The COVID-19 outbreak has been declared as a public health emergency of international concern by the World Health Organization, which is causing a significant impact to people’s lives, businesses and the wider economy.
Whilst a significant effort is being made globally to contain the virus, crises such as these can unfold unpredictably. Therefore as the situation develops, firms across all sectors are having to work rapidly to ensure that their business services can continue to operate, their staff (and places of work) remain safe and their customers remain properly and appropriately served.
Effective and successful management of crises such as these is directly related to how well prepared organisations are to respond, and should be key operational resilience considerations for firms.
We have set out in this briefing key regulatory issues that boards need to think about in the immediate term as part of effective crisis response planning and to ensure that business as usual activities can carry on.
The FCA has already issued a statement on COVID-19 setting out at a high level its expectations of firms. The key messages from the regulator are:
- it expects all firms to have contingency plans in place to deal with major events;
- alongside the Bank of England, it is actively reviewing the contingency plans of a wide range of firms. This includes assessments of operational risks, the ability of firms to continue to operate effectively and the steps firms are taking to serve and support their customers;
- it expects firms to take all reasonable steps to meet their regulatory obligations. For example, the FCA expects firms to be able to enter orders and transactions promptly into the relevant systems, use recorded lines when trading and give staff access to the compliance support they need. If firms are able to meet these standards and undertake these activities from backup sites or with staff working from home, the FCA has no objection to this; and
- it is discussing with firms and trade associations any particular issues they may have and is working with them to resolve these. The FCA wants to understand the pressures they are facing and will be continuing its active dialogue with firms, institutions and industry bodies in the coming days and weeks. The FCA will keep its guidance under review as necessary.
The COVID-19 outbreak has brought operational resilience into even sharper focus. Before Christmas both the PRA and the FCA published consultation papers on the issue. The purpose of these papers is to create a shift in the mind-set, from firms prioritising their own commercial interests to considering the vulnerabilities of consumers and the financial system as a whole when making decisions. They are also intended to foster a culture where firms are forward looking, making decisions today that help prevent operational incidents tomorrow that impact consumers, financial markets and the UK financial system. To do this the proposals are designed so that firms will be in a position to continue providing business services that are heavily relied on, even in the event of severe operational disruption. Firms should therefore have robust contingency plans in place that take into account high impact but low probability events so they are prepared for the worst.
In December 2019, the PRA published Consultation Paper 30/19: Outsourcing and third party risk management that set out proposals for modernising the regulatory framework on outsourcing and third party risk management. Along with this the PRA also published Consultation Paper 29/19: Operational resilience: impact tolerances for important business services (CP29/19).
One of the key points the PRA makes in CP29/19 is that whilst avoiding disruption to particular systems is a contributing factor to operational resilience, it is ultimately the business service that needs to be resilient. The PRA proposes that firms need to consider the chain of activities that make up the business service, from taking on an obligation to delivery of service, and determine which part of the chain is critical to delivery. Obviously, this varies from business to business and in some cases the chain will be long. The PRA considers that the most critical parts of the service should be operationally resilient, and that firms should accordingly focus their work on the resources necessary to deliver those activities in the chain.
In terms of an internal service such as HR or payroll, the PRA does not expect such services to be identified as business services unless the failure to deliver them would impact on the delivery of outward facing business services which have direct consequences for safety and soundness, financial stability or the appropriate degree of policyholder protection.
In terms of prioritising business services, the PRA has proposed that a business service is important if its disruption could pose a risk to the firm’s safety and soundness or financial stability, or in the case of insurers, the appropriate degree of policyholder protection. It therefore follows that boards and senior management not only have to identify business services within their firm but also assess each service’s relative importance and then conclude an approved impact tolerance. The proposed PRA policy in CP29/19 would introduce a requirement for boards and senior management to approve the impact tolerances that have been set for each of their firm’s important business services.
In December 2019, the FCA also published a consultation focussing on operational resilience, Consultation Paper 19/32: Building operational resilience: impact tolerances for important business services and feedback to DP18/04 (CP19/32). Unsurprisingly, the FCA follows a similar line to that taken by the PRA although in light of their differing statutory objectives the FCA focuses more on consumer protection rather than financial stability. The FCA is proposing that firms:
- identify their important business services that if disrupted could cause harm to consumers or market integrity;
- identify and document the people, processes, technology, facilities and information that support a firm’s important business services;
- set impact tolerances for each important business service;
- test their ability to remain within their impact tolerances through a range of severe but plausible disruption scenarios;
- conduct lessons learned exercises to identify, prioritise and invest in their ability to respond and recover from disruptions as effectively as possible;
- develop internal and external communication plans for when important business services are disrupted; and
- create a self-assessment document.
