Table of contents
Prudential practice guide
CPG 233 Pandemic Planning
-
Current1 May 2013
Prudential framework pillars
About this guide
Prudential practice guides (PPGs) provide guidance on APRA’s view of sound practice in particular areas. PPGs frequently discuss statutory requirements from legislation, regulations or APRA’s prudential standards, but do not themselves create enforceable requirements.
This PPG aims to assist regulated institutions in considering and prudently managing
the risks posed by a potential influenza pandemic, or any other widespread outbreak of contagious disease that could affect their operations. The information in this guide supports compliance with Prudential Standards CPS 232 Business Continuity Management (CPS 232) and SPS 232 Business Continuity Management (SPS 232), which set out the Australian Prudential Regulation Authority’s (APRA) requirements in relation to business
continuity management for authorised deposit-taking institutions (ADIs), general insurers, life companies and registrable superannuation entity (RSE) licensees (RSE licensees). This guide also supports compliance with risk management and other relevant prudential requirements.
Subject to meeting APRA’s prudential requirements, regulated institutions have the flexibility to configure their pandemic planning and risk management approaches in a manner best suited to achieving their business objectives. Not all of the practices outlined in this prudential practice guide will be relevant for every regulated institution and some aspects may vary depending upon the size, complexity and risk profile of the institution.
For the purposes of this guide, in the context of the superannuation industry, a reference to a ‘customer’, includes a beneficiary of an RSE.
Prudential Practice Guide
CPG 233 — Pandemic Planning
Disclaimer and copyright
This prudential practice guide is not legal advice and users are encouraged to obtain professional advice about the application of any legislation or prudential standard relevant to their particular circumstances and to exercise their own skill and care in relation to any material contained in this guide.
APRA disclaims any liability for any loss or damage arising out of any use of this prudential practice guide.
© Australian Prudential Regulation Authority (APRA)
This work is licensed under the Creative Commons Attribution 3.0 Australia Licence (CCBY 3.0).
This licence allows you to copy, distribute and adapt this work, provided you attribute the work and do not suggest that APRA endorses you or your work. To view a full copy of the terms of this licence, visit www.creativecommons.org/licenses/ by/3.0/au/.
Information on pandemic risks
Regulated institutions have access to numerous official and private-sector sources of information on pandemic risks, health and hygiene measures as well as tools for pandemic business continuity planning.
The World Health Organisation (WHO) is the global authority on pandemic risks, and publishes information on recommended planning and mitigation measures as well as current developments and threat levels.
[1]
In Australia, each pandemic phase is determined on advice from the Chief Medical Officer to the Minister for Health and Ageing and the Prime Minister.
The Australian Government has issued the Australian Health Management Plan for Pandemic Influenza and a National Action Plan for Human Influenza Pandemic, in addition to other guidance for the private sector. State government authorities and other jurisdictions in which Australian financial institutions operate have also issued pandemic policies and plans. It is important that institutions stay closely informed of developments and pronouncements by these authorities, as they can have a significant impact on institutions’ own planning and capabilities.
Institutions can regularly monitor official Internet sites and other expert resources for up-to-date information that may affect their preparedness, particularly during periods when the risk of a pandemic has increased.
Pandemic planning governance, structure and timing
Regulated institutions may initially consider establishing a formal internal pandemic committee or working group, which would develop and implement their approach to pandemic risk management. Such committees typically report regularly to the executive management, risk committee or crisis management group during the development phase.
Effective pandemic planning generally requires a cross-disciplinary approach involving, for example, the human resources (HR), business continuity management (BCM) or security areas, business units (in some cases through their BCM representative) and risk management functions within an institution.
Explicitly incorporating pandemic risks into strategic and business plans, performance measures and enterprise-wide risk management frameworks increases the likelihood that business units take these risks seriously and assist in managing them effectively on an ongoing basis.
As national requirements and government plans for pandemic preparations may differ across jurisdictions, it is important that local operations have the flexibility to accommodate local circumstances. Strong co-ordination processes between group and regional management are important in ensuring that the entire organisation implements an effective pandemic approach despite differing circumstances.
Relation to existing business continuity management process
Many institutions are working within their existing BCM frameworks to address pandemic risks. While traditional BCPs have historically been designed to operate regardless of the source of the particular impact, severe or even mild pandemic scenarios raise unique issues. BCPs can be modified, however, to incorporate the staffing impacts of a pandemic, via additional plausible scenarios and business impact analysis. Scenarios would include a sustained reduction in staffing and staff dispersal, for example.
In an extreme pandemic, or for that matter in any other severe operational disruption, an institution may need to prioritise resources to enable it to continue to provide those essential functions that are most important to its continued operation
and to meeting its core obligations to customers and counterparties. Unlike scenarios typically addressed in a traditional BCP, in a pandemic an institution’s business priorities may shift as its customers, competitors and counterparties may also be affected to varying degrees.
Pandemic plans
Most institutions are developing stand-alone pandemic plans, although incorporating pandemic considerations into BCPs and other internal plans rather than maintaining a separate pandemic plan may also be an option for some institutions. These plans need to be comprehensive yet flexible as the actual timing and impact of any pandemic is impossible to predict. Effective pandemic plans need to tie in to existing BCPs, crisis management plans and communication plans, as well as other plans, such as liquidity management plans.
Institutions may consider the approach to pandemic phases and threat levels that is most appropriate to their operations. Many institutions are applying the six WHO pandemic phases (both global and Australian) directly in their plans.Some institutions are using a more streamlined version of the phases focusing on those considered most relevant to the institution.
[2]
See Attachment A and the WHOGlobal Influenza Preparedness Plan.
A sound plan specifies the actions to be taken at each phase of the pandemic. Escalation from one phase to the next within an institution’s plan may be based on formal WHO or Australian Government pandemic phase announcements or other internal or external triggers. Many institutions would also escalate their planned activities ahead of official announcements if they had credible information from other sources of an increase in the threat level.
The duration and severity of a potential pandemic is highly uncertain and institutions need to keep abreast of current developments rather than relying on a fixed set of assumptions. Pandemic plans would typically reflect the fact that a pandemic may not proceed in an orderly way from one phase to the next with adequate warning at each phase. The Government anticipates that a pandemic form of the influenza virus would first emerge overseas. A pandemic could have multiple ‘waves’ of varying duration and severity in affected areas
Institutions may consider incorporating both indicative infection rates as well as overall staff absenteeism rates into their business pandemic planning. The WHO has indicated that an infection rate of 30 per cent is generally appropriate for planning purposes. In a severe pandemic scenario, institutions are generally planning for reductions in typical on-site staffing of 25–50 per cent over an extended period of at least six months and as long as 18 months.
Institutions’ pandemic plans typically address considerations such as:
- Staff health and welfare measures — These may include human resources and hygiene policies, staff training and communication, tracking of employees as to health status and location, travel restrictions, distribution of medical supplies and measures to address building contamination. For institutions with overseas staff, updating of evacuation and medical assistance procedures may be needed.
- Alternative work arrangements — Given the potential for government-imposed social distancing measures and closure of public facilities, pandemic planning involves consideration of options for alternative working and transport arrangements for critical staff. This could include expanding telecommuting and routine work-at-home capabilities, use of remote branches and recovery facilities and split shifts. In some cases, institutions are considering pooling of resources with other institutions, or shifting work or staff across international locations.
- Alternative processing arrangements — While electronic transactions are increasingly common across critical business functions, some financial transactions remain paper- based. As a result, alternative procedures for processing certain physical transactions (such as cheques, vouchers, etc.) could be needed.
- Controls and compliance — Institutions will need to consider the length of time that a large percentage of staff could effectively process transactions or conduct other operations away from normal work locations or perform workarounds to maintain critical business functions. This includes the ability to meet management and compliance requirements. In this respect, institutions may need to discuss compliance requirements with relevant regulatory authorities and self-regulatory organisations, such as market operators, where they foresee that these could place constraints on their ability to implement remote working arrangements and workarounds.
- Technology options — In order to implement remote working arrangements, institutions need to assess the practical range of alternative technology strategies for their business, for example, forwarding phone calls to alternate work locations, enhanced video- conferencing and conference call facilities, and upgrades to remote system access capabilities. It is important for institutions to discuss with their telecommunications providers options more likely to be effective in a pandemic.
- Communications plans — Many institutions have drafted generic information for staff and in some cases customers (such as Q&As or internal web sites on pandemic plans); some have chosen to avoid general distribution until such time as the risk level rises. Clear trigger points for releasing and updating this information would be a component of an effective pandemic plan.
- Resource priorities — Prioritising resources (including staffing, facilities, systems) in advance where possible, will help to ensure that in an environment with reduced resources, they can be directed at the most critical functions. Identifying functions in pandemic plans according to the various pandemic phases or trigger points is one method of supporting clear prioritisation.
- Succession and decision planning — Pandemic risks have also highlighted the need to update, and in some cases expand, delegations for various types of decisions, as well as explicit staff succession planning and cross-training for key operational roles that would be needed to ensure continuity of critical operations.
- Testing — Rehearsing and testing are important components of any preparedness plan. For example, CPS 232 and SPS 232 require that a testing program, for BCPs be carried out at least annually. Government authorities in Australia and abroad have published pandemic scenarios that can be used as a basis for walkthroughs of pandemic plans.
[3]
See for example, Commonwealth of Australia Department of Industry, Tourism and Resources,Business Continuity Guide for Australian Business.
Critical functions
Institutions generally identify critical business functions and operations in their BCPs. Given the particular features of a pandemic, including a potentially longer duration than envisioned in many traditional BCPs, the critical business functions identified in the traditional BCP may not always provide sufficient guidance for conducting operations in a pandemic scenario.
Explicit identification of the highest priority critical business functions and operations will help to ensure they receive appropriate resources. These functions and operations could be defined as activities which, if not performed or maintained for more than a very short period, would cause the institution to be in default on its obligations or otherwise threaten its financial soundness.
For example, institutions may consider it appropriate to focus on servicing existing customers and completing transactions already in progress, and closing or minimising risk positions. They may choose to defer or suspend activities such as new business development, opening new accounts, undertaking special or new projects or any internal non-essential systems changes within the organisation. These activities may be progressively scaled back based on the pandemic phases or available resources.
The most commonly cited critical business functions of regulated financial institutions, which would also be consistent with APRA and governmental priorities for public confidence, would generally include (but are not limited to):
All institutions
- Core risk management functions — particularly market, operational, credit and liquidity risk monitoring;
- General ledger/finance capabilities to allow monitoring of the overall financial (including capital) position of the institution;
- Call centres handling customer transactions and enquiries (excluding, for example, outbound or sales calls); and
- Data centres, recovery sites and critical third- party suppliers supporting critical functions.
Authorised deposit-taking institutions
- Cash supply and currency distribution, including operation of automated teller machines (ATMs);
- Retail payments and banking systems that provide existing customers with access to funds, including EFTPOS, bill payments, credit cards, telephone banking and Internet banking;
- Automated direct entry payment processing for existing customers, including government payments and payroll processing for corporate customers, as well as payments to suppliers and staff;
- Credit functions, in particular, those processing functions necessary for managing retail, corporate and institutional access to credit, particularly for pandemic-affected borrowers;
- For larger institutions, wholesale payments clearing and settlement activities, including interbank settlements, securities settlements and custody, particularly where these functions are provided to other financial institutions; and
- Limited trading functions for institutions active in markets operated by exchanges as well as over-the-counter — in particular, those functions necessary for completing transactions for existing customers and managing liquidity of the institution.
Insurance companies, fund managers and RSE licensees
- Claims processing and payment;
- Payment of benefits, including where appropriate early release of benefits; and
- Liquidation of assets held in managed investments, RSEs or other investment funds, within reasonable limits based on available liquidity.
This list is only broadly indicative of general priorities that in APRA’s view contribute to maintaining public confidence and meeting the core obligations of regulated institutions. Institutions need to consider their own critical functions based on their size and scope, customer base and role in the financial system.
External factors
Many external factors can influence the planning and capabilities of regulated institutions. In the case of a pandemic, government plans and actions will take priority. Ongoing coordination and communication between financial institutions and local authorities, as well as national and international financial authorities, would be important to implementing individual pandemic plans.
Financial institutions need to consider whether business continuity plans of critical third-party suppliers supporting critical business functions adequately address pandemic risks. Some institutions are doing this as part of their pandemic planning exercise; others are waiting until regular annual reviews of outsourcing contracts.
Prudent planning would include consideration of the likelihood of significantly increased usage of electronic transaction channels by customers (such as electronic banking systems). Demands on call centres, including transactions as well as enquiries from customers, may also increase.
Financial institutions may need to seek confirmation from their telecommunications providers that the infrastructure that supports their operations will be resilient to the level contracted, including being able to cope with potential substantial increases in volume of use in a pandemic scenario.
Some authorised deposit-taking institutions are anticipating increased demand for and usage of cash if pandemic risks appear to rise. Monitoring of cash usage may be included in pandemic plans or in normal operating procedures.
Availability of trading markets and counterparties could be important to those supervised institutions that rely on ready market access for liquidity, risk management and to meet customer demands for funds. In most scenarios, it can reasonably be assumed that major markets will remain open, although volumes and liquidity could be lower than normal. Settlement and other protocols may need to be adjusted, however, depending on the scenario.
Financial impacts
APRA expects institutions to consider the potential impact of a pandemic on assets, liabilities and capital under a range of plausible scenarios. There is no source of definitive scenario assumptions that should be considered, but several macroeconomic studies have been conducted with respect to Australia as well as overseas economies. These use a range of assumptions for scenarios of varying severity.However, plausible assumptions may change over time.
[4]
See for example McKibbin, Warwick and Alexandra Sidorenko, ‘Global Macroeconomic Consequences of Pandemic Influenza’, Lowy Institute, February 2006.
Examples of common assumptions include:
- duration of pandemic;
- infection rates among the population;
- mortality rates of those infected;
- age distribution of mortality;
- duration of illness and absence from work;
- frequency and duration of business closures due to infection on or near premises;
- demand for credit and borrower ability to repay by sector;
- potential impact on volume of new and existing business;
- potential impact on customer and institution liquidity requirements; and
- potential impact on investments and asset prices and other macroeconomic parameters.
Insurers may find it prudent to assess matters such as:
- the gross exposure from pandemic-related claims under different assumptions, by product type;
- the portion of these exposures covered by reinsurance;
- timing over which reinsurance recoveries may be paid;
- the overall impact on solvency; and
- the liquidity of the investment portfolio to allow net exposures to be met in a timely fashion.
ADIs may find it prudent to assess matters such as:
- the potential impact of a pandemic on impaired assets and loan arrears by industry and sector and the associated impact on provisions, reserves and earnings; and
- the potential liquidity and operational implications of increased demand for cash and credit.
RSE licensees and other management investments may find it prudent to consider the potential liquidity and operational implications of early withdrawals or liquidation of assets.
Consistent with maintaining public confidence and financial stability, APRA would expect banks and other lenders to exercise some degree of forbearance for pandemic-affected customers, including for example, deferring loan repayments, capitalising interest and waiving late charges for a reasonable period of time. Institutions will need to have the means of monitoring the extent and financial impact on the institution of any such forbearance.
Where appropriate, insurers need to review exclusions and limitations on underwriting standards and policies written where appropriate, and ensure insurance beneficiaries are aware of the extent of coverage for pandemic-related losses.
APRA’s role in a pandemic
APRA would expect regulated institutions to keep APRA regularly informed of any significant impacts on their operations, customers and financial condition. In due course, APRA will provide an outline of the types of information that APRA’s supervisors may seek to obtain during a pandemic in order to monitor the status of affected institutions. This may include information such as:
- whether any sites have been closed;
- the number of ill or absent staff;
- the impact on critical functions, if any;
- the financial impact, if any; and
- any known or potential regulatory breaches.
In a more severe pandemic scenario, APRA would anticipate scaling back or deferring planned on-site prudential reviews and meetings with supervised institutions. In addition, processing of routine applications and other matters involving regulated institutions may be deferred.
APRA would continue to coordinate closely with Government authorities and other financial regulators, both in Australia and abroad, as well as financial industry associations.
APRA has various legal options available to waive prudential requirements if appropriate in exceptional circumstances. Reliance on regulatory forbearance is not a substitute for prudent pandemic planning. Regulated institutions should immediately consult with APRA if they have concerns about their ability to meet any prudential requirements.
Attachment A
Table of pandemic phases | |||
Period | Global Phase | Australian Phase | Description of phase |
Inter-pandemic | 0 | 0 | No circulating animal influenza subtypes that have caused human disease |
1 | Animal infection overseas: the risk of human infection or disease is considered low | ||
1 | Animal infection in Australia | ||
2 | Animal infection overseas: substantial risk of human disease | ||
2 | As above in Australia | ||
Pandemic alert | 3 | Human infection overseas with new subtype(s) but no human-to-human spread or at most rare instances of spread to a close contact | |
3 | As above in Australia | ||
4 | Human infection overseas: small cluster(s) consistent with limited human-to-human transmission, spread highly localised, suggesting the virus is not well adapted to humans | ||
4 | As above in Australia | ||
5 | Human infection overseas: larger cluster(s) consistent with limited human- to-human transmission still localised, suggesting virus is becoming increasingly better adapted to humans, but may not yet be fully adapted (substantial pandemic risk) | ||
5 | As above in Australia | ||
Pandemic | 6 | Pandemic overseas — not in Australia — increased and sustained transmission in general population | |
6a | Pandemic in Australia — localised (one area of country) | ||
6b | Pandemic in Australia — widespread | ||
6c | Pandemic in Australia — subsided | ||
6d | Pandemic in Australia — next wave |
[5]
Source: Commonwealth of Australia Department of Health and Ageing,Australian Health Management Plan for Pandemic Influenza, May 2006. See www.health.gov.au for updates.