Federal Deposit Insurance Corporation
Office of Inspector General

The FDIC’s Readiness for Crises

This is the accessible text file for FDIC OIG report number Eval-20-004 entitled 'The FDIC’s Readiness for Crises'.

This text file was formatted by the FDIC OIG to be accessible to users with visual impairments.

We have maintained the structural and data integrity of the original printed product in this text file to the extent possible. Accessibility features, such as descriptions of tables, footnotes, and the text of the Corporation’s comments, are provided but may not exactly duplicate the presentation or format of the printed version.

The portable document format (PDF) file also posted on our Web site is an exact electronic replica of the printed version.


April 2020

Eval-20-004

The FDIC’s Readiness for Crises

Evaluation Report

Program Audits and Evaluations

The Office of Inspector General initiated this evaluation in 2018 and it covered the FDIC’s readiness planning and preparedness activities up to early 2019. Our work was not conducted in response to the current pandemic situation, nor is the report specific to any particular type of crisis.

Executive Summary

The Federal Deposit Insurance Corporation’s (FDIC) mission is to maintain stability and public confidence in the Nation's banking system by insuring deposits, examining and supervising financial institutions for safety and soundness and consumer protection, making large and complex financial institutions resolvable, and managing receiverships. This mission is intended to protect the integrity of the banking system. To ensure it can continuously achieve this mission, the FDIC must be prepared for a broad range of crises that could impact the banking system. Readiness planning provides the ability to respond timely and effectively to crisis events.

The FDIC Strategic Plan 2018-2022 acknowledged that despite the FDIC’s efforts to identify and respond to potential risks to the Deposit Insurance Fund, some events, such as natural disasters and sudden economic or financial market crises, could lead to broad losses within the banking industry and to the Deposit Insurance Fund. The FDIC regularly responds to events such as hurricanes, and at the time of our evaluation had developed, and was continuing to develop, readiness plans for responding to natural and environmental disasters, cyber attacks, and financial crises that impact the banking industry.

Since its inception in 1933, the FDIC has responded to several financial crises in the banking system. In 2012 and 2017, the FDIC completed two Agency-wide studies of its response to the financial crisis of 2008-2013. These studies identified challenges that the FDIC experienced and addressed during the prior financial crisis, such as those related to staffing, contracting, and information technology. The studies also identified lessons learned and recommendations, some of which the FDIC has incorporated or planned to incorporate into its operations and crisis readiness planning. Such operational improvements have helped the FDIC continue to enhance its readiness for crises impacting insured depository institutions.

The OIG identified that guidance established by the Department of Homeland Security and Federal Emergency Management Agency on planning for crisis events could be used as best practices by the FDIC. Additionally, best practices from non-Federal sources reinforce the concepts articulated in Federal best practices. Our review of these best practices identified seven important elements of a crisis readiness framework that are relevant to the FDIC – (i) Policy and Procedures; (ii) Plans; (iii) Training; (iv) Exercises; (v) Lessons Learned; (vi) Maintenance; and (vii) Assessment and Reporting.

Our evaluation objective was to assess the FDIC's readiness to address crises that could impact insured depository institutions. We initiated this evaluation in 2018 and it covered the FDIC’s readiness planning and preparedness activities up to early 2019. Our work was not conducted in response to the current pandemic situation, nor is the report specific to any particular type of crisis.

Results

The FDIC should fully establish the seven elements of a crisis readiness framework that we identified as best practices to address crises that could impact insured depository institutions. Specifically, we found that:

i. The FDIC did not have a documented Agency policy that defined readiness authorities, roles, and responsibilities, including those of a committee responsible for overseeing readiness activities. Such a policy would help to ensure that FDIC personnel understand and implement management directives for readiness. The FDIC also did not have documented procedures to provide for a consistent crisis readiness planning process.

ii. The FDIC should develop an Agency-wide all-hazards readiness plan that identifies the critical common functions and tasks necessary regardless of the crisis scenario, as well as Agency-wide hazard-specific plans, as needed, to integrate divisional plans containing requirements unique to certain types of crises. Such overarching Agency-wide plans could improve the efficiency of the readiness planning process and provide FDIC management and personnel with an understanding of how well the Agency integrates readiness planning activities throughout its Divisions and Offices. We reviewed three of eight FDIC divisional hazard-specific readiness plans in detail and performed a limited review of the other five. The three we reviewed in detail addressed roles and responsibilities, resource needs, and integration among Divisions, Offices, and Regional Offices, but we identified opportunities for improvement.

iii. The FDIC did not train personnel to understand the content of crisis readiness plans, including their task-related responsibilities in executing the plans. Further, the FDIC did not incorporate a requirement within the eight readiness plans to train responsible personnel to understand the plan, and how to carry out the objectives and tasks specific to the plan.

iv. The FDIC should document the important results of all readiness plan exercises and consistently incorporate within the plans a requirement for regular exercises. For three readiness plans, we found that the FDIC did not adequately document the results of exercises. Further, only one of the eight plans included a requirement for regular exercises.

v. The FDIC identified lessons learned and related recommendations from exercises and other readiness planning activities and demonstrated that the Agency had taken or planned to take actions to address some of the lessons learned. However, the FDIC did not have a documented monitoring process that prioritized and tracked recommendations to improve readiness.

vi. The FDIC updated all but one of the eight readiness plans, but incorporated maintenance requirements in only two of the plans. The FDIC should consistently review and update readiness plans, incorporate maintenance requirements in the plans, and establish a central repository of plans to facilitate periodic maintenance.

vii. The FDIC should regularly assess and report on Agency-wide progress on crisis readiness plans and activities to key decision makers, such as the FDIC Chairman and senior management.

By adopting the best practices reflected in the seven crisis readiness framework elements, the FDIC could improve its ability to respond timely and effectively to a crisis affecting insured depository institutions.

Recommendations

We made 11 recommendations to improve the FDIC’s crisis readiness planning, including: establishing Agency-wide policy and procedures; documenting Agency-wide readiness plans; training responsible employees on their plan-specific tasks; documenting exercises; monitoring the status of lessons learned recommendations; maintaining readiness documents; and assessing and reporting on Agency-wide readiness progress. The FDIC concurred with seven recommendations, partially concurred with four recommendations, and provided planned corrective actions and alternative corrective actions that meet the intent of the recommendations. The FDIC planned to complete all corrective actions by March 31, 2022.

Contents

BACKGROUND

The FDIC’s Mission and Organization

FDIC Crisis Readiness Activities

FDIC Response Studies

Best Management Practices

Elements of a Crisis Readiness Framework Identified by the OIG

Federal Internal Control Standards

EVALUATION RESULTS

The FDIC Did Not Have Documented Policy and Procedures for Readiness Planning

The FDIC Should Develop an Agency-Wide All-Hazards Readiness Plan and Hazard-Specific Readiness Plans

The FDIC Did Not Train Personnel to Understand the Content of Readiness Plans

The FDIC Should Document Results of All Readiness Plan Exercises

The FDIC Identified Readiness Lessons Learned, but Did Not Have a Documented Process for Monitoring Them

The FDIC Should Consistently Review and Update Readiness Plans

The FDIC Should Regularly Assess and Report on Agency-Wide Readiness

FDIC COMMENTS AND OIG EVALUATION

Appendices

1. Objective, Scope, and Methodology

2. Acronyms and Abbreviations

3. FDIC Division and Office Roles and Responsibilities

4. Potential Hazards for Insured Depository Institutions

5. Crisis Readiness Best Practices

6. FDIC Comments

7. Summary of the FDIC’s Corrective Actions

Tables

1. FDIC Business Line and Support Divisions and Offices

2. Crisis Readiness Framework Elements and Supporting Documents

Figures

1. FDIC Divisions and Offices by Mission-Related Function

2. Elements of a Crisis Readiness Framework

April 7, 2020

Subject

The FDIC’s Readiness for Crises

The FDIC must be prepared for a broad range of crises that could impact the banking system, and readiness plans and activities are an important part of this preparation. One of the FDIC’s strategic objectives is to promptly identify and respond to potential risks to the Deposit Insurance Fund (DIF). The FDIC Strategic Plan 2018-2022 (January 2018) acknowledged that despite the FDIC’s efforts to achieve this objective, some events, such as natural disasters and sudden economic or financial market crises, [Footnote 1] could cause broad losses within the banking industry and ultimately to the DIF. Effective crisis readiness [Footnote 2] plans and activities can help the FDIC support the safety and soundness of insured depository institutions (IDI), as well as the stability and integrity of the Nation’s banking system.

In November 2017, the FDIC published its study entitled Crisis and Response: An FDIC History, 2008-2013 (“FDIC Crisis and Response Report”). The study emphasized that the FDIC’s mission requires prompt action during periods of financial crisis. Because crises can be unique and can unfold quickly, robust readiness planning is important at all times. Readiness planning facilitates timely and effective responses to crisis events.

We conducted an evaluation to assess the FDIC's readiness to address crises that could impact IDIs. We initiated this evaluation in 2018 and it covered the FDIC’s readiness planning and preparedness activities up to early 2019. Our work was not conducted in response to the current pandemic situation, nor is the report specific to any particular type of crisis. To achieve our objective, we assessed the FDIC’s crisis readiness approach against best practices related to crisis readiness, which are supported by Federal internal control standards, in order to identify opportunities for improvement. [Footnote 3] We also interviewed FDIC and other Federal agency personnel. To assess existing readiness plans, we judgmentally selected and reviewed in detail three of eight readiness plans to determine whether they included essential elements of readiness plans. We also performed a limited review of the remaining five plans and other readiness-related documents.

We excluded from our scope the FDIC’s continuity of operations (COOP) [Footnote 4] planning and resolution planning for individual systemically important financial institutions (SIFIs). [Footnote 5] The OIG and GAO have performed various audits and evaluations related to these activities. See Appendix 1 for information about the evaluation scope. We performed our work from March 2018 to January 2019 at the FDIC’s offices in Arlington, Virginia, Washington, D.C., and Dallas, Texas. We conducted this evaluation in accordance with the Quality Standards for Inspection and Evaluation of the Council of the Inspectors General on Integrity and Efficiency.

BACKGROUND

The FDIC’s Mission and Organization

According to an article in the Organisation for Economic Co-operation and Development (OECD) Journal, Developing a Framework for Effective Financial Crisis Management, [Footnote 6] “[d]eposit protection has become an important feature of modern banking systems” and part of the official financial system safety net along with a lender of last resort, prudential banking regulator, and a government treasury department. The article further states:

In normal times the regulation and supervision of banks, . . . explicit deposit protection and an effective bank closure mechanism all help to reduce the adverse consequences of a financial crisis emanating from bank failures . . . . However, when problems become systematic, governments tend to play a much more active role and call upon the agencies that make up the [financial system safety net] to undertake extraordinary measures. . . . As such, there is a clear need for officials to undertake coherent contingency planning. . . .. [Emphasis added.]

Footnote: 1 A crisis is an unstable state of affairs leading to impending decisive change, especially a change or event resulting in a highly undesirable outcome. Merriam-Webster Online Dictionary (2019). For purposes of this report, we defined crisis as an event or series of events that rise in number and/or severity to a level that requires FDIC activities beyond steady-state environment operations.

Footnote: 2 The Department of Homeland Security (DHS) defines preparedness, which we refer to as “readiness” in this report, as a continuous process involving deliberate, critical tasks and activities necessary to build, sustain, and improve the operational capability to prevent, protect against, respond to, and recover from domestic incidents. Preparedness is operationally focused on establishing guidelines, protocols, and standards for planning, training, exercises, and other requirements. DHS, National Preparedness Guidelines (September 2007).

Footnote: 3 Government Accountability Office (GAO), Standards for Internal Control in the Federal Government (GAO-14-704G) (September 2014).

Footnote: 4 The FDIC has COOP plans that present Agency-wide and divisional responses to the direct effects that a disaster could have on FDIC facilities and personnel. However, our evaluation focused on FDIC readiness plans respecting the Agency’s response to the impact a crisis could have on IDIs.

Footnote: 5 GAO Report, Financial Regulatory Reform: Financial Crisis Losses and Potential Impacts of the Dodd-Frank Act (GAO-13-180) (January 2013) states that, “[w]hile the Dodd-Frank Act does not use the term ‘systemically important financial institution,’ this term is commonly used by academics and other experts to refer to bank holding companies with $50 billion or more in total consolidated assets and nonbank financial companies designated by [the Financial Stability Oversight Council] for Federal Reserve supervision and enhanced prudential standards.”

Footnote: 6 Developing a Framework for Effective Financial Crisis Management, Singh and LaBrosse, OECD Journal: Financial Market Trends, Volume 2011 – Issue 2, (2012).

In the United States (U.S.) financial system safety net, the FDIC provides deposit protection, and the role of Federal prudential banking regulator is a shared responsibility among the FDIC, the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency in the Department of the Treasury.

The FDIC’s mission is to maintain stability and public confidence in the Nation's banking system by executing four functions intended to protect the integrity of the banking system:

(1) Insuring deposits;

(2) Examining and supervising financial institutions for safety and soundness and consumer protection;

(3) Making large and complex financial institutions resolvable; and

(4) Managing receiverships. [Footnote 7]

The FDIC assesses risk-based insurance premiums on IDIs to fund deposit insurance, maintains the Deposit Insurance Fund (DIF), and uses DIF funds to resolve failed IDIs and protect insured depositors. The FDIC also supervises certain financial institutions and conducts periodic examinations to identify risks to the institutions. In addition, the FDIC recommends corrective actions to mitigate risks. The FDIC reviews resolution plans of large and complex financial institutions and develops strategies to facilitate their resolution through the Bankruptcy Code or through the FDIC’s orderly liquidation authority. Finally, in the event of an IDI failure, the FDIC, as receiver of the IDI, disposes of receivership assets and pursues receivership claims in order to pay receivership creditors.

Since its inception in 1933, the FDIC has responded to several financial crises in the banking system. The recent financial crisis was the most severe financial downturn in the United States since the Great Depression. According to the FDIC website, the Agency has been able to ensure that every depositor of insured funds has received their due amount following a bank failure.

The FDIC fulfills its mission through its Divisions and Offices as shown in Table 1.

Table 1: FDIC Business Line and Support Divisions and Offices

Business Line Divisions and Offices

Division of Insurance and Research (DIR)
Division of Risk Management Supervision (RMS) ***
Division of Depositor and Consumer Protection (DCP)
Office of Complex Financial Institutions (OCFI) ***
Division of Resolutions and Receiverships (DRR) ***

Support Divisions and Offices

Corporate University (CU)
Division of Information Technology (DIT)
Division of Administration (DOA)
Division of Finance (DOF)
Legal Division (Legal)
Office of Communications (OCOM)
Office of Legislative Affairs (OLA)
Office of the Ombudsman (OO)
Office of Minority and Women Inclusion (OMWI)

[End of table]

Source: FDIC 2017-2018 Business Process Analysis (BPA) / Business Impact Analysis (BIA) Final Report (July 2018).

*** Effective July 21, 2019, the FDIC established a new Division of Complex Institution Supervision and Resolution to centralize certain responsibilities formerly held by RMS, OCFI, and DRR.

These Divisions and Offices must coordinate to perform the four mission-related functions and achieve the FDIC’s mission referenced above. Figure 1 provides an overview of the FDIC’s four mission-related functions and the interdependencies of the business line and support Divisions and Offices. See Appendix 3 for a detailed description of each Division and Office’s mission-related roles and responsibilities.

Figure 1: FDIC Divisions and Offices by Mission-Related Function

[End of figure 1]

Source: OIG adaptation of a figure in the FDIC 2017-2018 Business Process Analysis (BPA)/ Business Impact Analysis (BIA) Final Report (July 2018). Business line Divisions and Offices in dark blue are responsible for the associated mission-related function. Business line Divisions and Offices in light blue also support certain mission-related functions. Support Divisions and Offices in gray provide support for one or more mission-related functions.

FDIC Crisis Readiness Activities

In August 2008, the OIG prepared a report [Footnote 8] evaluating the FDIC’s preparedness for large-scale resolution activity. The OIG report noted that the FDIC’s “[p]lanning efforts had been ongoing for a number of years and there was a clear commitment across [D]ivisions to strengthen the FDIC's readiness for resolving large and complex bank failures.” The report identified observations related to enhancing readiness planning processes, plans, exercises, and resources such as staffing, contracting, and information technology.

Since the start of the prior financial crisis, the FDIC has continued to enhance its readiness for crises impacting IDIs. As examples, the FDIC has taken the following actions related to DIF management, compliance monitoring, staff training, receivership contracting, and information technology improvement:

• Developed a long-term DIF management plan in 2010 and 2011.

• Implemented policies, procedures and job aids for monitoring IDI compliance with 12 Code of Federal Regulations (C.F.R.) Section 360.9, Large-Bank Deposit Insurance Determination Modernization (July 2008).

• Refined its Contract Oversight Management Certification Training Program, so that as the FDIC needs additional contracts, contract oversight managers can be readily trained and deployed.

• Increased the number of receivership basic ordering agreements. [Footnote 9]

• Improved the capabilities of the FDIC’s Claims Administration System that FDIC personnel use to ascertain depositors’ insured and uninsured funds in failing and failed financial institutions.

Footnote: 8 OIG Report, Contingency Planning for Large-Scale Resolution Activity (EM-08-004) (August 2008). Due to the report’s sensitive nature, the OIG did not make the report publicly available.

The World Economic Forum identifies events that could negatively affect the banking industry and IDIs, such as natural and man-made environmental disasters, acts of terrorism, cyber attacks, and financial crises. [Footnote 10] The FDIC helps IDIs and their service providers prepare for crises by establishing business continuity planning guidance, and reviewing IDI business continuity planning during supervisory examinations.

Footnote: 9 In 2008, the FDIC Board of Directors established a policy setting expenditure ceiling controls at the individual task order level rather than at the basic ordering agreement level for receivership-related activities. The new receivership basic ordering agreements gave the FDIC the flexibility to formulate contract requirements and resultant cost estimates as needs became known, and allowed the FDIC to award task orders less than $20 million in a more timely manner.

Footnote: 10 World Economic Forum, The Global Risks Report 2018, 13th Edition. See Appendix 4 for a reference list of potential hazards that could result in a crisis negatively impacting IDI operations.

The FDIC has also established an Enterprise Risk Management Program that multiple risk committees support. One objective of the program is to help ensure that the FDIC has increased awareness of emerging and key risks and an opportunity to address them proactively. Such information may provide early warning of a potential crisis. The OIG is currently conducting a review of the FDIC’s Enterprise Risk Management.

The FDIC had developed certain plans for responding, and had responded, to the effects of crisis events, such as hurricanes, on IDIs. In addition, at the time of our evaluation, the FDIC had developed, and continued to develop, response plans for a cyber attack that might significantly impact the banking industry. In general, the FDIC’s response to natural and cyber crises includes coordination and communication activities. The FDIC had also developed, and was continuing to develop, readiness plans for responding to a future financial-related crisis.

