflu.gov
• www.who.int
• www.fema.gov
• www.cdc.gov/flu/avian/
• www.dhs.gov/dhspublic/
Questions and Discussion