Docstoc

TD Banknorth

Document Sample
TD Banknorth Powered By Docstoc
					 Pandemic Preparedness
 Myths, Hype, and Reality

    FIRMA Phoenix, 2007


     Michael J. O’Connor

VP – Risk Contingency Manager
Agenda


•   Presentation Objectives

•   Background

•   Incident Management Program

•   Definitions

•   Status of Threat

•   Planning Process

•   Key Research Areas

•   The Plan

•   Challenges

•   Information Sources




4/16/2007                         1
Presentation Objectives


•   Pandemic Preparedness Roadmap
      – A starting point for those who need it
      – More details for those who are further along
•   Sources of Information
      – Government, industry, medical
•   Myth-busting…
      – And deflecting the media hype
•   Lesson learned (so far)




4/16/2007                                              2
Background


•   Headquartered in Portland, Maine
•   Approximately 59% owned by TD Bank Financial Group (TD)
      – Will likely be 100% by end of April, 2007 (pending final approval)
•   Over 9,000 employees
•   Approximately $40 billion in assets as of 12/31/06
      – Banking, Insurance brokerage, Wealth Management, Investment Planning lines
        of business
•   Markets served:
      – Maine, New Hampshire, Vermont, Massachusetts, Connecticut, New York, New
        Jersey, Philadelphia




4/16/2007                                                                            3
Incident Management Program



      • Need for formal, defined plans and testing
            – Contact lists, command centers, workgroup/system/process recovery,
              contingency plans
            – Table-top tests
            – Full-scale tests
      • Need for consistent approach
            – Defined communication; content, medium, and responsibility
            – Defined relationships; internal and external
            – Defined accountabilities; remember Al Haig?
      • Leverage program for “Minor” incidents




4/16/2007                                                                          4
 Incident Management Program


                                                         Resolution




                         Qualification                                                                                  Post-
 Reporting
                             and                      Communication                     Closure                       Incident
and Routing
                          Initiation                                                                                  Review




                                                          Impact
                                                         Mitigation




         Objectives of each Stage

         Reporting and Routing – Ensure that the incident has been reported to the right person for decision-
         making and tracking purposes
         Qualification and Initiation – Notify key responders there may be an incident; determine if this is an
         incident; its severity; initiate the Incident Management Team; and develop appropriate Resolution,
         Communication, and Impact Mitigation plans
         Resolution/Communication/Impact Mitigation – Execute (and adjust as required) the appropriate
         plans developed by the Incident Management Team; report progress back to the Incident Management
         Team
         Closure – Ensure that all Resolution, Communication, and Impact Mitigation steps have been completed;
         also, define and manage any long-term recovery plans
         Post-Incident Review – Within 2 weeks of the incident being officially closed, assess the effectiveness of
         the Incident Response process as applied to this particular incident and develop recommendations for
         improvement.

 4/16/2007                                                                                                                       5
Incident Management Program



      • All TD Banknorth departments and subsidiaries
      • “Major” Incidents
            – Natural
            – Human-caused
      • Incidents managed by Risk Contingency Manager
            – There are exceptions...
            – Determined by Chief Executive Officer, Chief Operating Officer, Chief Risk
              Officer, Chief Auditor, or General Counsel




4/16/2007                                                                                  6
Incident Management Program


 Type                        SME                  Incident        Resolution Team   Communication   Mitigation Team
        PANDEMIC                                  Management Team Lead              Team Lead       Lead

 CRITICAL
 Phishing (External Fraud)   Risk Management      Primary
 3rd Party Data Breach       Risk Management      Primary
 Customer Data Compromise    Risk Management      Primary
 Internal eCrime             Corporate Security   Primary
 Flood                       Facilities           Primary
 Fire                        Facilities           Primary
 Blizzard                    Facilities           Primary
 Robbery                     Corporate Security   Primary
 Kidnapping/Hostage-Taking   Corporate Security   Primary
 Terrorism                   Corporate Security   Primary
 Technical Failure           Technology           Primary


 URGENT
 Phishing (External Fraud)   Risk Management      Secondary
 3rd Party Data Breach       Risk Management      Secondary
 Customer Data Compromise    Risk Management      Secondary
 Internal eCrime             Corporate Security   Secondary
 Flood                       Facilities           Secondary
 Fire                        Facilities           Secondary
 Blizzard                    Facilities           Secondary
 Robbery                     Corporate Security   Secondary
 Kidnapping/Hostage-Taking   Corporate Security   Secondary
 Terrorism                   Corporate Security   Secondary
 Technical Failure           Technology           Secondary

