FCA Statement on the Coronavirus: Expectations for Business Continuity Planning

The FCA has published a short announcement confirming it is working closely with financial services firms to ensure they are responding effectively to the Covid-19 (coronavirus) outbreak. The FCA is discussing with firms and trade associations any particular issues they may have and is working with them to resolve these. The FCA is working on this in conjunction with the Bank of England and HM Treasury and will update its guidance as necessary. 

In its brief statement, the FCA outlines it expectations of firms which can be summarised as follows:

• All firms are to have contingency plans in place to deal with major events. The FCA is reviewing the contingency plans of a wide range of firms. This includes assessing firms’ operational risks, their ability to continue to operate effectively and the steps they are taking to serve and support their customers
• Firms are to take all reasonable steps to meet their regulatory obligations. As an example, the FCA expects firms to be able to enter orders and transactions promptly into the relevant systems, use recorded lines when trading and give staff access to the compliance support they need. The FCA has confirmed that if firms can meet these standards and undertake these activities from backup sites or with staff working from home, then they have no objection

The statement in full can be found here

In 2019 the FCA reviewed business continuity planning (BCP) amongst a number of small and medium-sized retail banks, payments institutions and electronic money institutions. The findings and recommendations of that review may give a steer on detail on what the regulator expects from firms now.

In that review the FCA assessed the approach taken by firms to:

• Plan for and manage business continuity events
• Implement business continuity contingencies including communications
• Recover and return to normal service following an event
• Identify potential or actual consumer harm and remedy where necessary

A summary of their findings, detailing both good practice and areas for enhancement, is set out below.

Planning and preparation - firms’ approach to planning and managing events

Good practice

• Most firms had a documented BCP strategy approved at Board level, with a clearly defined risk appetite. Documenting the appetite for event occurrence and recovery can guide a clear strategy for event management, including the roles and responsibilities of individuals.
• Some firms had real-time monitoring tools allowing frontline staff to track the performance of services, with automated alerts on new events sent to senior management at defined trigger points. Tracking an event in real time enables enhanced event management capabilities.
• All firms used governance forums for approval, challenge and maintenance of policies, plans and frameworks to ensure that the appropriate accountability and responsibility for managing BCP.
• Some firms considered real life scenario testing that goes beyond the basic scenarios of denial of premises access and denial of IT Service. They used real life events and potential events to test their colleagues’ understanding of responsibility, capabilities to adapt and critical decision making.
• Most firms had identified and documented customer critical processes so that if they are affected during an event, they can be prioritised swiftly for action to reduce harm.

Potential areas for enhancement

• Most firms did not adequately consider the link between business continuity and large-scale change projects or routinely revisit plans in anticipation of 'go-live launches'. When implementing significant changes, firms need to plan for unanticipated disruptions so that any response implemented is adequate, swift and reduces harm effectively.
• Most firms had training that covers the requirements for technical staff. However, there should also be relevant and tailored training across all firms that covers all colleagues. Training of this nature would raise awareness and understanding of roles and responsibilities, which would enable swift and effective action by staff during an event. It also makes clear what is expected of individuals.
• Firms should consider defining a broad range of test events covering multiple scenarios, so that plans can be tested regularly, improved as necessary and kept current and proportionate to the nature, scale and complexity of the risks inherent in the business model of the firm.
• Some firms did not ensure that BCP is a priority for attention at the highest level of the organisation – e.g. Executive Committee and Board. Also, challenge on current capabilities was not encouraged by those responsible for BCP.

Response - A firm’s approach to quickly recognise events, invoke business continuity arrangements and communicate effectively during events

Good practice

• Some firms had crisis management plans containing detailed pre-drafted and pre-approved communication plans for internal/external stakeholders (including their customers). These covered the specific messages to be used, how they should be issued and in which instances. This enabled fast reaction times when events occurred and was part of preparation work completed.
• Most firms documented several contingencies for their customer critical processes, and where gaps existed there were plans in place to make the necessary improvements.
• Some firms used flexible (internal and external) resource plans to ensure that they have the capability to quickly move resources to where they are most needed in an emergency. This means customer harm is reduced and solutions are implemented quickly.

Potential areas for enhancement

• Most firms had not created and developed ‘playbooks’ that cover different potential scenarios with multiple impacts. Firms should consider whether these documents should include guidance on the appropriate communication steps to be taken, the contingencies required to respond and the roles and responsibilities of the individuals managing the event.
• Firms should consider that any response to an incident should be managed and driven by appropriate individuals – i.e. an individual with appropriate knowledge, experience and seniority. Firms should also consider whether they need internal or external independent oversight and challenge on the robustness of proposed solutions, and the speed with which they are implemented.
• Depending on the nature, scale and complexity of their business, firms should consider whether individuals responsible for implementing the required solutions and fixes should be responsible for verifying that those solutions are adequate and appropriate. Firms should consider whether the verification for these solutions should be carried out by an appropriate impartial group or individual – e.g. 2nd Line of Defence Risk, Internal Audit, Third Party opinion.

Recovery - A firm’s approach to returning to ‘normal’ or ‘new normal’ service following an event and how it ensures it identifies potential or actual consumer harm at the earliest opportunity and remedies it swiftly

Good practice

• All firms used post incident reviews to drive change to policies, frameworks and plans – e.g. upgrading communication capabilities and revising contingency assumptions.
• Some firms proactively contacted customers during an event if harm had occurred without waiting for a customer complaint or complaint Management Information report. This enabled remediation to be as swift as possible.

Potential areas for enhancement

Firms need to consider using management information or other means to proactively identify potential or actual harm and consider what lessons they can learn from an event. Lessons learned need to be applied to other key services. This may reduce the likelihood and impact of future events.

Consultation paper CP 19/32

The Bank of England, Prudential Regulation Authority (PRA) and FCA have also published a shared policy summary and co-ordinated consultation papers (CPs) on new requirements to strengthen operational resilience in the financial services sector. All firms should familiarise themselves with the concepts outlined in the Consultation Paper CP 19/32 which closes on 3 April 2020. The Consultation Paper proposes firms:

• Identify their important business services that if disrupted could cause harm to consumers or market integrity
• Identify and document the people, processes, technology, facilities and information that support a firm’s important business services (mapping)
• Set impact tolerances for each important business service (i.e. thresholds for maximum tolerable disruption)
• Test their ability to remain within their impact tolerances through a range of severe but plausible disruption scenarios
• Conduct lessons learned exercises to identify, prioritise and invest in their ability to respond and recover from disruptions as effectively as possible
• Develop internal and external communications plans for when important business services are disrupted 
• Create a self-assessment document

Doyle Clayton’s regulatory expertise means we are well placed to support our clients in this area. Please contact Charlie Herbert or your usual Doyle Clayton contact to discuss how we can help you.