Operational resilience requirements for companies in financial services are about to get a lot tougher and firms need to start planning now how they are going to meet them. In December 2019, the three top UK financial regulators, the Bank of England, Prudential Regulation Authority and Financial Conduct Authority published a joint consultation paper on new requirements to strengthen operational resilience in the financial services sector.
According to Bank of England Governor, Andrew Bailey disruptive events can have a high impact on consumers and businesses, so firms need to know where the risks to their service delivery lie and to make sure that they are prepared for any service disruption by testing their planned response.
The regulators have made it clear that financial sector firms are expected to take ownership of their operational resilience and that they will need to plan accordingly. If disruption does occur then firms are expected to communicate clearly, for example providing customers with advice about alternative means of accessing their service.
Under the proposals, financial sector firms will be expected to:
- identify their important business services that if disrupted could cause harm to consumers, markets or themselves;
- set impact tolerances for each important business service, which quantify the maximum level of disruption they would tolerate;
- identify and document the people, processes, information and technology that support their important business services; and
- take actions to be able to remain within their impact tolerances through a range of severe but plausible disruption scenarios.
This requirement for business continuity planning is not new. In the UK, financial services firms are already required by Chapter 3.2.19 of the FSA Handbook to have in place appropriate arrangements to ensure that they can continue to function and meet regulatory obligations in the event of unforeseen interruption. But the new proposals are much more prescriptive and will take the level of planning required up several notches.
According to the Business Continuity Institute Horizon Scan the top business disruptions in the financial and insurance industry are unplanned IT and telecom outages (experienced by 75% of companies), adverse weather (experienced by 53% of companies) and cyber-attack (reported by 39% of companies).
Having a critical communications platform like Crises Control in place can help any organisation to meet the requirements set out in the consultation paper to be prepared to quickly respond to, effectively communicate during and mitigate any business disruption event.
A good example of how this works is one of our financial services customers, Itochu Europe. They use the Incident function on the Crises Control platform to alert employees working in their City of London HQ building to critical incidents via cloud-hosted e-mail, SMS, telephone call and push notification. The platform was used during the London Bridge terrorist attack in June 2017 to notify employees about the incident and warn them to stay away from the area, even though the incident took place outside working hours.
Itochu also use the Ping Message function when they hold their 6 monthly HQ building evacuation drills. The security guidance from police has changed recently in London and companies in the City are new required to instruct their employees not to gather in a single location during evacuations, but to spread themselves out some distance from the building.
This situation provides a challenge to the company to communicate with all of their 400 employees and direct a return to the building once the drill is complete. The Crises Control platform allows the customer to meet this challenge and communicate instantaneously with all of their staff via their mobile devices, saving significant time and trouble and speeding the return to business as usual.
In addition to a robust communications platform, Crises Control also provides a virtual environment for hosting and testing of response plans and automatically creates an audit trail of your actions during an event for later review. So, you will be better prepared for an event and better able to respond when one does occur. You will also be able to demonstrate to regulators if required how effective your response was.
For more information please get in touch and we will explain how we can help you to meet your regulatory requirements around resilience or visit www.crises-control.com/industries/financial-services/.
Shalen Sehgal
Managing Director, Crises Control