Go Back

[The New Compliance Normal] Business Continuity gets the spotlight

It only took a global pandemic and a war declared on racism to make a few things happen. With all this change, you’d think that every company on the planet would have a business continuity plan COVID-19 (BCP) in place by now. Shockingly, that doesn’t appear to be the case.

Many employees don’t even know what a BCP is. According to various sources who independently conducted surveys across different industries, somewhere between one quarter to over half of businesses did not have a BCP when the COVID-19 lockdown began. It’s unclear how many companies have since developed their continuity plans, but it’s likely that at least some portion of businesses have yet to draft, disseminate and/or test their BCP.

Given the enormous strife and heightened awareness of the need for a BCP in the wake of the havoc inflicted by COVID-19, businesses can no longer hide behind the excuse that they didn’t feel that a continuity plan was necessary. Cappitech made a clear statement reminding all financial firms that having a BCP was one of the “requirements under SMCR that was initiated by the FCA last December. With Business Continuity Post Covid-19 putting these plans to test, firms should document what part of their BCP worked and what didn’t.”

BCP by the numbers

To add a little more context to the adoption (or lack thereof) of BCPs with direct relevance to the financial sector, Lysis Financial has reported the following data: an encouraging 60% of survey respondents indicated their firms had circulated and tested a BCP before the lockdown began. The counterpoint is that nearly half of all financial firms in the UK did not.

There seems to be some geographical variation regarding BCP utilization rates according to Lysis Financial, “Most respondents from Ireland said they [had] an effective and tested BCP in place whilst many respondents located in the UAE and Japan said there was no BCP documented before COVID-19. And 30% of all the respondents said they were not aware or trained on a BCP before the lockdown.” The latter point here is of particular interest as it highlights the need to communicate what the continuity plan is before there’s a need to formally deploy it.

Communication is a critical step

Like any good plan, it’s only as good as the team that’s responsible for acting on it. Without effective communication, no BCP – no matter how good it is – has the chance of getting the business through the adverse experience if their team is ill-prepared to act. In some cases, it has been reported that there has been no communication at all.

According to Clausematch, several issues are common when it comes to BCPs: “Policies are written but not maintained [and there is] little understanding of the effectiveness of policies. Policies are inconsistent in template and language. No standardized methodology [and] technology is scattered.”

Here, there are several steps to consider. Each group that is going to be affected by a disruption scenario needs to be notified separately and trained on how to respond given the particular situation. A verification step such as a survey, assessment, or structured interview with each individual is essential to verify that s/he/they understand what the business expects in the event of an emergency. Towards the next step of stabilization, each of the personnel affected must have clear instructions on how to communicate the nature of the disruption and the procedures required of a broader part of the organization. Recovery can only begin once all personnel, procedures, equipment, operations and so on can be fully accounted for.

So, what’s next?

For the companies that don’t yet have a BCP in place, now is the time. Verint offers a simple, 5-Point Action Plan for Business Continuity. In their words, “It is vital that your business navigates these challenging times without compromising a focus on compliance and process adherence – no matter how unusual the times we find ourselves in.”

For those that have a BCP in place but haven’t communicated the plan, trained all personnel and tested it out, consider hosting in-house surveys and interviews with randomly selected (and anonymized) staff to collect insights on the effectiveness of the BCP. With the majority of financial firms now in the “BCP in place” category, this is an incredible time to learn and refine the plan in place.

The severity and suddenness of a global lockdown like the one witnessed for COVID-19 are unparalleled and, one can say, serve as the ultimate test. Cube reminds us that this is the time to, “Take stock of systems and find the gaps. Firms should use downtime to assess their current standing and make effective business continuity plans for the future.”

The new normal is all about change, preparing for change and expecting the unexpected. With attention dedicated to scenario-planning, training and implementing specialized plans that can ensure continued operations even in the midst of a crisis, businesses can be more confident in their success. Having a BCP with systems and policies in place, along with a practice run (or two) by the personnel who will stabilize the organization and guide its recovery, will go a long way towards ensuring both compliance to regulatory requirements and sustained operations, even in the midst of an unprecedented adverse event like COVID-19.

 

Subscribe

Follow Us

Subscribe to Shield’s Newsletter

Capture everything. Deploy anywhere. Store in one place.