AB 2511 compliance is proving challenging for most skilled nursing facilities (SNFs) in California, with many receiving citations for non-compliance during life safety code surveys since the requirements went into effect on January 1, 2024.

Adherence to AB 2511 is critical, as SNFs are trusted with providing life-saving care around the clock. AB 2511 introduced new requirements for SNFs, including:

  • Increasing onsite fuel storage for emergency power systems from 6 to 96 hours
  • Expanding the requirement for emergency power to include heating and cooling systems and life-sustaining equipment

To address non-compliance, SNFs must submit a plan of correction (POC) that includes evidence of compliance, such as a memorandum of understanding (MOU) with a fuel delivery provider and documentation of assessment results reviewed by the Department of Health Care Access and Information (HCAI). The POC should also include:

  • A narrative and timeline for resolving non-compliance
  • Copies of contracts with relevant parties
  • Details of temporary measures to ensure safe temperatures and emergency power for life-sustaining equipment during construction

Temporary measures should align with the facility's emergency operations plan (EOP) for utility or power loss, and information about third-party support services should be provided if applicable.

How Agility Recovery Can Help

A membership with Agility can help skilled nursing facilities maintain compliance with AB 2511 by being your dedicated fuel provider, ensuring fuel is delivered in a timely manner, providing scalable power recovery solutions, and producing proof of compliance and documentation for your plan of correction (POC).

Earlier this year, Agility Recovery and The Conference Board joined forces for an extensive study, examining the growing significance of operational resilience.

Analyzing data from 147 business continuity professionals, 85 executives, and individuals from 56 firms, the study underscores the pivotal role operational resilience programs play in distinguishing between a business's success and failure during crises. This article delves into the connection between the report and ongoing events. It also explores how these events influence the perspectives of the continuity professionals surveyed in the study. Prepare for some surprising insights into what experts consider the most dangerous threats and what they believe might not be as critical. While every business has different needs, many of the threats to their continuity plans remain the same.

Perceptions vs. Reality in Operational Resilience

In the realm of operational resilience, perceptions don't always align with reality. While persistent cyberattacks, including DDoS, social engineering, phishing, and ransomware, top the list of perceived threats, several organizations that have experienced these attacks reported minor impacts. Are these threats being overestimated, or are organizations genuinely well-prepared? On the flip side, terrorist attacks, despite their global prominence, score the lowest in terms of both major impact and future risk. Recent events, such as the massive cache of military weapons left in Afghanistan, highlight the potential for determined bad actors to create global havoc. Some of these weapons have turned up in Kashmir and continue to fuel the conflict between India and Pakistan, two nuclear powers. The geopolitical landscape adds another layer of complexity. Despite ongoing tensions like Russia-Ukraine and China-Taiwan, geopolitical conflict and war are only recognized as a "top 5" risk by 40% of respondents. This raises questions about our perception of risk in the face of global military powers. Meanwhile, economic uncertainty casts a significant shadow, with the global economy weakening, interest rates rising, inflation continuing, and recession looming. These facts and figures challenge organizations to navigate the complex terrain of operational resilience and business continuity effectively.

The Lingering Impact of Pandemic Disruption: Perceived vs. Future Risk

Pandemic disruption continues to cast a long shadow over the global economic landscape. It's worth noting that 64% of respondents acknowledge its catastrophic or major impact on businesses. Surprisingly, only 12% consider it a top-5 risk in the future. This discrepancy may stem from the belief that, as a known event, most companies handled the pandemic well. However, this perspective could be shortsighted. Future epidemics or pandemics may introduce different risk factors and impacts, underscoring the need for ongoing preparedness. The toll of COVID-19 is a stark reminder. Lockdowns, supply chain disruptions, business closures, illness affecting over 676 million people, and more than 6.8 million deaths worldwide serve as somber statistics. Few business continuity plans effectively addressed the novel virus, leaving uncertainty about their applicability to future pandemics. Moreover, resilience professionals voice concerns about the technology and human risks associated with the shift to remote and hybrid work trends, citing lower employee engagement, reduced collaboration, and increased burnout. The proliferation of remote work locations adds new physical risks to the equation, as organizations must consider the safety of employees in numerous diverse settings. Exploring the disparities between perceived and future risks sheds light on the multifaceted challenges of operational resilience and business continuity in a post-pandemic world.

Risks of Remote Work: Balancing Benefits and Concerns

While reducing physical office space can boost the bottom line, organizations embracing remote/hybrid work face a delicate balance of benefits and risks. Despite enjoying reduced real estate footprints and expanded labor recruitment opportunities, 65% of respondents express concern about the overall risk associated with current remote/hybrid work strategies. The advantages for employees, such as eliminated commutes and increased time with family, are tempered by challenges. Diminished engagement, collaboration, and heightened screen fatigue contribute to burnout, potentially impacting productivity and organizational objectives. Human-factor risks abound in the remote workspace, with an expanding cyber attack surface and the presence of external entities—kids, cleaners, pet sitters, and curious roommates—introducing security concerns. Moreover, the lack of control over local power and internet infrastructure poses additional risks. Questions about technology deployment, broadband/WiFi stability, and potential weather-related outages underscore the complexities of managing a remote workforce. As organizations strive for remote work success, acknowledging and mitigating these risks becomes paramount in maintaining a secure and productive virtual environment.

Unraveling the Investment Landscape in Operational Resilience

The realm of operational resilience is witnessing a surge in spending, but accurately benchmarking these investments poses a challenge for leaders. Parameters such as geographic locations, technology architecture, regulations, and risk tolerance play pivotal roles in shaping effective programs. Whether decentralized or centrally directed, the diversity in operational resilience labor models further complicates spending pattern assessments. Respondents reveal that 60% of operational resilience spending is directed towards labor and purpose-fit tools, yet the accuracy of spending patterns remains uncertain. Technology failover and alternate workspace recovery constitute a modest 16% of spending, showcasing the challenges in benchmarking accountability and costs. When IT is outsourced to a third party, the responsibilities of the third-party provider are variable, which complicates building a robust disaster recovery strategy. With the evolving landscape of remote/hybrid work, traditional work area recovery models are being reevaluated, reflecting shifts in recovery strategies. Before COVID-19, numerous organizations would engage in contracts for a designated "hot/warm" site, intending to recover critical office staff in the event of an impact on a building. However, in the aftermath of the global pandemic, organizations are reassessing the risk/reward proposition of remote/hybrid working arrangements and making adjustments to their recovery strategies. The remaining 24% of spending is allocated to crucial activities like exercising, testing, training, and travel—a critical investment to bridge the gap between executive expectations and actual preparedness. As organizations navigate the complexities of operational resilience, understanding these investment dynamics becomes pivotal in fostering true preparedness. The study highlights a notable disparity between what executives expect and the actual state of preparedness.
To bridge this gap and gain a genuine understanding of readiness, it is crucial to test and exercise capabilities. Furthermore, identifying gaps in recovery time (RTO) and recovery point (RPO) objectives enables better focus and prioritization of efforts to address these shortcomings.

Conclusion

In the intricate landscape of operational resilience, this exploration reveals a striking dissonance between perceptions and realities. From the overestimation of cyber threats to the underestimated risks of geopolitical conflicts, organizations grapple with aligning their strategies with the ever-shifting tides of global uncertainties. The enduring impact of the pandemic, the challenges of remote work, and the enigma of investment dynamics underscore the multifaceted nature of navigating operational resilience. As we unravel the intricacies, it becomes evident that a holistic and adaptive approach is essential for businesses to not only survive but thrive in the face of evolving risks.

A large part of business continuity planning is defining your organization’s RTO, or recovery time objective. How long can you realistically afford to be nonoperational? Defining your RTO can help your management and crisis teams understand expectations for recovery. Business continuity testing plays a huge part in determining whether you can realistically meet your RTOs and efficiently recover from a disaster.

Test to Know Exactly What Your Company Needs to Recover – and to Leverage the Resources Available to You

If you do not test, how can you know what recovery looks like for your organization and what you will need most urgently? One Agility customer discovered this the hard way. Though the bank had maintained a contract with Agility (previously with Rentsys) for years, they had never opted to schedule any testing with Agility’s customer success team. The bank knew they needed to have a continuity plan and recovery services available for compliance purposes but were unclear about what the recovery process would look like if their physical space were impacted by a disaster. When a hurricane hit their town, the bank’s team assumed they wanted a mobile unit, but did not know what that entailed, such as time for delivery and setup, options and additional cost drivers, or even where the unit could be installed. Agility was able to use Google Maps to estimate a zone where the unit could be installed but needed on-the-ground support to truly understand the layout. It wasn’t until this client saw another bank with an Agility mobile unit set up that they began to understand the capability of Agility’s recovery team, and they reached out to their Agility representative to understand what Agility could provide quickly to get the bank back up and running. Before seeing a recovery environment in person, it was hard for the bank to understand the benefits physical recovery services would bring. In short: By testing, you will identify the needs for your business – and pinpoint what’s needed for optimal response – before disaster strikes to be able to hit the ground running.

Test to Know What to Expect During a Recovery

Hopefully, a disaster like a tornado, hurricane, or even a major power outage is something that happens only once to your business. By testing, you will know what to expect if or when that disaster happens and set expectations among both your leadership and customers. From testing, organizations understand that downed trees, closed roads, and more can delay a recovery, since resources cannot easily get through barriers. Organizations must also often work with local municipalities to secure letters allowing recovery providers to pass through barricades. These things factor into your recovery timeline so you can prepare your customers. Finally, a recovery environment will never be able to completely recreate your office environment. If you test, this will not be a surprise, and you will be ready to dive into work in a modified space. The most important thing is that your business will be back up and running and operational.

Test to Learn What Permits Your Organization Needs

Oftentimes, what delays a recovery is paperwork. At the time of a major interruption, permits will be the last thing on your organization’s mind, but without them, recovery may be impossible. During testing, we encourage customers to incorporate all permitting aspects and involve those entities, so they are not blindsided during a recovery. Each state is different in how they handle permitting – if your business has multiple branches, it must account for different legal requirements. Recovery providers must rely on our clients to investigate permitting; though we cannot do it for businesses, we can help with networking. In fact, we helped one client with a permitting specialist to reduce a 4-6-week turnaround time for permits to just one week. Do not let a visit from the fire inspector be the reason you are unable to serve your customers!

In Conclusion

Defining your RTO is just one step in business continuity planning and disaster preparedness. Agility offers an integrated business continuity solution that helps businesses plan, test, train, alert, and recover – all in one. We offer several types of testing, including virtual tabletops, in-person tabletops, onsite mobile testing, and testing at our facilities throughout the U.S. Reach out to us today to learn more.

Experts rank business interruption as a top threat facing companies in 2022. Maybe it's no surprise that New York has new rules for business continuity plans. These rules affect the insurance industry. Does your business continuity plan meet the new standards? Do you have a business continuity plan? Learn more about the new rules and how to ensure your company is compliant.

New Regulations for NY Insurance Companies’ Business Continuity Plans

The New York Department of Financial Services (DFS) issued Circular Letters 6 and 7 (2021) in July 2021. They outline new regulations about how insurance companies work during a disaster through rules covering disaster planning, preparation, and response. The letters apply to insurers that are authorized in New York and serve customers in the state. Letter 6 is directed toward property or casualty insurers. Letter 7 applies to life and health insurers. The new regulations replace those in DFS Circular Letters 5 and 6 from 2019. The COVID-19 pandemic was one of the main reasons for implementing new standards. As DFS states, though, New York has a history of responding to disasters. Major storms, floods, terrorist attacks, and cybersecurity breaches have all affected the state.

What Do the New Guidelines Require?

Insurers authorized in New York must create and maintain two types of plans:

  1. Business continuity
  2. Disaster recovery

These plans must meet DFS standards. Insurers must conduct a business impact analysis. This analysis looks at how a disaster could disrupt business functions. Insurers must do a business impact and risk-based analysis at least once a year. They must also complete a risk-based analysis that evaluates the company's ability to help customers in New York affected by a disaster. All New York-authorized insurers must submit the following items to DFS:

  • Disaster response plan
  • Completed disaster response plan questionnaire
  • Completed business continuity plan questionnaire

The deadline for submission was October 8, 2021. Some property/casualty insurance companies must also submit a pre-disaster data survey.

What to Consider in a Business Impact Analysis

The results of a business impact analysis affect your business continuity plan. The impact analysis should identify the impacts of a disaster-related disruption. It takes into account operational and financial effects. A business impact analysis needs to consider several factors, including:

  • When a disruption would have the most impact, like a specific season or the end of a quarter
  • Period before which the disruption would have an impact
  • The operational and financial effects of physical damage to assets
  • The effect of a loss of information technology
  • The impact of the absence of critical employees
  • Necessary resources for the company to continue operations at different levels of disruption
  • The likelihood that customers’ dissatisfaction would lead them to choose another insurer

DFS requires a business impact analysis at least yearly. Doing it more frequently may be necessary. You can make updates if your business circumstances change during the year.

What to Consider in a Risk-Based Analysis

A risk-based analysis provides information for your disaster response plan. This analysis reports on your ability to help customers in New York affected by a disaster. Risk analysis includes several steps:

  • Identify potential risks
  • Analyze risks to determine their possible effects on your operations
  • Estimate how likely each risk is to happen

Identifying and analyzing potential risks helps you develop ways to manage them.

Developing a Business Continuity Plan

A business continuity plan documents your procedures for an unplanned disruption. A plan covers maintaining operations or quickly restarting them. It includes planning for business processes, assets, human resources, and business partners. A business continuity plan is more comprehensive than a disaster recovery plan. Developing a business continuity plan takes several steps, including:

  • Identifying the scope, objectives, and assumptions behind the plan
  • Identifying key business activities, like financial, underwriting and claims, and data processing
  • Assigning a restoration priority to each business activity
  • Defining responsibilities of employees, lines of authority, and management succession
  • Determining acceptable downtime for business processes and IT functions
  • Creating a plan to maintain operations

The business continuity plan should include other information, such as procedures for activating the plan and communicating with stakeholders. DFS requires the plan to have a training curriculum as well.

Developing a Disaster Response Plan

DFS requires a disaster response plan. Typically, your disaster response plan is part of your business continuity plan. It outlines how to minimize the impacts of the disruption. It shows how to return to normal operations as soon as possible. A disaster response plan covers roles, policies, procedures, and resource allocation. Disaster response plans for DFS should include information such as:

  • The jurisdiction where the insurer has its domicile
  • Addresses where the insurer handles insurance functions for policies in New York
  • Types of insurance products the insurer administers
  • Who handles activating, deactivating, and monitoring the plan
  • Who will relay information between the insurer and DFS (disaster liaisons)
  • Procedures for training employees
  • Alternative methods for handling claims
  • Communication channels the insurer will use

You'll need to explain your method for testing the disaster response plan and how often you test it.