FDIC Response Studies

The FDIC also conducted and documented two Agency-wide studies of its response to the prior financial crisis. These studies identified how the FDIC addressed challenges it experienced during the prior financial crisis. The studies also identified lessons learned and recommendations for improving the FDIC’s readiness planning for a future financial crisis.

Crisis and Response: An FDIC History, 2008–2013. In 2017, the FDIC published a study of the Agency’s response to the financial crisis of 2008-2009 and related banking crisis of 2008-2013 (collectively the “prior financial crisis”). The study’s objective was to serve as a guidepost for future policymakers responding to the next period of financial instability. The purpose of the study was to provide a historical record and help develop better strategies and planning. DIR led the research effort, which included participation from other Divisions and Offices, including RMS and DRR.

The FDIC Crisis and Response Report stated that:

Before the crisis, the FDIC undertook several initiatives to prepare for a potential increase in bank failures. These initiatives included readiness exercises, large-bank resolution simulations, rulemaking to clarify bank closing processes and to provide timely access to critical information about failing banks, and enhancements to the FDIC’s IT systems and business processes. Although many of these initiatives were helpful, they were not fully successful, for two reasons. First, the crisis was greater than anticipated and—importantly—unfolded more quickly than anticipated. Second, the FDIC was shorthanded during the early phase of the crisis.

The Report indicated that the prior financial crisis:

[P]resented the FDIC with unprecedented challenges. The systemic threat posed by the financial crisis demanded creative and innovative responses from the FDIC and other financial regulatory agencies, while the speed and severity of the banking crisis stretched to the limit the FDIC’s capacity to supervise problem institutions, manage the [DIF], and implement orderly resolutions for failed financial institutions.

While the Report cited examples of how the FDIC enhanced its processes and systems, it concluded that, “[i]n hindsight, it might have been more effective if the FDIC, as part of its readiness planning, had built a larger and more agile infrastructure—including staff, contracts, and [information technology] systems—during the lull between the end of the previous crisis and the start of this new one.” The Report added that, as a result, one of the most important lessons learned from the prior financial crisis was that “readiness planning is essential.” [Footnote 11]

The Report acknowledged that such planning must balance budgetary pressures on the FDIC to streamline operations in a low bank failure environment against the reality that the magnitude and speed of banking crises are unpredictable. [Footnote 12] The Report indicated that, as part of maintaining readiness in a low bank failure environment, the FDIC could explore how other agencies with highly variable resource demands address their resource challenges. The Report specifically cited the Federal Emergency Management Agency (FEMA) as an example, noting the agency “has developed readiness capabilities despite the unpredictable need for disaster relief.”

Effectively Managing FDIC’s Resources, Meeting the Challenges of the Financial Crisis, 2008-2011 (August 2012) (“FDIC Crisis Resources Report”). In 2012, FDIC personnel completed a study of the Agency’s resource management during the prior financial crisis. The objective of this effort was to ensure maximum resource readiness in meeting the challenges of any future financial crises. DOA led the review effort, which included participation from other Divisions and Offices, including CU, DIR, DIT, DOF, DRR, Legal, OCOM, OMWI, OO, and RMS. The FDIC Crisis Resources Report on the study provided an overview of how the FDIC managed its resources in response to the challenges of the prior financial crisis. The report concluded that a solid understanding of prior crises, best practices, and lessons learned would better inform future actions. The FDIC Crisis Resources Report recommended a cooperative, collaborative, multi-divisional Agency approach to readiness activities. [Footnote 13]

Footnote: 11 The FDIC Crisis and Response Report identified 16 important lessons learned and 6 areas for future research. We discuss the FDIC’s efforts to monitor lessons learned later in this report.

Footnote: 12 The Report explained that: Seeking to be a responsible steward of the DIF, the FDIC controlled its operating expenses to reflect its reduced workload. It sought to achieve a balance between maintaining readiness for a future economic downturn, on the one hand, and minimizing costs (by maintaining a smaller staff and a slimmer infrastructure during a period of few failures), on the other hand. By reducing the number of employees, the FDIC recognized the risk that it might be initially understaffed if a large number of institutions failed during a short period, but it accepted this risk because the probability of such an event seemed remote.

Footnote: 13 The FDIC Crisis Resources Report identified 11 summary “Recommendations or Conclusions,” and identified other unnumbered lessons learned and recommendations.

Best Management Practices

According to GAO, best management practices refer to:

The processes, practices, and systems identified in public and private organizations that performed exceptionally well and are widely recognized as improving an organization’s performance and efficiency in specific areas. Successfully identifying and applying best practices can reduce business expenses and improve organizational efficiency. [Footnote 14]

Best practices consider new approaches by comparing existing organizational functions with organizations that are performing those functions differently.

Our research identified a crisis readiness framework including seven elements (summarized in Figure 2 below) that represent best practices, which are further supported by Federal internal control standards.

Elements of a Crisis Readiness Framework Identified by the OIG

According to FEMA, a crisis readiness framework helps to create a shared understanding and a common, integrated perspective of readiness across all mission areas. This integration allows an organization to achieve unity of effort and use its limited resources effectively. [Footnote 15] According to the World Health Organization, a crisis readiness framework identifies the principles and elements of effective preparedness. It adopts the major lessons of the past and lays out the planning and implementation processes by which organizations can determine their priorities and develop or strengthen operational capacities. A framework promotes integrated actions to support preparedness. [Footnote 16]

DHS and FEMA support interagency planning and coordination for crisis-related operations, and promote an all-hazards [Footnote 17] approach to readiness planning. An all-hazards approach is risk-based, and includes identifying critical functions and tasks to perform regardless of the crisis scenario, as well as separately identifying any unique requirements for specific hazards. FEMA emphasizes that an all-hazards approach to planning is important, because there is always a potential for new and unexpected risks. [Footnote 18]

Footnote: 14 GAO Report, Best Practices Methodology, A New Approach for Improving Government Operations (GAO/NSIAD-95-154) (May 1995).

Footnote: 15 FEMA, National Disaster Recovery Framework website https://www.fema.gov/national-disaster-recovery-framework (summary page) (October 2018).

Footnote: 16 World Health Organization, A Strategic Framework for Emergency Preparedness (2016).

Footnote: 17 FDIC, FDIC 2017-2018 Business Process Analysis (BPA)/Business Impact Analysis (BIA) Final Report (July 2018) defines the term all-hazards as “all conditions that have the potential to cause injury, illness, or death; damage to or loss of equipment, infrastructure services, or property; or alternatively cause social, economic, or environmental damage.”

Footnote: 18 FEMA, Developing and Maintaining Emergency Operations Plans, Comprehensive Preparedness Guide (CPG) 101, Version 2.0 (November 2010) (“Comprehensive Preparedness Guide 101”).

We considered DHS and FEMA guidance on planning for crises to be best practices that would be applicable to the FDIC’s crisis readiness planning. Additionally, we identified crisis readiness best practices from the OECD and Harvard Business School (HBS) research that reinforce the concepts in Federal guidance. We refer to these best practices throughout this report as Federal and non-Federal best practices. See Appendix 5 for a more detailed description of the Federal and non-Federal best practices sources we considered. Federal internal control standards also support the concepts articulated in the Federal and non-Federal best practices.

During our evaluation, we considered the relevant best practices for crisis readiness and Federal internal control standards. Based upon these sources, and our judgment and understanding of FDIC operations, we identified seven important elements of a crisis readiness framework that could be applied to the FDIC. We present these elements in Figure 2.

Figure 2: Elements of a Crisis Readiness Framework

[End of figure]

Source: OIG review of Federal and non-Federal crisis readiness best practices. See Table 2 in Appendix 5 for a crosswalk of these elements to specific best practices documents.

Policy and Procedures. Agency policy should define management directives and authorities, as well as roles and responsibilities for individuals and groups relating to crisis readiness planning. Agency procedures should establish a readiness planning process for consistently implementing policy directives.

Plans. An agency should apply its readiness planning process to develop basic readiness plans that are integrated, flexible, and scalable to address both traditional and catastrophic incidents. An all-hazards plan describes requirements common to all crises, while supplemental plans describe any unique requirements for specific hazard scenarios, as necessary based on risk.

Training. An agency should provide formal and informal training to help ensure that agency personnel have the requisite knowledge, skills, and abilities to execute the tasks identified in readiness plans.

Exercises. An agency should use exercises that simulate crisis operations, or involve actual crisis events,19 to test and validate crisis readiness plans and identify opportunities for improvement.

Lessons Learned. An agency should establish feedback mechanisms to monitor the lessons learned from training, simulation exercises, and actions undertaken during an actual crisis event to systematically incorporate proposed improvements to readiness plans.

Maintenance. An agency should review and revise its readiness policy, procedures, and plans on a recurring basis in order to address gaps identified through lessons learned.

Assessment and Reporting. An agency should regularly assess and report to key decision makers, such as the chairman and senior management, on its overall crisis readiness. Assessments collect and analyze data to measure progress towards achieving established performance goals. Reporting summarizes readiness progress and informs decision makers on necessary improvements.

Federal Internal Control Standards

The GAO Standards for Internal Control in the Federal Government 20 (“Federal internal control standards”) support the crisis readiness framework elements discussed above and provide managers criteria for designing and implementing an effective internal control system. According to Federal internal control standards, management sets objectives to meet the entity’s mission and establishes effective and efficient operations necessary to fulfill those objectives. Federal internal control standards provide that management:

Footnote: 19 For purposes of this report, we considered execution of a readiness plan during an actual crisis event as a “real-world” exercise of the plan.

Footnote: 20 GAO Report, Standards for Internal Control in the Federal Government (GAO-14-704G) (September 2014).

• Establishes structure, responsibility, and authority. Management establishes the organizational structure necessary to enable the entity to plan, execute, control, and assess achievement of objectives. To achieve the entity’s objectives, management assigns responsibility and delegates authority to key roles. This Federal internal control provision supports the Policy and Procedures Crisis Readiness Framework element.

• Ensures effective documentation. Effective documentation establishes and communicates to responsible personnel the who, what, when, where, and why of internal control execution. Documentation also provides a means to retain organizational knowledge and mitigate the risk of having that knowledge limited to a few personnel, as well as a means to communicate that knowledge as needed to external parties. This Federal internal control provision supports the Plans Crisis Readiness Framework element.

• Designs control activities. Management designs control activities in response to the entity’s objectives and risks. Control activities are the policies, procedures, techniques, and mechanisms that enforce management’s directives to achieve the entity’s objectives and address related risks. This Federal internal control provision supports the Policy and Procedures, and Plans Crisis Readiness Framework elements.

• Communicates internally. Management should internally communicate necessary quality information to achieve the entity’s objectives. Quality information is communicated down, across, up, and around reporting lines to all levels of the entity. This Federal internal control provision supports the Policy and Procedures, and Plans Crisis Readiness Framework elements.

• Communicates externally. Management should externally communicate quality information to achieve the entity’s objectives. Management communicates with, and obtains quality information from, external parties using established reporting lines. This Federal internal control provision supports the Policy and Procedures, and Plans Crisis Readiness Framework elements.

• Demonstrates commitment to competence. Competence requires the relevant knowledge, skills, and abilities gained from experience and training. This Federal internal control provision supports the Training and Exercises Crisis Readiness Framework elements.

• Performs monitoring activities. Management should establish and operate activities to monitor the internal control system and to evaluate and document the results to determine the effectiveness of the system. This Federal internal control provision supports the Lessons Learned, Maintenance, and Assessment and Reporting Crisis Readiness Framework elements.

• Evaluates issues and remediates deficiencies. Management evaluates issues identified through monitoring activities or reported by personnel to determine whether any of the issues rise to the level of an internal control deficiency. Management should remediate identified internal control deficiencies on a timely basis. This Federal internal control provision supports the Lessons Learned, Maintenance, and Assessment and Reporting Crisis Readiness Framework elements.

EVALUATION RESULTS

The FDIC should fully establish the seven elements of a crisis readiness framework that we identified as best practices to address crises that could impact insured depository institutions. Federal organizations responsible for planning, implementing, and assessing responses to crisis events and non-Federal entities that have studied crisis preparedness advocate these best practices. Specifically, the FDIC:

• Did not have a documented Agency policy that defined readiness authorities, roles, and responsibilities, including those of a committee responsible for overseeing readiness activities; and did not have documented procedures to provide for a consistent crisis readiness planning process;

• Should develop an Agency-wide all-hazards readiness plan as well as Agency-wide hazard-specific readiness plans, as needed, to integrate divisional plans containing requirements unique to certain types of crises;

• Did not train personnel to understand the content of crisis readiness plans, including their task-related responsibilities in executing the plans, nor incorporate a requirement within the plans to train responsible personnel regularly on plan content;

• Should document the important results of all readiness plan exercises and consistently incorporate a requirement for documented exercises within the plans;

• Identified lessons learned and related recommendations, but did not have a documented process to monitor their implementation;

• Should consistently review and update crisis readiness plans, incorporate maintenance requirements in the plans, and establish a central repository of plans to facilitate periodic maintenance; and

• Should regularly assess and report on Agency-wide progress on crisis readiness plans and activities to the FDIC Chairman and senior management.

By adopting the best practices reflected in the seven crisis readiness framework elements, the FDIC could improve its ability to respond timely and effectively to a crisis affecting IDIs.

The FDIC Did Not Have Documented Policy and Procedures for Readiness Planning

The first element of a crisis readiness framework is establishing policy and procedures for readiness planning. Policy directives define the roles and responsibilities for achieving agency readiness objectives. Procedures establish a readiness planning process that promotes consistent implementation of policy directives by agency personnel.

According to Federal internal control standards, “[m]anagement documents in policies . . . its responsibility for an operational process’s objectives and related risks, and control activity design, implementation, and operating effectiveness.” The standards further state that, “those in key roles . . . may further define policies through day-to-day procedures, depending on the rate of change in the operating environment and complexity of the operational process.” Finally, the standards state, “management communicates to personnel the policies and procedures so that personnel can implement the control activities for their assigned responsibilities.”

The FDIC did not have a documented Agency policy that defined readiness authorities, roles, and responsibilities, including those of a committee responsible for overseeing readiness activities. The FDIC also did not have documented procedures to provide for a consistent crisis readiness planning process. FDIC personnel in selected FDIC Divisions and Offices21 confirmed that there was no standard guidance for conducting crisis readiness planning activities, or any agreed-upon definition of what constitutes a crisis. Instead, Division and Office personnel developed readiness plans based primarily upon the personal knowledge of individuals and their experiences with FDIC operations.

Footnote: 21 See Appendix 1 for a listing of the FDIC Divisions and Offices we contacted to conduct interviews and obtain information for this evaluation.

Policy and Steering Committee

FDIC Directive 1212.1, Directives Management Program (June 2018) and the related FDIC Directive Template (June 2017) indicate that an FDIC policy directive should include the purpose, scope, authorities, and responsibilities, and identify standard forms, if applicable. Therefore, a policy for crisis readiness should communicate management’s directives and priorities for readiness planning by clearly and concisely expressing what FDIC senior leadership intends to accomplish and who will accomplish it. A policy may also reference procedures describing how readiness planning will be accomplished.

Federal best practices indicate one important role should be a group or committee with the authority to provide direction and approve crisis readiness plans.22 Senior leader approval of key planning deliverables ensures that planning progresses in a manner that meets senior leaders’ expectations.23

In March 2004, the FDIC established a Resolution Policy Committee (RPC) comprised of FDIC senior management officials24 as the focal point for contingency planning for large-scale resolution activity. The RPC met regularly and established eight subcommittees to address critical readiness issues. Each subcommittee had a list of tasks with responsible parties and due dates. The multi-divisional Readiness Subcommittee was responsible for ensuring that the FDIC had the requisite people, information technology, and supplies to close banks.25 The FDIC disbanded the RPC after the prior financial crisis began.

In June 2008, near the beginning of the prior financial crisis, the FDIC formed a Resource Task Force (RTF) to support crisis-related resource needs. The RTF included representatives from the Chairman’s Office, the Office of the Chief Financial Officer (CFO), and certain other Divisions and Offices. The FDIC Crisis Resources Report indicated that, “the RTF, led by the CFO, was critical in handling impacts of the crisis. The RTF coordinated oversight on surge planning, preparation, and implementation and placed the FDIC in a significantly better position to handle the crisis in a coordinated and collaborative manner.”26 In August 2011, the RTF changed its focus to post-crisis management and became the Resource Management Committee (RMC). The RMC disbanded in July 2015 once the FDIC completed the special initiatives needed during the crisis and reverted to a steady-state environment.

Footnote: 22 FEMA, FEMA Operational Planning Manual (FEMA P-1017) (June 2014).

Footnote: 23 FEMA, FEMA Operational Planning Keystone (FEMA P-1035) (August 2015).

Footnote: 24 The RPC was comprised of the Chief Operating Officer, who served as chair, the Chief Financial Officer, the FDIC General Counsel, and the Directors of the Division of Supervision and Consumer Protection (DSC), DIR, and DRR. In August 2010, the FDIC Board of Directors approved renaming the Division of Supervision and Consumer Protection as RMS and establishing DCP as a separate Division.

Footnote: 25 OIG Report, Contingency Planning for Large-Scale Resolution Activity (EM-08-004) (August 2008).

Footnote: 26 In the context of FDIC readiness planning, a surge can include a significant increase in staff, contractor, information technology, workspace, and other resources in response to a crisis. See FDIC Crisis Resources Report.

The FDIC Crisis Resources Report recommended that “an RTF be assembled early in a crisis, to discuss mission, strategic, operational, and financial reporting risk and readiness.” It added that “the RTF and supporting teams should be identified before the surge activity with the responsibility to prepare and practice scenarios to meet requirements.”

Therefore, we believe, and best practices support, that it would be prudent to establish and maintain such an oversight body during normal operations. At the time of our evaluation, the FDIC did not have a steering committee responsible for prioritizing readiness tasks, and ensuring the cohesiveness of readiness plans and activities addressing potential crises impacting IDIs. Such a formalized oversight body could promote a consistent approach to readiness planning across the FDIC.

Procedures

According to the DHS National Preparedness Guidelines, common planning processes help to identify requirements, allocate resources, and build and maintain coordinated capabilities that are prioritized based on risk. Federal internal control standards indicate that personnel use procedures to implement processes. FEMA’s Comprehensive Preparedness Guide 101 explains how templates facilitate consistent implementation of planning procedures. Specifically, FEMA recognizes that the planning process demands a significant commitment of time, effort, and resources; therefore, many planners use templates to complete their plans. The best templates are those that include a plan format and describe the content of each section, allowing each plan to be tailored to the particular needs of the organization and crisis scenario.

In 2015, the FDIC developed a Draft Procedure for Identification and Planning for External Risk Events (September 2015). This draft document provided high-level procedural guidance on contingency planning for potential events and indicated that contingency planning for the most severe potential events should include: a strategy for acquiring real-time information; an estimate of resources required; and strategies for communications. While this draft procedure demonstrated the FDIC’s progress in developing the crisis readiness procedures recommended by best practices, the FDIC never finalized this draft document and had not updated it since 2015. In addition, FDIC personnel whom we contacted did not recognize this document as current guidance. Further, FDIC personnel could not identify any other crisis readiness planning procedures or a common planning template during our evaluation.

