Thomson Reuters Regulatory Intelligence recently started a series of short webinars in which experts discuss and deliver in-depth insights regarding the regulatory environment for UK financial services firms during the novel coronavirus pandemic.
Episode one considered business continuity planning and assessed:
- operational resilience and the associated regulatory developments
- the regulatory requirements in place for business continuity planning, and
- the practical issues and challenges and associated improvements in business continuity which firms may wish to consider
The first episode aired on April 27 and can be listened to here. Host Susannah Hammond was joined by Mike Cowan, Senior Regulatory Intelligence Expert, for the discussion. Over the course of 30 minutes a lot of ground was covered, including taking audience questions. Unfortunately, not every question was answered, and so the following questions have been published for your leisurely post-event reading.
Thomson Reuters Experts Talk webinar series - your questions answered.
Q1 - The process of the BIA highlights the critical processes and all their dependencies, which leads to the BC planning for the organization in the event of disruption. However, the current scenario we are facing didn't have to do with a disruption but rather a new circumstance of social distancing and working from home. How do we relate the BIA and the current practice, taking into consideration that all units' functions are now working from home in light of the social distancing practice? Do we now review the BIA and make plans for every business unit irrespective of their criticality?
Answer - The Business Impact Assessment (BIA) is a way to identify the impacts of a disruption on business processes within a firm. In many cases a BIA will explain the disruption event in some detail and then apply this to particular parts of the business. The way firms deal with a range of disruption scenarios could overlap, so it is possible that BIAs and subsequent BCPs will be fit for many disruptions (even those outside of the ones documented in the BIA). However, where the disruption event in BIAs is significantly different from that planned, then it may be appropriate to amend the BIAs accordingly.
In many ways current arrangements could be seen as a forerunner for future, normal working relationships. Therefore, I have two answers:
- Future working arrangements - If it is the firm's view that some of the temporary arrangements currently being employed could be used on a more long-term basis, then I suggest that this is looked at holistically by a separate project that investigates the IT, people, premises and operational process elements of the proposal and effectively takes this away from the firm's continuity planning.
- Temporary arrangements - I recognise that in the current crisis amending a BIA may be problematic, but where the firm believes that a return to business as usual is going to happen, then the BIA and BCP should, as far as possible, be kept up to date. It may not be possible to carry out a formal BIA process as would happen under business as usual, and in truth this may not be welcomed by senior management. That said, I think it is important for firms to carry out regular, formal reviews of their approach to the crisis: what went well, what went poorly, what risks are we seeing on the horizon, etc. And I think it is the role of a Risk, Compliance, Internal Audit or BCP function to get ahead of the game and not only opine on what has happened but also focus on future risks and the plans needed to improve the situation. Part of this input could be to point the firm at a review of BIAs in a way that retains the value of a BIA but simplifies the process. Greater use of questionnaires, more focused virtual workshops and increased use of online training are examples of items that can be used to facilitate this.
For (2) it may not be necessary to include all areas when updating BCPs. Where, perhaps from historic BIAs, a firm has a clear understanding of its key business processes and any interdependencies, then it may be appropriate for it to focus on these areas. I guess the key here is to focus on business objectives (which may have been amended to reflect the difficulties of the crisis) and ensure that the firm has appropriate operations to satisfy them.
Q2 - Mike, in your view what should be a key learning from the COVID-19 experience for compliance practitioners?
Answer - My key learning is to develop your compliance culture, as it will allow greater flexibility in the future. In my view the need for firms and compliance departments to be flexible seems to be key. To enable this flexibility, at a time when so much change is happening, it is vital that a strong compliance culture exists in the firm so that not only do compliance departments do the right thing, but some reliance on the first line doing the right thing can be made. In particular, the following:
- Boards need to be sending a strong compliance message.
- Changes to policies and procedures need to go through a proper, but maybe simplified, governance process.
- Policies and procedures need to be monitored through all the lines of defence, but maybe this can be simplified.
- Adequate reporting to governance committees needs to be in place and a proportional approach to breaches taken.
The tendency is for compliance departments to go into "firefighting" mode in times like these, and to a degree this is unavoidable. But Heads of Compliance should have a structured plan in mind as to what needs to be changed and when. For example, resource needs to be devoted to policy/process change, monitoring plans need to be re-cast and focused on the riskier parts of the business, reports may have to be redrafted, etc. This is easier to do where there is a strong compliance culture.
