COVID-19 Case Study: Recovery Goes Granular at Global Bank
Organization: A Canada-based multinational financial institution with global assets and facilities.
• Traveling staff
• Staff communications
• 14-day quarantines
• Varying return-to-work expectations and fears
28 July 2020 Update
Organizations initially responded to the coronavirus pandemic with broad brushstrokes, such as implementing work-from-home policies and mandating social distancing. Many are now shifting to the fine detail work of how to actually make those policies work in the real world.
For example, the bank had been looking for a date to bring staff back to work in its Western hemisphere facilities. Some workers are pushing to return, while others dread it. At the same time, case numbers in locations where the bank has facilities vary widely—sometimes hot spots are located in the same neighborhood where infection rates are low. Moreover, a spate of global, national, regional, and local authorities are weighing in with their own observations, recommendations, and mandates.
Bank management has decided to take a pragmatic, case-by-case approach with openings. It will consider local government mandates and recommendations, the opinions of its staff, and its own observations when deciding whether to reopen specific facilities and functions. “We will go office by office, campus by campus,” says the bank’s CSO.
That measured approach suits local governments fine, according to the CSO. No one wants thousands of commuters returning to buses and subways on the same day, for example. “Just because things are open doesn’t mean we should send everyone back into the world,” the CSO says. “It’s not just ‘Can we do this?’ but ‘Should we do this?’”
That lesson has been recently made clear in Hong Kong, where spiking case counts have convinced the bank to re-close facilities there.
When offices do open, returning staff will receive welcome kits that include masks, sanitizer, and “no-touch COVID keys” to open doors and press buttons. Instead of vague social distancing reminders, staff will watch professionally produced videos that depict how to line up at entrances, enter and stand in an elevator, open doors, and practice other social interactions that have never before required explanation. These relatively simple scenarios depict how tortuous it can be to navigate the risk of a million casual encounters. For instance, some elevators may be limited to four people. “What if a fifth person gets on and says, ‘You guys know me, I’m not sick,’ and they let him on, and then they get sick?” the CSO asks. People will complain both that the company enforces rules too rigorously and that it doesn’t do enough.
Some of the same broad-brush vs. granular-stroke issues also arise in contact tracing. In the banking industry and elsewhere, some companies are using massive data-aggregating tools such as Google to make contact tracing faster and more comprehensive, informing staff that they are opting in to this approach by walking through the door. Others perform contact tracing manually to limit privacy concerns, but that’s much slower going and not as far-reaching. The bank is pursuing the less intrusive route, the CSO says.
COVID-19 is spawning new technology in contact tracing, access control, temperature taking, visitor management, and other areas. But that puts some companies in a bind.
“Everyone is looking for technical solutions, but these are multimillion-dollar systems,” says the CSO. Companies hit by the economic downturn that are determined not to lay off staff because of COVID-19 may not have the budget to purchase these systems.
Other unexpected issues have arisen. In Canada, for example, health and safety regulations are much stricter than they are in the United States and many other countries.
“The system mandates the number of fire wardens and people who are certified in CPR per number of staff, up to even how many Band-Aids there are per floor,” says the CSO. Every security officer must be certified in first aid and CPR, but most officers are trained in a method of CPR that puts them at risk of getting COVID-19 from a victim. The bank may have to send staff long distances to courses where they will learn the safer “bag pump” method of CPR. But this exposes them to travel and group activity, two main avenues of coronavirus spread.
As everyone’s attention focuses on the pandemic, other security duties risk falling by the wayside, says the CSO. “A lot of our financial peers have deferred physical threat assessments,” the CSO says. This makes sense to limit exposure to possible contagion. But it also puts facilities in jeopardy and threatens regulatory compliance. The bank has bridged this gap by conducting virtual assessments as much as possible, augmented by property photos and videos. “If we can send someone into an almost empty building with a guard escort, we do,” says the CSO. “It’s the best we can do for the regulators.”
Some colleagues’ security departments are being swallowed by COVID issues, the CSO observes. So he has assigned half his staff to deal with non-COVID issues. “Some people have forgotten their yearly goals: we need to get contracts signed, make sure projects get done, people get hired, conduct threat assessments,” the CSO emphasizes. Creativity can overcome a tight budget; his department is staging events such as “lunch and learns” on security policies. “It costs nothing, but we need to get back into our core mandate of awareness and make it a positive thing.”
Some good news has emerged from the pandemic. Bank and ATM robberies have plummeted. Branches are posting additional security officers to help with access control and social distancing. And banks are often located around clusters of retail stores, which are more frequently hiring security officers. The increased presence has had a deterrent effect, the CSO speculates.
