As financial institutions continue to respond to the challenges posed by COVID-19, the Financial Conduct Authority (FCA) has set out its expectations of how firms should be managing their business from a business continuity, operational resilience and recovery and resolution perspective. In addition, the FCA has required certain firms to submit copies of their business continuity plan (BCP), operational resilience framework (ORA) and recovery and resolution plan (RRP) (together, the contingency plans) for review.
In previous statements, the FCA emphasised the importance of proper planning, constant monitoring, quick reactions and proactive remediation in the event of business disruption and it is clear that they expect firms’ contingency plans to be capable of dealing with any future developments in the COVID-19 situation. Therefore, firms should be reviewing and updating their contingency arrangements to ensure that they are not only fit for the current climate but stand up to potential regulatory scrutiny.
This alert highlights some of the issues that firms should consider when reviewing and updating their contingency plans.
The requirement to maintain and update BCPs has been woven into various aspects of regulation and has typically formed one of the key supervisory pillars by which regulators such as the FCA monitor the ability of a firm to withstand adverse events.
The FCA expects the BCP to address a variety of topics, covering: resource requirements, recovery priorities for each of the firm’s operations, stakeholder communications plans, escalation and invocation plans, the integrity of management information, and regular BCP testing. Factors that firms should take into account when reviewing, updating and implementing their BCPs include:
- Has the firm drafted and implemented a BCP?
- Has the firm identified all of its business resources and assets that need to form the subject of, or be included in, the BCP? Resources would include staff, real estate, technology, business lines and control functions.
- Has the BCP been reviewed by the board during the COVID-19 period?
- Have adequate reporting lines been set up to support the provision of management information in a timely and effective manner? How are these to operate in times of remote working?
- Have any barriers arisen that have impeded the firm’s ability to prudently and efficiently implement the BCP during the COVID-19 period?
- Does the firm’s BCP account for both short-term and long-term impacts? For instance, does the BCP address extended periods of working from home?
- Are senior management and other members of staff aware of their responsibilities under the BCP? Does the BCP account for senior management and staff absences?
- Are reportable events (e.g., potential breaches of FCA rules) and reporting lines identified such that management are aware of the circumstances, timeframes and methods in and by which to engage openly and honestly with regulators?
- Can the firm identify in short order impacted customers and third parties (whether service providers or otherwise) and is there a communications plan to engage with them?
- Has the firm assessed the impact of business disruption on customers and is it clear that the relevant contingency measures are appropriate to meet the firm’s obligations towards clients? For instance, can the customer access the firm’s switchboards in a fair timeframe when staff employed to operate those switchboards are working from home?
- Would the firm’s testing methodology to date be robust in replicating disruption scenarios? As an example, has testing included extended periods of working from home, and ensuring that both operating systems and control functions are effective in these circumstances?
- Have senior management and staff been trained in what to expect, and what is expected of them, in executing the BCP? Have changes to the BCP been communicated to staff?
Supplementing the high-level requirements of BCPs are more specific requirements relating to ensuring the integrity and continuity of outsourced services, whether they are critical, important or non-critical. Both the FCA and European Banking Authority (EBA) have issued detailed guidance in this area, which firms should take into account, particularly considering that firms remain responsible for the provision of the services they outsource. Issues to address include:
- Has the firm performed a business impact analysis that analyses exposures to a broad range of disruption, ranging from minor impacts on certain areas to severe impacts on multiple operational areas?
- Have business functions and their supporting processes, third parties and information assets, as well as the interdependencies of these, been mapped?
- Have any contingency plans been approved by relevant management stakeholders and is there a record of each stakeholder considering interdependencies between their area of responsibility and others?
- What are the potential impacts on confidentiality, and data integrity and availability, and have these been quantitatively and qualitatively assessed?
- Are there clear recovery timeframes pegged to the BCP for each operation?
- Is the BCP available on a system that is physically separated and readily accessible in case required?
- Are there effective communication lines between the senior management at the firm and those of the supplier? Are there robust and practical monitoring arrangements in place so the firm can ensure the proper provision of the outsourced service?
- Are suppliers to whom the firm has outsourced material functions aware of their obligations to deal in an open and cooperative manner with the firm’s regulators (this is particularly relevant for third country service providers)? Does the supplier contract reflect this and any other regulatory obligations? Do outsourcing agreements and service-level agreements set out risk-mitigating measures to be taken by either side?
- Has the firm identified intragroup arrangements within its control and supervision, and how has the firm dealt with the unavailability of those services, both for itself and reliant group entities?
- Does the BCP envisage that a service provider is unable to meet its obligations and does it take into account wider impacts to providers in that industry, such that alternative arrangements would need to be made?
- Has the firm learnt of any additional material outsourcing arrangements from its COVID-19 response? Has the FCA been made aware of this?
Where operational resilience differs from BCPs and RRPs is that it is more focused on the broad impact on customers and financial stability, rather than on the continuity of the firm’s business and operations. The FCA and Prudential Regulation Authority’s consultations on operational resilience provide an insight into the themes regulators will be focusing on in a firm’s contingency planning going forward, as well as the process they expect firms to follow in creating a living, breathing contingency framework. While these proposals may still be at the consultation stage (the consultation deadline has been extended to 1 October 2020), regulators are likely to take account of the principles established in their consultation when reviewing firms’ BCPs and RRPs during the COVID-19 period. Notably, the FCA will expect firms to invest in and address any weaknesses, vulnerabilities or deficiencies, with the aim of improving contingency plans overall.
