Security Plays Key Role in Contingency Planning
by Don S. Tokunaga, vice president and director of security, First Interstate Bank
As part of its contingency plan, First Interstate Bank has a chart outlining important responsibilities in an emergency plan and cross referencing it with departments that play primary ("p") and secondary ("s") responsibilities. The column marked "bank security" is filled with both "p"s and "s"s. This is logical since the bank's primary concern during an emergency is its employees, and the security department's main mission is to protect those employees.
Still the chart illustrates the critical role that bank security plays throughout banks during any disaster.
When crisis hits, Don S. Tokunaga, vice president and director of security, is the person in charge of First Interstate's Emergency Operations Center, the brains of disaster response. He shared with ABA Bank Security and Fraud Prevention his thoughts on First Interstate's program and disaster recovery planning in general.
Why is a disaster recovery program so important to banks?
First and foremost, it's our assurance that should a disaster occur, our employees will be protected and will know what to do. Our disaster plan addresses life safety issues at its primary core. We then address our second most important concern-protecting the physical assets of our bank. Because those two areas are so important, security must step in immediately in any disaster.
A third reason a plan is necessary is to have a defined path toward recovery. A critical aspect in any business that meets with disaster is recovery of the bottom line. You must keep expenses of recovery down as much as possible, while at the same time spending as much as you need to get back in business as quickly and safely as possible. The only way that can be accomplished is through preparation and later -- through cooperation and commitment by employees.
A fourth reason for a disaster plan is to illustrate to regulators you are complying with their requirements. For us that includes the Federal Financial Institutions Examination Council guidelines that outline the steps financial institutions must take to develop the plan, from gaining board of directors' and senior management approval to determining specific strategies.
The Americans with Disabilities Act also has requirements we must meet concerning life safety issues. We must assure that our facilities are accessible so that our disabled employees and customers can get in and out of our facilities as quickly as possible.
In California we also must meet state regulations that go along with the FFIEC guidelines including SB 198, which governs life safety issues for employees.
What happens to organizations that don't have a plan?
On top of the danger they have put their own employees and customers in, they may very well have their charters revoked by the regulatory agency that governs them.
They also can receive stiff fines from the federal and state governments. Beginning in 1992, for example, fines for violation of SB 198 climbed to a maximum of $70,000 per violation. Federal fines can go as high as a million dollars per day.
Where within First Interstate does disaster planning occur, and how does security fit into the planning?
At First Interstate Bank, disaster planning gets started in the business resumption division. All operating units have a hand in keeping our disaster plan current-and that means current on a daily basis. You have to know where personnel and assets are within the bank on any given day for implementing a plan, and we have special software to track that.
We also have a business resumption planning committee made up of key individuals from all areas of the bank. This group meets monthly, or more often should a need arise, and in California that need arises frequently.
The group maintains our plan, which covers all three phases of a disaster: before, during and after. First Interstate's disaster plan was put together on a layered basis, with each level completed only after successful completion of the previous level. The levels are:
- Contingency plans for First Interstate Bank's employees and their families including life safety techniques, home drills and procedures.
- A corporate Emergency Preparedness Program, which entails step-by-step procedures for all personnel, posting of procedures in key areas of each building site and life safety techniques.
- A corporate level "Disaster Recovery/Business Resumption Program" to establish Executive Committee involvement to obtain funding at the corporate level, secure commitment of executives and receive executive leadership.
- A disaster and business resumption recovery syndication program to ensure ownership, participation and funding throughout the corporation and to appoint a person in charge.
An important part of the plan is vendor selection for outsourcing repairs and recovery aid. For regulatory reasons, those vendors have to have disaster plans compatible to our own plan so that they know what will happen within First Interstate when an emergency occurs.
What happens during an emergency?
During an emergency, we have an Emergency Operations Center located in an earthquake-proof underground area of the bank. Each of the bank units also is represented by an individual assigned primary responsibility for the EOC. That individual is contacted when an emergency occurs and reports immediately to the center. If he or she is unavailable, alternate representatives are contacted. Represented at the EOC then are individuals from operations, public information, legal, human resources, transportation, corporate properties, health services, employee assistance, corporate management, insurance and, of course, security. When the disaster first occurs, security takes control of EOC to make sure it's opened up and functioning. Once life safety issues and physical safety of assets is handled, I turn the center over to the business resumption planning group.