4/16/2007                                                                                                         7
Definitions


•   Pandemic: A pandemic is defined as an outbreak of an infectious disease
    that spreads worldwide or across a very large part of the world
     – The disease must be new
     – The disease must affect humans, causing serious illness
     – The disease spreads easily and sustainably among humans


•   Influenza: An acute contagious viral infection characterized by
    inflammation of the respiratory tract and by fever, chills, and muscular
    pain
     – Avian viruses do not typically infect humans
          • Mutation
          • Transfer through another species
          • Extremely close contact




4/16/2007                                                                      8
Definitions

            World Health Organization - 6 Pandemic Phases




4/16/2007                                                   9
Status of Threat



      • A current influenza virus (H5N1) is classified as a Stage
            Three pandemic health risk (per the World Health
            Organization’s Six Pandemic Stages)
            – The virus is not being transmitted from human-to-human, or it has spread
              in rare instances where there is very close contact (one instance of this in
              Indonesia)

      • Stages Four through Five indicate increased health risk
            – Stage Four: Small, localized clusters of human-to-human transmission
            – Stage Five: Larger, localized clusters of human-to-human transmission –
              Indicates substantial pandemic risk

      • Stage Six – Pandemic
            – Sustained, worldwide transmission in the general population

      • Preparedness and Planning are critical
            – There is no way to predict if the current virus will reach pandemic status
            – Planning efforts can be leveraged for other Major Incident Types



4/16/2007                                                                                    10
Pandemic Planning Framework

                             Corporate                                •Developed by Pandemic Working
            Communication       Containment       Impact Mitigation   Group members (SMEs)
  1         Employee            Hygiene, etc.     Human resources     •Presented to Operational Risk
            Media               Travel policy     Business            Committee for feedback
                                                  continuity
                                                                      •Approved by Executives
            Customer            Risk reduction    Vendor mgt.



             Critical Business Processes                              •Facilitated by Risk Management
                                                                      •Agreed to by participants
  2                 •General guidelines and principles
                                                                      •Presented to Operational Risk
                    •Prioritized list
                                                                      Committee for feedback
                                                                      •Approved by Executives



                           Departmental
                    •Workgroup recovery                               •Leverage LDRPS work
  3
                    •System recovery
                                                                      •Reviewed by Pandemic Working
                    •Staffing plan                                    Group
                    •Contac lists/communication protocol




4/16/2007                                                                                               11
Planning Process – Guiding Principles



      • Leverage existing internal and external materials
      • We are not physicians or medical experts; focus on the
            planning and preparation, not the status of the virus
      • Align planning and preparation to the World Health
            Organization’s 6 pandemic phases
      • Integrate efforts with the greater community
      • Manage effort as a formal program
             – The planning is ongoing and will never be complete

      • Enterprise impact = enterprise involvement
             – Broad representation
             – Top to bottom support




4/16/2007                                                           12
Planning Process



      •     Working Group and governance has been established
             –   Consists of Risk Management, Corporate Communications, Internal Communications,
                 Marketing, Human Resources, Corporate Security, Facilities, Safety, Technology
             –   Board Risk Committee receiving quarterly updates
             –   Executive Committee approving contents and supporting resource requirements

      •     Plan is being aligned to World Health Organization’s Six Pandemic
            Stages
      •     Work plan is broken down into preparation for general impacts…
             –   Employees
             –   Partners
             –   Customers
             –   Vendors
             –   Facilities
             –   Technology and other Infrastructure
             –   Community

      •     As well as impacts to our critical business processes
             –   Business Line meeting has been facilitated to inventory and prioritize critical business
                 processes, and also understand service level agreements (including regulatory
                 requirements)


4/16/2007                                                                                                   13
Planning Process – Corporate

                                                 Pandemic Alert             Pandemic
                             Owner   Phase III     Phase IV       Phase V   Phase VI

 Business Processes
  Containment
  Communication
  Impact Mitigation

 Employees
  Containment
  Communication
  Impact Mitigation

 Customers
  Containment
  Communication
  Impact Mitigation

 Partners
  Containment
  Communication
  Impact Mitigation

 Vendors
  Containment
  Communication
  Impact Mitigation

 Facilities
  Containment
  Communication
  Impact Mitigation

 Technology/Infrastructure
  Containment
  Communication
  Impact Mitigation

 Community
  Containment
  Communication
4/16/2007
  Impact Mitigation                                                                    14
Planning Process – Critical Business
Processes


