TD Banknorth

Document Sample
TD Banknorth Powered By Docstoc
					 Pandemic Preparedness
 Myths, Hype, and Reality

    FIRMA Phoenix, 2007

     Michael J. O’Connor

VP – Risk Contingency Manager

•   Presentation Objectives

•   Background

•   Incident Management Program

•   Definitions

•   Status of Threat

•   Planning Process

•   Key Research Areas

•   The Plan

•   Challenges

•   Information Sources

4/16/2007                         1
Presentation Objectives

•   Pandemic Preparedness Roadmap
      – A starting point for those who need it
      – More details for those who are further along
•   Sources of Information
      – Government, industry, medical
•   Myth-busting…
      – And deflecting the media hype
•   Lesson learned (so far)

4/16/2007                                              2

•   Headquartered in Portland, Maine
•   Approximately 59% owned by TD Bank Financial Group (TD)
      – Will likely be 100% by end of April, 2007 (pending final approval)
•   Over 9,000 employees
•   Approximately $40 billion in assets as of 12/31/06
      – Banking, Insurance brokerage, Wealth Management, Investment Planning lines
        of business
•   Markets served:
      – Maine, New Hampshire, Vermont, Massachusetts, Connecticut, New York, New
        Jersey, Philadelphia

4/16/2007                                                                            3
Incident Management Program

      • Need for formal, defined plans and testing
            – Contact lists, command centers, workgroup/system/process recovery,
              contingency plans
            – Table-top tests
            – Full-scale tests
      • Need for consistent approach
            – Defined communication; content, medium, and responsibility
            – Defined relationships; internal and external
            – Defined accountabilities; remember Al Haig?
      • Leverage program for “Minor” incidents

4/16/2007                                                                          4
 Incident Management Program


                         Qualification                                                                                  Post-
                             and                      Communication                     Closure                       Incident
and Routing
                          Initiation                                                                                  Review


         Objectives of each Stage

         Reporting and Routing – Ensure that the incident has been reported to the right person for decision-
         making and tracking purposes
         Qualification and Initiation – Notify key responders there may be an incident; determine if this is an
         incident; its severity; initiate the Incident Management Team; and develop appropriate Resolution,
         Communication, and Impact Mitigation plans
         Resolution/Communication/Impact Mitigation – Execute (and adjust as required) the appropriate
         plans developed by the Incident Management Team; report progress back to the Incident Management
         Closure – Ensure that all Resolution, Communication, and Impact Mitigation steps have been completed;
         also, define and manage any long-term recovery plans
         Post-Incident Review – Within 2 weeks of the incident being officially closed, assess the effectiveness of
         the Incident Response process as applied to this particular incident and develop recommendations for

 4/16/2007                                                                                                                       5
Incident Management Program

      • All TD Banknorth departments and subsidiaries
      • “Major” Incidents
            – Natural
            – Human-caused
      • Incidents managed by Risk Contingency Manager
            – There are exceptions...
            – Determined by Chief Executive Officer, Chief Operating Officer, Chief Risk
              Officer, Chief Auditor, or General Counsel

4/16/2007                                                                                  6
Incident Management Program

 Type                        SME                  Incident        Resolution Team   Communication   Mitigation Team
        PANDEMIC                                  Management Team Lead              Team Lead       Lead

 Phishing (External Fraud)   Risk Management      Primary
 3rd Party Data Breach       Risk Management      Primary
 Customer Data Compromise    Risk Management      Primary
 Internal eCrime             Corporate Security   Primary
 Flood                       Facilities           Primary
 Fire                        Facilities           Primary
 Blizzard                    Facilities           Primary
 Robbery                     Corporate Security   Primary
 Kidnapping/Hostage-Taking   Corporate Security   Primary
 Terrorism                   Corporate Security   Primary
 Technical Failure           Technology           Primary