Next Steps

Developing a business continuity plan isn't just about following New York's regulations. It's about ensuring the long-term success and stability of your company. Agility is a leading business continuity and disaster recovery end-to-end solution. We have decades of experience helping companies recover from every kind of disruption. Our suite of solutions includes business continuity testing, emergency power and fuel, data backup and recovery, temporary workspace, remote work technology, and more. Contact us today to schedule a free demo and see how we can help you protect your business.

As an employer, you have limited control over regulating the exposure of your workforce to coronavirus. However, there are specific COVID-19 state safety guidelines for employers to follow. Besides, your organization can plan a speedy response to mitigate the consequences should this incident happen. Currently, the coronavirus is tearing across the United States—and around the world. Meanwhile, frontline workers are voicing their concerns over their safety during the pandemic. Everyone must do their part to ensure public health and keep workplaces safe. People are turning to the federal government looking for answers. Even though the federal government has been reluctant to dictate COVID state regulations, some guidelines are established in most states. Organizations such as the Occupational Safety and Health Administration have offered limited guidance. For the most part, they've left rulemaking to state legislators. Now, legislators are tasked with creating and enforcing COVID-19 guidelines. Below is some of the most recent information about COVID state safety guidelines for employers.

Areas With Comprehensive COVID State Safety Guidelines

So far, OSHA has resisted establishing concrete standards for COVID in the workplace. As a result, some states have issued executive orders regarding workplace protection rules. As an example, Virginia was the first state to issue the Emergency Temporary Standard. The standard was the first of its kind to protect workers during the pandemic. Michigan and Oregon have followed suit and also issued emergency standards. Meanwhile, other states have issued guidelines. Furthermore, some cities have issued rules regarding the protection of workplace personnel. In general, officials recommend that employees stay at least 6 feet away from others. This practice is called social distancing. Most regulations also require that employers provide face masks to employees. Workers should always wear masks when full social distancing isn't possible. Many states’ executive orders require employers to heed the following:

  • Ensure physical distancing of at least six feet between employees and their coworkers and customers
  • Provide face masks and implement requirements to wear face coverings and PPE
  • Improve ventilation
  • Provide employees with regular access to hand-washing and soap
  • Require deep cleaning after COVID cases are discovered in the workplace
  • Notify employees, exposed individuals, and health departments when cases are found
  • Train employees on best practices to prevent virus spread
  • Implement plans and procedures for a pandemic response, infection control, returning to work, etc.

So far, 14 states have issued comprehensive worker health and safety protection rules. These states include:

A new California law, AB 685, adds yet another set of requirements for California employers. AB 685, which takes effect on January 1, 2021, requires California employers to notify employees, employees of subcontractors at the worksite, and union representatives, if applicable, whenever the employer receives a "notice of potential exposure" to a "qualifying individual" at the worksite. An employer may also be required to notify the local public health agency.

Each of these regions provides more detail about specific COVID-19 regulations. You can find those details on their official state websites.

Workplace Management in the Absence of COVID State Regulations

Not all states have specific COVID-19 protection rules. In that case, employers generally follow federal recommendations. The Centers for Disease Control and Prevention (CDC) issues those recommendations. In some instances, an employee tests positive for COVID-19. If so, the CDC recommends that employers send that individual home immediately. Likewise, a worker may have symptoms of COVID-19. If so, they should notify their supervisor immediately and then go directly home. Employers should also close off areas used by an employee who was affected by COVID. The CDC also recommends that workers remain home in isolation. Furthermore, the CDC suggests that workers should not return to their jobs. They should stay in quarantine until they meet the criteria to end home isolation. Affected workers should also seek guidance from a healthcare professional. A medical professional can advise workers when it's safe to return to their job.

What to Do When Employees Test Positive

An employee may test positive for COVID-19. If so, employers should immediately disinfect their workspace. Furthermore, employers should limit access to the area for 24 hours. In some instances, however, it isn't practical to limit access to an employee's work area. In this case, employers should limit access to an exposed employee's work area until it is thoroughly cleaned and disinfected. If possible, employers should open doors and windows to increase ventilation in the exposed area. Employers should also collect information about the employee's recent contact among coworkers. This history should go as far back as two days before the onset of COVID-19 symptoms. This information will help employers to identify other staff members who may have been exposed to the coronavirus.