Factors Affecting Readiness Policy and Procedures

FDIC senior management stated that the Agency’s mission and the nature of its work, such as monitoring banking industry health and supervising and resolving banks, prepared the FDIC for responding to financial crises. FDIC senior management indicated that crisis planning is an integral part of the FDIC’s ongoing work to maintain public confidence in the banking system. Senior management also explained that its process for responding to a crisis is intuitive, and that there is not a need for a high-level conceptual document explaining the FDIC’s approach to crisis readiness.

FDIC senior management indicated that the FDIC has early warning systems to identify problems developing in the banking industry. Senior management stated that it has met, and will continue to meet, to review available response strategies when there is any indication of an impending crisis. At that time, it will decide how to respond, which could include forming committees and evaluating existing readiness contingency plans.

However, there are limitations to this approach and reliance on early warning systems, as indicated by the FDIC Crisis and Response Report. That Report stated, “the FDIC, like most other observers, did not manage to connect the dots among the trends that were developing” as indicators of the prior financial crisis. The Report added that, “although it is important to supplement the examiners’ bank level view of risk with risk assessment of broad external trends, consensus on the most important risks in the financial system and on the urgency of those risks at any given time is likely to be elusive.” This observation regarding the unexpected nature of crises underscores the importance of establishing robust readiness planning policy, procedures, and a steering committee well in advance of a crisis, as supported by best practices.

Another reason the FDIC should document its crisis readiness process in policy and procedures is that key personnel having direct knowledge and experience from prior crises may not be available. The FDIC Crisis Resources Report recognized this risk and recommended that Agency contingency plans consider the potential for loss of institutional knowledge. At the time of our evaluation, 43 percent of permanent FDIC employees and 63 percent of permanent DRR employees were eligible to retire within 5 years.27 The FDIC also faces a high rate of potential retirements among seasoned senior and mid-level managers, with approximately 66 percent of permanent Executive Managers and 57 percent of permanent Corporate Managers eligible to retire within 5 years. Retirement waves can create gaps in leadership and institutional knowledge,28 further supporting the need for clearly articulated readiness planning policy and procedures.

Footnote: 27 Information included in this report regarding retirement eligibility is as of July 31, 2018.

Footnote: 28 GAO Report, High-Risk Series: Progress on Many High-Risk Areas, While Substantial Efforts Needed on Others (GAO-17-317) (February 2017).

The former DRR Director recognized attrition as a challenge, stating in 2017 that, “[t]he management that was in charge during the advent of the most recent crisis will not be the same group of managers in charge during a future crisis. In fact, most of those individuals have already departed the organization.” Because the FDIC will not be able to rely on their absent expertise in the next crisis, the former DRR Director explained that it is “even more important that the Divisions and Offices clearly understand their role in a financial crisis, what is expected of them, and to thoroughly document their plans to respond.” These considerations supported an initiative from 2017 to develop the DRR Surge Staffing Plan, described later in this report.

Without a policy, the FDIC may not promote a uniform vision, create a clear understanding of roles and responsibilities, and ensure that the Agency’s Divisions and Offices effectively coordinate to achieve improved Agency readiness. Related procedures will promote consistent planning by Agency personnel and ensure that plans comprehensively document information needed for crisis readiness and response. The FDIC experienced staffing, contracting, and information technology challenges during the prior financial crisis. Established policy and procedures, guided by a steering committee, would help the FDIC more consistently plan for, and timely and effectively respond to, the challenges that could arise from a future unexpected crisis.

Recommendations

We recommend that the FDIC:

1. Establish and implement a policy providing senior management’s crisis readiness directives.

2. Establish a committee to guide and oversee FDIC crisis readiness planning.

3. Establish and implement procedures supporting an Agency-wide process for crisis readiness planning.

The FDIC Should Develop an Agency-Wide All-Hazards Readiness Plan and Hazard-Specific Readiness Plans

The second element of a crisis readiness framework is the development of readiness plans. An all-hazards plan can be supplemented by hazard-specific plans, if needed to describe any unique requirements for specific hazard scenarios. Readiness plans should clearly identify crisis response-related:

• Roles and responsibilities and required tasks (decisions, actions);

• Resources (staffing, contracting, information technology, work space); and

• Internal and external integration (coordination and communication).

According to FEMA’s Comprehensive Preparedness Guide 101, an understanding of the major tasks to perform, and when and why such tasks are necessary, facilitates an effective response.

The FDIC Crisis Resources Report stated that “the recent financial crisis underlines the need for coordinated and proactive resource readiness.” The Report also stated that “[a]n interdivisional, Corporate-wide, and cross-agency approach will again best serve [the FDIC] in handling any future crisis. The [A]gency should consider establishing an FDIC [point of contact] or group of individuals to coordinate these activities.” This Report concluded that “[the] FDIC can be better prepared for the next crisis by developing contingency plans for key operational areas.” The FDIC Crisis and Response Report added that, “[p]lans to build capacity should remain broad and focus on scalability and flexibility but they should also include the technical and operational details necessary to implement quick capacity-building.”

At the time of our evaluation, certain FDIC Divisions and Offices29 had developed or were developing hazard-specific readiness plans or planning documents to respond to crisis events affecting IDIs. These potential crisis events included cyber attacks, environmental disasters, and financial crises.

However, the FDIC should enhance its readiness plans to ensure that they fully address roles and responsibilities for important tasks, the necessary resources, and integration both within the Agency and with external stakeholders. The FDIC should also develop an Agency-wide all-hazards readiness plan, and Agency-wide hazard-specific plans, as needed, to integrate Division and Office hazard-specific plans.

Such overarching Agency-wide plans could enhance FDIC management and personnel understanding of readiness planning activities across the Agency.

All-Hazards Plan

FEMA’s Comprehensive Preparedness Guide 101 supports that an all-hazards plan should identify the necessary critical common functions and tasks, and individuals responsible for accomplishing them, regardless of the crisis scenario. An all-hazards plan could improve the efficiency of the planning process, as it would allow hazard-specific plans to focus on any unique requirements for specific crisis scenarios, as necessary based on risk. During the course of our evaluation, we requested all FDIC readiness plans and other documentation demonstrating crisis readiness activities.30 FDIC personnel could not identify or provide an Agency-wide all-hazards readiness plan.31 Our evaluation, however, identified the following seven examples of internal and external coordination and communication activities at the FDIC. These activities may be common to crises and therefore, may be appropriate to include in an Agency-wide all-hazards plan as discrete tasks:

• Internal coordination with OCOM, which provides a centralized process for FDIC external communications32 with the banking community and with the media.33

• Coordination with the FDIC Central Call Center, which serves as a focal point for telephone and email contact with the FDIC by the public and financial industry.34

• Coordination with OLA, which serves as the liaison between the FDIC and Members of Congress or Congressional staff.35

• External coordination and communication with IDIs and their service providers to obtain and distribute crisis status information.

• Coordination and communication to exchange information with financial industry groups such as the Financial Services Information Sharing and Analysis Center36 and the American Bankers Association.37

• Coordination with other IDI regulators through crisis communication protocols established by the Federal Financial Institutions Examination Council38 (FFIEC).

• Coordination with Federal and State financial regulators through emergency conferencing protocols established by the Financial and Banking Information Infrastructure Committee39 (FBIIC).

Hazard-Specific Plans

In response to our requests for all FDIC readiness plans and other documentation demonstrating readiness activities for crises impacting IDIs, FDIC personnel provided eight Division and Office hazard-specific plans.40 However, FDIC personnel could not identify any Agency-wide hazard-specific plans that integrated the various Division and Office plans.

Footnote: 30 FDIC personnel and documentation referred to such plans alternatively as contingency plans or playbooks. The FDIC had no standard for what should be included in a playbook. A playbook is defined as a stock of usual tactics or methods. Merriam-Webster Online Dictionary (2019).

Footnote: 31 During our evaluation, we identified other Federal entities that conduct all-hazards readiness planning. One of those agencies, the Small Business Administration, maintains a publicly available all-hazards plan. An objective of the plan is to ensure that all available agency resources are both provided and integrated with the Federal government’s overall support to disaster survivors. U.S. Small Business Administration, Disaster Preparedness and Recovery Plan (June 2018).

Footnote: 32 Examples of FDIC written external communications include a Financial Institution Letter (FIL), an informational page on the FDIC’s external website, and a press release. A FIL serves as the primary tool for delivering information, guidance, and notice to IDIs about banking regulations, financial activity, regulatory relief, and other subjects of interest to the banking community. FDIC Divisions and Offices, such as RMS and DCP, determine what information is contained in a FIL and OCOM issues the FIL to electronic subscribers and coordinates with DIT to post it on the FDIC website. See www.fdic.gov/news/news/financial/index.html.

Footnote: 33 FDIC Directive 1420.1, Media Contacts (August 2018).

Footnote: 34 FDIC Directive 3100.3, FDIC Central Call Center (November 2000).

Footnote: 35 FDIC Directive 1211.2, Congressional Contacts, Correspondence, Information Requests, and Testimony (December 2018).

Footnote: 36 The Financial Services Information Sharing and Analysis Center (FS-ISAC) is the global financial industry's resource for analysis of cyber and physical threat intelligence and sharing of cyber and physical threat alerts and other critical information, such as analysis and recommended solutions from industry experts.

Footnote: 37 The American Bankers Association is an advocacy group that supports American banks of all sizes by providing information, training, staff expertise, and other resources.

Footnote: 38 The FFIEC is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the Federal examination of financial institutions. The group also makes recommendations to promote uniformity in the supervision of financial institutions. Members include the Board of Governors of the Federal Reserve System, the FDIC, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Consumer Financial Protection Bureau.

Footnote: 39 The FBIIC coordinates efforts to improve the reliability and security of the financial sector infrastructure. FBIIC was chartered under the President’s Working Group on Financial Markets in the wake of the terrorist attacks on September 11, 2001. It consists of 18 member organizations from across the financial regulatory community, both Federal and state, including the FDIC. The Treasury Department's Assistant Secretary for Financial Institutions chairs the committee. The RMS Director, as the FDIC’s representative on the FBIIC, attends regular FBIIC meetings designed, “to provide strategic and policy guidance to the FBIIC; ensure continued senior-level engagement on, and resourcing of, infrastructure protection issues; and enhance the processes for rapidly coordinating significant issues at the most senior levels of government.” The FDIC Chairman serves on the FBIIC Seniors group by attending quarterly meetings at the Treasury Department in which members discuss their efforts under multiple work streams.

Footnote: 40 These plans included the Division of Supervision and Consumer Protection Contingency Operating Strategies (2008), RMS Cyber Incident Response Plan (October 2016), the Atlanta Region Critical Event Management Plan (2018), the Dallas Region Environmental and Natural Disaster Response Procedures (undated), the Debt Ceiling Contingency Plan: Division of Risk Management Supervision (August 2017), the Office of Complex Financial Institutions FDIC Contingency Planning for Debt Ceiling (October 2013), the Draft Debt Ceiling Contingency Planning Summaries: DRR Contingency Plan (August 2017), and the draft DRR Surge Staffing Plan (May 2018).

We judgmentally selected three of the eight plans for detailed review to determine whether they contained information related to roles and responsibilities, resources, and integration. We also performed a limited review of the remaining five plans and other readiness planning-related documents including readiness strategies, meeting minutes, emails, and charters, to understand the status of FDIC readiness planning activities.

Our review found that the three selected divisional hazard-specific readiness plans documented crisis response-related roles and responsibilities, resources, and integration, but we identified opportunities for improvement. The following illustrates specific examples where the FDIC should enhance Division and Office hazard-specific readiness plans.

Plans to Respond to Cyber Attacks Against IDIs

The RMS Cyber Incident Response Plan (October 2016) was one of our three selected plans. It provides guidance for FDIC Headquarters staff when evaluating threats and incidents reported by IDIs and their service providers through the Field and Regional Offices.41 The plan identified predetermined criteria and thresholds that RMS personnel should use when determining whether to escalate threat and incident information to FDIC senior management. The plan also identified resources, such as the forms and reporting tools needed to document and monitor a cyber incident, and established roles for RMS, the Legal Division, and DOF personnel. However, the plan should clarify the limited responsibilities of the Legal Division and DOF personnel.

While the plan described coordination and communication with external parties such as the FBIIC and the FFIEC, it could have better defined coordination and communication within the FDIC. As a result of an exercise conducted in January 2018, RMS personnel determined that the plan should be updated to detail communication requirements between Headquarters and the Regions. In addition, while the plan briefly references coordination between RMS and OCOM, it did not describe the necessary coordination between RMS and the FDIC Call Center to address bank customer and public inquiries about an incident. Such actions help maintain public confidence in the banking system.

Footnote: 41 RMS also instituted supporting Regional Cyber Incident Reporting and Response Guides to outline the steps Regional and Field Offices should take when IDIs report threats and incidents. Each guide includes specific telephone contact information for that Region.

The FDIC should have an Agency-wide cyber incident response plan that integrates the RMS Cyber Incident Response Plan with the cyber resolution readiness planning the FDIC was conducting. Importantly, the RMS Plan did not address RMS and DRR coordination when a cyber incident has the potential to cause an IDI failure. At the time of our evaluation, the FDIC was in the early phase of a multi-divisional effort42 to develop a playbook that would identify potential FDIC responses for this scenario. Establishing such a playbook is critical for the FDIC because, according to FDIC Directive 7000.1, DSC/DRR Information Sharing43 (December 2005), FDIC access to timely and reliable information is essential for a cost-effective resolution of a failing IDI that maximizes resolution options and the number of bids received.

In March 2018, the FDIC chartered a Cyber Resolution Working Group to guide this multi-divisional effort. In April 2019, the Working Group prepared a discussion draft white paper that summarized preliminary thinking on this area and included recommendations for further analysis and work. The FDIC had not finalized the white paper as of June 2019.

Plans for Environmental and Man-Made Disasters and for Pandemics

The Atlanta Region Critical Event Management Plan (2018) was one of our three selected plans. It focused on responding to natural disasters affecting IDIs, such as hurricanes, earthquakes, and flooding. The Plan, however, did not address whether the FDIC could use it for man-made disasters, such as a nuclear event or biological event, or for a pandemic. The Plan identified roles and responsibilities for RMS and DCP personnel performing specific crisis response-related tasks. In addition, the Plan identified information technology and contracting resources needed to execute the plan, and addressed internal and external integration. However, the Plan should also identify the roles and responsibilities of the recently created multi-regional Disaster Assessment and Response Team.44 This Team ensures the FDIC posts disaster-related communications timely to the FDIC website, reports monthly on disaster recovery efforts, and participates in outreach activities to understand post-disaster community needs.

FDIC personnel indicated that each FDIC Regional Office had discretion to develop its own critical event management plan, but the FDIC had not standardized these plans across the FDIC Regions. Standardization would help FDIC personnel in one Region to benefit from response best practices and lessons learned from other Regions. For example, the Atlanta Region Critical Event Management Plan identified an important crisis management resource, the Event Management Database System,45 as well as the roles, responsibilities, and tasks related to using the system during a crisis. However, the Dallas Region plan titled Environmental and Natural Disaster Response Procedures (undated) did not contain information about this system.

The FDIC should also have an Agency-wide critical event management plan that integrates the Regional Office plans and defines the FDIC’s process for providing regulatory relief.46 Such a plan should also address how DRR and other Divisions and Offices should coordinate and respond when an environmental or other disaster, such as a pandemic, impacts an IDI during the resolution and closing processes. The FDIC has a Pandemic Influenza Plan (February 2014). However, this Plan primarily focused on internal FDIC continuity of operations considerations, and briefly described OCOM activities to communicate with IDIs and the public. The Plan did not adequately address how the FDIC might need to adjust supervision, resolution, or closing activities in the event of a pandemic impacting IDIs, and the FDIC had not updated it in the past 5 years.

Footnote: 42 DRR, OCFI, RMS, and Legal Division personnel participated in this effort.

Footnote: 43 In August 2010, the FDIC Board of Directors approved renaming the former Division of Supervision and Consumer Protection (DSC) as RMS and establishing DCP as a separate Division.

Footnote: 44 In 2017, the DCP Community Affairs Regional Managers in the Dallas, Atlanta, and New York regions and their staff formed the Disaster Assessment and Response Team. The team later expanded to include members from RMS.

Footnote: 45 RMS uses the Event Management Database System to monitor and report on the number of IDI offices that either have closed or are experiencing significant issues within a particular county or market as a result of a major emergency event. RMS gathers and reports this information to provide bank customers with information concerning how to access their funds or process banking transactions during a crisis.

Footnote: 46 Regulatory relief includes actions taken by the FDIC to help IDIs and facilitate recovery in areas affected by disasters. Examples of such actions include rescheduling examinations, considering extensions for filing quarterly Reports of Condition and Income or other reports, and temporary exceptions to appraisal requirements. The FDIC communicates regulatory relief actions to IDIs through Financial Institution Letters.

Plans for Surge Staffing

In April 2017, FDIC personnel met to initiate development of the DRR Surge Staffing Plan. The former DRR Director acknowledged the importance of this effort, stating:

The FDIC’s response to the most recent financial crisis was ultimately successful; however, there was clearly less than adequate readiness preparation during the last “peacetime.” Sufficiently scalable systems, processes, human resources, and procurement and hiring mechanisms were not in place at the onset of the last crisis. This lack of preparation put a significant strain on the Agency and put us at risk of failure to achieve our mission.

He concluded that the central lesson for the next crisis is to work diligently to build both readiness plans and response capacity during periods of low, non-crisis bank failure activity. The development of the DRR Surge Staffing Plan was a key part of that work.

In May 2018, the FDIC compiled an initial draft of the DRR Surge Staffing Plan.47 DRR led the effort to plan for a surge in staffing and other resources in response to a large increase in the volume of IDI (non-SIFI) failures resulting from a financial crisis. Other FDIC units contributed to this effort, including CU, DIT, DOA, DOF, and the Legal Division.

The DRR Surge Staffing Plan (May 2018) was one of our three selected plans. It identified the general duties and responsibilities of each DRR Branch and each participating Division and Office under the crisis scenario presented in the draft Plan. However, DRR personnel had not yet documented task-specific roles and responsibilities by, or interdependences among, readiness and response tasks.

The DRR Surge Staffing Plan broadly identified the FDIC staffing, contracting, and information technology resources that were in place or needed to support an increase in DRR staff during a financial crisis. It also contained recommendations to address current resource gaps. For example, the Plan noted that the FDIC had enhanced some systems and needed to enhance or develop other systems48 to prepare for a future financial crisis.