Issues that firms may wish to consider in the context of operational resilience include:
Identifying important business services
Can the firm identify important business services by reference to a wide range of factors, including: the nature of the client base, the ability of clients to obtain the service from elsewhere, time criticality for clients in receiving the service, the number of clients receiving the service, and the ability of the service to inhibit the functioning of the UK’s financial system? Is the information needed to make this assessment readily available to the firm?
Firms should set their impact tolerances and remain within them
Can the firm identify and express clearly the first point at which likely disruption to each important business service might cause intolerable levels of harm to its clients or market integrity? What arrangements can the firm point to in order to demonstrate that it is able to operate within its impact tolerances? Can the firm justify its assessment that the impact tolerances considered are not excessively high?
Does the firm currently have enough information to map out a complete view of its resilience? For instance, can it identify and document the people, processes, technology, facilities and information that deliver each of its important business services? Is there a corresponding plan in respect of each area?
Scenario testing, lessons learned and self-assessments
Can the firm point to clear and wide-ranging scenarios in which it will test its systems? Do such scenarios consider disruptions such as: corruption, deletion or manipulation of data critical to the delivery of their important business services; unavailability of facilities or key people and critical third party services providers; disruption to other market participants; and loss or reduced provision of technology underpinning the delivery of important business services? The FCA’s proposals also require firms to conduct ‘lessons learned’ exercises. To this end, is the firm collating those lessons as they respond to current circumstances, and is a plan in place to address those lessons? Can the firm identify a documented communications strategy for its range of stakeholders, both internal and external?
Can the firm evidence that its contingency planning has been approved by senior management and that it has devoted adequate time to it to establish the business and risk strategies and the management of the main risks relevant to operational resilience? Are there clear lines of responsibility for the management of operational resilience in line with the Senior Managers and Certification Regime? As you can see, the regulators’ key proposals intend to provide more clarity and structure over a firm’s contingency arrangements and dovetail with the firm’s existing BCP obligations.
Completing a firm’s contingency matrix is the RRP, which is required to be prepared by banks and larger investment firms, being investment firms subject to an initial capital requirement of €730,000 – i.e., UK IFPRU 730K firms. RRPs set out what the firm would do in, or prior to becoming subject to, stressed circumstances that would affect the ability of the firm to carry on all or a significant part of its business. Whilst there will evidently be overlap with the considerations to be made when updating BCPs, RRPs have an additional granular focus on the financial recovery of the firm.
RRPs need to be periodically reviewed and submitted to regulators and so it is important to ensure their appropriateness and relevance. This is particularly pertinent given the changes to a firm’s business or financial situation that may have arisen as a result of COVID-19, and the lessons learnt from the firm’s response. Issues that firms should be considering when reviewing and updating their RRPs include:
- Does the RRP address newly identified stress scenarios and circumstances, and adverse events that have had a material impact on the firm’s business?
- Has the firm discovered any additional critical services and functions that it had previously not considered critical?
- What additional actions should be taken to ensure the viability and availability of technological systems and services? Do the firm’s current outsourcing relationships and contractual terms (discussed above) help or hinder this?
- Are the governance arrangements in place sufficient to provide management with requisite information in a timely manner so that they can consider viable recovery options? This may include ensuring that the composition of response teams and committees is appropriate and covers relevant areas of the business.
- Does the recovery strategy account for the proposed capital and liquidity arrangements of the firm? To what extent will the availability of capital instruments be impacted, and in what circumstances?
- Has the firm identified any material impediments that would impact its ability to execute its RRP? How does it propose to overcome them?
- Have all necessary preparatory measures been taken to implement the RRP within the firm, such that there are no internal barriers to executing the plan, if required?
- Are there any additional events that the firm has identified that may bring about the requirement to execute its RRP? Have these been identified clearly?
- Have all necessary stakeholders in a stressed scenario been identified, and does the plan set out the method, frequency and strategy for engaging with those stakeholders? Stakeholders would include staff, regulators, group entities, outsourcing providers, other third party providers and any other external stakeholder that may be relevant to the firm’s business.
- Does the plan account for impacts to third party service providers and infrastructure, and how continuity of services can be ensured from the firm’s perspective in these circumstances?
- Have assets and operations been identified that are capable of disposal, and have contingency arrangements been devised to replace any disposed items where these are important to business continuity?
- Is there an agreed-upon valuation method for proposed disposal assets and operations that could be deployed in a timely manner, if the need arises?
- Has the firm reviewed the periodic and prescribed information required by resolution authorities, and is it in a position to gather the data efficiently?
The EBA has recently issued a report on the inherent interlinkage between the content of recovery plans and the resolution plans which are prepared by resolution authorities on the basis of information provided by firms. Firms should be aware of this interlinkage and the best practices set out in the EBA’s report. The fact that recovery and resolution plans exist on a continuum means that firms should ensure consistency both in the recovery plans they prepare and the information they provide to resolution authorities.
In a time where business interruption may be more widespread, unforeseen, and yet frequent, it will be important to ensure that the myriad requirements for continuity plans are comprehensive, robust and stress tested.
Firms should continue to monitor developments and statements from regulators in relation to continuity plans during this period of uncertainty.