      • Develop materials
            – Assumptions
            – Scenarios
            – Worksheets
      • Finalize assumptions
      • Select business line representatives
      • Distribute materials
      • Business Line Working Session
      • Follow up (gaps, questions)
      • Consolidate and publish document
      • Working Group review
      • Present Plan to Executive Management


4/16/2007                                      15
Planning Process – Critical Business
Process Assumptions


      • 40% absenteeism over 3 – 4 month period
      • Discretionary and Business Development activities on hold
      • Alternate delivery channel volume expected to increase
      • Vendor availability will be significantly reduced
      • Customer volume to decrease
      • Critical infrastructure may be impacted
      • Government restrictions may be in place




4/16/2007                                                           16
Key Research Areas



             National and TD Banknorth telecommunications
              infrastructure
               –   Will our VPN be able to support additional volume?
               –   Will ISPs be able to support additional volume?
               –   Usage policy?
               –   Additional users?
               –   National telecommute day?

             Commitments from critical vendors
               – Identify critical vendors (Vendor Management program and critical
                 business process analysis)
               – Identify risks
               – Evaluate contracts
               – Survey their preparedness

             Temporary Human Resource (and other) policy changes
               – Modify policies to handle a pandemic scenario or create separate
                 pandemic policies
               – Who declares the “corporate state of emergency”?

4/16/2007                                                                            17
Key Research Areas (cont.)



             Temporary consolidation of branches
               – Close most branches and focus on alternate channels?
               – Requirements for employee entry?

             Cleaning and hygiene recommendations
               – Start now
               – Preparedness kits?

             Integration with state and local response planning
               – State Emergency Management Agencies
               – Law enforcement
               – Hospitals




4/16/2007                                                               18
Key Research Areas (cont.)



             Resource management strategies
               – Cross-training
               – Outsourcing
               – Sharing with TD

             Travel policy
               – Restrictions?
               – Tracking employees?
               – Testing upon return?

             Government actions
               – Quarantines
               – School closings
               – Regulatory changes

             Containment
               – Antivirals
               – Vaccine



4/16/2007                                      19
The Plan



             Communication
               – Employee
               – Media
               – Customer

             Hygiene, Cleaning, and Infection Control
             Pandemic Preparedness Kits
             Employee Travel
             Risk Reduction
             Human Resources
             Business Continuity
             Vendor Management
             Remote Access


4/16/2007                                                20
The Plan (cont.)



             Pandemic-specific policies
             Testing approach and plans
             Employee Assistance Program resources
             Contact lists
             Incident Management procedures
                – Command center
                – Escalation and notification
                – External reporting requirements




4/16/2007                                             21
      The Plan - Communication



                                                                                                                         Date
           Audience           Medium                       Message/Content               Frequency      Delivered by                  Expected Result
Employee              Newsletter article   What is a pandemic?               Quarterly               Mark Fitzgerald   September, Awareness
                                           How are we planning for it?                                                   2006
                                           What can employees do?
Customer
Media




                                Start now; will help to identify planning gaps




      4/16/2007                                                                                                                                22
Challenges



      • Resource requirements
            – Competing priorities for internal subject-matter-experts
            – Vendor availability
            – Support for the development of the plan itself
      • Breadth, scale, and complexity of issues
            – A pandemic would impact every aspect of our business
            – Common assumptions are critical
      • What level of detail should the plan contain?
            – How detailed should the plans be for critical business processes?
            – How deep should managers plan for having backup resources?
      • Awareness, Advocacy, and Sponsorship
            – Need to stress importance of planning without scaring employees
            – Need to continue to provide employees with accurate information and
              dispel rumors
            – Need to ensure that Executive and Senior Management are continued
              advocates of the planning process



4/16/2007                                                                           23
Information Sources


•   The Great Influenza (John M. Barry)
•   www.pandemicflu.gov
•   www.who.int
•   www.fema.gov
•   www.cdc.gov/flu/avian/
•   www.dhs.gov/dhspublic/




4/16/2007                                 24
Questions and Discussion




4/16/2007                  25

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:3
posted:3/1/2012
language:
pages:26