The DRR Surge Staffing Plan did not describe how the FDIC stress tests DRR system resources to ensure they can handle planned surge scenarios. The FDIC Crisis Resources Report stated that during the last crisis, “a number of FDIC systems” experienced, “a variety of performance and capacity problems,” because their design prevented the FDIC from readily scaling the systems to meet high user demand and the volume of transactions and data resulting from the large and sudden increase in bank closings, examinations, hiring, and contracting. The Report did not identify all of the systems that had problems, but recommended that the FDIC conduct periodic stress testing of critical systems and business processes to ensure readiness. The DRR Surge Staffing Plan also did not document integration with certain related processes developed by DOA,49 and identify the triggers and coordination needed to activate the Plan.

In addition, the FDIC should develop an Agency-wide plan that integrates the DRR Surge Staffing Plan with other FDIC surge-related efforts, such as the Division of Supervision and Consumer Protection Contingency Operating Strategies staffing plan. In addition, an Agency-wide plan should address whether the other business Divisions (DCP, DIR, and OCFI) would require additional staff and resources in a surge environment. The plan should further explain how support Divisions and Offices, in particular CU, DIT, DOA, and the Legal Division, would support the additional staff and other resources needed by those business Divisions. This comprehensive information will help ensure that the FDIC considers the cumulative effect of surge-related requirements from all FDIC Divisions and Offices for particular crisis scenarios.

Lastly, an Agency-wide plan should also consider scenarios that contemplate a major financial crisis involving the potential rapid failure of multiple large regional or national banks. The FDIC Crisis and Response Report stated that “[e]arly in the crisis, as the speed and size of failures exceeded expectations, the FDIC’s infrastructure was challenged (despite the FDIC’s efforts to improve infrastructure before the crisis), and the [Agency] was forced to devote resources to the expansion of its capacity on a largely ad hoc basis.”

Plans for a Federal Debt Default

Between 2013 and 2018, the FDIC created and updated a collection of Division and Office contingency planning documents to address a possible default on U.S. government debt resulting from a Federal debt-ceiling impasse.50 However, these documents did not have a consistent structure, which could make it difficult to determine whether the FDIC had sufficiently integrated Division and Office roles, responsibilities, resources, and communications to ensure a coordinated Agency-wide response.

Footnote: 47 DRR personnel advised that the FDIC completed the DRR Surge Staffing Plan in December 2018 and further updated it in March and September 2019.

Footnote: 48 The plan indicated the systems that the FDIC needed to enhance included the Advanced Legal Information System and the Venue Virtual Data Room, and the systems that the FDIC needed to develop included a Limited Liability Company Data System and a replacement to the FDIC Automated Corporate Tracking System.

Footnote: 49 The FDIC 2017-2018 Business Process Analysis (BPA)/Business Impact Analysis (BIA) Final Report (July 2018) describes six DOA surge-related processes related to employee hiring, employee onboarding, Call Center operations, temporary office acquisition, personnel security, and emergency contracting.

Footnote: 50 Debt Ceiling Contingency Plan: Division of Risk Management Supervision (August 2017), Draft Debt Ceiling Contingency Planning Summaries: DRR Contingency Plan (August 2017), DOA Debt Ceiling Planning (undated), Debt Ceiling Limit – DIF Contingency Funding Plans (undated), Contingency Plan: DCP Strategies (August 2017), Draft Debt Ceiling Contingency Planning Summaries: DIR (August 2017), Draft Section 13(c) of the Federal Deposit Insurance Act (September 2018), Office of Complex Financial Institutions: FDIC Contingency Planning for Debt Ceiling (October 2013), and Office of Communications: FDIC Contingency Planning for Debt Ceiling (October 2013).

For example, the Debt Ceiling Contingency Plan: Division of Risk Management Supervision (2017) identified operational procedures and protocols, while the Draft Debt Ceiling Contingency Planning Summaries: DRR Contingency Plan (2017) included a bulleted list of strategies and tasks. Further, the RMS Plan did not describe integration with DRR through participation on the interdivisional Resolution Task Force. The Legal Division, DCP, DIR, DOA, DOF, OCFI, and OCOM also developed planning documents related to their roles in this crisis scenario. The FDIC should integrate the various Division and Office plans and strategies into an Agency-wide plan to help ensure it could provide a timely and effective response should this crisis scenario occur.

As noted earlier in this report, the FDIC had no readiness planning procedures or common planning template to provide for integrated, comprehensive, and consistent plan development. FDIC personnel, therefore, had no standard guidance on what information the Division and Office plans should contain. As a result, FDIC personnel developed readiness planning documents based on their individual knowledge and experience rather than applying a uniform, comprehensive Agency-wide planning approach.

Recommendations

We recommend that the FDIC:

4. Establish and implement an Agency-wide all-hazards readiness plan that identifies and integrates FDIC readiness activities common to all crises impacting insured depository institutions.

5. Establish and implement Agency-wide hazard-specific readiness plans, as needed, to identify and integrate FDIC readiness plans and activities unique to specific hazards impacting insured depository institutions.

The FDIC Did Not Train Personnel to Understand the Content of Readiness Plans

The third element of a crisis readiness framework is training on readiness plans, which provides agency personnel an understanding of the operational concepts associated with readiness plans, and their task-related responsibilities in executing the plans during simulation exercises or when an actual crisis event occurs.

The FDIC maintains operational training programs to enhance the ability of FDIC personnel to perform their regular duties, as well as cross training to facilitate their ability to assist in other functional areas as needed. The DRR Surge Staffing Plan (May 2018) described operational training resources such as:

• A comprehensive web-based DRR Training Curriculum.

• Ongoing conversion of the Oversight Manager Certification Training Program from classroom based to computer-based instruction.

• Receivership accounting training materials for employees and contractors.

• Human resources training for new managers.

• Updated and enhanced manuals and job aids.

However, the FDIC did not train responsible personnel to understand the content of a crisis readiness plan, including their task-related responsibilities in executing the plan. Such training can also provide an understanding of when to activate the plan, who activates the plan, and in what sequence specific actions should occur. In addition, readiness plans did not require regular training for responsible personnel to enhance their understanding of the plan and how they will accomplish the plan objectives and tasks.

In general, the FDIC relied on plan exercises to instruct personnel on the content and use of readiness plans. While personnel learn about the plan when participating in exercises, the intent of exercises is to test the training that individuals should have already received on the plans. In addition, training helps personnel know what to expect during an exercise and what to do during an actual crisis event.

The FDIC Crisis and Response Report concluded that, “[a] well-informed staff is invaluable when a crisis erupts. A staff with a strong knowledge of the FDIC’s historical resolution experience and a deep understanding of its options and the legal requirements, operational requirements, costs, and policy trade-offs for each option improves the FDIC’s ability to make good decisions.” Training on the contents of readiness plans should help ensure that FDIC personnel understand when to activate the plan, the roles and responsibilities of FDIC officials, and the specific actions required of them for crisis readiness and response.

Recommendation

We recommend that the FDIC:

6. Establish and implement a process for ensuring periodic training of responsible personnel on their task-related responsibilities in executing readiness plans.

The FDIC Should Document Results of All Readiness Plan Exercises

The fourth element of a crisis readiness framework is exercises that test the readiness plan. Exercises assess readiness plan tasks, coordination, communication, and assigned roles and responsibilities; and identify capability51 gaps and opportunities for improvement.

Federal best practices state that an effective readiness plan is integrated, actionable, flexible, and scalable to address changing conditions and hazards of various sizes. Planners should test whether critical plan elements meet desired attributes by exercising the plan against scenarios of varying type and magnitude. An agency should document the results of crisis operation exercises in an “after action report” to create an historical record of the test. These reports aid in identifying strengths and weaknesses in the plan and developing a list of lessons learned to address when updating readiness plans or revising plan training.52

The FDIC conducted exercises of four of eight53 crisis readiness plans but did not adequately document the results of plan exercises that it conducted for three plans.

During the evaluation, FDIC personnel provided the following examples that evidence the FDIC periodically conducted exercises related to crisis readiness planning through the CU Strategic Simulation Program (SSP)54 or other forums and documented the exercise results.55

• Cyber Incident Exercises. RMS personnel used the CU SSP and other forums to conduct four discussion exercises, from September 2013 to February 2016, which focused on the sufficiency of existing FDIC processes to respond to a banking crisis caused by a cyber incident.56 In January 2018, RMS personnel conducted the first exercise of the RMS Cyber Incident Response Plan (2016) with a simulation scenario involving cyber incidents at multiple IDIs. Each RMS readiness exercise generated an after action report with recommendations for additional readiness activities.

• Surge Staffing Exercises. In April 2017, DRR personnel used the CU SSP to conduct a tabletop exercise to launch development of the DRR Surge Staffing Plan. In May 2018, DRR conducted a follow-up exercise to review draft planning documents. In September 2019, DRR used the CU SSP to conduct a simulation exercise of the updated DRR Surge Staffing Plan.

Footnote: 51 A capability is the means to accomplish a function or objective and encompasses authorities, policies, programs, staff, funding, and other available resources. FEMA, FEMA Operational Planning Manual, (FEMA P-1017) (June 2014).

Footnote: 52 Comprehensive Preparedness Guide 101 and the FEMA Operational Planning Manual, (FEMA P-1017) (June 2014).

Footnote: 53 The FDIC did not conduct exercises of the three debt ceiling contingency plans. The FDIC considered this hazard to be a low probability event with sufficient lead-time, “to prepare and update plans if a crisis seems more likely.” The FDIC also did not conduct exercises of the Division of Supervision and Consumer Protection Contingency Operating Strategies, because it was not designed for, “a tabletop, simulation, or roleplay.”

Footnote: 54 The SSP is a CU component that facilitates testing of proposed plans, policies, and procedures. The SSP incorporated three options for exercising readiness plans - Roundtable Discussions for initial vetting and analysis of issues; Tabletop Exercises that use roleplay to evaluate plausible courses of action; and Strategic Simulations to test, vet, and refine plans.

Footnote: 55 FDIC personnel also stated that the FDIC participated in other crisis readiness exercises that involved FDIC COOP plans, or that outside entities, such as the FBIIC and the President’s Working Group on Financial Markets, conducted. As these exercises did not specifically relate to the FDIC readiness plans included in the scope of our evaluation, we did not assess the results of those exercises.

Footnote: 56 One exercise included RMS personnel only, two exercises included personnel from most FDIC Divisions and Offices as well as inside FDIC Board members, including the Chairman, and one exercise included Federal Reserve Bank and state banking department executives as well as RMS personnel.

However, the FDIC did not always adequately document exercise results in after action reports. Specifically:

• RMS personnel indicated that the Atlanta Region Critical Event Management Plan and the Dallas Region Environmental and Natural Disaster Response Procedures had been tested during recent hurricane events. However, RMS personnel did not prepare an after action report that described the results of each exercise and identified areas for improvement.

• RMS personnel documented the exercise of the RMS Cyber Incident Response Plan in an after action report that included 20 lessons learned, containing observations and recommendations. However, one stated purpose of the exercise was to determine whether the Headquarters plan and related Regional guides promoted an efficient and effective response. The after action report did not include a conclusion on this objective.

Only one of eight plans, the RMS Cyber Incident Response Plan, included a requirement for periodic exercise of the plan. If FDIC personnel do not periodically conduct exercises of readiness plans, they may not be ready to execute plan activities in response to an actual crisis event. In addition, without documentation of the important results from exercises, the FDIC may not benefit from the lessons learned from such exercises by updating plans and training to address identified gaps.

Recommendation

We recommend that the FDIC:

7. Establish and implement a process for regularly documenting readiness plan exercise results and related recommendations, and retaining that documentation for use in readiness improvement activities.

The FDIC Identified Readiness Lessons Learned, but Did Not Have a Documented Process for Monitoring Them

The fifth element of a crisis readiness framework is monitoring lessons learned from the results of plan training, exercises, or execution during actual crisis events. An agency should review lessons learned to identify and prioritize related recommendations. An agency should track implementation of recommendations to improve preparedness and response processes for future crises.

FDIC personnel identified lessons learned and related recommendations from exercises and other readiness planning activities, including the two Agency-wide studies to evaluate the FDIC’s response to the prior financial crisis. However, the FDIC did not have a documented monitoring process for lessons learned that prioritized and tracked recommendations. In addition, the FDIC did not formally prioritize and track recommendations to determine whether the Agency consistently incorporated them into policies, procedures, and crisis-readiness plans.

FDIC Crisis and Response Report. This Report included lessons learned and recommendations that primarily applied to RMS, DRR, and DIR, stating that “[f]ollowing up on these lessons will further strengthen the FDIC’s crisis preparedness, enhancing its ongoing contribution to maintaining the nation’s financial stability.” The lessons learned and recommendations related to IDI supervision, resolutions, and receiverships. For example, one important lesson learned was that, “past performance is not a guide to future performance.” Accordingly, the Report recommended that supervisors remain highly attentive to new issues, such as cybersecurity or the effects of a prolonged low-interest-rate environment. Further, the Report said that the FDIC should not assume that issues that have not caused problems in the past would not cause problems in the future.

To address this lesson learned, RMS personnel indicated that, among several other things, RMS had issued Regional Directors Memorandum 2017-018-RMS, Regional Cyber Incident Reporting and Response Guides. This memo articulates consistent regional procedures for responding to cyber incidents reported by IDIs or service providers.

FDIC Crisis Resources Report. This Report included lessons learned and recommendations that primarily applied to CU, DIR, DIT, DOA, DOF, DRR, Legal Division, OMWI, and RMS, and were intended to maximize resource management during a crisis. The lessons learned and recommendations related to multiple FDIC resources, such as staffing, contracting, and information technology. For example, one important lesson learned was that, “forecasting and planning for appropriate budget and staff increases is needed prospectively, before financial crises occur.”

To address this lesson learned, in 2018, the FDIC developed the DRR Surge Staffing Plan. This Plan was the result of an interdivisional effort to address a 2018 DRR divisional objective to, “[c]omplete [a] Surge Staffing Playbook.” Also, in December 2018, RMS updated the Division of Supervision and Consumer Protection Contingency Operating Strategies staffing plan in response to the same lesson learned.

We sought to understand the FDIC’s responsive actions by submitting the following two questions to FDIC personnel from nine Divisions and Offices57 with recommendations in the studies:

1. What is the FDIC’s process for prioritizing and following up on lessons learned, and is the process documented?

2. Have the FDIC’s policies, procedures, and readiness plans been updated, as appropriate, to incorporate the lessons learned relevant to your Division or Office?

Regarding the first question, based on the responses from Division and Office personnel we contacted, the FDIC did not have an Agency-wide standard, documented monitoring process58 for prioritizing or following up on crisis readiness lessons learned and related recommendations.59 Regarding the second question, personnel from seven of the nine Divisions and Offices we contacted explained that some of the lessons learned from the FDIC’s crisis response studies either had been, or would be, incorporated into policies, procedures, readiness plans, or other activities.60 For example, RMS personnel provided detailed summaries presenting how the Division had addressed, or planned to address, the RMS-specific lessons learned from the FDIC Crisis and Response Report and the FDIC Crisis Resources Report.

Footnote: 57 The nine Divisions and Offices included CU, DOA, DOF, DIR, DIT, DRR, Legal Division, OMWI, and RMS.

Footnote: 58 RMS personnel reported that RMS had implemented a process for prioritizing and following up on lessons learned. This process included integrating lessons learned into RMS strategic planning, annual business plans, training, and policies.

Footnote: 59 The FDIC Corporate University Procedures Manual, Section 5.1.5, Lessons Learned (June 2016) contains a standard template that can be used to capture lessons learned.

Footnote: 60 DOA and OMWI personnel did not have readily available information about whether the FDIC had or would incorporate specific lessons learned into readiness plans and activities.

Nevertheless, FDIC personnel did not consistently monitor, through documented prioritization and tracking, the resolution of all lessons learned and related recommendations, and there was not a stated expectation that they would do so. For example, DIR personnel stated that the FDIC did not commit to pursue all resolution and readiness topics identified for further research on potential options, as described in the FDIC Crisis and Response Report. In addition, DOA personnel described the FDIC Crisis Resources Report as a reference guide that memorialized best practices for future financial crises. As such, DOA personnel stated that the FDIC did not have action plans for implementing the lessons learned.

As noted earlier in this report, the FDIC did not have readiness planning procedures. Such a readiness planning process could help maximize the FDIC’s significant investment in identifying lessons learned from the prior financial crisis by providing the FDIC additional assurance that personnel address lessons learned in updates and enhancements to policies, procedures, or readiness plans in anticipation of future crises.

Recommendation

We recommend that the FDIC:

8. Establish and implement a monitoring process for lessons learned that prioritizes and tracks recommendations to improve readiness activities.

The FDIC Should Consistently Review and Update Readiness Plans

The sixth element of a crisis readiness framework is maintenance of planning guidance and plans. An agency should periodically review and update its readiness policy, procedures, and plans to address gaps identified in readiness-related lessons learned, or after changes in operational resources or hazard profile. Such updates help ensure readiness planning documents remain current and useful.

Federal internal control standards provide that management periodically reviews policies, procedures, and related control activities for continued relevance and effectiveness in achieving the entity’s objectives or addressing related risks.

The FDIC updated seven of the eight crisis readiness plans. However, the FDIC should enhance six of eight readiness plans by including a requirement for regular maintenance. Specifically, when we conducted our evaluation work:

• RMS drafted updates to the RMS Cyber Incident Response Plan to reflect the lessons learned from the plan exercise in January 2018; however, these updates were still under RMS management review as of July 2019. The Plan included maintenance requirements, stating it should be reviewed annually and updated as necessary to incorporate lessons learned from plan testing and real life events.

• In 2018, FDIC personnel updated the Atlanta Region Critical Event Management Plan. The Plan included maintenance requirements, stating that the Critical Event Specialist would periodically review and update the plan as needed to account for input from post-event debriefings.

• The Dallas Region Environmental and Natural Disaster Response Procedures document had no date, but RMS personnel indicated that FDIC personnel had updated this document in 2018. The Plan did not indicate who should review and update the plan, or how frequently.61

• In March 2018, RMS personnel began updating the Division of Supervision and Consumer Protection Contingency Operating Strategies (2008) staffing plan. In December 2018, RMS personnel finished updating the Plan and renamed it, Division of Risk Management Supervision Contingency Operating Strategies. Neither of the plans from 2008 or 2018 indicated who should review and update the Plan, or how frequently.

• The DRR Surge Staffing Plan (May 2018) was under development at the start of our evaluation fieldwork. In December 2018, FDIC personnel completed the Plan and in March 2019, further updated the Plan. Neither of the plans from May 2018 or March 2019 indicated who should review and update the Plan, or how frequently. The FDIC Crisis Resources Report recommended annual review and update of surge staffing plans.

• In 2017 and 2018, DRR and RMS, respectively, last updated their debt ceiling contingency plans. However, OCFI62 had not updated its Federal debt ceiling contingency plan since 2013, and a DOF official referred to this document as “dated.” Neither the DRR, OCFI, nor RMS debt ceiling contingency plans included plan maintenance requirements.

