Way before firms faced the challenges posed by the Covid-19 pandemic, the regulators had been closely monitoring operational resilience within financial services firms, focusing on threats such as cyber risk.

Then along came the pandemic. All of a sudden, firms faced a very real and unexpected test of just how resilient they were, shining a spotlight on the critical importance of investing in crisis management plans.

The FCA recently published its final rules on what firms should be doing to ensure resilience. All the evidence it pointed to suggests that financial services firms have been quite successful in moving their business from office-based to homeworking, providing continuity of critical services much more quickly and more successfully than expected.

But did this positive response come by design, or by accident? And what lessons can you learn from this experience to ensure your business is best placed to respond even more effectively in the event of any future serious disruption? Here are my top three.

It all starts with good planning

A well-designed and robust business continuity plan (BCP) and crisis management solution should prepare for every eventuality – no matter how unlikely it may seem. And while most businesses will already have one in place, if you can’t answer ‘yes’ to these important questions, it’d be worth revisiting your plan.

  1. Does it cover all key areas?

A robust operational resilience strategy should map out and prioritise all the business services that need to keep running to continue serving your customers. Look beyond the obvious things like systems and IT, and also consider the people, processes, sources of information and facilities that your business activities depend on – including those provided by third party providers.

  2. Is it reviewed and updated regularly?

If the financial services sector has learnt anything from the past year, it’s that the landscape changes every day. So, your crisis management plan should always be kept up-to-date and should reflect any changes to business strategy or processes, or the introduction of new technologies.

  3. Do you have an effective communication plan to support it?

A great plan is useless if no one knows about it. Your plan needs to be socialised and communicated effectively, across teams and locations, via a formal and well understood communication strategy.

Ultimately, everyone in the business needs to understand their role in the BCP in the event of a crisis. Start by formally mapping out the roles and responsibilities of the crisis management team and other stakeholders, in particular highlighting which team members have decision-making authority.

Test, retest… then test again

While most businesses already have a crisis management plan in place, very few take the time to review the appropriateness of this or test its robustness. So when the pandemic hit, many plans simply weren’t fit for purpose — just when they were needed the most!

What does good testing look like?

Set impact tolerance levels, using time/duration as a key metric

Identify and test against all potential disaster scenarios, no matter how unlikely they seem

Involve all key members of the crisis management team

Provide feedback where deficiencies have been identified

Take remedial action to help drive continuous improvement

Accept that anything can happen

At the risk of sounding a touch ‘doom and gloom’, operational resilience is ultimately about expecting the unexpected.

With continued uncertainty around how the world is likely to emerge from the pandemic, and whether further restrictions are likely, business leaders should be preparing themselves and their firms for other severe disruptions. The next crisis is likely to have different characteristics, or might be more firm- or sector-specific, so it’s important not to rest on your laurels if you’ve gotten through the pandemic without a scratch.

This way, all businesses will be able to comply with the regulator’s expectations to adapt, respond, recover, and learn from operational disruptions. Responding to the current pandemic is only the beginning!
