Covid-19: A wake up call to focus on Business Continuity Plans

In the past four weeks, we have seen the highly infectious coronavirus be declared a global pandemic and make its way into conversations at every level of society. What started as a trivial water cooler discussion topic in early January which people compared to the outbreak to the common flu has now sent the world into lockdown and global markets into freefall. For us and our clients the current situation presents a case in which many firm’s business continuity plans may be tested and therefore ensuring these are effective and appropriate is of the upmost concern.  

In writing this article I am trying to provide advice and awareness for our clients on the importance of reviewing their business continuity plans especially whenever we are all faced with macro events such as Covid-19. As advisors I do feel that flagging regulatory issues and supervisor warnings (such as the FCA notice last week regarding continuity planning) is an important part of our remit. This is even more relevant whenever we are facing events that are as serious as Covid-19.  

Business Continuity Expectations  

In the FCA’s consultation paper on operational resilience in December last year, the regulator outlined the expectations on firms to have plans to ensure their ability to continue functioning in unexpected situations, and to get back to a position where they are fully operational. This includes a major focus on events involving systems failureloss of office space and loss of key personnelWhen building out these plans, some make the mistake of thinking that because we have not witnessed a situation like this in many of our lifetimes, that it is so inconceivable that they do not have to plan for it.  

Viral outbreaks, such as Covid-19, can be a catalyst for major operational issues be this through forced office closure, failure in systems due to an increased number of staff working from home, or key members of your team becoming sick or forced into self-quarantine. The FCA state that firms should consider the likelihood and impact of a disruption to the continuity of operations from unexpected events [1]In doing this firms should have considered the likely timescale of those disruptions. At the current stage this can be very difficult to quantify in an ever-developing situationFirms should be prepared for the worst-case scenario which at this stage appears to be total lockdown and forced closure of public spaces for up to three months.  

Given the onset and unexpected nature of the situation, we find ourselves asking how can you ensure you have done enough? What we have seen from our clients in the past number of weeks has been that testing these processes before the situation is critical. For example, some clients have tested the continuity plans through working from home days. Exercises like this demonstrate a willingness to understand where their procedures may fall short and do so at a point where they can fix the issue. Failing this, firms are expected to have effective emergency plans for the timely recovery of such data and functions and the timely resumption of those activities however this is shall be a much more resource intensive, be that economic and reputationally, exercise than ensuring the mitigation procedures were fit for purpose in the first place.   

Another point worth considering is the fact that this obligation extends much beyond that of your own internal firm systems and geographical locations. Firms should also pay close attention to outsourced vendors and any actor in their supply chain. What the regulator expects is effective controls and appropriate accountability between your firm and the actors who play an important operational function in the delivery of your services. While perhaps late in the day given the situation, firms should have made an assessment as to the outsourced providers ability to continue in the event of an emergency before entering into, or significantly changing, an outsourcing arrangement’.  In doing this, firms should have considered concentration risk implications [2] when several services are provided by one supplier. The key point here may be the fact that should an event occur down the supply chain, you as the principle firm must be prepared to step in with contingency measures to ensure minimal disruption.  

Accordingly, wsuggest that firms identify and document all resources, both internally and externally, that are critical in the delivery of their regulated activity. Such an analysis will allow you identify areas in which you may be exposed in the event the situation worsens.  

Business Continuity Measures   

Having identified the need to develop and/or test business continuity plans, what measures should firms be testing and implementing in the given situation?  

1. Work from home procedures  

  • Viral infections spread through person to person contact and therefore limiting this contact may be the best way of minimizing the spread and escalation of the current situation. Many firms have such procedures already but what problems may you encounter when you put this into place? When deciding whether to implement these plans, firms should consider the financial implications and the risks posed of your office remaining open. 
  • Your IT infrastructure may already be able to support a number of remote workers but how would that change if that became the entire workforce? Do you have the systems and VPN licenses to enable your people to be productive?  
  • Do your staff have laptops, or have you implemented a bring your own device policy?  What are the broadband capabilities in the local area where you are based 
  • How are you enforcing your data privacy policies so that they align with governmental regulations?

2. Stress health and hygiene in the workplace  

  • While firms may already do this as a basic policy, consider whether providing hand sanitizer and additional notices around office space would be of use given the rate at which infections are currently being observed. 

3. Test your plans  

  • Firms should consider testing their emergency procedures before they are forced to. This could include making all staff work from home for a day before this is necessary need to or ensuring all hardware is fit for purpose through a batch working from home testing periods 

4. Pandemic response  

  • Firms should ensure they follow all government and WHO guidance daily to be sure that they are implementing contingency measures in an appropriate way.  
  • Identify if your vendors or any other providers in your supply chain operate within the infected regions? If so, identify operational and revenue impacts from potential disruptions to key suppliers and vendors before this impacts your ability to provide your services.  

5. Understand the implications of limiting employee travel

  • This may be an obvious measure but understanding the implications of restricting employee travel is critical with the potential of a global pandemic of this scale. 
  • Limiting your workforce to only essential business travel is a key method of ensuring that you don’t welcome the virus into your working environment. This said, firms should asses the risk posed of the area which the employee is traveling by paying close attention to local government advice and compare this with the economic detriment it may cause should your staff member be unable to travel. 

6. Consider postponing events

  •  If your firm are involved in any networking events, conferences or meet ups consider whether now is the right time to host this and if it can be postponed. Again, your continuity plan should identify the impact of taking this action economically and the effectiveness of the measures you choose to mitigate this impact. 

 

[1] SYSC 13.8.5

[2] SYSC 13.9.4

Related Posts

CASS Audit

TISA CASS Compliance Survey

Earlier this year, TISA launched a CASS compliance survey in association with fscom, aiming to gather insights on key areas of interest related to CASS

Read More