Footnote: 61 The document stated that the Event Manager would update annually the internal and external stakeholder contact information and the banker call questionnaire within the Plan.

Footnote: 62 Effective July 21, 2019, the FDIC established a new Division of Complex Institution Supervision and Resolution to centralize certain responsibilities formerly held by RMS, OCFI, and DRR.

Recurring review, acknowledged by updating the document, helps ensure a plan incorporates current processes and conditions. As noted earlier in this report, the FDIC did not have readiness planning procedures, and therefore had no documented process for maintaining crisis readiness plans, or policy and procedures once established. In addition, the FDIC should maintain a central repository of crisis readiness plans to facilitate periodic maintenance. Periodic review and update of the FDIC’s readiness policy, procedures, and plans to address capability gaps or changes in the risk environment could help the FDIC prepare for an effective crisis response.

Recommendations

We recommend that the FDIC:

9. Establish and implement a process to ensure that the FDIC reviews and updates readiness plans on a recurring basis.

10. Establish and maintain a central repository of up-to-date readiness plans.

The FDIC Should Regularly Assess and Report on Agency-Wide Readiness

The seventh element of a crisis readiness framework is assessment and reporting. Readiness assessments collect and analyze data to measure and monitor progress towards meeting performance goals. Readiness reports summarize progress on building, sustaining, and achieving the required capabilities, and inform decision makers on necessary readiness improvements.

The FDIC should regularly assess and report on Agency-wide progress on crisis readiness plans and activities to key decision makers, such as the FDIC Chairman and senior management. However, the FDIC did regularly assess and report progress on certain interdivisional and divisional hazard-specific readiness activities.

The FDIC established performance measurement processes to prioritize, assess, and report on key activities to FDIC senior management and the Chairman. However, the 2018 FDIC Performance Goals did not establish a goal specifically related to Agency-wide all-hazards crisis readiness on which the FDIC would regularly brief the Chairman. In addition, we did not see other evidence that FDIC personnel regularly briefed the Chairman on Agency-wide crisis readiness.

The FDIC, however, established interdivisional goals focused on readiness for specific hazards. For example, the following two 2018 FDIC performance goals communicated the importance of interdivisional planning for future crises that may impact IDIs:

• Enhance the cybersecurity awareness and preparedness of the banking industry, to include developing a plan or playbook for an FDIC response to a major cybersecurity incident.63

• Develop and implement, in response to recent major natural disasters, targeted strategies to support recovery efforts and implement appropriate supervisory flexibilities.64

Footnote: 63 In response to this goal, OCFI personnel indicated that the FDIC’s Cyber Resolution Working Group prepared a draft internal white paper rather than a playbook.

Footnote: 64 DCP personnel indicated that responses to this goal included Disaster Assessment and Response Team outreach to IDIs and the business community on disaster recovery resources and the Team’s work to enhance the Natural Disaster Impact on Banking Operations page of the FDIC public website. RMS personnel indicated that other responses to this goal included issuing FILs, in order to provide guidance to IDIs in areas affected by natural disasters and to facilitate recovery.

The FDIC assesses and reports on FDIC performance goals and objectives quarterly to FDIC senior management and the Chairman, as described in FDIC Directive 4100.4, Corporate Planning and Budget Processes (March 2007).65 Therefore, if FDIC-wide crisis readiness were incorporated into the Agency’s performance goals and objectives, the FDIC would have a process in place to regularly assess and report the status.

[Text Box: Example Division Goals and Objectives

DRR Asset Marketing & Management’s 2018 Division Goal 4 was titled, “Ensure readiness for future failures and the next crisis” and listed 8 separate objectives.

RMS 2018 Business Plan strategic objective 2.3 stated, “RMS’ contingency preparedness plans serve as playbooks for industry events and are responsive to external threats” and listed 14 action items.]

The FDIC also established divisional readiness-related goals and objectives, and FDIC personnel periodically assessed and reported progress towards meeting those goals and objectives to Division executives. However, the FDIC’s tracking at that level did not provide a clear or comprehensive picture of the FDIC’s overall readiness for crises impacting IDIs.

The FDIC also conducts monthly Operational Review meetings attended by the Chairman, Chief of Staff, Deputies to the Chairman, and all Division and Office directors. FDIC personnel indicated that during these meetings, the attendees receive updates on the status of various operational activities, including selected interdivisional readiness activities. For example, a document reflecting a presentation at the Operational Review meeting (September 27, 2019) indicated both the completion of an interdivisional surge staffing simulation exercise and a planned interdivisional cyber resolution tabletop exercise. However, FDIC personnel were not able to provide evidence that the FDIC Chairman and senior management received regular briefings on the status of Agency-wide all-hazards crisis readiness activities.

As noted earlier in this report, the FDIC did not have readiness planning procedures, and therefore did not have a documented process for measuring overall Agency progress related to readiness efforts. A documented readiness assessment and reporting process could help the FDIC better understand the status of its overall readiness capabilities and the gaps that should be prioritized and addressed through additional readiness efforts. A regular understanding of the current state of readiness is important, as the FDIC Crisis and Response Report indicated that crises may arise rapidly and be more severe than anticipated.

Footnote: 65 The FDIC also reports the status of its performance goals to the public in its Annual Report.

By adopting the best practices reflected in the seven crisis readiness framework elements, the FDIC could improve its ability to respond timely and effectively to a crisis affecting IDIs.

Recommendation

We recommend that the FDIC:

11. Establish and implement a process to assess and report regularly on the state of the FDIC’s Agency-wide readiness to address crises impacting IDIs.

FDIC COMMENTS AND OIG EVALUATION

On March 6, 2020, the FDIC’s Deputy to the Chairman and Chief Operating Officer, on behalf of the Agency, provided a written response to a draft of this report (FDIC Response), which we presented in its entirety in Appendix 6. We carefully considered the comments in the FDIC Response.

The FDIC’s mission is to maintain stability and public confidence in the Nation's banking system by insuring deposits, examining and supervising financial institutions for safety and soundness and consumer protection, making large and complex financial institutions resolvable, and managing receiverships. This mission is intended to protect the integrity of the banking system. To ensure it can continuously achieve this mission, the FDIC must be prepared for a broad range of crises that could impact the banking system.

The FDIC stated that it “takes readiness planning very seriously and has a documented history of reviewing and reassessing readiness plans.” The FDIC also stated that it “conducts crisis planning activities and regularly works to improve agency preparedness.” The FDIC recognized that “crises, by their very nature, can be difficult to manage effectively and can stretch agency capabilities and resources.” Therefore, the FDIC acknowledged that “there is always room for improvement” and concurred, or partially concurred, with all 11 recommendations we made in this report. In implementing these recommendations, the FDIC will improve its readiness for crises by:

• Establishing and implementing a policy, procedures, and training;

• Establishing a committee to guide and oversee crisis readiness planning;

• Establishing and implementing Agency-wide all-hazards and hazard-specific plans;

• Documenting readiness plan exercises;

• Monitoring lessons learned by prioritizing and tracking recommendations;

• Reviewing, updating, and maintaining readiness plans; and

• Assessing and reporting on the FDIC’s Agency-wide readiness.

FDIC Efforts to Improve Readiness

In its response, the FDIC described 14 separate actions that the Agency had taken or had in process to improve the FDIC’s readiness to respond to future crises. The actions the FDIC described included developing surge staffing and resolution plans, conducting exercises, creating a Division to supervise and resolve complex institutions, establishing contingency contracts and strategies, maintaining hiring flexibilities, increasing information technology capacity, emphasizing forward-looking supervision, enhancing offsite monitoring, expanding special examination activities, maintaining business continuity, and announcing a voluntary separation incentive and voluntary early retirement program.66

As our report recognized, since the start of the prior financial crisis, the FDIC has continued to enhance its readiness for crises impacting IDIs. However, the 14 individual actions described in the FDIC Response demonstrate that the FDIC does not have an overarching framework for integrating and coordinating crisis readiness activities across the Divisions and Offices and do not represent a holistic Agency-wide approach. We believe an established crisis readiness framework will enhance the FDIC’s overall readiness to respond to crises impacting IDIs, and will help FDIC management and personnel understand how the various readiness efforts are interrelated.

Crisis Readiness Related to the FDIC’s Mission

The FDIC questioned our use of guidance related to Presidential Policy Directive (PPD) 8, National Preparedness (March 2011), as criteria for evaluating the FDIC’s crisis readiness efforts. The FDIC Response posited that PPD-21, Critical Infrastructure Security and Resilience (February 2013), instead, would have been an appropriate criterion by which to evaluate the Agency’s readiness efforts.

PPD-21, however, establishes a policy specifically targeted at protecting the United States critical infrastructure from cyber and physical threats and designates the Treasury Department as the Sector-Specific Agency for the Financial Services Sector. The FDIC Response indicated that the FDIC has a role in implementing PPD-21 through the Agency’s participation in Financial Services Sector activities and membership and participation in the Financial and Banking Information Infrastructure Committee.

Footnote: 66 On March 16, 2020, the FDIC Chairman announced that the FDIC had postponed implementation of the voluntary separation incentive program and voluntary early retirement program.

However, PPD-21 does not specify how the FDIC should prepare for crises related to its mission. Suggesting that the OIG should have assessed the FDIC against PPD-21 rather than PPD-8 ignores the importance of the FDIC mission and its responsibility to be prepared for all crises.

PPD-8 emphasizes that national preparedness is the shared responsibility of all levels of government, the private and nonprofit sectors, and individual citizens, referred to collectively as, “the whole community.” The PPD-8 related guidance that we described in Appendix 5 provides a unified approach and common terminology to guide planning for any type of crisis. Therefore, it could be applied to the crisis readiness planning that the FDIC conducts in support of its own mission. As our report explained, Federal internal control standards established by the GAO and non-Federal crisis readiness guidance from the OECD and Harvard Business School also support the readiness framework we derived from PPD-8 related guidance.

Appropriateness of an All-Hazards Planning Approach

The FDIC Response stated that the OIG “asserted that the all-hazards plan should cover all crisis readiness situations potentially facing the FDIC” and that “from the OIG's perspective, the all-hazards plan should include disaster events impacting IDIs such as hurricanes or floods as well as cyber events, financial crises, and other events.” The FDIC’s statements reflect a misunderstanding of the all-hazards planning approach. Our report stated that “an all-hazards plan should identify the necessary critical common functions and tasks, and individuals responsible for accomplishing them, regardless of the crisis scenario.” [Emphasis added.]

More specifically, our report explained that “hazard-specific plans . . . focus on any unique requirements for specific crisis scenarios, as necessary based on risk.” Our report did not indicate or recommend that the FDIC should describe each type of crisis in the all-hazards plan or include in that plan the distinct methods of response for each specific type of hazard.

The FDIC Response also stated that “[b]ecause the FDIC’s methods of response are markedly different for a natural disaster event versus a financial crisis, the utility of covering all hazards/crises types under a single plan is questionable.” The FDIC Response subsequently asserted that “neither PPD-21 nor the FEMA guidance cited in the report include economic or financial crises in their definitions of ‘all-hazards’ or ‘disasters’.”

We note, however, that PPD-21 contemplates “all hazards that could have a debilitating impact on national security, economic stability, public health and safety, or any combination thereof.” [Emphasis added.] Further, the OECD criteria state, “Governments are confronted with an increasing number of crises . . . creating significant economic knock-on effects.” The OECD criteria also contemplate “cascading risks that become active threats as they spread across global systems, whether these arise in health, climate, social or financial systems.” We maintain that an all-hazards plan covering the FDIC’s critical common functions and tasks, regardless of the types of crises IDIs may encounter, would improve the efficiency and effectiveness of the FDIC’s crisis readiness planning process.

Readiness Plan Training

The FDIC Response disagreed with our findings with respect to training FDIC personnel and asserted that we did not include context and certain information. The FDIC Response stated that “[d]uring the evaluation, the FDIC informed the OIG team that, in most crisis scenarios, FDIC employees will be performing the same corporate operations and activities that they regularly perform, such as supervising or resolving banks, simply in a more intense and stressed environment.”

However, this statement appears inconsistent with other statements included in the FDIC Response. Specifically, the FDIC acknowledged that crises can involve “a significant increase in examination resources and resolution staffing,” which we note would require training of new personnel on readiness plans. Additionally, the FDIC Response indicated that a crisis can lead to “unprecedented challenges for the FDIC,” which we note may also require additional training to overcome. For example, the FDIC may need to adjust its normal processes for performing onsite examinations and in-person resolutions in response to a crisis involving a pandemic, such as COVID-19.

Our report acknowledged, “[t]he FDIC maintains operational training programs to enhance the ability of FDIC personnel to perform their regular duties, as well as cross training to facilitate their ability to assist in other functional areas as needed.” We also noted that the FDIC conducts exercises and simulations. However, as our report notes, “[w]hile personnel learn about the plan when participating in exercises, the intent of exercises is to test the training that individuals should have already received on the plans. In addition, training helps personnel know what to expect during an exercise and what to do during an actual crisis event.”

Our report focused on training targeted to understanding the specific roles and responsibilities needed to execute a crisis readiness plan. Our report stated that such training can “provide an understanding of when to activate the plan, who activates the plan, and in what sequence specific actions should occur.”

Interagency Guidance to IDIs

On March 6, 2020, the Federal Financial Institutions Examination Council, of which the FDIC is a member, issued an Interagency Statement on Pandemic Planning (FFIEC Interagency Statement) to remind IDIs that their business continuity plans should address the threat of a pandemic outbreak and its potential impact on the delivery of critical financial services. We found that this guidance reflected several of the readiness framework elements that we described in our report, including the importance of organization-wide readiness planning; a committee to oversee readiness planning; and plan training, regular plan exercises, and periodic plan maintenance. We noted that although the FDIC had not fully established these items as part of its crisis readiness planning, the FDIC expects that IDIs should have these items as part of their business continuity planning.

Planned Corrective Actions to Address OIG Recommendations

The FDIC concurred with seven of the recommendations in the report and partially concurred with the remaining four recommendations. We reviewed the FDIC’s planned actions and determined them to be responsive to our recommendations. We therefore consider all 11 recommendations to be resolved. We summarized the FDIC’s planned corrective actions, including planned alternative actions, in Appendix 7.

We note that the FDIC’s estimated completion dates range from approximately 15 months (June 30, 2021) to approximately 2 years (March 31, 2022) from the date of our report. For example, the FDIC Response stated that it would take 15 months to assign crisis readiness planning oversight to the Operating Committee. Additionally, the FDIC Response stated that it would take 2 years to establish and implement Agency-wide hazard specific readiness plans. We have also described below our perspectives on the recommendations with partial concurrence (Recommendations 2, 4, 6, and 10) and specific expectations for resolving Recommendations 4, 5, 6, 8, and 10. All 11 recommendations will remain open until the OIG confirms that the FDIC has completed the corrective actions.

Recommendation 2. The FDIC partially concurred with the OIG’s recommendation to “[e]stablish a committee to guide and oversee FDIC crisis readiness planning.”

The FDIC Response stated that “[t]he FDIC will not create a new committee for this purpose and will instead assign responsibility to its Operating Committee for overseeing crisis readiness planning efforts.”

We believe that the FDIC’s planned corrective action represents concurrence with the recommendation, which did not require the FDIC to create a new committee. Assigning the responsibility for overseeing crisis readiness planning efforts to the Operating Committee meets the intent of our recommendation.

Recommendation 4. The FDIC partially concurred with the OIG’s recommendation to “[e]stablish and implement an Agency-wide all-hazards readiness plan that identifies and integrates FDIC readiness activities common to all crises impacting insured depository institutions.” The FDIC Response stated that “[t]he FDIC will engage a crisis readiness consulting firm to obtain advice and recommendations on improving the agency's crisis planning framework and maturing the existing crisis readiness program. Based on this feedback and advice, we will develop and implement agency-wide readiness plan(s) appropriate for the FDIC's mission and responsibilities.”

We understand the FDIC’s need to consult with an outside firm in the area of crisis readiness. In order to satisfy this recommendation, we would expect that, after such consultation, the FDIC will develop an Agency-wide all-hazards plan. The consultants may provide guidance on how to implement this recommendation, but the plan should identify and integrate the FDIC’s critical common functions and tasks regardless of the crisis scenarios IDIs may encounter.

Recommendation 5. The FDIC concurred with the OIG’s recommendation to “[e]stablish and implement Agency-wide hazard-specific readiness plans, as needed, to identify and integrate FDIC readiness plans and activities unique to specific hazards impacting insured depository institutions.” The FDIC Response stated that “FDIC staff discussed with the OIG that the decision to develop agency-wide hazard-specific readiness plans would be risk-based, considering impact, likelihood, and criticality of the individual plan and whether the plan involved multiple divisions.” The FDIC Response added that “[t]he FDIC confirmed with the OIG that there is not an expectation that all or even most readiness plans would be expanded to be agency-wide.”

The FDIC Response mischaracterized our discussion with the FDIC regarding this recommendation. The OIG did not confirm an expectation regarding the number of hazard-specific readiness plans that the FDIC would need. The DHS National Planning System (February 2016) acknowledges that “[p]lanning is fundamentally a method to manage risk.” Our report reflected this point, stating that “supplemental plans describe any unique requirements for specific hazard scenarios, as necessary based on risk.” [Emphasis added.]

Consistently, our report concluded that the FDIC should develop “Agency-wide hazard-specific plans, as needed, to integrate divisional plans containing requirements unique to certain types of crises.” [Emphasis added.] Our expectation, based upon our evaluation of the FDIC’s existing readiness plans, is that Agency-wide hazard-specific plans are appropriate for the FDIC.

Recommendation 6. The FDIC partially concurred with the OIG’s recommendation to “[e]stablish and implement a process for ensuring periodic training of responsible personnel on their task-related responsibilities in executing readiness plans.” The FDIC Response stated that “[i]n most crisis scenarios, FDIC employees will be performing the same corporate operations and activities that they regularly perform, but in a more intense and stressed environment.” The FDIC “acknowledges there could be instances where unique skills or responsibilities are required to execute readiness plans. The crisis readiness policy and procedures . . . will require that readiness plans explicitly state whether staff require any specialized training or skills in order to execute the readiness plan. Further, the FDIC will look for additional opportunities to train staff to conduct operations in a stressful environment.”

We believe the FDIC’s proposed actions are responsive to meet the intent of our recommendation. We reiterate our expectation that the FDIC should train all responsible personnel to understand their roles during a crisis regardless of whether their responsibilities change or the environment simply becomes more intense and stressful.

Recommendation 8. The FDIC concurred with the OIG’s recommendation to “[e]stablish and implement a monitoring process for lessons learned that prioritizes and tracks recommendations to improve readiness activities.” The FDIC Response mischaracterized the OIG’s position by stating, “[t]he OIG confirmed it did not intend that the FDIC track all recommendations resulting from plan exercises, just those deemed significant, and the FDIC agrees with this view.” The OIG did not confirm such intention. We maintain the conclusions presented in our report.