The center is set up like a war room in a space that accommodates about 30 people. It has an area set up specifically for communications with the media and a briefing room for management. We can get this center up and running in about 30 minutes.
We also have set up backup sites called hubs so that if key personnel can't make it into the EOC, they can set up at the hub sites and maintain contact.
Security becomes involved immediately after the disaster occurs by securing the safety of employees and the physical assets of the bank. Bank security and corporate property personnel block off any areas affected. Our corporate property people immediately get someone to repair the buildings.
Damage to a building means many of your physical assets are exposed such as computer systems, cash vaults, safety deposit boxes. It is up to security to see that those assets are kept secure. Security also must coordinate with city or county building inspectors to clear when a building can be operating again.
What happened during last year's earthquake and what lessons did you learn ?
Eighty-two of our structures were affected by the quake. In the final analysis, we had to completely abandon our credit card center in Simi Valley, CA. The center was relocated to our business resumption backup site and was up and running the next day, which proved to us that our business resumption plan worked.
Other than that, we had one branch destroyed so badly that employees had to operate from trailers temporarily while the building was reconstructed.
Overall, we thought our business resumption plan worked extremely well, partly because we had gone through a disaster in 1988, when our headquarters in downtown Los Angeles caught fire, destroying three floors of our 62-story, high-rise building. Because of that disaster, First Interstate has been at the forefront of emergency preparedness.
One lesson we did learn from the Northridge disaster was that both customers and employees need to be better informed about procedures to take during an earthquake. We have prepared and are distributing a brochure that educates about how to prepare for an earthquake and what to do once it strikes. It has such information as checklists for office safety, first aid kits, home safety and emergency supplies to have on hand. It also tells where to go and what to do to protect yourself during a quake. We were really surprised at the lack of knowledge people here in this earthquake-prone area of the country had. Such brochures could be helpful to banks prone to all types of disaster. Never assume that because your organization is located in a floodplain, individual customers or employees will know what to do to protect themselves and the equipment. You can help them by providing that information in an easy-to-understand booklet.
The fire we had in 1988 and the civil disturbance we had in Los Angeles in 1993 taught us many important lessons that helped during Northridge. One of the most important is that you constantly have to improve your ability to communicatewhether it's by cellular phone or, as we used in the earthquake, a special disaster recovery channel on our 900-megahertz radios. Your equipment needs to be upgraded and tested frequently. The fire also taught us about backup sites. You need to have a location to move your whole branch operation, hopefully within a one-mile radius, so that you can be up and running the next day.
Did you change your disaster recovery plan as a result of the earthquake, and what will you be doing in the future, as far as disaster recovery?
Our earthquake preparedness plan wasn't changed much because it was tested during a smaller earthquake. But you have to wonder when you're waiting for the 8.3-on-the-Richter-scale event whether you could EVER be prepared for such a disaster.
For the immediate future, we plan more training for all units involved in disasters and recovery. In California, we're having more earthquake training drills and more practice at getting relocation sites up and running. We're testing our backup systems to see how they work.
I think disaster planning in general will be helped by the new software now available that allows each unit to input personnel changes and asset relocation changes immediately into central computer systems. When I'm in the EOC, I can access that information to make sure the right people are in the right place at the right time. I also can hook up vendor data to make sure I have updated information on who will be helping us with what during the disaster. Such immediate access to information will be vital to quick business resumption.
Disasters in the U.S.: A Mixed Breed of Events
Earthquakes in California: Before the Northridge earthquake, which resulted in 57 lives lost and $20 billion in damages, 16 other earthquakes or major aftershocks over magnitude 4.5 on the Richter Scale have occurred in California in the last 20 years.
Los Angeles Civil Disturbance: (1993) 53 lives lost and $1 billion of insured losses.
New York World Trade Center bombing (1993): Significant disruptions to many firms nationwide. Complete displacement of all employees in the building to other sites in the city. Hurricane Andrew (1992 ): 22 lives lost and $15 to $30 billion in damages.
Chicago Flood: (1992 ) disrupted the Chicago Board of Trade for several weeks and resulted in loss of $25 billion in trading volume.
Copyright © 1995 Bank Security & Fraud Prevention. Originally appeared in Bank Security & Fraud Prevention, Vol. 2, No. 3, 3/95
First published on 03/01/1995