For financial institutions across the globe, the COVID-19 pandemic has proved to be a real-world test of operational resilience. Those in risk, compliance and operational functions have had to rapidly adapt their business continuity and resilience frameworks in response to new risks or changes in existing risks that occurred in different parts of their organisation as a result of the pandemic. This, in step with widespread regulatory reforms and a heightened focus on strengthening operational resilience within the financial sector – which came into play even prior to the pandemic – is putting increased pressure on organisations.

In the UK, while there have been various communications from the FCA and PRA during the pandemic setting out their expectations, specific guidance on what operational resilience should look like has been lacking. Over the summer, we carried out a survey exploring how financial institutions have been managing their operational resilience leading up to and during the pandemic, the findings of which can be found here. An overwhelming majority of survey respondents said it was important to obtain further guidance from regulators on operational resilience before undertaking any adjustments, or any further adjustments, to their operational business models and controls. Respondents said they would welcome further supervisory guidance specifically on applying lessons learned, on internal and external communications, and on scenario testing. Based on this, we have identified some key considerations for financial institutions as they navigate how to build resilience and thrive in this new environment.

Applying lessons learned

Applying lessons learned, not only from a financial institution’s initial pandemic response, but also from past operational incidents as well as scenario testing, is important to drive continuous improvements to operational resilience and, in the case of past incidents, to build trust and confidence with regulators.

In terms of lessons learned from COVID-19, financial institutions should evaluate the pandemic plans they developed at the start of the crisis and compare intended results with actual results. The evaluation will cover different factors, including: the composition and effectiveness of the crisis management team; the frequency of meetings and the speed of decision making; whether the initial prioritisation and mapping of important business services was correct; and the engagement and feedback generated by internal and external communications. Financial institutions should also analyse what went well and what did not with respect to their technology, people, facilities and third party management. Off the back of this self-evaluation, financial institutions should draw up a list of action points and decide which processes to keep and what they will do differently next time. Deficiencies, whether identified through scenario testing or through practical experience, should be addressed as a matter of priority, with actions ranked according to the risk each deficiency poses, particularly as the pandemic is entering a second wave in many countries.

To date, publicly reported COVID-19 related operational incidents in financial services have been limited, which indicates that most financial institutions have so far weathered the storm reasonably well. However, it may take some time for issues to surface, as the supervisory push on operational resilience is only starting to gain momentum.

Internal and external communications

The ability to communicate effectively is paramount during operational disruptions. Having strong internal and external communication strategies in place allows organisations to act quickly and effectively to reduce potential harm.

Both internal and external communications strategies should begin by identifying the groups of stakeholders at which communications will be targeted, together with an analysis of the current state of the business. The PEST (political, economic, social, technological) and SWOT (strengths, weaknesses, opportunities, threats) analysis tools are an effective way to assess the situation. The PEST analysis reviews the facts of the crisis or disruption against each of the PEST categories, while the SWOT analysis allows the financial institution to assess how it may respond and to work out its organisational objectives and deliverables.

Internal communications plans should follow both a top-down and a bottom-up approach. This includes the board taking an active role, upward and timely reporting measures being in place, effective management information to inform decision-making, listening to the concerns of staff across the business, and ensuring individuals know what, when and how to communicate to their teams, customers and third parties. Engagement across the business, and communication across teams and locations, are important to ensure the financial institution takes a service- and/or consumer-focussed approach.

For external communications plans, proactive, consistent and clear messaging is key. Keeping external stakeholders informed, even when the whole picture is not yet clear, provides assurance that the situation is being managed and that the financial institution is in control of unfolding events. Financial institutions should provide updated action plans on new developments as early and as often as possible. An effective and well executed external communications strategy should leverage technology to deliver planned multi-channel messaging, whether through email, voice, video, SMS or social media. Moreover, it is not enough to send one-way communications: there needs to be a system in place to track receipt, to allow the receiver to respond as needed, and to escalate when required. Engagement surveys and active feedback requests are often good methods of achieving this.

In terms of communications with regulators, financial institutions should document their crisis response planning and decision-making so that, if required, they can demonstrate to the relevant supervisory authority that they are meeting their responsibilities in respect of operational resilience.

Scenario testing

Scenario testing as part of business continuity and disaster recovery often focuses on short-term disruptions posed by technology failures or the unavailability of a single asset. In contrast, scenario testing for operational resilience builds and demonstrates a financial institution’s capacity to anticipate, prepare for, respond to, and adapt to both incremental changes and sudden shocks to its operating environment from an external event.

Understanding whether the financial institution can withstand stressed conditions and remain resilient requires a holistic approach. The first step is to identify and map important business services and the main systems and processes involved, as well as any underlying dependencies; that is, to identify what is critical to the continuing delivery of each service. The next step is to set impact tolerances: the maximum level of disruption to an important business service that the institution is prepared to tolerate. Scenario testing should then be expanded from considering single points of failure to considering a broad range of severe but plausible scenarios of varying duration, to test whether the financial institution is able to remain within its impact tolerances. Different contingencies should be deployed together, such as extraordinary workarounds alongside more conventional business continuity and disaster recovery procedures, to meet those impact tolerances. This approach forces financial institutions to accept that disruptions to business services are inevitable and need to be actively managed.

While almost no one anticipated a crisis on the scale of the disruption caused by COVID-19, financial institutions that regularly ran comprehensive and detailed pandemic scenarios were better prepared than those that had not. Financial institutions should currently be testing severe but plausible scenarios involving additional waves of COVID-19. These scenarios should be run and tested on an ongoing basis and should include scenarios with even greater impact than the pandemic seen this year.

The future of operational resilience

Operational resilience is rapidly moving up the supervisory agenda. Notably, the proposal for a regulation on digital operational resilience in the EU financial sector is taking its first steps through the EU legislative process. This proposal, which would introduce a detailed legislative framework on operational resilience for financial institutions in the EU, has entered the negotiation phase, and Member States are currently discussing different aspects of the framework. New or enhanced rules are expected to come into force next year in many countries across the globe.

Navigating these changes is a challenge for firms and something on which we are regularly asked to advise. Please see our website to explore how we can help firms navigate effectively through the choppy waters of operational resilience issues so that they stay ahead of evolving risks.

First published in Thomson Reuters Accelus Regulatory Intelligence on November 13, 2020.