Our report concluded that the FDIC “[s]hould document the important results of all readiness plan exercises.” Such results can include lessons learned and related recommendations. The FEMA Operational Planning Manual (June 2014) explains the importance of reviewing lessons learned to identify and prioritize related recommendations. Prioritizing recommendations helps focus efforts on the most important corrective actions and tracking helps ensure they are implemented. Our expectation is that the FDIC will formally prioritize and track all recommendations that will improve readiness activities.

Recommendation 10. The FDIC Response partially concurred with the recommendation to “[e]stablish and maintain a central repository of up-to-date readiness plans.” The FDIC Response stated that “[t]he FDIC will take action to ensure that readiness plans remain up-to-date and are readily available. The FDIC plans to further explore how best to maintain readiness plans with the crisis readiness consultant, including whether a central repository represents the most effective operational response.”

The FEMA Operational Planning Manual recommends the establishment of a clear process to enable stakeholders to locate the current version of a readiness plan, and to archive outdated versions. The manual also acknowledges that end users and operations personnel need to be able to quickly access and use readiness plans. Our expectation is that the process or system developed by the FDIC to maintain crisis readiness plans will provide appropriate personnel with readily available access to the current versions of these plans.

Appendix 1 Objective, Scope, and Methodology

Objective

Our evaluation objective was to assess the FDIC's readiness to address crises that could impact insured depository institutions.

We initiated this evaluation in 2018 and it covered the FDIC’s readiness planning and preparedness activities up to early 2019. Our work was not conducted in response to the current pandemic situation, nor is the report specific to any particular type of crisis.

We performed our work from March 2018 to January 2019 at the FDIC’s offices in Arlington, Virginia, Washington, D.C., and Dallas, Texas. We updated information regarding the status of certain readiness plans and activities through September 2019. We also reviewed and considered information about the FDIC’s readiness activities that FDIC personnel provided as part of the draft report process in September and October 2019 and January 2020. We performed our work in accordance with the Council of the Inspectors General on Integrity and Efficiency’s Quality Standards for Inspection and Evaluation.

Scope and Methodology

The evaluation scope included FDIC crisis readiness plans and related planning activities, completed or in process at the time of our evaluation. These plans and activities involved the FDIC’s preparations for responding to financial, environmental, technological, or other hazardous events that could negatively impact the financial condition or operations of IDIs.

We excluded from our scope COOP planning-related activities, which focus on how the FDIC addresses crises that impact its internal operations. The FDIC established criteria and assigned responsibilities for COOP through two FDIC Directives.67 The OIG and GAO regularly review FDIC COOP-related activities.68

Footnote: 67 FDIC Directive 1500.5, FDIC Emergency Preparedness Program (January 2007) and FDIC Directive 1360.13, Information Technology Contingency Planning (June 2008).

Footnote: 68 For example, OIG Report, The FDIC’s Information Security Program–2018 (AUD-19-001) (October 2018); and GAO Report, Information Security: FDIC Needs to Improve Controls over Financial Systems and Information (GAO-17-436) (May 2017).

We also excluded from our scope financial crisis-related planning activities for the resolution of SIFIs, which the FDIC conducts related to the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act)69 or relevant FDIC regulation.70 Both the FDIC OIG71 and the GAO72 have performed various audit and evaluation assignments to review resolution planning for these entities.

To address our evaluation objective, we obtained and reviewed Federal and non-Federal documents relevant to crisis readiness in order to identify best practices for evaluation. See Appendix 5 for a description of these Federal and non-Federal best practices documents.

We contacted FDIC personnel in the following Divisions and Offices,73 regarding FDIC crisis readiness-related plans and activities, and FDIC roles and responsibilities for those activities:

• Corporate University

• Division of Administration

• Division of Depositor and Consumer Protection

• Division of Information Technology

• Division of Insurance and Research

• Division of Finance

• Division of Resolutions and Receiverships

• Division of Risk Management Supervision

• Executive Office

• Legal Division

• Office of Communications

• Office of Complex Financial Institutions

• Office of Minority and Women Inclusion

Footnote: 69 Pub. L. No. 111-203, 124 Stat. 1376 (2010). The Dodd-Frank Act Section 165(d) required certain nonbank financial companies and bank holding companies with $50 billion or more in total consolidated assets to submit periodically to the Board of Governors of the Federal Reserve System and the FDIC a plan for the companies' rapid and orderly resolution in the event of material financial distress or failure. In 2018, the Economic Growth, Regulatory Relief and Consumer Protection Act increased the minimum threshold for resolution plans under Dodd-Frank Act, section 165(d), to $250 billion. See 12 C.F.R. §§ 243, 381 (2019) (final rule increasing the minimum threshold to $250 billion).

Footnote: 70 12 C.F.R. § 360.10, Resolution plans required for IDIs with $50 billion or more in total assets (2012). As of December 31, 2018, approximately 45 U.S. IDIs, with total assets of $13.1 trillion, were subject to this regulation.

Footnote: 71 For example, OIG Report, The FDIC's Progress in Implementing Systemic Resolution Authorities under the Dodd-Frank Act (AUD-14-001) (November 2013); OIG Report, The FDIC's Resolution Plan Review Process (EVAL-16-006) (September 2016); OIG Report, The FDIC's Risk Monitoring of Systemically Important Financial Institutions' Proximity and Speed to Default or Danger of Default (EVAL-17-003) (January 2017); and OIG Report, Claims Administration System Functionality (EVAL-18-002) (March 2018).

Footnote: 72 For example, GAO Report, Bank Regulation: Lessons Learned and a Framework for Monitoring Emerging Risks and Regulatory Response (GAO-15-365) (June 2015); and GAO Report, Resolution Plans: Regulators Have Refined Their Review Processes but Could Improve Transparency and Timeliness (GAO-16-341) (April 2016).

Footnote: 73 We contacted these entities because FDIC documentation or personnel indicated these Divisions and Offices had a role in crisis readiness or response.

We also interviewed officials with knowledge of crisis readiness planning from FEMA, whose guidance we reference in this report, and from the Board of Governors of the Federal Reserve System, another Federal agency responsible for the supervision of IDIs.

We considered the following GAO reviews of Federal agency crisis readiness while conducting our evaluation:

• GAO Report, National Preparedness, FEMA Has Made Progress, but Needs to Complete and Integrate Planning, Exercise, and Assessment Efforts (GAO-09-369) (April 2009).

• GAO Testimony, Disaster Response, Criteria for Developing and Validating Effective Response Plans (GAO-10-969T) (September 2010).

• GAO Report, Emergency Preparedness, Opportunities Exist to Strengthen Interagency Assessments and Accountability for Closing Capability Gaps (GAO-15-20) (December 2014).

Sampling Methodology

We selected a non-statistical sample74 of three of eight FDIC crisis readiness plans that FDIC personnel provided at the time of our evaluation. For each selected plan, we assessed whether the plan contained information related to the following five components or sections of a base readiness plan, which we identified in Federal best practices.75

• Situation. Identifies the purpose of the plan, the hazard(s) addressed, background information, and critical considerations and assumptions.

• Mission. Identifies senior leaders’ intent for the plan and the desired end state.

• Execution. Identifies how the plan will accomplish the mission, including the tasks required and key roles and responsibilities for task execution.

• Administration, Resources, and Funding. Identifies plan administration, the resources, such as staffing, contracting, and information technology needed to implement the plan, and the funds needed for operations.

• Oversight, Coordination, and Communications. Identifies plan integration, including the organization’s oversight of plan execution, coordination of tasks and personnel, and communication among stakeholders.

Footnote: 74 The results of a non-statistical sample cannot be projected to the sampled population.

Footnote: 75 FEMA, FEMA Operational Planning Manual (FEMA P-1017) (June 2014).

We also performed a limited review of the other five FDIC crisis readiness-related plans, as well as other readiness-related planning documents, to determine their status and whether such documents were consistent across the FDIC.

Appendix 2 Acronyms and Abbreviations

CFO - Chief Financial Officer

C.F.R. - Code of Federal Regulations

COOP - Continuity of Operations

CU - Corporate University

DCP - Division of Depositor and Consumer Protection

DHS - Department of Homeland Security

DIF - Deposit Insurance Fund

DIR - Division of Insurance and Research

DIT - Division of Information Technology

DOA - Division of Administration

DOF - Division of Finance

DRR - Division of Resolutions and Receiverships

DSC - Division of Supervision and Consumer Protection

FBIIC - Financial and Banking Information Infrastructure Committee

FDIC - Federal Deposit Insurance Corporation

FEMA - Federal Emergency Management Agency

FFIEC - Federal Financial Institutions Examination Council

FIL - Financial Institution Letter

FSSSP - Financial Services Sector-Specific Plan

GAO - Government Accountability Office

HBS - Harvard Business School

IDI - Insured Depository Institution

Legal - Legal Division

NCIRP - National Cyber Incident Response Plan

NIPP - National Infrastructure Protection Plan

OCFI - Office of Complex Financial Institutions

OCOM - Office of Communications

OECD - Organisation for Economic Co-operation and Development

OIG - Office of Inspector General

OLA - Office of Legislative Affairs

OMWI - Office of Minority and Women Inclusion

OO - Office of the Ombudsman

PPD - Presidential Policy Directive

RMC - Resource Management Committee

RMS - Division of Risk Management Supervision

RPC - Resolution Policy Committee

RTF - Resource Task Force

SIFI - Systemically Important Financial Institution

SSA - Sector-Specific Agency

SSP - Strategic Simulation Program

U.S. - United States

Appendix 3 FDIC Division and Office Roles and Responsibilities

This appendix summarizes the roles and responsibilities of the FDIC’s Divisions and Offices as described in FDIC internal documents.

Corporate University - CU is the training and employee development arm of the FDIC, and supports the Agency’s mission and business objectives through continuous learning and development. CU provides opportunities for employees to learn about the FDIC's major program areas of supervision, compliance, resolutions, and insurance.

Division of Administration - DOA is responsible for providing administrative management support to internal customers in eight major functional areas, including: human resources, facilities operations, lease administration, procurement, mail operations, records management, security and emergency preparedness, and the FDIC Call Center.

Division of Depositor and Consumer Protection - DCP supervises IDIs to ensure they treat consumers and depositors fairly and operate in compliance with Federal consumer protection, anti-discrimination, and community reinvestment laws. DCP also promotes economic inclusion by helping to build and strengthen positive connections between IDIs and consumers, depositors, small businesses, and communities.

Division of Finance - DOF provides accounting, financial, and employee services that support and enhance management’s ability to make effective and sound business decisions impacting Divisions and Offices, the FDIC, the banking industry, and the public.

Division of Insurance and Research - DIR offers comprehensive statistical information on banking; identifies and analyzes emerging risks; conducts research that supports deposit insurance, banking policy, and risk assessment; addresses global financial issues of importance to the U.S. deposit insurance system; assesses the adequacy of the DIF; maintains a risk-based premium system; and conducts economic analysis for FDIC rulemaking.

Division of Resolutions and Receiverships - DRR is responsible for IDI closings and for the receivership processes occurring both before and after failure of IDIs. DRR's responsibilities include the marketing and sale of the IDI's franchise before failure, overseeing the termination of an institution’s operations, the paying of insured deposits, and the marketing and sale of available assets after failure in order to satisfy the outstanding liabilities of the receivership.

Division of Risk Management Supervision - RMS examines and supervises insured depository institutions, leads policy development, evaluates resolution plans, and monitors and mitigates systemic risks to the safety and soundness of IDIs.

Legal Division - Legal provides legal services to the FDIC to support the Agency’s mission-related activities, including legal advice, litigation support, and ensuring compliance with applicable laws and regulations. Legal support for an IDI closing is bifurcated, with Headquarters-based legal staff providing qualified financial contract support and Dallas-based legal staff providing onsite support at the closing bank site.

Division of Information Technology - DIT provides information technology support to the FDIC and its customers. DIT operates the Virginia Square Data Center that provides and supports the FDIC network and automated data processing services for FDIC business operations. DIT performs contingency planning to ensure continuity in its delivery of information technology services to FDIC users and customer organizations.

Office of Communications - OCOM provides information about the FDIC, including its policies and programs, to the media, the public, the financial services industry, and FDIC employees. OCOM regularly responds to press inquiries. OCOM also initiates outreach activities to inform the public about deposit insurance, consumer protection, and financial literacy issues.

Office of Complex Financial Institutions - OCFI focuses on the supervisory, insurance, and resolution risks presented to the FDIC by the largest and most complex financial institutions. OCFI is responsible for ensuring that global SIFIs operating in the United States are resolvable under the Bankruptcy Code as prescribed by Title I of the Dodd-Frank Act. OCFI also develops strategies to resolve global SIFIs using the orderly liquidation backstop authority in Title II of the Dodd-Frank Act.

Office of Legislative Affairs - OLA serves as the agency’s congressional liaison and monitors and responds to legislation important to the FDIC. The FDIC established OLA to act as a central contact point for Members of Congress and their staff who have inquiries relating to the work of the FDIC. Consequently, OLA is an information resource and encourages employees to contact OLA staff if they need assistance with anything relating to congressional inquiries.

Office of Minority and Women Inclusion - OMWI works to ensure equal employment opportunity for all employees and applicants for employment; to achieve a workforce that is diverse and inclusive; and to increase participation of minority-owned and women-owned businesses in the programs and contracts of the Agency to the maximum extent possible.

Office of the Ombudsman - OO is an independent, neutral, and confidential resource and liaison for the banking industry and general public to facilitate the resolution of problems and complaints against the FDIC in a fair, impartial, and timely manner.

Appendix 4 Potential Hazards for Insured Depository Institutions

The World Economic Forum,76 The Global Risks Report 2018, 13th Edition identified a list of hazardous risks that could affect the world economy, and thereby potentially affect IDIs. Included below are examples of risks that the Report indicated had an above average likelihood or above average negative impact. The risks listed below track the risk categories discussed in the Report.

Economic Risks

Asset Bubble – Unsustainably overpriced assets such as commodities, housing, and equity shares in a major economy or region.

Environmental Risks

Extreme Weather Events – Major property, infrastructure, and/or environmental damage as well as loss of human life caused by events such as floods and hurricanes.

Man-made Environmental Disasters – Failure to prevent major man-made damage, including environmental crime, from events such as oil spills and radioactive contamination, causing harm to human lives and health, infrastructure, property, economic activity, and the environment.

Natural Disasters – Major property, infrastructure and/or environmental damage as well as loss of human life caused by geophysical disasters such as earthquakes, volcanic activity, landslides, tsunamis, or geomagnetic storms.

Geopolitical Risks

Terrorist Attack – Individuals or non-state groups with political or religious goals that successfully inflict large-scale human or material damage.

Weapons of Mass Destruction – The deployment of nuclear, chemical, biological or radiological technologies and materials, creating international crises and potential for significant destruction.

Societal Risks

Spread of Infectious Disease – Bacteria, viruses, parasites or fungi that cause uncontrolled spread of infectious diseases (for example, as a result of resistance to antibiotics, antivirals and other treatments) leading to widespread fatalities and economic disruption.

Technological Risks

Critical Information Infrastructure Breakdown – Cyber dependency that increases vulnerability to outage of critical information infrastructure (for example, internet and satellites) and networks, causing widespread disruption.

Cyber Attacks – Large-scale cyber attacks or malware causing large economic damages, geopolitical tensions, or widespread loss of trust in the internet.

Data Fraud/Theft – Wrongful exploitation of private or official data that takes place on an unprecedented scale.

Footnote: 76 Established in 1971 as a not-for-profit foundation, the World Economic Forum is an international organization for public-private cooperation.

Appendix 5 Crisis Readiness Best Practices

We interviewed crisis readiness subject-matter experts from the Federal Emergency Management Agency, and reviewed publicly available websites, to identify Federal and non-Federal documents containing best practices related to crisis readiness planning. We reviewed these best practices documents and identified seven important elements of a crisis readiness framework that could be applied to the FDIC, based on our judgment and understanding of FDIC operations. This appendix summarizes the crisis readiness best practices documents we reviewed during the evaluation, and correlates them to the seven elements of a crisis readiness framework.

Federal Crisis Readiness Best Practices

The requirements established by Presidential Policy Directive (PPD) 8, National Preparedness (March 2011), serve as the foundation for Federal crisis readiness best practices. PPD-21, Critical Infrastructure Security and Resilience (February 2013) and PPD-41, United States Cyber Incident Coordination (July 2016), align with the National Preparedness Goal and System required by PPD-8, and establish policies specifically targeted at protecting United States critical infrastructure from cyber and physical threats.

PPD-8

PPD-8 communicates the importance of strengthening the security and resilience of the United States through systematic preparation for the threats that pose the greatest risk to the security of the Nation. These risks include acts of terrorism, cyber-attacks, pandemics, and catastrophic natural disasters. PPD-8 emphasizes that national preparedness is the shared responsibility of all levels of government, the private and nonprofit sectors, and individual citizens, referred to collectively as, “the whole community.”

PPD-8 charges DHS with establishing a National Preparedness Goal and developing a National Preparedness System with an integrated set of guidance, programs, and processes needed to achieve the National Preparedness Goal.77 PPD-8 holds the Secretary of Homeland Security responsible for coordinating the domestic all-hazards preparedness efforts of all executive departments and agencies. The heads of all executive departments and agencies with roles in prevention, protection, mitigation, response, and recovery are responsible for national preparedness efforts, including preparing department-specific operational plans, as needed, consistent with their statutory roles and responsibilities.

Footnote: 77 DHS defined the National Preparedness Goal as, “A secure and resilient Nation with the capabilities required across the whole community to prevent, protect against, mitigate, respond to, and recover from the threats and hazards that pose the greatest risk.” See DHS, National Preparedness Goal (September 2015).

PPD-21

PPD-21 identifies 16 critical infrastructure sectors and designates an associated Federal Sector-Specific Agency (SSA) that has institutional knowledge and specialized expertise over a sector. PPD-21 designates the Treasury Department as the SSA for the Financial Services sector.78 The DHS NIPP 2013 Partnering for Critical Infrastructure and Resilience (National Infrastructure Protection Plan or NIPP), a key product of PPD-21, aligns with the National Preparedness System required by PPD-8. The NIPP states that each SSA must coordinate with DHS and other relevant Federal departments and agencies to implement the directive. Each SSA must further collaborate with critical infrastructure owners and operators, and where appropriate with independent regulatory agencies, which includes the FDIC.

Each critical infrastructure sector creates a Sector-Specific Plan that supports the NIPP. The Financial Services Sector-Specific Plan 2015 (FSSSP) provides an overview of the sector and the cybersecurity and physical risks it faces, establishes a strategic framework that serves as a guide for prioritizing the sector’s day-to-day work, and describes the key mechanisms through which this strategic framework is implemented and assessed. The FSSSP indicates that the FDIC supports the goals of PPD-21 through its participation in the FBIIC and related collaboration with the Treasury Department.