 Phishing (External Fraud)   Risk Management      Secondary
 3rd Party Data Breach       Risk Management      Secondary
 Customer Data Compromise    Risk Management      Secondary
 Internal eCrime             Corporate Security   Secondary
 Flood                       Facilities           Secondary
 Fire                        Facilities           Secondary
 Blizzard                    Facilities           Secondary
 Robbery                     Corporate Security   Secondary
 Kidnapping/Hostage-Taking   Corporate Security   Secondary
 Terrorism                   Corporate Security   Secondary
 Technical Failure           Technology           Secondary

4/16/2007                                                                                                         7

•   Pandemic: A pandemic is defined as an outbreak of an infectious disease
    that spreads worldwide or across a very large part of the world
     – The disease must be new
     – The disease must affect humans, causing serious illness
     – The disease spreads easily and sustainably among humans

•   Influenza: An acute contagious viral infection characterized by
    inflammation of the respiratory tract and by fever, chills, and muscular
     – Avian viruses do not typically infect humans
          • Mutation
          • Transfer through another species
          • Extremely close contact

4/16/2007                                                                      8

            World Health Organization - 6 Pandemic Phases

4/16/2007                                                   9
Status of Threat

      • A current influenza virus (H5N1) is classified as a Stage
            Three pandemic health risk (per the World Health
            Organization’s Six Pandemic Stages)
            – The virus is not being transmitted from human-to-human, or it has spread
              in rare instances where there is very close contact (one instance of this in

      • Stages Four through Five indicate increased health risk
            – Stage Four: Small, localized clusters of human-to-human transmission
            – Stage Five: Larger, localized clusters of human-to-human transmission –
              Indicates substantial pandemic risk

      • Stage Six – Pandemic
            – Sustained, worldwide transmission in the general population

      • Preparedness and Planning are critical
            – There is no way to predict if the current virus will reach pandemic status
            – Planning efforts can be leveraged for other Major Incident Types

4/16/2007                                                                                    10
Pandemic Planning Framework

                             Corporate                                •Developed by Pandemic Working
            Communication       Containment       Impact Mitigation   Group members (SMEs)
  1         Employee            Hygiene, etc.     Human resources     •Presented to Operational Risk
            Media               Travel policy     Business            Committee for feedback
                                                                      •Approved by Executives
            Customer            Risk reduction    Vendor mgt.

             Critical Business Processes                              •Facilitated by Risk Management
                                                                      •Agreed to by participants
  2                 •General guidelines and principles
                                                                      •Presented to Operational Risk
                    •Prioritized list
                                                                      Committee for feedback
                                                                      •Approved by Executives

                    •Workgroup recovery                               •Leverage LDRPS work
                    •System recovery
                                                                      •Reviewed by Pandemic Working
                    •Staffing plan                                    Group
                    •Contac lists/communication protocol

4/16/2007                                                                                               11
Planning Process – Guiding Principles

      • Leverage existing internal and external materials
      • We are not physicians or medical experts; focus on the
            planning and preparation, not the status of the virus
      • Align planning and preparation to the World Health
            Organization’s 6 pandemic phases
      • Integrate efforts with the greater community
      • Manage effort as a formal program
             – The planning is ongoing and will never be complete

      • Enterprise impact = enterprise involvement
             – Broad representation
             – Top to bottom support

4/16/2007                                                           12
Planning Process

      •     Working Group and governance has been established
             –   Consists of Risk Management, Corporate Communications, Internal Communications,
                 Marketing, Human Resources, Corporate Security, Facilities, Safety, Technology
             –   Board Risk Committee receiving quarterly updates
             –   Executive Committee approving contents and supporting resource requirements

      •     Plan is being aligned to World Health Organization’s Six Pandemic
      •     Work plan is broken down into preparation for general impacts…
             –   Employees
             –   Partners
             –   Customers
             –   Vendors
             –   Facilities
             –   Technology and other Infrastructure
             –   Community

      •     As well as impacts to our critical business processes
             –   Business Line meeting has been facilitated to inventory and prioritize critical business
                 processes, and also understand service level agreements (including regulatory

4/16/2007                                                                                                   13
Planning Process – Corporate

                                                 Pandemic Alert             Pandemic
                             Owner   Phase III     Phase IV       Phase V   Phase VI

