COVID-19 has caused unprecedented disruption to regulated financial services firms. Having implemented business continuity and crisis management plans these firms will now be discovering just how effective these plans were. It's important to learn lessons once normality returns, but the immediate priority must be to rapidly assess and respond to business impacts that could affect short term business continuity and the longer-term viability of the business.
Our Client Director, Lindsey Domingo, has brought together the thoughts and ideas of a group of our senior consultants to offer insight and guidance to help firms. They have identified five key areas that firms need to address: Employee Management; Leadership and Communication; Operational Resilience; Financial Viability; and Governance and Compliance.
The welfare of your employees will be of paramount importance, with there being lots of examples of firms putting in place measures to cater for employees’ physical and mental well-being. For example, providing staff at offices, branches and contact centres that remain open with infection protection support and guidance and working environments that enable them to maintain social distancing.
Regular, transparent and consistent communications are key. Ask early and often what people need or are concerned about and respond to those concerns. Consecutive hours of uninterrupted work or adhering to normal working hours may not be feasible while also having to look after children or elderly parents.
Tip - make sure staff are properly equipped to work from home and that they are trained and given time to adjust. It might be helpful to allow them more flexibility in their working patterns and to make allowances for sub-optimal productivity in setting performance targets. You may, also, find that there is increased scope for staff to undertake remote or online training and develop needed skills. One area of caution may relate to emerging data protection issues and questions that will naturally arise, such as whether you are allowed to collect health information about employees and their family members.
Leadership and Communication
Senior management must provide regular, consistent, and transparent communication not just to employees but equally to your customers. Having a clear plan and basis for decisions and being able to demonstrate your management of the crisis will give confidence to all your stakeholders, from employees, contractors and customers to business partners, shareholders, suppliers and regulators.
It is advisable to engage with your critical stakeholders and understand their priorities in the short and medium term and to make sure you regularly review the alignment of these priorities with your plans.
Tip – we recommend that, if you have not already done so, you form a COVID-19 Response Team, with clear governance - essentially the equivalent of your own COBRA meetings. The aim is to ensure that issues are properly analysed, effective decisions made and rapid-response actions taken, while avoiding impulsive short-sighted decisions. Also, we'd recommend you make sure you have appropriate remote working capabilities for the immediate and longer term and that managers have the necessary skills to lead a remote workforce.
Operational resilience refers to a firm’s ability to maintain critical services and functions irrespective of any disruption. As this crisis continues to evolve, firms need to constantly review critical activities and dependencies (people, systems, third parties, etc). If you identify any points of failure you should implement appropriate countermeasures such as technical availability measures, third-party due diligence and service level agreements, and team cross-training or cross-skilling e.g. to cater for weakness in a team due to COVID-19 illness.
This means constantly revisiting and refreshing operational plans and using impact assessments and scenario planning to make sure you continue to effectively manage the disruption.
Tip – do your impact assessments consider the potential for longer term disruption to normal working patterns? For example what if we faced longer than expected restrictions? Do your plans cater for potential staff unavailability if they are taken ill? And with staff working remotely how would you manage loss of key people or systems? Financial services regulators expect firms to be able to provide strong support and service to customers, especially consumers and small businesses who are facing challenges.
COVID-19 is fundamentally challenging firms’ ability to deliver their business plans, thereby bringing cashflow management to the forefront. Firms should plan for different scenarios and identify the triggers for different courses of action: cost savings that can be made; different business structures that would reduce risk and protect value; access to emergency funding etc.
Tip – don’t forget to consider third party firms providing services that support or enable the service you offer to your customers. You need to make you have a plan to manage any legal and financial risk of contractual non-performance, so you can effectively minimise losses and disputes. The Financial Conduct Authority have stated that they expect firms to actively manage their financial resilience and their liquidity.
Governance and Compliance
Although COVID-19 is a global emergency affecting almost all aspects of daily life, it does not suspend a firm’s regulatory compliance obligations. For example, you still need to continue to meet threshold conditions and have proper systems and controls in place.
Internal controls may be impacted by homeworking arrangements, so it’s important for senior management to set the tone, issue clear policies and expectations, and consider putting in place compensating controls such as incremental management information and monitoring.
It’s well reported that there has been a rise in suspicious email messages and with systems stretched due to remote working it’s a timely reminder for individuals and organisations to refresh their cybersecurity awareness and preparedness.
Tip – make sure you remind staff of the firm’s information security and confidentiality guidelines, including using secure devices and secure networks.
In summary, stakeholders expect firms to have contingency plans in place to allow them to continue to look after their people, operate effectively, serve and support their customers, and meet their legal and regulatory obligations.
Compliancy Services can support you in conducting business impact assessments, help you review your business continuity and resilience arrangements and help you manage your compliance obligations.
To find out more, please contact us at [email protected] to book a discussion with one of our experienced consultants.
Related resourcesAll resources
Payment Services Regulatory Compliance Forum 2023
Are you carrying out your new Consumer Duty obligations correctly?
Payments Newsletter - November 2023
A guide to effective fraud management – for Payment and E-money Firms