PPD-41

PPD-41 provides additional responsibilities for SSAs, including the Treasury Department, with regard to responding to cyber incidents. The DHS National Cyber Incident Response Plan (December 2016) (NCIRP), a key product of PPD-41, states that PPD-41 complements and builds upon PPD-8 by integrating cyber and traditional preparedness efforts to manage incidents that include both cyber and physical effects. The NCIRP explains that while it focuses on cyber incident response efforts, the National Preparedness System under PPD-8 “outlines a broader architecture that establishes how the broader community prevents, protects against, mitigates, responds to, and recovers from all threats and hazards.” The NCIRP states that, “[b]oth the Comprehensive Preparedness Guide (CPG) 101 and the Response Federal Interagency Operational Plan . . . are foundational documents that agencies and organizations can leverage and tailor to cyber incidents to develop their own operational response plans.”

Footnote: 78 The Treasury Department’s Office of Critical Infrastructure and Compliance Policy, which is not a regulator, is responsible for carrying out the Department’s duties as the SSA for the Financial Services Sector. In that role, the Treasury Department is responsible for leading, facilitating, or supporting the security and resilience programs and associated activities for the sector in the all-hazards environment. This work includes serving as the chair of the FBIIC.

Applicability of Federal Crisis Readiness Best Practices to the FDIC

In April 2018, an FDIC Legal Division attorney opined, “[t]o our knowledge, the FDIC has not been identified as having a role in the national planning framework.” Further, PPD-8 does not identify the FDIC as an agency responsible for developing operational plans as part of the National Preparedness System. In addition, neither PPD-21, PPD-41, nor their related products, the NIPP, FSSSP, and NCIRP, identify specific responsibilities for the FDIC. However, the FDIC, through its participation in FBIIC activities, supports the FBIIC’s Government Coordinating Council responsibilities within the NIPP and FSSSP.

FDIC personnel did not use PPD-8 or PPD-21 as criteria for developing readiness plans. FDIC personnel considered the PPD-41 based NCIRP as criteria when developing the RMS Cyber Incident Response Plan. However, our research identified several sources of PPD-8 related best practices for crisis readiness that could be applied to the FDIC’s crisis readiness planning, based on our judgment and understanding of FDIC operations. Non-Federal best practices reinforce the concepts in Federal best practices. We describe the sources of Federal and non-Federal best practices below.

The DHS and FEMA are leaders in Federal readiness planning in support of PPD-8. The DHS issued the National Preparedness Guidelines (September 2007), which established a National Preparedness System that outlined an overarching framework for organizing preparedness activities and programs. The DHS National Preparedness System (November 2011) provides summary information on the components of the framework. The GAO has used these documents as criteria for evaluating FEMA disaster preparedness planning.79 One product of the DHS National Preparedness System, the DHS National Planning System (February 2016), “provides a unified approach and common terminology to plan for all-threats and hazards and across all mission areas of Prevention, Protection, Mitigation, Response, and Recovery.”80 The National Planning System contains an overview of the planning process more fully described in the FEMA guidance discussed below.

Footnote: 79 GAO-09-369 and GAO-15-20.

Footnote: 80 The DHS National Preparedness System states that the National Planning System will use, “a common approach and terminology based on existing guidance documents.” The document further states, “[p]lans should be developed in a manner compatible with the process identified in Comprehensive Preparedness Guide 101 or a similar planning structure relevant to the planning requirement.”

FEMA documented its process for operational planning in the FEMA Operational Planning Manual (FEMA P-1017) (June 2014) (“FEMA Planning Manual”). FEMA developed this manual primarily for its internal use, to ensure its operational planning activities are consistent with the provisions of PPD-8. However, FEMA Division of Planning and Exercises personnel we interviewed stated that other agencies are also using the operational planning methodology described in the manual. The manual describes two types of operational plans:

• Deliberate plans, developed under non-emergency conditions that describe, among other things, agency crisis-related roles and responsibilities, impacts on existing authorities, tasks, resources needed, coordination and communication requirements.

• Crisis action plans, developed in response to specific incidents or credible threats.

The FEMA Operational Planning Keystone (FEMA P-1035) (August 2015) emphasizes that readiness planning is a fundamental responsibility of senior leaders and supports effective decision-making. This document states that “as decision makers, senior leaders should provide guidance and direction throughout the planning process. They also have the responsibility to identify strategies,81 approve concepts, ensure compliance with applicable laws and statutes, and approve planning products and deliverables. Senior leaders’ engagement throughout the planning process ensures that all products, deliverables, and plans will be supported with the required personnel and resources.”

FEMA also published the Developing and Maintaining Emergency Operations Plans, Comprehensive Preparedness Guide (CPG) 101, Version 2.0 (November 2010), which provides the fundamentals of planning and developing emergency operations plans. FEMA explains that Comprehensive Preparedness Guide 101 promotes a common understanding of the fundamentals of risk-informed planning and decision-making to help planners examine a hazard or threat and produce integrated and flexible plans. The goal of this guide is to make the planning process routine across all phases of emergency management and for all homeland security mission areas. The guide helps planners at all levels of government in their efforts to develop and maintain viable all-hazards, all-threats emergency operations plans. Accomplished properly, planning provides a methodical way to engage the whole community in thinking through the life cycle of a potential crisis, determining required capabilities, and establishing a framework for roles and responsibilities. The FEMA Planning Manual states that it is consistent with Comprehensive Preparedness Guide 101.

Footnote: 81 FEMA defines a strategy as a carefully devised plan of action to achieve one or more objectives.

Organisation for Economic Co-operation and Development

The OECD is an international organization comprised of 36 member countries from North and South America, Europe, and the Asia-Pacific region, including the United States. The OECD helps governments foster prosperity and fight poverty through economic growth and financial stability. Accordingly, the OECD has published documents regarding governmental preparation for crisis, including the report Strategic Crisis Management (December 2012) (“OECD Report”) that presents findings from work conducted in the OECD High-Level Risk Forum.82 The OECD Report draws on the discussions among 40 participants from 12 OECD countries, academia, the private sector, and international organizations to discuss the challenges that they are confronted with in crisis management.

The OECD Report aims to discuss and assess practices of crisis management and contribute to identifying good practices. Recommended practices in the OECD Report that align with Federal best practices for readiness include:

• Clear mandates supported by comprehensive policies and legislation.

• The use of standard operating procedures to govern operations and coordination, including information-sharing and communication protocols.

• Establishment of pre-defined emergency or contingency plans.

• Allocation of resources for all activities necessary to prepare for a crisis, including risk assessment, early warning systems, and training and exercising.

• Feedback mechanisms that draw lessons from past crisis or disastrous events to help improve preparedness and response processes.

Harvard Business School

The Harvard Business School presents a section on its website entitled, “Working Knowledge” with articles containing research for business leaders. The HBS Working Knowledge article Your Crisis Response Plan: The Ten Effective Elements (September 2002) (“HBS Article”) summarizes, “the findings of research and experience about what it takes to respond effectively in crisis situations.” Recommended practices in the article that align with Federal best practices for readiness include:

• A representative set of crisis scenarios that guide the organization’s planning.

• A core plan, supported by response modules for specific scenarios.

• A clear chain of command during a crisis, to prevent an incoherent organizational crisis response.

• Regular, unscheduled simulation exercises to test speed of response.

• Mechanisms to ensure a disciplined post-crisis review, including identification of changes to the organization, its procedures, and its support resources.

Footnote: 82 The OECD established the High-Level Risk Forum in 2011 to offer a venue to achieve a shared and defined vision of integrated risk management, of which interagency crisis management is a core element.

Elements of a Crisis Readiness Framework and Supporting Best Practices Documents

Our review of Federal and non-Federal best practices identified seven important elements of a crisis readiness framework that are relevant to the FDIC – (i) Policy and Procedures; (ii) Plans; (iii) Training; (iv) Exercises; (v) Lessons Learned; (vi) Maintenance; and (vii) Assessment and Reporting. We describe these seven elements in detail in the Background and Evaluation Results sections of this report. Table 2 below correlates each of the seven elements to the best practices that support the need for this element in a crisis readiness framework.

Table 2: Crisis Readiness Framework Elements and Supporting Documents

DOCUMENT: DHS National Preparedness Guidelines Framework Element: POLICY & PROCEDURES, PLANS, TRAINING, EXERCISES, LESSONS LEARNED, MAINTENANCE, ASSESSMENT & REPORTING

DOCUMENT: DHS National Preparedness System Framework Element: POLICY & PROCEDURES, PLANS, TRAINING, EXERCISES, LESSONS LEARNED, MAINTENANCE, ASSESSMENT & REPORTING

DOCUMENT: FEMA Operational Planning Manual Framework Element: POLICY & PROCEDURES, PLANS, TRAINING, EXERCISES, LESSONS LEARNED, MAINTENANCE, ASSESSMENT & REPORTING

DOCUMENT: FEMA Comprehensive Preparedness Guide 101 Framework Element: PLANS, TRAINING, EXERCISES, LESSONS LEARNED, MAINTENANCE

DOCUMENT: OECD Report Framework Element: POLICY & PROCEDURES, PLANS, TRAINING, EXERCISES, LESSONS LEARNED

DOCUMENT: HBS Article Framework Element: PLANS, EXERCISES, LESSONS LEARNED

[End of table]

Source: OIG review of Federal and non-Federal crisis readiness best practices.

Appendix 6 FDIC Comments

[FDIC letterhead]

DATE: March 6, 2020

MEMORANDUM TO: Terry L. Gibson, Assistant Inspector General for Program Audits and Evaluations, Office of Inspector General

FROM: Arleas Upton Kea /Signed/, Deputy to the Chairman and Chief Operating Officer

SUBJECT: Management Response to the OIG Draft Report, Readiness for Crises (Assignment No. 2018-012)

The FDIC appreciates the opportunity to comment on the Office of Inspector General's (OIG) draft evaluation report titled, The FDIC's Readiness for Crises, issued on February 7, 2020. This memorandum also includes our planned actions to address the report recommendations.

Introduction

The FDIC takes readiness planning very seriously and has a documented history of reviewing and reassessing readiness plans. The FDIC conducts crisis planning activities and regularly works to improve agency preparedness. Readiness is in our DNA and is fundamental to our agency mission, vision, and values. The FDIC's core value of "effectiveness" involves responding quickly and successfully to risks in insured depository institutions and the financial system.

The FDIC has a strong and recognized track record of effectively responding to crises. During the 2008 financial crisis, the FDIC implemented financial stability programs that calmed markets and restored trust, supervised or monitored almost 900 problem banks at the height of the crisis and nearly 1,800 over its course, successfully resolved 489 bank failures while protecting insured depositors, and managed a highly successful shared-loss program that reduced failed bank losses by more than $40 billion over initial liquidation value estimates.

While certain management challenges exist in the human capital and succession planning area, FDIC management is working diligently to ensure that those challenges do not impair operational performance of core functions. Recent Chairman initiatives will contribute to addressing these challenges and retooling the FDIC to meet future needs. The Chairman and the FDIC management team are committed to ensuring that the FDIC is prepared for any future crises, no matter the cause.

FDIC Crisis Response Options and Resource Considerations

Given its mission, role, and authorities, the FDIC can respond to crises in several ways. The FDIC can reallocate examination staff to address an increase in problem banks; increase resolution staff, contractors, and agency support staff in response to a significant increase in bank failures; or establish financial stability programs, such as the Temporary Liquidity Guarantee Program (TLGP), which the FDIC developed during the 2008 financial crisis. Accordingly, the FDIC's crisis readiness efforts focus on ensuring our response options are ready, scalable, adaptable, agile, tested, understood, and resilient. The FDIC has focused significant effort to develop response options like these, as history has shown that they will undoubtedly be required in any future crisis.

For the FDIC, a true crisis generally involves some sort of resource surge - usually a significant increase in examination resources and resolution staffing, precipitated by a financial crisis situation. Because financial crises and recessions are unpredictable and cyclical, it is impractical for the FDIC to maintain a large contingent of resolution staff or excess examination staff during periods of economic prosperity and limited failure activity. As such, the FDIC thoughtfully assesses its resolution/readiness resource and examination needs annually, and relies on its ability to surge quickly in response to any rapid and broad-based deterioration of banking industry conditions.

As discussed later in this response, the FDIC also has a role in monitoring the availability of banking services during a natural disaster and the FDIC has a Critical Event Management Plan for guiding such activities. The Division of Risk Management Supervision (RMS) performs this role with existing staff in the normal course of business. As such, these efforts are not considered to be a direct crisis response from the FDIC.

FDIC Efforts to Improve Readiness in Response to the 2008 Financial Crisis

In its 2008 evaluation, Contingency Planning for Large-Scale Resolution Activity (Report EM-08-004), the OIG concluded that the FDIC had taken contingency planning seriously for a number of years and developed plans and processes for responding to large-scale resolution activity. The report noted that there was a clear commitment across divisions to strengthen the FDIC's readiness for resolving large and complex bank failures.

However, the severity, speed, and scale of the 2008 financial crisis presented unprecedented challenges for the FDIC and the rest of the government. The FDIC's Crisis and Response study acknowledged that the crisis challenged the FDIC's infrastructure and ability to scale resources quickly. The study identified a number of lessons learned for the FDIC's consideration. Since the crisis, and in response to the study, the FDIC has taken numerous substantive actions to prepare and be ready for future crises, including in the following areas:

• Division of Resolutions and Receiverships (DRR) Surge Staffing Plan - DRR developed a comprehensive surge staffing plan for quickly increasing resolution resources in the event of a sudden increase in bank failure activity. The plan is detailed and addresses all DRR functional areas. In addition, the FDIC developed division and office support plans for the Chief Information Officer's Organization (CIOO), the Division of Administration's (DOA) Acquisition Services Branch (ASB), the Corporate Services Branch, the Human Resources Branch, and the Legal Division among others. The FDIC has held multiple plan exercises with representatives from DRR and supporting divisions and offices and will continue to do so on a regular basis.

• Creation of the Division of Complex Institution Supervision & Resolution (CISR) - On June 27, 2019, the Chairman announced an organizational realignment to bring together specialized supervisory and resolution teams from across the FDIC to implement our mandate relating to large, complex financial institutions. More specifically, the establishment of CISR brought together resources from across three different divisions and offices at the FDIC designed to address large complex financial institutions. Aligning these related skills and operations within a single division will improve our coordination, consistency, and accountability in this critical area. It will also simplify our organizational structure; consolidate specialized skill sets; foster a collaborative, interdisciplinary approach to our supervision and resolution functions; and promote internal and external accountability. This organizational change is also designed to ensure that information, resources, and expertise are shared in advance and readily available in the event of a crisis situation.

• Contingent Resolution Contracts - DRR and ASB have established multiple basic ordering agreements for numerous resolution services and prequalified many vendors. In the event of a sudden increase in failed bank activity, the FDIC could quickly increase dedicated resources through these contracts.

• RMS Contingency Operating Strategies - RMS developed a comprehensive set of strategies for quickly increasing examination resources in the event of sudden financial deterioration among banks. The plan is detailed and addresses the strategies RMS would execute, including hiring term loan review and information technology specialists to assist with examination work and freeing-up commissioned examiners to serve as examiners-in-charge; rehiring retired annuitants; requesting authority to buy back annual leave; and eliminating any non-critical training. RMS used these strategies with great success during the 2008 financial crisis. RMS maintains position descriptions for the term positions in a ready state and would be able to execute the other strategies quickly and with minimum internal resources. RMS is also examining mechanisms to reduce the time required to achieve a commission, while maintaining training standards, and has also added additional entry-level positions for loan review and IT specialists that require considerably less training time to achieve full operational capability. These initiatives will also improve the FDIC's ability to quickly respond to a crisis in the financial sector.

• Rehired Annuitants - During the 2008 financial crisis, the FDIC rehired, under term appointments, former employees with valuable experience who had retired from the FDIC. In this regard, the Association of FDIC Alumni was established, in large part, to provide a ready source of available expertise in a future financial crisis situation. The FDIC has maintained a strong relationship with the Association to support crisis readiness.

• Capacity of Information Technology Applications - The FDIC has made important strides and continues efforts to enhance the capacity of FDIC information systems associated with making rapid and accurate deposit insurance claims determination decisions and handling sudden increases in FDIC staffing and failed bank assets.

• Non-Traditional Resolution Plans - DRR continues to develop plans and conduct exercises to address failure scenarios that could present unique challenges such as a failure caused by a cyber-attack or the failure of a bank that specializes in niche products.

• Hiring Flexibilities - The FDIC has worked with the US Office of Personnel Management to obtain authorization to use hiring flexibilities to hire staff quickly in response to a sudden increase in resolution activity.

• Forward-Looking Supervision Emphasis - Since the 2008 financial crisis, RMS has reemphasized, through updates to the Manual of Examination Policies, examiner training, and other means, the importance of examiners reporting and addressing weaknesses in internal controls and management practices before insured depository institutions (IDIs) experience material financial decline. These efforts embedded the lessons learned from the 2008 financial crisis into the FDIC's supervision program.

• Enhanced Offsite Monitoring Tools - RMS continues to expand and improve monitoring tools used between examinations to identify banks presenting risk factors for high growth, asset concentrations, interest rate risk, and liquidity risk.

• Expanded Use of Special Examination Activities - RMS and CISR engage in risk monitoring and backup supervision of the largest institutions. The FDIC also developed new tools for monitoring large bank risks using new data feeds from the Federal Reserve.

The FDIC provided documented evidence of these and many other examples of crisis readiness efforts to the OIG during its evaluation. Additionally, while not covered in the scope of the OIG evaluation, the FDIC has also taken action toward:

• Making Large Financial Institutions Resolvable - CISR has developed a comprehensive plan for performing a Title II resolution and has held interactive plan exercises and tabletops with representatives from multiple divisions, multiple federal agencies, and international partners.

• Agency Business Continuity - The Division of Administration and CIOO maintain a Continuity of Operations Plan and Disaster Recovery Plan, respectively, to address crises with operational impacts for the FDIC. The FDIC participates in the annual Eagle Horizon integrated continuity exercise with other federal executive branch departments and agencies.

• Voluntary Early Retirement Program and Voluntary Separation Incentive - On March 5, 2020, the Chairman announced a voluntary separation incentive and an early retirement program designed to address concerns raised by the Office of Inspector General (OIG) regarding management of human capital at the FDIC. Specifically, this program will provide incentives for FDIC personnel to opt for early retirement or separation from the FDIC. This program is not designed to reduce the FDIC budget or overall size of the workforce, but is instead intended to flatten the organization at executive and management levels, ease concerns on knowledge management and succession planning, address concerns raised by the OIG regarding the FDIC's significant retirement-eligible workforce, and redirect resources to hire and train new skillsets needed across the corporation. This program will strengthen the FDIC in all capacities and will promote additional growth and focus on overall long-term crisis readiness.