 Business Processes
  Impact Mitigation

  Impact Mitigation

  Impact Mitigation

  Impact Mitigation

  Impact Mitigation

  Impact Mitigation

  Impact Mitigation

  Impact Mitigation                                                                    14
Planning Process – Critical Business

      • Develop materials
            – Assumptions
            – Scenarios
            – Worksheets
      • Finalize assumptions
      • Select business line representatives
      • Distribute materials
      • Business Line Working Session
      • Follow up (gaps, questions)
      • Consolidate and publish document
      • Working Group review
      • Present Plan to Executive Management

4/16/2007                                      15
Planning Process – Critical Business
Process Assumptions

      • 40% absenteeism over 3 – 4 month period
      • Discretionary and Business Development activities on hold
      • Alternate delivery channel volume expected to increase
      • Vendor availability will be significantly reduced
      • Customer volume to decrease
      • Critical infrastructure may be impacted
      • Government restrictions may be in place

4/16/2007                                                           16
Key Research Areas

             National and TD Banknorth telecommunications
               –   Will our VPN be able to support additional volume?
               –   Will ISPs be able to support additional volume?
               –   Usage policy?
               –   Additional users?
               –   National telecommute day?

             Commitments from critical vendors
               – Identify critical vendors (Vendor Management program and critical
                 business process analysis)
               – Identify risks
               – Evaluate contracts
               – Survey their preparedness

             Temporary Human Resource (and other) policy changes
               – Modify policies to handle a pandemic scenario or create separate
                 pandemic policies
               – Who declares the “corporate state of emergency”?

4/16/2007                                                                            17
Key Research Areas (cont.)

             Temporary consolidation of branches
               – Close most branches and focus on alternate channels?
               – Requirements for employee entry?

             Cleaning and hygiene recommendations
               – Start now
               – Preparedness kits?

             Integration with state and local response planning
               – State Emergency Management Agencies
               – Law enforcement
               – Hospitals

4/16/2007                                                               18
Key Research Areas (cont.)

             Resource management strategies
               – Cross-training
               – Outsourcing
               – Sharing with TD

             Travel policy
               – Restrictions?
               – Tracking employees?
               – Testing upon return?

             Government actions
               – Quarantines
               – School closings
               – Regulatory changes

             Containment
               – Antivirals
               – Vaccine

4/16/2007                                      19
The Plan

             Communication
               – Employee
               – Media
               – Customer

             Hygiene, Cleaning, and Infection Control
             Pandemic Preparedness Kits
             Employee Travel
             Risk Reduction
             Human Resources
             Business Continuity
             Vendor Management
             Remote Access

4/16/2007                                                20
The Plan (cont.)

             Pandemic-specific policies
             Testing approach and plans
             Employee Assistance Program resources
             Contact lists
             Incident Management procedures
                – Command center
                – Escalation and notification
                – External reporting requirements

4/16/2007                                             21
      The Plan - Communication

           Audience           Medium                       Message/Content               Frequency      Delivered by                  Expected Result
Employee              Newsletter article   What is a pandemic?               Quarterly               Mark Fitzgerald   September, Awareness
                                           How are we planning for it?                                                   2006
                                           What can employees do?

                                Start now; will help to identify planning gaps

      4/16/2007                                                                                                                                22

      • Resource requirements
            – Competing priorities for internal subject-matter-experts
            – Vendor availability
            – Support for the development of the plan itself
      • Breadth, scale, and complexity of issues
            – A pandemic would impact every aspect of our business
            – Common assumptions are critical
      • What level of detail should the plan contain?
            – How detailed should the plans be for critical business processes?
            – How deep should managers plan for having backup resources?
      • Awareness, Advocacy, and Sponsorship
            – Need to stress importance of planning without scaring employees
            – Need to continue to provide employees with accurate information and
              dispel rumors
            – Need to ensure that Executive and Senior Management are continued
              advocates of the planning process

4/16/2007                                                                           23
Information Sources

•   The Great Influenza (John M. Barry)

4/16/2007                                 24
Questions and Discussion

4/16/2007                  25

Shared By: