Way before firms faced the challenges posed by the Covid-19 pandemic, the regulators had been closely monitoring operational resilience within financial services firms, focusing on threats such as cyber risk.
Then along came the Pandemic. All of a sudden, firms faced a very real and unexpected test of just how resilient they are, shining a spotlight on the critical importance of investing in crisis management plans.
The FCA recently published its final rules on what firms should be doing to ensure resilience. All the evidence it pointed to suggests that financial services firms have been quite successful in moving their business from office-based to homeworking, providing continuity of critical services much quicker and more successfully than expected.
But did this positive response come by design, or by accident? And what lessons can you learn from this experience to ensure your business is best placed to respond even more effectively in the event of any future serious disruption? Here’s my top three.
It all starts with a good planning
A well-designed and robust BCP and crisis management solution should prepare for every eventuality – no matter how unlikely it may seem. And while most businesses will already have one in place, if you can’t answer ‘yes’ to these important questions, it’d be worth revisiting your plan.
- Does it cover all key areas?
A robust operational resilience strategy should map out and prioritise all the business services that need to keep running to continue serving your customers. Look beyond the obvious things like systems and IT, and also consider the people, processes, sources of information and facilities that your business activities depend on – including those provided by third party providers.
- Is it reviewed and updated regularly?
If the financial services sector has learnt anything from the past year, it’s that the landscape changes every day. So, your crisis management plan should always be kept up-to-date and should reflect any changes to business strategy or processes, or the introduction of new technologies.
- Do you have an effective communication plan to support it?
A great plan is useless if no one knows about it. Your plan needs to be socialised and communicated effectively, across teams and locations, via a formal and well understood communication strategy.
Ultimately, everyone in the business needs to understand their role in the BCP in the event of a crisis. Start by formally mapping out the roles and responsibilities of the crisis management team and other stakeholders, in particular highlighting which team members have decision-making authority.
Test, retest… then test again
While most businesses already have a crisis management plan in place, very few take the time to review the appropriateness of this or test its robustness. So when the pandemic hit, many plans simply weren’t fit for purpose — just when they were needed the most!