The deadline for comments on the PRA and FCA consultations is 3 April 2020. The PRA stated in CP29/19 that it intended to publish its final policy in the second half of 2020 (the FCA simply stated ‘next year’), although it may be that as things develop with COVID-19 these final policy papers may appear sooner rather than later.
Notwithstanding the above UK papers, there are also papers from the European Supervisory Authorities that provide some assistance. One example is the European Banking Authority’s guidelines on security measures for operational and security risk of payment services under the Payment Services Regulation 2.
Crisis response planning: some areas for boards to consider
A robust crisis response plan and capability is key to minimising the impact the crisis has on a business, its staff and its customers. Firms should have in place crisis management and business continuity plans as part of their operational resilience frameworks that consider a range of scenarios, including a health pandemic, which should help them respond.
Given the various unknowns at this early stage in respect of COVID-19 and how it may impact nationally and internationally, it’s important that firms, if they haven’t done so already:
ACTION POINT 1: Assemble a proportionate but robust cross-functional response team to review their plans in detail:
It is possible that an outbreak such as this could touch on all parts of an organisation, therefore it is important to include relevant stakeholders from across the business – HR, communications, customer services, legal, compliance etc – headed by an appropriately senior individual to ensure it gets the profile it requires.
ACTION POINT 2: Scenario plan and consider the impacts on the crisis response plan:
Consider the range of scenarios that could occur as a result of the crisis in the short, medium and longer term. These should be plausible, but severe in nature so as to prepare the organisation for what could be a prolonged period of high stress. Various broad factors can influence this. Take, for example, as we have seen in a number of areas of the country already, the impact of school closures, which may seem like a small and trivial matter at first glance. Some things to think about in respect of this example may include, but not be limited to:
- Staff: Will more people need to work from home as a result (particularly those with child care responsibilities)?
- Systems: If so, will systems accessed remotely be able to cope with a higher number of users for an extended period?
- Operations: If system bandwidth is an issue, are there other things that can be done to reduce the impact (e.g. amend working hours, operate a shift system etc)?
- Customers: If factors impacting the level of service change (such as a change to opening hours), how will this be communicated to customers? How will customers be kept up to date if and when your response changes?
As part of scenario planning, it’s important to establish accurate factual information from credible sources. In situations such as these social media in particular can be awash with inaccurate information or speculation, which may be unhelpful and impair decision-making.
ACTION POINT 3: Test the plan and its key components:
Undertake testing of your crisis response plan using the plausible, but severe scenarios that you have considered. Some of the key components of the response plan include the communication media that you intend to use to keep staff and other stakeholders up to date on your response to the crisis, systems stress testing and effective / safe management of sites from which you operate, be they head offices, operations hubs or branches.
As you conduct the testing, what do the results show you? To what extent do they highlight previously unforeseen weaknesses that need addressing promptly? Which stakeholders need to be involved in addressing these weaknesses, and how do you satisfy yourself that once action has been taken, it addresses the weaknesses identified?
All of these factors will serve to enhance your crisis response plan and overall preparedness.
ACTION POINT 4: Communicate to stakeholders:
In fast moving and unpredictable circumstances such as these, clear and timely communication to stakeholders is key. Staff, customers and regulators are all important stakeholders to keep updated in respect of an organisation’s planned response in the run up to and throughout the period of crisis response:
- Staff: will need to know what is expected of them if the crisis management plan is invoked. It is important that staff know how they should prepare, what action they should take, when they should take action and how they will be communicated with in the run up to and during a period of crisis management response. Staff will likely want to know how their safety has been considered, therefore this should also form a key element of any communications that are issued.
- Customers: will need to know the impact that any implementation of a crisis management plan will have on them and this should be communicated in a timely manner. Consider the extent to which their access to services will be impacted in any way. Will online systems / apps be available as normal? Will telephone lines operate as normal? Is it likely response times / processing times will take longer? Clear explanations of the impacts, timescales and reasons behind these will help to manage your relationships with your customers.
- Regulators: will expect firms to have in place robust crisis management and response plans and may ask to see these or ask you how you are satisfied that your plans are sufficiently robust. Be ready for this as it is likely any request will require an almost immediate response.
How Norton Rose Fulbright can help:
We are able to help financial institutions on their operational resilience journeys and can provide support in the following areas:
- Governance and oversight arrangements in respect of operational resilience matters.
- Management information, reporting and oversight.
- Third party provider risk and controls assessments.
- Scenario planning and building outputs into crisis response plans.
- Preparing for and responding to requests for information from the regulators.
- Monitoring the latest developments from the PRA and FCA.
- Sharing our broader experience in respect of operational resilience matters with relevant management.