Having business continuity arrangements in place is a long-established FCA regulatory requirement and the rapid onset of coronavirus presents a new conundrum for firms. Specifically, how to plan for something where the range of potential outcomes is so diverse.
Many firms have a documented business continuity plan in place and regular testing of this plan should also be commonplace. In addition, operational resilience (the ability to prevent, adapt, respond to, recover and learn from operational disruptions), of which business continuity is a key component, is a regulatory ‘hot topic’.
In July 2019, the FCA published its findings following a review of business continuity arrangements at certain financial institutions. The regulator found that although firms often take steps to build resilience to prevent events from occurring, they are less adept at anticipating events that will occur and in carrying out proper planning and testing.
So, where does coronavirus fit into this? When considering business continuity risk, which in turn drives continuity planning and testing, a common approach is to consider specific events in terms of probability of occurrence and impact, should the event occur. Neither of these can be anticipated with certainty at present regarding coronavirus.
One of the FCA’s recommendations from July 2019 is for firms to create and develop ‘playbooks’ that cover different potential scenarios with multiple impacts. In the context of coronavirus, this could range from minimal or no impact, through to having a significant proportion of staff members off sick and then finally, to a worst case scenario of mass fatalities/incapacitation and/or emergency measures that could restrict the movement of individuals in order to prevent the spread of the virus.
Firms should therefore elect to test their BCP arrangements, in the event of disruptions caused by coronavirus. For example
- Has scenario testing regarding the possible disruption been conducted?
- Are senior management appropriately engaged with this initiative?
- For the relevant scenarios, is there a protocol for ensuring the successful enactment of continuity planning?
- Who are the key individuals responsible for this, and are they suitably senior/knowledgeable? Do staff members know what to do?
- Has key person risk been assessed?
- Is working from home a possibility for all staff members?
- Is it possible to set up conferencing facilities from home?
- What are the operational resilience plans of key service providers?
- What are the plans for communicating the enacted continuity planning to concerned parties, including clients and service providers?
- Could business operations continue in the absence of (certain) IT services?
- Is there an up-to-date phone directory that includes staff members and service providers?
Firms might also wish to take this opportunity to perform a wider review of the effectiveness of their operational resilience arrangements, including business continuity.
