Resilience in the face of COVID-19
A new normal
Coronavirus (COVID-19) has impacted our daily lives on a blockbuster scale. Governments are mandating behaviour, cities are in lockdown, hospitals are in overdrive, individuals are isolating themselves and businesses are having to adopt a sustained crisis management mentality.
Financial services firms have, like others, been hit hard. Frontline staff are under pressure, both internally and from the Government, to respond to volatile financial markets and provide financing support to impacted customers. This is especially important given the role FS firms must now play in helping businesses to secure government-backed loans. Other areas of the business, such as IT support functions, are frantically reprioritising work to deal with the COVID-19 response. The distraction is leaving firms more vulnerable to other threats, such as cyber-attacks or data leaks. All the while, there is a need to maintain calm and order, as any uncertainty will lead to further contagion in the markets. So much so that UK regulators have announced measures to minimise demand on the industry’s existing capacity, such as “allowing listed companies an extra two months to publish their audited annual financial reports” and pushing back the deadlines for certain regulatory deliverables.
In this light, it is now more critical than ever that organisations assess their underlying operational resilience and their ability to respond to and recover from high impact incidents. Coronavirus has become the litmus test for an organisation’s operational resilience.
The ramifications of operating in a ‘COVID’ environment
Stopping the spread of Coronavirus between staff has been a key priority for organisations in order to avoid the business disaster of contagion impacting enough staff to halt core operations and, ultimately, stop customers receiving vital services. This impact is already evident in the mortgage sector with the partial lockdown of new/re-mortgage applications.
Working from home has become the modus operandi, where possible, with staff having to balance caring for their families and finding a way to keep work tasks progressing. Call centres, for instance, have been impacted by both staff unavailability and increased customer call volumes regarding COVID-19 impacts. Processes are being tested ‘live’ with fractures occurring in real-time and there is an elevated strain on technology. For example, staff are being asked to start conference calls at irregular times in order to avoid overloading teleconferencing systems. Economically, businesses are having to make tough decisions on immediate priorities to maintain solvency; all within an uncertain macro-economic environment which could last for a lengthy period before the green shoots of recovery materialise. Cancelled orders, financing delays and redundancies now threaten the wider supply chain network.
In response, organisations have had to dust off crisis management procedures, mobilise continuity plans and utilise disaster recovery mechanisms, where they exist. The focus for firms has shifted from profitability to survival, as well as ensuring continued customer access to key financial products and services.
As responses to the Coronavirus threat are underway, we need to be cognisant of the wider picture. COVID-19 will be defeated eventually. However, what can we learn from this experience to factor into future incident prevention, response and recovery?
Lessons from adversity
The way in which firms respond to and recover from this experience can serve as a valuable opportunity to learn, adapt, share experiences and help organisations better protect themselves, their customers and markets in the future. We have identified seven key lessons:
- Know your business: COVID-19 has been a stark reminder to FS institutions of the importance of identifying and mapping their business services to enable effective response and recovery activity. Having an up-to-date inventory of your most important business services is fundamental to this and, in the current situation, is vital to assessing how COVID-19 is impacting the business and where resources need to be re-prioritised.
- Identify key staff, systems and third-party dependencies: Understanding the people, processes, information and infrastructure (including third parties) required to deliver important business services is imperative in helping organisations to identify and mitigate areas of weakness, close control gaps and resolve issues that significantly impact customers. If you know that all of your important business services utilise the same technology solution, run by a single third party, are you comfortable and do you have confidence in their resilience? Similarly, if you have key staff dependencies for core activities, you will need to consider how effective handover plans are in cases of prolonged absence.
- Create / enhance an Operational Resilience Framework and supporting procedures: Having a clear and robust Operational Resilience Framework has been at the core of the recent drive to improve operational resilience, but why is this so important during the COVID-19 crisis and in the subsequent aftermath? A framework and supporting procedures act as the blueprint and core reference points for what resilience mechanisms your organisation has in place, where to find them, when to use them and where responsibilities lie. For example, these core documents could be used to guide senior management / the Board through their organisation’s COVID-19 crisis response activities.
- Review your Scenario Testing strategy: An event with the impact and duration of the Coronavirus pandemic would not likely have featured in scenario testing plans prior to COVID-19. Therefore, firms should consider reviewing their scenario testing strategies to incorporate more severe disruptions for longer periods of time, as well as also considering applying a similar level of rigour to that used in Stress Testing, i.e. with multiple data points feeding into mature models.
- Update and enhance recovery plans: Coronavirus has challenged existing Business Continuity Plans (BCP) and Disaster Recovery Plans in new ways. For instance, a common BCP action plan for many functions is to use disaster recovery sites. However, the utilisation of recovery sites may now no longer be a viable alternative if staff in lockdown cannot travel to sites or work safely whilst ‘social distancing’. Many firms have managed to find innovative ways of enabling staff to work from home instead. This could lead to future cost savings.
- Communicate, communicate, communicate: Staff, clients, third parties and regulators are all stakeholders when it comes to major incident management. Therefore, a significant factor in response and recovery is how well stakeholders are kept informed during the lifecycle of an incident. Clear and consistent messaging can go a long way to minimising customer harm, maintaining confidence and reputation and keeping people calm in emergency situations. In the current situation, it is vital that this communication strategy is underpinned by appropriate technology platforms that enable communication to continue and be seamless in a remote working set-up. This includes secure remote access to corporate systems, video-conferencing capabilities, secure virtual conferencing for classified / exec boards, crisis messaging platforms, etc.
- Evolve: All of the above should be reviewed and assessed on an ongoing basis (particularly during the current situation) to ensure they are fit for purpose and that your organisation has the capability to execute established contingency measures in times of need. If you are a senior / responsible individual, ask yourself the following: (i) Are you easily able to list your most critical business services and identify those most impacted by COVID-19? (ii) Can you easily identify staff / third parties supporting services impacted by COVID-19? (iii) Have your crisis management and business continuity procedures been effective under the current situation? (iv) Have your communications held up and are all of your key IT systems working under remote working?
Where next from here?
The coronavirus pandemic has had, and is continuing to have, a large impact on individuals, businesses, customers and the economy at large. In some cases, businesses and even entire industry sectors have been forced to shut down. For those charged with the responsibility of delivering critical services, it has been telling that those with resilience measures in place (e.g. remote working arrangements, business service inventories and crisis management procedures) have been better able to maintain the provision of core services than those without.
This really underlines the importance of immediately mobilising programmes to implement operational resilience measures across organisations (regulators have been clear that firms must not wait for final policy statements on Operational Resilience – expected Q1 2021 – and should already be actively driving programmes of work). This crisis has forced firms to determine what their most important services are, identify their most vulnerable customers and come up with ways to effectively deliver services remotely. These learnings should be built into Operational Resilience Frameworks, response / recovery plans and supporting documentation.
Ultimately, embracing the current situation and learning from it will go a long way to protecting organisations (and their customers) from similar incidents in the future. How prepared are you for the next inevitable emergency?
If you need help in responding to and recovering from COVID-19 or in building operational resilience programmes to help protect against future incidents, please do get in touch.