www.navis-group.com | 978.495.0915
Storm Clouds on the Horizon
How’s your business continuity plan? How’s your disaster recovery plan? Ready for a major hurricane, or a significant power outage? As the breeze picks up a bit and the weather forecasters speculate on whether that disturbance coming up the coast will head out to sea or not, is this a “triggering” moment in which the business continuity plans come off the shelf and pre-planning activities commence?
In August of last year, I had the opportunity to facilitate a full day hurricane simulation in conjunction with Mass. Bankers Association and the National Weather Service. After a fascinating session on the history of New England hurricanes, Glenn Field of the Taunton office of the weather service provided a life-like scenario of a major hurricane aimed at Buzzards Bay as a realistic timeline to our chaotic planning session. Against a backdrop of charts, maps and projected paths, a dozen bank teams worked on business continuity planning decisions, while meeting regulatory and customer demands. The key lesson learned was an obvious one – plan ahead – decisioning “during” the event is way too late!
The hurricane road show comes to Connecticut on Thursday, September 4th and we hope that your bank will participate with us. There are three distinct parts to the day that we have planned. We have asked the National Weather Service to reprise the “History of New England Hurricanes” presentation for us. It turns out that we’ve been fairly lucky in terms of the routes that hurricanes have followed over the last fifty years, leaving most of us under 60 years of age with little experience of just how serious a major hurricane can be. Part two of our session will be a review of the BCP guidance updated by the FFIEC in March of this year. In addition to adding specific guidance on pandemic planning, the bulk of the updates to the regulatory booklet are inspired by recent hurricanes and other serious weather events and clearly fit into the no-fooling-around-anymore category. For years, as New England bankers, we have been cavalier about our ability to weather the regular onslaught of Nor’Easters. However, the regulatory message seems to be: “you can handle an inconvenient two or three day closing, but what about a real disaster?” The updated guidance includes a brand new section inspired by lessons learned that addresses issues such as security, data synchronization, crisis management, incident response, remote access, notification standards, insurance, and government and community communications. Does your plan address each of these elements?
Hmmm, winds are up to 30 miles per hour and the sky’s looking a little dark.
The main part of our day is the hurricane simulation. It has a bit of a reality-show feel to it and as such, I’ll reveal few specifics here. Suffice to say that regulatory demands, customer issues, media relations and other concerns will creep into the session at surprising times and in unexpected ways. The “simulation” of the normal day-to-day banking duties that must be maintained in the midst of the ever-gathering winds will consist of each bank team working on business continuity strategies. Taking a process-centric approach, each bank team will consider ten or fifteen key business processes across all functional areas of the institution. If our day proceeds as planned, it should be a challenge to accomplish the task.
Wow, did you just notice the lights flicker!
Weather gear, flashlights, prayer books and first-aid kits are optional. Cell phones are mandatory. We do ask participants to come prepared to be immersed, as the role playing is most beneficial if your skepticism is parked at the door.
Hope you can join us. If not, weather permitting, look for the post-mortem report in next quarter’s Connecticut Banking magazine. Gotta go now, the lawn furniture just blew off the deck.
David B. Sidon CPA
The Navis Group
Enterprise Risk Management, a/k/a ERM. What is it? It might take a War and Peace length book to explain and cover all the intricacies and interpretations, but if you’ll invest 2 or 3 pages worth of your reading time, I’ll do my best....click here for pdf
David B. Sidon CPA
The Navis Group
“Back-up is not enough.”
“Documentation is key.”
“Overall, we believe we were able to re-affirm our pandemic and business continuity plans.”
These are the words of Milford Bank’s CEO Robert Macklin, Security & Facilities Manager Ric Biroscak, and Branch Administration VP Jorge Santiago, in an interview discussing their experiences with a national pandemic planning exercise. Milford was early to respond proactively to concerns about pandemic planning. In 2007, the bank collaborated with the Milford Chamber of Commerce and Milford Health Department to create a community pandemic continuity guide for businesses, leveraging banking and other national guidance to provide for their community in addition to providing for the bank’s own welfare. The resulting document is available on the Milford Chamber of Commerce website.
In September-October 2007, the Financial and Banking Information Infrastructure Committee (FBIIC) and the Financial Services Sector Coordinating Council (FSSCC) coordinated a national financial services pandemic flu exercise. In a media briefing following the event, it was reported that 2,775 organizations were involved in the exercise, 62% of which were banks and credit unions.
The test was designed to be completed over a three week period, with the three intervals representing stages of an overall 10 week pandemic event. The national test simulated absentee rates based on employee last names. Reasons for absence were described as: taking care of dependents, fear of infection, transportation issues, illness, or death. For interval #1, representing the first 2 weeks of the pandemic simulation, last names beginning with the letters A, E, F, J, K, N, O, Q, T, U, V, X, Y, and Z were used to approximate a 25% absentee rate. The target absentee rate for interval #2 (weeks 3 through 6 of the pandemic event) was 49%, based on last names beginning with the letters A, C, E, F, G, I, J, K, N, O, Q, R, S, U, V, X, and Z. The target absentee rate for the last 4 weeks of the simulated event was 35%, based on last names beginning with the letters D, E, G, H, I, K, L, N, and R.
Milford’s experience echoes that of other participants, as the random method of defining absentees seems to reflect well the random nature of a pandemic. Milford’s team was particularly sensitive to employee safety, well-being and wage continuity, placing a focus on how to ensure that sick employees stay home and do not infect the rest of the bank. One of the important realities illuminated by this test is that management must honestly plan for the possibility of losing entire departments and not be lulled into thinking that a pandemic will distribute itself fairly across all divisions. Instead of planning for how it might manage with only half of the bank’s staff, the bank must plan for how it will get by with only half of its entire organization chart, including many or maybe most of senior management.
I recently facilitated an abridged version of the test with the management team at Rivergreen Bank in Maine, compressing the three week test into a three hour tabletop discussion. The random absentee methodology left much of the management team “available”, but presented the interesting challenge of only five branch personnel left to staff three offices, with no in-house IT support available. Their deliberations focused on three “basics”: cross-training, communication, and written procedures. Milford responded similarly and I expect that the survey results from the national test will suggest a comparable focus.
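To make the “entire department” point concrete, here is an added illustration that is not part of the original article or of the FBIIC/FSSCC exercise materials: a small Python driver that applies the three surname-initial letter sets quoted above to a roster and reports, department by department, who is left. The twenty-person roster and its department names are constructed for the example; the letter sets and target rates are the ones given in the exercise description.

```python
"""Surname-initial absentee simulation, in the style of the 2007 national
pandemic exercise. Letter sets and targets are from the exercise; the
roster below is constructed for illustration and names no real people."""
from collections import defaultdict

# (label, target absentee rate, set of absent surname initials)
INTERVALS = [
    ("Interval 1, weeks 1-2", 0.25, set("AEFJKNOQTUVXYZ")),
    ("Interval 2, weeks 3-6", 0.49, set("ACEFGIJKNOQRSUVXZ")),
    ("Interval 3, weeks 7-10", 0.35, set("DEGHIKLNR")),
]

# Constructed roster: (last name, department).
ROSTER = [
    ("Anderson", "IT"), ("Kim", "IT"), ("Nolan", "IT"),
    ("Baker", "Branch-Main"), ("Carter", "Branch-Main"), ("Evans", "Branch-Main"),
    ("Foster", "Branch-North"), ("Jones", "Branch-North"), ("Quinn", "Branch-North"),
    ("Brown", "Lending"), ("Diaz", "Lending"), ("Hall", "Lending"), ("Lee", "Lending"),
    ("Murphy", "Senior Mgmt"), ("Taylor", "Senior Mgmt"), ("Wilson", "Senior Mgmt"),
    ("Patel", "Operations"), ("Reed", "Operations"), ("Smith", "Operations"),
    ("Young", "Operations"),
]


def is_absent(last_name, letters):
    """An employee is out for the interval if the surname initial is in the set."""
    return last_name[0].upper() in letters


def run_interval(roster, letters):
    """Return (actual absentee rate, {department: (present, total)})."""
    per_dept = defaultdict(lambda: [0, 0])  # [present, total]
    absent = 0
    for name, dept in roster:
        per_dept[dept][1] += 1
        if is_absent(name, letters):
            absent += 1
        else:
            per_dept[dept][0] += 1
    return absent / len(roster), {d: tuple(v) for d, v in per_dept.items()}


def dark_departments(coverage):
    """Departments with nobody left: the 'losing an entire department' case."""
    return sorted(d for d, (present, _) in coverage.items() if present == 0)


def simulate(roster):
    """Run all three intervals; the target rate assumes a typical surname
    distribution, so on a small roster the actual rate can swing widely."""
    results = []
    for label, target, letters in INTERVALS:
        rate, coverage = run_interval(roster, letters)
        results.append({"label": label, "target": target, "rate": rate,
                        "coverage": coverage, "dark": dark_departments(coverage)})
    return results


if __name__ == "__main__":
    for r in simulate(ROSTER):
        print(f"{r['label']}: target {r['target']:.0%}, actual {r['rate']:.0%}")
        for dept, (present, total) in sorted(r["coverage"].items()):
            print(f"  {dept:13s} {present}/{total} present")
        if r["dark"]:
            print("  nobody left in:", ", ".join(r["dark"]))
```

On this roster the first interval, targeted at 25%, actually removes 45% of staff and leaves IT and one branch with nobody at all, while Lending is untouched; that lopsided outcome, not the headline percentage, is what the tabletop team has to plan around.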
In planning for a pandemic, a company is in essence creating a disaster recovery plan for its most mission-critical “system”: its people. Katrina taught us that illness is not the only reason for reduced personnel availability, as natural disasters pose housing, displacement, and transportation issues that may generate absenteeism in a similarly random fashion.
Guidance now abounds. For example, Milford’s community plan references “materials modified from San Francisco Department of Public Health”. Banking guidance includes the ABA’s “Emergency Preparedness Toolbox” and the “Interagency Statement on Pandemic Planning” issued by the FFIEC in December. The FFIEC guidance contains a full page listing of helpful websites.
I was genuinely impressed with Milford Bank’s proactive planning. They have health supplies at the ready. They have a customer information brochure prepared in advance. Emergency planning is a standing agenda item for their quarterly employee meetings. Remote computing access is securely in place. Alternative communication is set up through a Yahoo user group. And more. What did we all learn back in Scouts? Be prepared.
Defining risk tolerance
David B Sidon, CPA
Consider that there are only four answers available: high, medium, low, or not applicable. Risk, like beauty, is in the eye of the beholder. So what are the criteria? Your own judgment? Regulatory guidance? Guidance from senior management? Or a strict definition of risk tolerance as approved by your board of directors? ...click here for pdf
Banking , Enterprise Process Risk, and Apple Pies
David B Sidon CPA
Enterprise risk assessments are all the rage, and I think each definition of the word “rage” may apply (fury, frenzy, fume, fad, trend, etc). Banks subject to FDICIA compliance requirements (currently institutions with assets in excess of $1 billion) have had an early experience with enterprise risk assessment and control. Sarbanes‐Oxley (SOX) brings the requirement to most of the stock banks. And the mutuals and closely‐held stock banks are just starting to catch on to the fact that they, too, are struggling with enterprise risk. The struggle, however, lies in a lack of cognizance that assessing IT risk, GLBA risk, BSA risk, business continuity risk, and internal control risk, holistically amounts to an enterprise‐wide risk assessment. The struggle is in addressing the pieces of the puzzle individually, rather than as a whole...click here for pdf.
Bird Flu: Time to Prepare
David B. Sidon, CPA The Navis Group
Jack died last night. Now what?
The first person to die from the long‐predicted, dreaded pandemic is someone from your town, a 45 year‐old customer named Jack, a local businessman just returned from Singapore. Today is Wednesday; Jack died last night....click here for pdf
Business Continuity Planning
Lessons Learned from Katrina and Stephen King
David B. Sidon, CPA The Navis Group
Post‐Katrina, and for that matter, the rest of an incredible hurricane season in ’05, disaster and business continuity planning are getting a renewed and vigorous look by everyone including the White House, Homeland Security, and FEMA as well as the institutions and regulatory bodies that comprise our banking system. As we in the industry learn the importance of system recovery plans and business resumption plans (separate planning exercises as I will describe presently) and as we start to test, in simulated exercises, our plans and responses, we quickly come to the recognition of contingency planning’s key ingredient/problem. People. ...click here for pdf
David B Sidon, CPA The Navis Group
Have you Googled an address lately using the Satellite imagery function? WOW! You can actually see the cars in the parking lot at the office building you’re traveling to. But ... as a C‐level executive, could you look down into your enterprise with the same sort of detailed view? ...click here for pdf
David B. Sidon: Gloucester, Massachusetts
The Navis Group was founded in 2003 by David Sidon, CPA. The Company is a New England-based banking consulting group specializing in SOX/FDICIA/COSO, strategic planning, back-office efficiencies, business continuity tabletop testing, organizational architecture, and enterprise risk management.
The integrity of financial reporting controls, assessed against COSO guidance for FDICIA/SOX requirements, has been the key concentration for Mr. Sidon over the past decade, with more than 40 such projects completed, and with about half of those leading to the annual management of the COSO compliance effort. The COSO work has become the signature aspect of Navis’ branding and identity. Strategic planning is another element of concentration for Mr. Sidon, who annually facilitates management and Board retreats and crafts the strategic planning documents emanating from those sessions.
Mr. Sidon is also recognized in the industry for his business continuity tabletop exercises. He has conducted full-day, full-immersion business continuity exercises for many banking associations including Massachusetts, Connecticut, New York, Maryland and Kentucky. Participants have survived hurricanes, ice storms, wide-scale electrical outages, pandemics and cyber attacks. At the individual bank level, tornadoes, fires, chemical spills, electrical outages, cyber breaches and terrorist threats have been played out. The exercises are part consulting; part improv theatre.
Including freelance consulting work from 1998 to 2003, David has provided consulting services to more than 100 different institutions. The key descriptive word in that last sentence is “different”. Banks may all use checks that are rectangular in shape, but, after that, people, cultures, systems, geography, and complexity all contribute to a rich diversity institution to institution.
His credentials include a Bachelor’s degree in Business Administration (Merrimack College, as part of their initial co-op class), a CPA license, and a Master’s degree in Finance from Bentley. After 13 tax seasons in public accounting and a brief dabble in private industry as a CFO, Mr. Sidon’s banking career commenced in 1985 as a young director at Gloucester Cooperative Bank. After starting out as the mortgage department (small bank, many hats, one-man department), he eventually spent the last three years of his ten year tenure as CEO. In 1996, Mr. Sidon joined a larger commercial bank, Gloucester Bank & Trust, as CIO, running a three-bank data center. After the BankNorth signs were installed on the GB&T building in 1998, his consulting career was launched, just in time for Y2K.
David managed Y2K readiness and testing projects for numerous New England banks, and also took on work as far away as Guam. One of the interesting aspects of Y2K planning was that investment in banking technology was either escalated or delayed around that fateful and, as it turned out, uneventful date. System searches and implementation project management followed in the early years of the new century.
Mr. Sidon led a team that attempted to form, open and capitalize a de novo bank from late 2001 through June 2003, and although all approvals were attained, capital in the post 9/11 market recession was not adequately available.
On July 1, 2003, The Navis Group was born, soon moving into the newly emerging ERM (risk) disciplines, inclusive of technology and information security (GLBA) risks. He has assisted numerous client banks with risk programs, committee charters, risk appetite statements and risk metrics, regularly serving as a contributing member of client banks’ Risk Committees.
In addition to working with client institutions, Mr. Sidon has worked with the Massachusetts Bankers Association and Connecticut Bankers Association on various programs. For MBA, he facilitates a series of CFO forums and Risk Manager Forums. For CBA, as a faculty member of the Connecticut School for Financial Management, he instructs a risk class and serves as the driver of the financial simulation model underlying the school’s capstone resident session. For many associations, he has presented and facilitated ERM sessions and provided COSO-related education...
Kevin W. Nunes: Gloucester, Massachusetts
978-423-7296
After graduating from Salem State College in 1984 with an accounting degree, Kevin joined the “Big 8” accounting firm of Arthur Andersen & Co., spending time in both the audit and tax divisions before leaving to join a division of ITT/The Hartford Group in Boston as a financial and reinsurance analyst. In 1991, Kevin joined Gloucester Bank & Trust Company (GB&T), where, along the way to becoming the bank’s CFO/Treasurer, he also ran the in-house operations center and was head of human resources. In 1996, Dave Sidon joined GB&T to develop its excess in-house processing capacity into a data center serving other financial institutions, beginning a long-standing association with Kevin that continues to this day.
In 2001, Kevin re-connected with David Sidon to become part of the core management team and the initial investor group for the formation of a de novo bank, Navis Bank, on Cape Ann, the precursor to the formation of the Navis Group in 2003. Kevin’s specific banking experience includes asset/liability management and liquidity planning, development of financial models for strategic planning and balance sheet modeling, bank regulatory compliance and investment portfolio management. His experience with forensic accounting, and his background in audit and as a financial analyst, also lend themselves to the work Navis Group does for its client banks, especially with respect to the FDICIA/SOX/COSO work that has become a mainstay of the practice.