Q3 - Who should take the lead when executing the BCP/Pandemic Response Plan in a pandemic: HR or the BCM team? Especially when it comes to regular monitoring of staff health and identifying critical personnel.
Answer - In my opinion, the overall responsibility for executing the plan should lie with a member of senior management who is an executive member of the board or reports into an executive director.
In the UK, under the senior management and certification rules firms are asked to nominate a senior manager to assume responsibility for the internal operations and technology of the firm (SMF 24). For firms regulated by the Prudential Regulation Authority (PRA), there is a specific prescribed responsibility for “developing and maintaining the firm’s recovery plan and resolution packs, and for overseeing the internal processes regarding their governance”.
In my opinion recovery and resolution and operational resilience, although different, are closely linked and whoever holds these responsibilities will want to be involved with the ongoing management of the crisis.
My view would be that whoever holds SMF 24 should lead. This would also allow heads of risk and compliance to assume an independent, challenge role.
The senior manager needs to put some governance around the role. In larger firms a sub-committee of the Board may be created to deal with crisis management, and I would expect to see the SMF 24 chair that committee.
To support the SMF 24 directly I would expect to see a small working group or project with representatives from risk, compliance, key front-line areas, HR, internal audit, IT (including communications) and maybe other relevant areas.
Reporting to the Board and its sub-committees (Risk, Audit and Operational Risk Committee) should be simplified but still effective.
Q4 - During a crisis, cost reduction across the organization is a key tool used. In such a situation, how does one justify the cost of cost centres like the Internal Audit department?
Answer - Control functions such as Risk, Audit and Internal Audit hold a unique and vital role at this time. The primary role of Internal Audit should be to help the Board and Executive Management to protect the assets, reputation and sustainability of the organisation. It does this by assessing whether all significant risks are identified and appropriately reported by Management and the Risk function to the Board and Executive Management; assessing whether they are adequately controlled; and by challenging Executive Management to improve the effectiveness of governance, risk management and internal controls.
IA demonstrates value by, among other things:
- Control Effectiveness - The Board, some of whom will be non-executives of the firm, will still require assurance that controls in the firm are strong enough not to put the firm at risk and that senior management are acting in a prudent manner. Operational areas will seek comfort over new, amended processes and whether the controls within them are effective. The Board will look to the Chief Internal Auditor to provide this service whether internal or outsourced.
- Change Management - Where processes are to change because of the needs of the current situation, internal audit could participate as part of a review process before processes go live. Where time does not allow this, then internal audit could review processes retrospectively to provide advice on any potential control weaknesses before they become too embedded. It can also provide a view on expenditure and cost against the ability to meet business objectives.
- Business Continuity - CIAs should keep up to speed with developments in a firm's continuity arrangements to provide advice and guidance on areas that are working and those that aren't.
- IT and Cyber Audit – At a time when IT capabilities are paramount to the success of a firm, internal audit can provide some assurance that IT facilities are capable of meeting the challenges in a robust, secure and reliable manner.
- Third Party/Outsourced arrangements – Third parties may be important for the firm’s operations. During a disruption it is important that a firm is assured that third party services will continue to be delivered. Internal audit can play a part in liaising with third parties and gaining the necessary assurance.
Q5 - Is there a regulatory requirement to have an external Business Continuity site? In the current crisis they almost seem redundant.
Answer - As far as I'm aware there is no specific requirement to have an external business continuity site. Historically, the fundamental question has been: if a firm's head office or other building became inoperable, where would the firm decamp to? Hence the concept of a disaster recovery site with mirror IT systems and "hot" desks for key staff was created. Some financial services firms make greater use of their branch network or global presence rather than have a dedicated business continuity site, but this could come with additional cost and perhaps an extended lag time before systems can be recovered.
You raise an interesting point. Provided firms can operate their IT operations effectively without using a business continuity site, then perhaps the arrangements to address the current crisis (e.g. home working) may see firms reviewing this requirement. Watch out, disaster recovery site providers!
Thank you to everyone who attended the webinar on April 27th, and we look forward to taking and answering more questions on our future webinars.
Episode 3 of Experts Talk discussing working from home and other COVID-19 Canaries takes place on Thursday May 7th.
Episode 4 of Experts Talk will take place on 20th May at 13:00 BST and will discuss operational and conduct risk during the global pandemic.