As much as robberies have subsided, however, online scams and fraud have more than filled the void. The CSO notes skyrocketing numbers of fake GoFundMe pages, charitable pleas, government notices, and job offers.
12 June 2020 Update
The bank is finding that COVID-19 is fickle, and that certainties are difficult to find. Security leaders at the bank note that, at least in the Western Hemisphere, few cities, regions, or countries have a handle on the virus or can definitively predict when it will ebb, how it is transmitted, who can transmit it, and whether antibodies confer immunity.
“Like our peers, we can’t definitively say what we’re doing” in coming weeks or months, says the bank’s CSO. Bank leadership is averse to giving mixed messages or having to walk back statements or policies made just days before. The bank is working on models to determine how to stage workers back into offices and branches, how to create sufficient separation, and how to maintain a sanitized environment. In the meantime, most staff members continue to work at home.
Only a skeleton crew occupies global headquarters, which usually accommodates more than 2,500 workers a day. Moreover, most branches in the Western Hemisphere remain closed. Exceptions are made by appointment. The bank is asking staff who must come in to take their temperature at home and will likely roll out a health survey for staff to take at home when workers begin to come back to the office. It is unlikely that the bank will take temperatures at the entrance when people return to headquarters, says the CSO.
Security is working with crisis management, real estate, and other departments on the return-to-office plan, especially on entry control and contact tracing. Among considerations is routing all visitors through the loading dock, and changing, moving, or reducing turnstiles to expedite movement.
In the meantime, there’s no rush to return to the office. As regions slowly open, the bank is being conservative and watching how things play out, such as whether states, provinces, or other regions see spikes in infections. The CSO says that these jurisdictions don’t want everyone coming back to work at once; they are promoting a staged return.
The bank has been surveying staff, and most either prefer to work at home or come to the office only with rigorous protocols and precautions in place, such as ample social distancing, barriers, regular cleaning, and a contact tracing program. “A majority of our staff can work remote,” says the CSO, who points out that frequent travelers typically don’t come to an office. “It’s hard to argue to staff that they need to be at an office.”
Some long-held bank practices—such as requiring wet signatures on physical documents—may be on the way out. Requiring a courier to retrieve a package, travel, and deliver it, and then have the recipient take sanitary precautions before returning it, is burdensome and creates health risks. The bank and other financial institutions are looking to regulators to adapt to the times, such as by accepting digital signatures.
Travel, which stopped completely due to the pandemic, has started with a trickle—quick and reasonable car trips. Any travel that puts staff in close contact with others—in planes, trains, or hotels, for example—not only risks them getting infected but also raises the prospect that they could be quarantined away from home. “We have some people who have been in quarantine who are just coming home now,” the CSO says.
At Asian branches, by contrast, the situation is much closer to pre-pandemic. Despite having the option to work at home, most staff have returned to branches or offices. All but 15 percent resumed their previous hours, and those that didn’t merely cut down on their number of days in the office, rather than opt to work at home full time.
What accounts for the difference in willingness to return to the office between Asia and North America? Security notes that in many Asian countries, the use of thermometers and masks at work has been common practice for years—the bank is using rapid temperature scan devices posted at entries to capture multiple people at once—and such activities are normal. In addition, in many places in the Far East where the bank has a presence, the CSO explains, many commuting staff look forward to reliable power, Internet connectivity, and other utilities that are spotty at home.
Travel within Asia remains infrequent, though, because of varying rules and regulations. Some require a two-week quarantine at a government facility. “It makes no sense to send someone across a border to quarantine for 14 days for one day of business,” the CSO says.
Globally, it is too early to tell whether the pandemic or economic crisis has affected bank or ATM crime. There has been an uptick in some areas of the United States, the CSO says, but that may be due to other reasons, such as violent offshoots of civil protests.
14 May Update
Workers in Asia have begun to return to their offices in stages, though many continue to work from home. Corporate security is working with colleagues in legal, real estate, human resources, and other departments on a phased approach to return to offices around the world, considering issues such as ensuring safety and hygiene, communicating regularly and empathetically, and monitoring staff health without breaching privacy.
The privacy issue is especially tricky. “If a corporate executive is flagged by a reader for having a high temperature at the entrance and is pulled aside by a guard out in the open, that’s not sustainable, feasible, or private,” says the CSO.
The security department is exploring how it can do its part to facilitate the return to the office, such as separating workstations, staggering work hours, and monitoring social distancing. “This has changed the agile office paradigm,” the CSO says. “People didn’t want to work so close to others before COVID-19, and they really don’t want to afterwards.”