Steps for Employees After COVID-19 Confirmation

After testing positive for or showing symptoms of COVID-19, employees should practice isolation prudently. Workers should not leave their home for any reason other than to access medical care. During isolation, workers should monitor their symptoms. If there are any signs of emergency health conditions, they should seek medical attention right away. For example, if an employee has trouble breathing, they should go to an emergency room immediately. Workers should also stay away from other family members, if possible, during isolation. They should also use separate bathroom facilities if they're available. Isolated workers should make every effort to avoid contact with pets and family members. They should also avoid sharing personal household goods. For example, employees with symptoms of COVID-19 should not share items such as towels, dishes, cups, and utensils. While in isolation at home, employees should also wear a mask whenever they're around other family members.

Planning for Uncertainty During COVID-19

Planning for business continuity is one of the most important things your organization can do during an emerging threat such as COVID-19. However, all businesses should have a continuity plan despite the spread of the coronavirus. A contingency plan enables companies to remain resilient. It allows them to face any threat that might emerge. It involves preparing for continuity before, during, and after an event that can disrupt business. Any continuity plan should revolve around people. It's important to speak with employees early, often, and with compassion. During these conversations, employers should raise awareness about continuity policies. Educating and training your teams on continuity tools and resources can provide a lifeline in an emergency. Staff members must know they're available during emergencies. Employers should also create a safe workplace. In the context of COVID-19, this means frequent and thorough sanitizing. Operational segmentation can be another tactic in such challenging times. This practice includes preparing for closing. It also includes planning for the eventual reopening of all physical locations. Concerning the COVID-19 pandemic, employers should identify the location of mission-critical activities. They should consider how they can transfer these activities to alternative sites. When planning for continuity, employers need to assess their supply chains. In this regard, it's helpful to evaluate third-party dependencies and single points of failure. It's also critical to understand how these dependencies expose your business to risk. This understanding can help you to ensure continuity during the coronavirus pandemic.

A Back to Work Checklist for Employers

Many companies were forced to close their doors after the outbreak of COVID-19. However, a growing number of organizations are planning to return to the workplace. Naturally, employers want to get back to business as soon as possible. However, decision-makers may wish to consider a phased reopening. For example, employers can stagger shift times. Alternatively, they can divide employees into groups that come in during specified days or weeks. As a leader, you are tasked to prepare for a safe and successful return to the job. Employers should add a few items to their checklist to assist in the transition back to the workplace. Firstly, employers must develop a plan for returning to the workplace. In doing so, they should choose a workplace coordinator to respond to the COVID-19 event. When planning a phased reopening, management needs to determine which roles are the most essential to be returned to the office. Also, it's important to establish health and safety precautions. These precautions might include temperature screenings for returning employees. It's also helpful to compare coronavirus management practices with your business partners. In doing so, you can ensure that your interests are always protected. Finally, make sure that your staff members remain informed. Ensure that all team members sign up for timely alerts for COVID-19 from local, federal, and state health departments.

Managing the Unexpected

As each year passes, business interruptions become more common, especially in the age of COVID-19. During these kinds of emergencies, a notification system is critical. It's also important to train personnel in using the emergency notification system. Without training, the effectiveness of such a platform is limited.

Emergency Notification System to Keep Your Workforce Informed and Safe

An emergency notification system should serve as a crucial part of your preparedness program. Your crisis response team will have a proper set of actions for an emergency by following these suggestions. What's more, they can do so quickly and efficiently. Today's emergency alert system software goes beyond mass employee notifications. It takes extra steps to safeguard employee well-being, improve interdepartmental communication, and prevent economic loss. Finally, key emergency management personnel must always have access to information. The company's leadership has to establish a communication system for crisis team members. It's also essential to develop emergency processes. The processes should help you keep your program up to date as threats emerge. Communication is a two-way process. In an emergency, a two-way response system streamlines the notification process, keeping you in touch with your crisis team and offering lifesaving advantages. Bi-directional messaging is one feature that can help you stay connected with everyone on your team. For example, companies can request employees to confirm alert delivery by texting "c" to confirm or "y" for yes. With a two-way communication system, you can not only send push notifications, text, email, and voice messages from your computer, tablet or smartphone, but you can also receive an immediate response and see who is okay and who needs help and prioritize resources accordingly. Moreover, it's vital to have an integrated approach to crisis management. An integrated approach will ensure that your company is always prepared. In most instances, this means a system that's easy to implement and operate. Stakeholders should find that the system is easy to learn. It's also essential to support two-way communications during a crisis. An established response system will streamline your notification process. It will also give your team lifesaving advantages during an emergency.

Your Partner in Business Continuity

Now you know more about COVID state safety guidelines and planning for business continuity. However, the right platform can make the process easier and more cost-effective. Reach out to Agility Recovery today.

While every industry may be regulated differently, all aspects of business resilience aren't always considered holistically. A traditional approach to business continuity planning has always been centered around disaster recovery (physical location, telecommunications, data and IT systems). Regulatory standards on operational risk and resilience typically mention the response to and recovery from business interruptions. These days, we are witnessing an industry-wide shift towards the continuity of business operations. And even though the supervisory emphasis is still placed on operational risk, the change is evident.

Real Life Examples

No matter the size of the company, disruption may take any form and take your business by surprise.

