It Can’t Happen Here – Part 2

One of the risks that often gets overlooked by a Small or Medium-size Business (SMB) is related to its “Operational Risks.” Just about eleven years ago there was a fear of a flu pandemic, and the Federal Financial Institutions Examination Council (FFIEC) and its member regulatory agencies issued letters and guidance on how a financial institution should prepare for such an event. At the time, the possible spread of the H1N1 virus was the concern. This triggered actions by most, if not all, financial institutions to create plans to mitigate the impact of such an event and to test those plans to ensure that they would work as designed.

Why Is This Still Important?

The World Health Organization (WHO) has been tracking an outbreak of plague in Madagascar. In the External Situation Report 12 they reported 2,267 cases and 195 deaths. Although this is not a current threat to the United States, it reminds us that preparation is still required. This preparation may be more important to smaller organizations because they don’t have the ability to spread the risk across various parts of their organization, and with smaller staffs the impact can be greater.

What Can You Do?

The FFIEC Guidance (warning – some of the flu-related links no longer work) can apply to any organization. It identifies a five-step approach which starts with Prevention and ends with periodic review and refresh of your plans. In many cases “Owner” and/or “Partners” should replace “Board and Senior Management”. If you read the document with those replacements, it should be more relevant. Another important activity is the creation of a Business Impact Analysis (BIA) for pandemic situations so that you understand the risks facing your organization. The steps provided are a good outline of what should be done. A more detailed discussion can be found in the FFIEC Business Continuity Examination Handbook and the BIA Worksheet from ISACA (membership restrictions may apply).

The activities associated with the BIA do not just apply to pandemic planning. As you go through the process, you may find other areas that need attention. SMBs often face key employee dependencies that should be identified and understood. Today, with all the information available on this topic, there is no excuse for not taking some actions to understand your operational risks and to mitigate those with the highest level of negative impact. Please contact me if you want assistance in getting started with this process.