Pandemic Planning for Financial Institutions: Plans are Worthless but Planning is Everything

Pandemic preparedness is an element of operational risk, which has long been recognized as a key risk category facing financial institutions. The precise details of a pandemic response plan are less important than a deep understanding of the bank’s systems and processes (both technological and human) and their dependencies.

By Jonathan Walcoff

April 22, 2020

The current COVID-19 pandemic has had devastating medical, social and financial effects around the world.  Much of the global economy has ground to a halt with no end in sight until the pandemic is controlled.  While resolving the medical issues must take first priority, we must also understand that financial institutions play an important role in helping society manage the crisis and ultimately restarting economic activity.  Pandemic preparedness is therefore a critical part of operational risk management and an important area of regulatory supervision.  Even if the actual crisis does not unfold in the way the plan predicted, the planning exercise is important.  As President Dwight D. Eisenhower said, “Plans are worthless but planning is everything.”[1]

Pandemic preparedness is an element of operational risk, which has long been recognized as a key risk category facing financial institutions.  The Basel Committee on Banking Supervision defines operational risk as “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events”[2].  Pandemics most directly implicate the dependency of the organization on its people but can also affect its customers and markets.[3]  The Basel Committee expressly identifies a pandemic as an event that can give rise to operational disruptions that “can result in significant financial losses to the bank, as well as broader disruptions to the financial system”.[4]  Both the Basel Committee and national bank regulators require banks to design and implement plans to mitigate the effects of business disruptions such as pandemics.[5]

The United States Federal Financial Institutions Examination Council notes that pandemic planning differs from traditional business continuity planning.  Technical failures, natural disasters and malicious activity are typically limited in duration and geographical scope.  Pandemics, on the other hand, are by their nature geographically widespread and of uncertain duration because they may appear in multiple waves.[6]  Unlike a technical failure or natural disaster, the effects of a pandemic cannot be addressed simply by moving operations to another location.  In a pandemic, there may not be sufficient healthy employees to perform required functions, the remote location may be in an infected area and social distancing requirements may make onsite work dangerous.

U.S. regulators have said that pandemic planning must, among other things:

Assess and prioritize essential business functions and processes that may be affected by a pandemic:

  • Identify the potential impact of a pandemic on the institution's essential business functions and processes, and supporting resources;
  • Identify the potential impact of a pandemic on customers: those that could be most affected and those that could have the greatest impact on the (local) economy;
  • Identify the legal and regulatory requirements for the institution’s business functions and processes; and
  • Estimate the maximum downtime associated with the institution’s business functions and processes that may occur during a pandemic.[7]

These are obviously sensible requirements but, in an environment where the world’s best epidemiologists and virologists are uncertain of the course of the COVID-19 pandemic, how can advance planning by banks effectively address these risks?  How, for example, can a bank “identify the potential impact of a pandemic on customers” when the severity, scope and duration of the pandemic are unknown? 

This type of question arises frequently in evaluating potential operational risks.  Banks are required to set aside capital for operational risk exposure. Under the Basel Committee’s Advanced Measurement Approach, this exposure is determined by the operational risk faced over a one-year period at a soundness level consistent with a 99.9 percent confidence level[8] - in other words, for events that can be predicted to occur more frequently than once in a thousand years.  This requirement provoked clever responses from bank managers about the limited data set of computer systems failures from the eleventh century, but that misses the point.  Consideration of previous operational risk events (both internal and external to the bank), together with scenario analysis by the bank’s subject matter experts and other business, environment and control factors, can be useful in quantifying a bank’s operational risk, even when the precise nature of the risk is not knowable.[9]

The precise details of a pandemic response plan are less important than a deep understanding of the bank’s systems and processes (both technological and human) and their dependencies.  Identifying and understanding the risks is critical when faced with an actual operational risk event such as a pandemic.  Once such an event occurs, it is too late, for example, to find out that the bank is dependent upon an outside service provider that is shut down.

President Eisenhower gained his insights into planning as Supreme Allied Commander in Europe during World War II, which included command of the Normandy invasion in June 1944[10].  He noted that “when you are planning for an emergency you must start with this one thing: the very definition of ‘emergency’ is that it is unexpected, therefore it is not going to happen the way you are planning”.[11]  But the knowledge gained in the planning process is critical once the emergency occurs.

As the COVID-19 pandemic plays out, we will gain valuable insights that will factor into planning for future pandemics and other operational risk events.  These future crises will no doubt raise new and unanticipated issues that can be effectively addressed only if a robust planning process that takes past events into account is in place.  Regulators should ensure that institutions under their supervision have thoughtful and detailed plans in place to address pandemics and other operational risks.


[1] See, Quote Investigator, https://quoteinvestigator.com/2017/11/18/planning/#note-17261-1 (hereinafter, “Quote Investigator”).

[2] Basel Committee on Banking Supervision, Principles for the Sound Management of Operational Risk, note 5 (2011).  https://www.bis.org/publ/bcbs195.pdf  (hereinafter “BIS Principles”)

[3] There can also be second order effects, such as an increased vulnerability to cyber attacks during a period when people resources are depleted.  See Costas Mourselas, A Peek Inside Op Risk Managers Corona Virus Response, risk.net (March 6, 2020).  https://www.risk.net/risk-management/7491576/a-peek-inside-op-risk-managers-coronavirus-toolkit

[4] BIS Principles, supra note 2, at paragraph 57.

[5] Id., Federal Financial Institutions Examination Council, Interagency Statement on Pandemic Planning (March 6, 2020).  https://www.ffiec.gov/press/PDF/FFIEC Statement on Pandemic Planning.pdf The FFIEC is comprised of representatives of the major U.S. federal bank regulators including the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation and the Consumer Financial Protection Bureau.

[6] Id.

[7] Id. at pp.5-6.

[8] Federal Deposit Insurance Corporation, “Operational Risk Management:  An Evolving Discipline”, Supervisory Insights, Summer 2006.  https://www.fdic.gov/regulations/examinations/supervisory/insights/sisum06/sisummer06-article1.pdf. Note that under the Basel III regime, the Advanced Measurement Approach will not be available.  See, Basel Committee on Banking Supervision, “Basel III: Finalizing Post-Crisis Reforms” (December 2017) at 128 et seq.  https://www.bis.org/bcbs/publ/d424.pdf

[9] Board of Governors of the Federal Reserve System, FEDS Notes, “Is Operational Risk Management Forward-Looking and Sensitive to Current Risks?” (May 21, 2018). https://www.federalreserve.gov/econres/notes/feds-notes/operational-risk-regulation-forward-looking-and-sensitive-to-current-risks-20180521.htm

[10] This was the largest amphibious invasion in the history of warfare.  See, Imperial War Museum, “The 10 Things You Need to Know About D-Day”, (4 January 2018) https://www.iwm.org.uk/history/the-10-things-you-need-to-know-about-d-day

[11] Quote Investigator, note 1


Jonathan Walcoff practiced corporate, securities and financial law for more than 30 years in New York, Tokyo and Hong Kong, most recently as Managing Director & Associate General Counsel of JPMorgan Chase & Co.  He is a member of the Board of Visitors of Columbia Law School and previously served on the Committee on Securities Regulation of the Association of the Bar of the City of New York.  He is a graduate of Dartmouth College and Columbia Law School.