Wells Fargo says it is working to fully restore systems as outage spills into day two.

CNBC, 2019

  • CEO Tim Sloan said the recovery from the outage was not as fast as the company or its customers expected.
  • Contact centers were up and running but customers face longer wait times if they are phoning in.
  • Complaints piled up that paychecks and direct deposits weren’t reflected in customer balances, but the bank says it fixed the issue.

The problem: It took too long for the company to recover from system issues, causing customer concern and complaints.

In March 2019, Facebook experienced its most prolonged outage, affecting the social network and other platforms owned by the company. The company blamed a “server configuration change” for the outage, meaning that even a pro-tech company like Facebook was not prepared to maintain its critical service during a server change.

Regulation of Operational Resilience in the U.S.

In the US, business resilience is a top priority for regulators in the financial industry. The Federal Reserve and the Office of the Comptroller of the Currency (OCC) initiated a series of examinations for some of the largest banks in 2019. This focus remains unchanged in 2020, with an emphasis on operational resilience. The OCC’s supervisory strategies for 2020 focus on cybersecurity and operational resiliency, with emphasis on threat vulnerability and detection, access controls and data management, and managing third-party connections. Another objective is technological innovation and implementation, including the use of cloud computing, artificial intelligence, digitalization in risk management processes, new products and services, and strategic plans. The Federal Reserve listed cybersecurity management, risk identification and assessment, along with technological innovation as priority areas for its 2020-2023 strategic plan.

  • Improve forward-looking risk-identification and assessment capabilities to inform policy and support timely and effective risk mitigation through supervision.
  • Expand risk-identification capabilities to increase agility in identifying and responding to changing conditions.
  • Evolve policy and supervisory capabilities to keep pace with financial technology innovation and operational vulnerabilities, including cybersecurity, for supervised firms.
  • Enhance cybersecurity and data privacy programs and maintain a secure technology environment that fosters collaboration, continuous improvement, and innovation.

The FFIEC has also revised its Business Continuity Management Booklet to highlight the importance of operational resilience. The updated booklet focuses on enterprise-wide approaches that address technology, business operations, testing, and communication strategies integral to continuity of business operations. The examination procedures now will help examiners assess whether management includes business continuity as part of the risk management cycle of a company’s processes and operations, and if a BC program itself is adequate.

Digitalization is the future for all businesses, especially financial institutions. Your customers want to manage their accounts from their mobile devices and ensure their accounts are secured on the web. There are also expectations for financial institutions. Cybersecurity is a huge concern for clients, and your customers demand digitalized interactions. Unfortunately, not all businesses are willing to comply with digitalization. 87% of companies believe the digital landscape will disrupt their market. The key is to work with digitalization, not against it. That’s why more financial institutions are implementing an operational resilience strategy. Below, we’ll discuss the importance of operational resilience and business continuity, and what it all means for financial institutions.

Why Is Operational Resilience a Priority?

More financial institutions are focusing on operational resilience. Why? Here are three factors impacting the financial landscape.

The Risks of Increased Digitalization

Power outages cost the U.S. $150 billion annually. The increased reliance on digital solutions also puts your organization at risk of downtime caused by such outages. The increased threat of security breaches impacts not only your institution but also your customers’ finances and data. You should address any risks and pre-plan your solutions. The best way to do this is by creating a business continuity and disaster recovery strategy.

Focusing on Operational Resilience

Operational resilience is at the forefront to keep up with customer demands. More customers want to access their finances on digital mediums. They also want to contact your institution via digital measures, all without interruption. Besides, more financial institutions are relying on third-party platforms. Examples include money transfer software and application platforms. However, with the demand comes increased risk. If ever an issue occurs, financial institutions need to know how to act fast enough to get their systems back in working order.

Protecting Reputation Risk

Let’s say your financial institution faces a security breach. Will your customers want to continue doing business with you? They will more than likely support your competitors instead. In addition, the internet makes public outcry louder. Damage to your reputation will spread more quickly and will impact your market severely.

An Approach to Operational Resilience

How can a financial institution create a detailed operational resilience plan? Here are four factors to focus on.

IT Upgrades

The best way to ensure your systems are secure and efficient is by upgrading your technology without any delay. Also, it’s essential to migrate your existing systems to the latest platforms whenever it’s necessary. While these upgrades carry their own risks, your company will stay safer in an unpredictable digital world.

Effectively Executed Digital Transformation

With that being said, it’s essential that all financial institutions effectively execute their digital transformation efforts. Any new system initiatives should undergo risk assessment, and you should set risk controls in place. For the best results, you should partner with a technology-focused business continuity solutions provider. In case any issues occur with your digital transformation, you’ll always stay running.

Timely Board Involvement

Your board needs to be informed immediately when an issue occurs. Communication is the key to a powerful operational resilience strategy. The faster your board knows about the problem, the faster they can set a solution in place.