During outbreaks of SARS and Avian flu (H5N1), the bank stocked up on masks, so it has plenty for short-term needs. But it is looking closely at future needs at facilities around the world, based in part on when masks currently in stock reach their expiration date. The CSO says that masks will be available but not required for administrative staff.
The bank is also rethinking travel protocols when countries and regions start opening up. “At the beginning of COVID-19, countries locking down travel helped corporate security departments,” says the CSO, because they had no choice but to comply. Security is considering whether to require that all travel be approved by headquarters, rather than developing complicated charts including information on which countries have opened their borders and to whom, which areas are seeing declines in infections and deaths, which airlines are safe for travel, and so on. That is not only difficult to manage but difficult to communicate to staff.
The company’s HR department has proposed allowing travel but requiring that travelers self-quarantine for 14 days upon their return. The problem there, the CSO says, comes if a traveler gets quarantined away from home.
In the short term, most travel is being deferred. Changes in bank regulations to accommodate the pandemic are helping that cause. Regulations, such as having to check identification in person for money laundering prevention, are being softened or suspended, the CSO says. Regulators are allowing for alternative modes of identification, such as biometrics and digital signatures.
An elevated standard for travel has yielded an interesting result: staff now have to prove that travel is critical, which is revealing that much travel that has historically been considered essential is more accurately categorized as optional. Even such high-profile events as annual general meetings (AGMs) are no longer critical to attend. “All Canadian banks were able to have their AGMs virtually for the first time this year,” he says. “It’s a big deal.”
Outside of Asia, bank branches are mostly closed, though managers are available online to perform transactions virtually for customers, or they can arrange to meet in person when necessary for cash deliveries or other purposes. In Asia, branches limit occupancy, use tape lines to maintain distance between patrons, have created directional lines to improve customer flow, and deploy security officers to maintain order. Glass partitions that have protected tellers from armed robbers now serve double duty as transmission-prevention barriers.
With corporate campuses and city centers resembling ghost towns, the bank is wary of the rise in street crime such as muggings and smash-and-grab robberies. “The lack of crowds means there’s no eyes and ears on the street,” says the CSO. “When just a few staff show up on large campuses, it’s easier to become the target of a crime of opportunity.”
Security also spends time educating clients about avoiding COVID-19 scams by email, the Internet, and other means. But the bank is careful not to make it too difficult for technically unsophisticated customers to use their services. “If you make it too complicated to get money, by implementing biometrics or putting everything online,” he says, “it could confuse them” and deprive them of their own funds.
With executives now working from home, the role of executive protection has shifted from physical to virtual. EP practitioners have been partnering with cybersecurity staff to make sure senior managers understand proper cyber hygiene, know information protection protocols, use compliant shredders and safes, and conduct all activity on the corporate VPN. It has been another way for the EP team to show its value, says the CSO.
April 2020 Update
Because this Canada-based global financial institution has major operations in Asia, corporate security was alerted to the novel coronavirus early on. The CSO says that he “dusted off the pandemic crisis plans and gave them a once.” Business continuity, HR, legal, corporate security, real estate, and executives came together to sort out roles and responsibilities.
The team handled initial concerns as one-off responses, as if they were fire drills, the CSO says, before they realized that the crisis was prolonged, spreading, and ubiquitous. The bank distributed a global communication urging staff to stay at home if at all concerned and encouraging work from home when possible. A few staff were designated as critical, meaning they had to physically show up to the office as long as they felt well.
The bank initially locked down travel to and from high-risk regions, then expanded that policy to gradually include all regions. Staff were asked to report any medical concerns to HR while all facilities underwent deep cleaning.
Months later, other banks started retooling policies for visitors and contractors and instituted global travel bans. Because this bank had had exposure in Asia almost three months earlier, its preparation was well ahead of its peers.
Security is able to track staff and advise them if they need to stay at home. It issues letters to staff indicating that they are essential in case they get stopped by authorities on the way to work. They also receive personal protective equipment.
The bank created internal webpages dedicated to the virus and engaged all service providers specializing in that area and made their services available to the entire staff. Like many peers, the bank had to book special planes and work all channels to return people home.
Michael Gips, JD, CPP, CSyP, CAE, is the principal of Global Insights in Professional Security, LLC, a firm that helps security providers and executives develop cutting-edge content, assert thought leadership, and heighten brand awareness. Gips was previously Chief Global Knowledge Officer at ASIS International, with responsibility for Editorial Services, Learning, Certification, Standards & Guidelines, and the CSO Center for Leadership & Development. Before that, as an editor for ASIS’s Security Management magazine, he wrote close to 1,000 articles and columns on virtually every topic in security. In his early career he was an attorney who worked on death-penalty cases.