While these and other efforts significantly increased our preparedness, crises, by their very nature, can be difficult to manage effectively and can stretch agency capabilities and resources. The FDIC has strong programs across the agency that emphasize preparedness and has a proven track record of responding effectively. Nevertheless, the FDIC acknowledges there is always room for improvement and welcomes constructive suggestions for strengthening readiness efforts. As discussed later, while the FDIC concurs with most of the OIG's specific recommendations, the FDIC does not concur with some of the OIG's conclusions regarding the FDIC's crisis readiness, or with some of the evaluative criteria used by the OIG for this engagement.

Emergency Response Criteria Used by OIG Versus the FDIC's Actual Role in a Disaster Event

As part of this evaluation, the OIG developed its own framework to evaluate the FDIC's readiness efforts. The OIG based its framework largely on guidance issued by the Department of Homeland Security (DHS) and the Federal Emergency Management Agency (FEMA) for implementing Presidential Policy Directive 8, National Preparedness.1 PPD-8 assigned responsibility for national preparedness efforts to the departments and agencies with roles in prevention, protection, mitigation, response, and recovery. The OIG's report acknowledges that the FDIC does not have an identified role in the national planning framework and is not responsible for developing operational plans under PPD-8. Nevertheless, the OIG used DHS and FEMA operational guidance to assess the FDIC's readiness planning efforts, and support certain report recommendations. The use of alternative criteria, as discussed below, would more appropriately reflect the FDIC's actual role in contributing to critical infrastructure security and financial services resilience.

The FDIC's appropriate role in assisting with disaster events affecting IDIs - such as a hurricane, flood, winter storm, etc. - is not to be a first responder, but instead to communicate with and monitor IDIs impacted by the event to assess whether bank employees are safe, banking offices are open and operational, and banks and ATMs have sufficient cash on hand to meet the public's immediate need for funds. The FDIC may also encourage banks to work with loan customers experiencing financial hardship. The FDIC has a Critical Event Management Plan for guiding such activities. However, RMS performs this role with existing staff in the normal course of business. As a result, the FDIC would not consider such efforts to be a specific crisis response situation.

Footnote: 1 The OIG also based its framework on publications authored by the Organisation for Economic Co-operation and Development and the Harvard Business School, both of which focused on emergency operations and emergency response.

The FDIC does have a role, however, in implementing PPD-21, Critical Infrastructure Security and Resilience, which identified 16 critical infrastructure sectors. The Treasury Department is the Federal Sector Specific Agency for the Financial Services sector of which the FDIC is a member and actively participates in sector activities. Treasury developed a Financial Services Sector-Specific Plan that lists goals for information sharing, best practices for risk management and security, incident response and recovery, and policy support.2 Had the OIG assessed the FDIC's efforts against this more appropriate criteria, the OIG may have reached a more positive conclusion about the FDIC's readiness planning efforts and the need for an agency-wide all-hazards plan.

Appropriateness of an All-Hazards Approach to Financial Crisis Situations

In addition to developing an agency-wide crisis readiness policy and agency-wide readiness procedures, the OIG concluded that the FDIC should develop an Agency-wide all-hazards readiness plan that identifies the critical common functions and tasks necessary for any crisis response and asserted that the all-hazards plan should cover all crisis readiness situations potentially facing the FDIC. Thus, from the OIG's perspective, the all-hazards plan should include disaster events impacting IDIs such as hurricanes or floods as well as cyber events, financial crises, and other events. Because the FDIC's methods of response are markedly different for a natural disaster event versus a financial crisis, the utility of covering all hazards/crises types under a single plan is questionable. Further, neither PPD-21 nor the FEMA guidance cited in the report include economic or financial crises in their definitions of "all-hazards" or "disasters" and FDIC staff could not identify an example of an all-hazards plan that included a financial crisis scenario.3

The OIG also noted the all-hazards plan should address functions and tasks that are common to any crisis scenario. The OIG identified internal coordination with the FDIC's Office of Communications, Central Call Center, and Office of Legislative Affairs as examples of common functions that should be included in an all-hazards plan. While coordination with these functions is vitally important, these offices are part of the FDIC's organizational structure, and divisions routinely collaborate with these offices on all important matters, including crisis response.

Footnote: 2 The FDIC is also a member and participates in the Financial and Banking Information Infrastructure Committee (FBIIC). FBIIC works to coordinate efforts with respect to critical infrastructure resilience issues.

Footnote: 3 OIG's report referenced an all-hazards plan developed by the Small Business Administration (SBA) that included a financially-related role, but this role is an assigned mission responsibility and the SBA's all-hazards plan is legislatively required. Thus, SBA is not a good comparison for the FDIC.

The FDIC has serious reservations about the efficacy and usefulness of a true "all-hazards" plan at the FDIC. Notwithstanding, the FDIC is fully committed to continuous improvement and acknowledges further enhancements to planning and readiness efforts may be warranted. Accordingly, the FDIC plans to engage a consultant experienced in crises readiness planning to evaluate existing plans and capabilities, and advise on appropriate improvements to enhance operational readiness for any future crisis situations.

Sufficiency of Operational Training that Employees Receive to be Prepared for Crises

The report concludes that the FDIC did not train personnel to understand the content of crisis readiness plans, including their task-related responsibilities in executing the plans. The FDIC disagrees with this conclusion, and the OIG report omits important context and evidence that was provided to the OIG evaluation team.

During the evaluation, the FDIC informed the OIG team that, in most crisis scenarios, FDIC employees will be performing the same corporate operations and activities that they regularly perform, such as supervising or resolving banks, simply in a more intense and stressed environment. In this regard, FDIC employees receive extensive classroom and on-the-job training to conduct supervision, resolution, and business-line support functions. The FDIC's Corporate University offers comprehensive curricula and supports crisis planning simulations and table-top exercises. This training and professional development allows staff to build the acumen and business judgment necessary to evaluate the unique circumstance presented by a crisis and develop new programs, such as TLGP, or modify existing ones, such as loss-share, to respond effectively. RMS has an intensive examiner training and development program that is continuously refreshed to respond to financial industry risks and developments.

In addition, FDIC employees practice and achieve readiness through periodic table-top exercises and simulations of crisis readiness plan content. Such exercises provide employees the opportunity to understand readiness plans and practice their operational responsibilities in a simulated environment. The FDIC provided the OIG evaluation team with documentation of these plan exercises.

The FDIC agrees that additional training strategies could be used in instances where unique skills or responsibilities are required to execute readiness plans and will include in readiness procedures a requirement that readiness plans explicitly state whether staff require any specialized training or skills to execute the readiness plan. Identifying situations in which a unique skillset will be needed in a crisis is important; however, since unique skill situations are rare, obtaining those skills through hiring or contracting may be a more practical solution.

In addition, the FDIC will expand opportunities for training and exercising staff on what to expect during an intense crisis situation and how to operate under a stressful environment.

FDIC Planned Management Actions in Response to the Report Recommendations

OIG made 11 recommendations in its February 7, 2020 draft report. Our management decision, planned action, and estimated completion date for each recommendation follows.

Recommendation 1: Establish and implement a policy providing senior management's crisis readiness directives.

Management Decision: Concur.

Planned Action: The FDIC will develop a corporate-wide crisis readiness directive that establishes policy for crisis planning and readiness, defines roles and responsibilities, and sets expectations for basic information that readiness plans should address, such as any unique training requirements to execute the plan, frequency of plan updates, and expectations for plan testing.

Estimated Completion Date: June 30, 2021.

Recommendation 2: Establish a committee to guide and oversee FDIC crisis readiness planning.

Management Decision: Partially Concur.

Planned Action: The FDIC will not create a new committee for this purpose and will instead assign responsibility to its Operating Committee for overseeing crisis readiness planning efforts. This designation and responsibility will be addressed in the crisis readiness policy discussed in Recommendation 1.

Estimated Completion Date: June 30, 2021.

Recommendation 3: Establish and implement procedures supporting an Agency-wide process for crisis readiness planning.

Management Decision: Concur.

Planned Action: The FDIC will develop a crisis readiness procedures document that expands on the crisis readiness policy discussed in Recommendation 1. The procedures will discuss the FDIC's methods of response, communicate roles and responsibilities, define general expectations for readiness plan content and testing, and raise FDIC employee awareness of crisis planning and response processes.

Estimated Completion Date: June 30, 2021.

Recommendation 4: Establish and implement an Agency-wide all-hazards readiness plan that identifies and integrates FDIC readiness activities common to all crises impacting insured depository institutions.

Management Decision: Partially Concur.

Planned Action: The FDIC will engage a crisis readiness consulting firm to obtain advice and recommendations on improving the agency's crisis planning framework and maturing the existing crisis readiness program. Based on this feedback and advice, we will develop and implement agency-wide readiness plan(s) appropriate for the FDIC's mission and responsibilities.

Estimated Completion Date: December 31, 2021.

Recommendation 5: Establish and implement Agency-wide hazard-specific readiness plans, as needed, to identify and integrate FDIC readiness plans and activities unique to specific hazards impacting insured depository institutions.

Management Decision: Concur.

Planned Action: FDIC staff discussed with the OIG that the decision to develop agency-wide hazard-specific readiness plans would be risk-based, considering impact, likelihood, and criticality of the individual plan and whether the plan involved multiple divisions. The FDIC confirmed with the OIG that there is not an expectation that all or even most readiness plans would be expanded to be agency-wide. Based on discussions with subject matter experts and crisis readiness consultants, the FDIC will develop criteria for determining when agency-wide hazard-specific plans are needed. The FDIC will document that criteria in the crisis readiness procedures contemplated in Recommendation 3. The FDIC will then apply that criteria to existing readiness plans and expand plans meeting the criteria to be agency-wide.

Estimated Completion Date: March 31, 2022.

Recommendation 6: Establish and implement a process for ensuring periodic training of responsible personnel on their task-related responsibilities in executing readiness plans.

Management Decision: Partially Concur.

Planned Action: As discussed earlier, FDIC employees receive extensive operational training to perform their day-to-day work functions. In most crisis scenarios, FDIC employees will be performing the same corporate operations and activities that they regularly perform, but in a more intense and stressed environment. The FDIC regularly tests readiness plans and conducts exercises to prepare employees for crisis response scenarios. However, the FDIC acknowledges there could be instances where unique skills or responsibilities are required to execute readiness plans. The crisis readiness policy and procedures contemplated in Recommendations 1 and 3 will require that readiness plans explicitly state whether staff require any specialized training or skills in order to execute the readiness plan. Further, the FDIC will look for additional opportunities to train staff to conduct operations in a stressful environment.

Estimated Completion Date: June 30, 2021.

Recommendation 7: Establish and implement a process for regularly documenting readiness plan exercise results and related recommendations, and retaining that documentation for use in readiness improvement activities.

Management Decision: Concur.

Planned Action: The FDIC will address expectations for documenting the results of readiness plan exercises and significant follow-on recommendations. This expectation will be documented in the crisis readiness procedures contemplated in Recommendation 3 as part of the crisis readiness policy. Documentation will be retained consistent with the FDIC's record retention policy.

Estimated Completion Date: September 30, 2021.

Recommendation 8: Establish and implement a monitoring process for lessons learned that prioritizes and tracks recommendations to improve readiness activities.

Management Decision: Concur.

Planned Action: The FDIC will establish, in the crisis readiness procedures contemplated in Recommendation 3, criteria for which priority recommendations resulting from plan exercises should be tracked. The OIG confirmed it did not intend that the FDIC track all recommendations resulting from plan exercises, just those deemed significant, and the FDIC agrees with this view.

Estimated Completion Date: September 30, 2021.

Recommendation 9: Establish and implement a process to ensure that the FDIC reviews and updates readiness plans on a recurring basis.

Management Decision: Concur.

Planned Action: The FDIC will develop a process for ensuring that plans remain current. The FDIC envisions having division and office directors periodically certify to the Operating Committee that plans are up-to-date or have been revised. The crisis readiness procedures contemplated in Recommendation 3 will address this expectation.

Estimated Completion Date: June 30, 2021.

Recommendation 10: Establish and maintain a central repository of up-to-date readiness plans.

Management Decision: Partially Concur.

Planned Action: The FDIC will take action to ensure that readiness plans remain up-to-date and are readily available. The FDIC plans to further explore how best to maintain readiness plans with the crisis readiness consultant, including whether a central repository represents the most effective operational response. The FDIC will address expectations for keeping readiness plans up-to-date and readily available in the crisis readiness procedures contemplated in Recommendation 3.

Estimated Completion Date: September 30, 2021.

Recommendation 11: Establish and implement a process to assess and report regularly on the state of the FDIC's Agency-wide readiness to address crises impacting IDIs.

Management Decision: Concur.

Planned Action: The FDIC will develop a process for periodically assessing and reporting on the state of the FDIC's agency-wide readiness. The FDIC will address this recommendation through the periodic certification and reporting process to the Operating Committee as discussed in Recommendation 9 and consideration of action items and recommendations resulting from plan testing. Reporting expectations will be addressed in the crisis readiness procedures contemplated in Recommendation 3.

Estimated Completion Date: September 30, 2021.

On March 16, 2020, the FDIC announced that it was suspending the Voluntary Early Retirement Program and Voluntary Separation Incentive Program given the operational realities resulting from the coronavirus pandemic.

Appendix 7 Summary of the FDIC’s Corrective Actions

This table presents management’s response to the recommendations in the report and the status of the recommendations as of the date of report issuance.

Row 1: ; Rec. No.: 1; Corrective Action - Taken or Planned: The FDIC will develop a corporate-wide crisis readiness directive that establishes policy for crisis planning and readiness, defines roles and responsibilities, and sets expectations for basic information that readiness plans should address.; Expected Completion Date: June 30, 2021; Monetary Benefits: $0; Resolved-a - Yes or No: Yes; Open or Closed-b: Open;

Row 2: ; Rec. No.: 2; Corrective Action - Taken or Planned: The FDIC will assign responsibility to its Operating Committee for overseeing crisis readiness planning efforts. This designation and responsibility will be addressed in the crisis readiness policy.; Expected Completion Date: June 30, 2021; Monetary Benefits: $0; Resolved-a - Yes or No: Yes; Open or Closed-b: Open;

Row 3: ; Rec. No.: 3; Corrective Action - Taken or Planned: The FDIC will develop a crisis readiness procedures document that expands on the crisis readiness policy. The procedures will discuss the FDIC’s methods of response, communicate roles and responsibilities, define general expectations for readiness plan content and testing, and raise FDIC employee awareness of crisis planning and response processes.; Expected Completion Date: June 30, 2021; Monetary Benefits: $0; Resolved-a - Yes or No: Yes; Open or Closed-b: Open;

Row 4: ; Rec. No.: 4; Corrective Action - Taken or Planned: The FDIC will engage a crisis readiness consulting firm to obtain advice and recommendations on improving the agency’s crisis planning framework and maturing the existing crisis readiness program. Based on this feedback and advice, the FDIC will develop and implement agency-wide readiness plan(s) appropriate for the FDIC’s mission and responsibilities.; Expected Completion Date: December 31, 2021; Monetary Benefits: $0; Resolved-a - Yes or No: Yes; Open or Closed-b: Open;

Row 5: ; Rec. No.: 5; Corrective Action - Taken or Planned: Based on discussions with subject matter experts and crisis readiness consultants, the FDIC will develop criteria for determining when agency-wide hazard-specific plans are needed. The FDIC will document that criteria in the crisis readiness procedures. The FDIC will then apply that criteria to existing readiness plans and expand plans meeting the criteria to be agency-wide.; Expected Completion Date: March 31, 2022; Monetary Benefits: $0; Resolved-a - Yes or No: Yes; Open or Closed-b: Open;

Row 6: ; Rec. No.: 6; Corrective Action - Taken or Planned: The crisis readiness policy and procedures will require that readiness plans explicitly state whether staff require any specialized training or skills in order to execute the readiness plan. Further, the FDIC will look for additional opportunities to train staff to conduct operations in a stressful environment.; Expected Completion Date: June 30, 2021; Monetary Benefits: $0; Resolved-a - Yes or No: Yes; Open or Closed-b: Open;

Row: 7; Rec. No.: 7; Corrective Action - Taken or Planned: The FDIC will address expectations for documenting the results of readiness plan exercises and significant follow-on recommendations in the crisis readiness procedures. Documentation will be retained consistent with the FDIC’s record retention policy.; Expected Completion Date: September 30, 2021; Monetary Benefits: $0; Resolved-a - Yes or No: Yes; Open or Closed-b: Open;

Row: 8; Rec. No.: 8; Corrective Action - Taken or Planned: The FDIC will establish, in the crisis readiness procedures, criteria for which priority recommendations resulting from plan exercises should be tracked.; Expected Completion Date: September 30, 2021; Monetary Benefits: $0; Resolved-a - Yes or No: Yes; Open or Closed-b: Open;

Row: 9; Rec. No.: 9; Corrective Action - Taken or Planned: The FDIC will develop a process for ensuring that plans remain current. The FDIC envisions having division and office directors periodically certify to the Operating Committee that plans are up-to-date or have been revised. The crisis readiness procedures will address this expectation.; Expected Completion Date: June 30, 2021; Monetary Benefits: $0; Resolved-a - Yes or No: Yes; Open or Closed-b: Open;

Row: 10; Rec. No.: 10; Corrective Action - Taken or Planned: The FDIC will ensure that readiness plans remain up-to-date and are readily available. The FDIC plans to further explore how best to maintain readiness plans with the crisis readiness consultant, including whether a central repository represents the most effective operational response. The FDIC will address expectations for keeping readiness plans up-to-date and readily available in the crisis readiness procedures.; Expected Completion Date: September 30, 2021; Monetary Benefits: $0; Resolved-a - Yes or No: Yes; Open or Closed-b: Open;

Row: 11; Rec. No.: 11; Corrective Action - Taken or Planned: The FDIC will develop a process for periodically assessing and reporting on the state of the FDIC’s agency-wide readiness. The FDIC will address this recommendation through the periodic certification and reporting process to the Operating Committee and consideration of action items and recommendations resulting from plan testing. Reporting expectations will be addressed in the crisis readiness procedures.; Expected Completion Date: September 30, 2021; Monetary Benefits: $0; Resolved-a - Yes or No: Yes; Open or Closed-b: Open;

[End of table]

a Recommendations are resolved when —

1. Management concurs with the recommendation, and the planned, ongoing, and completed corrective action is consistent with the recommendation.

2. Management does not concur with the recommendation, but alternative action meets the intent of the recommendation.

3. Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long as management provides an amount.

b Recommendations will be closed when the OIG confirms that corrective actions have been completed and are responsive.

[End of report]

Federal Deposit Insurance Corporation

Office of Inspector General

3501 Fairfax Drive, Room VS-E-9068, Arlington, VA 22226

(703) 562-2035

The OIG’s mission is to prevent, deter, and detect waste, fraud, abuse, and misconduct in FDIC programs and operations; and to promote economy, efficiency, and effectiveness at the agency. To report allegations of waste, fraud, abuse, or misconduct regarding FDIC programs, employees, contractors, or contracts, please contact us via our Hotline or call 1-800-964-FDIC.

FDIC OIG website, www.fdicoig.gov

Twitter, @FDIC_OIG

Oversight.gov - www.oversight.gov/