Learning Opportunities

Unfortunately, many businesses don’t have time to learn from a digital mistake. They also don’t have a chance to improve their reputation. However, financial institutions should use the digital landscape as an opportunity to learn the digital systems and what downtime could mean for your business. Knowing this information ahead of time will prepare you for an issue, so you know how to react if downtime occurs. Additionally, training your employees on the most common threats your organization may face will help thwart the disruptive events and any unfortunate business impacts. Conducting a tabletop exercise is another great way to ensure everyone in the organization knows their roles and how to act in a different scenario. With planning and training capabilities, employees know exactly how to respond in an emergency, and management can make sure everything is in place to handle the next incident.

Emergency Notification and Incident Management Software

To ensure that all of your employees are well and receive timely critical information, and to minimize the impacts of a disaster on a business, companies need to implement an emergency notification and incident management system and test it regularly. Besides that, companies should deliver pandemic-related business continuity training to enhance employee preparedness and alleviate any concerns. Utilize mission-critical business continuity software and services. Software, such as Preparis, can target the response and recovery of particular locations, thanks to geofencing and bi-directional messaging. For instance, a top-notch tool will allow you to send company-wide alerts using a variety of mediums, for example, push notifications, emails, text messages, and voice messages. The more mediums you use to send out an emergency message, the better your chances of reaching all of your recipients.

Challenges of Operational Resilience

There are many operational resilience challenges that financial institutions have to endure. Here are three common ones.

Managing Third-Party Relationships

Banks can’t achieve operational resilience alone. Financial institutions need the help of third-party platforms. These include your technology platforms, staff that maintains your app, and other companies that collaborate on money transfers and payments. Managing your third-party relationships can be a challenge, even in our digital-centered world. It’s easy to struggle with collaboration agreements, information and data sharing, industry-funded utilities, and third-party risk management. Proper third-party management is becoming increasingly important to clearly define your collaboration with your colleagues, to improve your relationships with your vendors, and assess any collaboration risks.

Impact Tolerance

Unfortunately, disruptions happen, no matter how well you plan. It’s best to prepare for the impact a disruption will take on your business rather than facing the unpredictable setbacks. Establish your impact tolerance during the pre-disaster stage. Don’t just plan for your response to a disaster. Understand recovery time objectives and what’s expected of your business. Identify key functions, assets, and activities that you’ll need if a disaster strikes. You’ll also want to plan your communication strategy. Plan how you’ll approach customers, third-party vendors, and other members of your organization about the disaster and your process of improving it.

Data Security

Financial institutions not only worry about hackers compromising their company data but also their customers’ data. Many sources say company-wide data breaches could signal the end of a financial institution. Data security isn’t only a cybersecurity risk. With the growing demand for migration and digital transformation, you risk data loss when transferring your systems.

How to Improve Your Testing

Testing is key to a successful operational resilience strategy. But how do you improve your testing? Keep these facts in mind:

  • – What you’re testing
  • – How frequently
  • – The testing method
  • – The testing results
  • – How comprehensive the testing is
  • – How the testing helps you respond to issues

Testing also takes time and may not identify all issues. But comprehensive testing will help protect your business.

How BCM Helps

Business continuity management (BCM) is one of the core factors of any operational resilience plan. To ensure your financial institution complies with the best BCM strategies, the FFIEC released a new business continuity booklet in 2019. Here are the changes all banks should know.

Business Continuity Testing

BCM testing is easier to understand than in previous FFIEC booklets. The booklet defines specific expectations, including testing governance and strengthening outsourced technology. Consider the following testing areas to focus on:

  • – Programs
  • – Strategies
  • – Policies
  • – Plans
  • – Objectives
  • – Methods
  • – Scenarios
  • – Full-scale exercises
  • – Limited-scale exercises
  • – Tabletop exercises
  • – Industry exercises
  • – Testing for core and significant firms
  • – Industry exercises
  • – Post-test actions

Testing is a significant part of your BCM, and the FFIEC’s new testing standards will improve your testing strategies.

Board Reporting

This section details best practices when reporting any downtime to the board. Here are the requirements to address during board reporting:

  • – Risk assessment
  • – BIA
  • – Exercise and test results
  • – Resilience
  • – BCP
  • – Strategy updates
  • – Identified issues
  • – Metrics
  • – Audit results

While a BCM report isn’t required, the booklet does recommend providing a written presentation, which includes risk assessment, BIA, exercise and test results, BCP, and any identified issues. The booklet also requires that board minutes reflect business continuity discussions, credible challenges, and approvals.

BCP Is Now BCM

Instead of referring to it as a business continuity plan, the FFIEC now calls this method business continuity management. What’s the difference? Business continuity planning signifies responding to a disaster, implementing recovery, and resuming operations. BCM is different. This method focuses on addressing the risks and vulnerabilities of your system, helping prevent a disaster, and improving your business continuity strategy.

Important Steps of BCM

The FFIEC lists significant steps of BCM. These include:

  • – Oversee and implement resilience
  • – Align BCM with goals
  • – Develop business impact analysis
  • – Conduct risk assessment
  • – Develop effective strategies to meet resilience
  • – Establish a plan that includes incident response, disaster recovery, and crisis/emergency management
  • – Implement a BCM training plan for stakeholders and other personnel
  • – Conduct exercises and tests
  • – Review and update your BCM
  • – Monitor and report business resilience activities

There’s flexibility with these requirements. But your financial institution must meet all of them for compliance.

BCM as a Part of ERM

BCM is no longer relegated to a committee or staff person. Instead, it’s included in your ERM, which means your BCM will regularly be assessed, along with your compliance, operation, transaction, financial, and reputation risks. With this integration, your BCM will adopt risk management practices like measuring risk and the effectiveness of your risk mitigation.

What Does This Mean for Your Financial Institution?

The financial industry is moving in the direction of operational resilience and enterprise risk management. That’s why it’s not only imperative to implement ERM practices but align them with your BCM practices. ERM helps financial institutions assess, identify, monitor, measure, and mitigate risk. Integrating BCM helps improve the risk assessment function and also optimizes the plan for testing. Both of these management methods help a financial institution make better decisions if a disaster strikes.

Convergys Overview

Convergys is a global provider of software solutions, and its customers rely on it to be available every hour of every day. With a large portion of its workforce dedicated to call centers that provide 24/7 support for accounts, billing inquiries, and technical services, that reliance is magnified. Its ability to remain operational is critical in helping its clients in various industries, such as communications, financial services, technology, retail, healthcare, and government. Convergys meets these needs through offices spread across 33 different countries, but each office comes with its own potential threats to business continuity.

The Challenge: Severe Flooding, Zero Threshold for Downtime

Severe flooding plagued much of Tennessee for several weeks. Thousands of individuals were displaced from their homes, and businesses were forced to shut their doors. Convergys’s facility in the city of Clarksville was no different. Over three weeks, five feet of standing water sat in the building’s basement. Leadership knew the building was now structurally unsound, and it was unsafe for employees to work inside. Four hundred employees were now without an office, and their customers couldn’t reach them for assistance.

The Solution: Mobile Recovery Solution to Restore Critical Operations

Management declared an emergency the morning of May 20th, and after conferring with Agility, it was determined to deploy a full mobile unit. Within four days of their emergency declaration, Agility delivered four mobile recovery units complete with computers, phones, office furniture, meeting spaces, three generators to power the whole system, and satellites to ensure a steady connection. The temporary workspace was shipped and assembled in the parking lot of their Clarksville facility.

Results

By May 31st, the mobile recovery units were operational, and 135 call center agents were utilizing the space. This brought one of their most valuable assets back online and reconnected them to their customers experiencing their own difficulties during the floods. The call center operated out of the mobile units for six months while Convergys focused their attention on finding a suitable location for a permanent office.

The scope of impact a major flood can cause, both to your business and your community, can be far-reaching and, in many cases, long-lasting. When we lost a production call center to flooding, Agility provided us with the assets we needed to get back in business quickly. Agility served as a valuable partner, providing workspace and computer equipment – in addition to satellite capability – as we have worked to resume our operations in support of our clients.

Mike Epstein, Convergys Senior Manager, Business Continuity

Slidell Memorial Hospital

Slidell Memorial Hospital has been serving its community for over 60 years. The acute-care facility has 229 beds, and their Regional Cancer Center is the only treatment center of its kind in the entire Parish. Slidell’s daily procedures range from heart surgery and back surgery to treatments for Parkinson’s disease and other neurological disorders. Since they’re the only option in the Parish for certain treatments, they need to maintain continuity in any situation to ensure their patients receive proper care.

Challenge:

Slidell reached out to Agility to preplan their response to a disaster or storm. Leadership knew the hospital had to be ready and maintain functionality to prevent a lapse of care for patients. After joining Agility, we conducted a diagnostic test, which helped them understand their workflow during recovery and gave us knowledge about what equipment they would need. When Hurricane Karen was heading toward Louisiana, Slidell reached out to Agility to initiate their recovery. 

Solution:

As an Agility member, Slidell took advantage of Agility’s flexible generator solution. Based on the recovery test and the type of storm headed their way, Agility had the specific generator that they would need to operate the hospital if traditional power was lost. All of the necessary equipment was delivered to Slidell immediately after they initiated their recovery plan. 

Results:

The generator reached Slidell before Hurricane Karen made landfall. However, the storm didn’t affect the hospital as severely as expected, so they didn’t need to utilize it as a power source. Doctors, nurses, and patients were thankful that Slidell was prepared for the worst, and employees still would have been able to provide critical care if the hurricane had been worse. Because Agility’s monthly fee is affordable, Slidell could find space in their operational budget to prevent any future continuity problems.

Slidell

With the type of operation we run, we have to be up and running no matter what. We have worked with other companies, but we found Agility to be the most cost effective solution for our hospital.

Bruce Clement, Chief Operating Officer