Businesses operating in the financial services sector of the UK are now required to fortify their operational resilience and must be in compliance by 31 March 2022. This comes as a result of a 2021 order from the Bank of England (BoE) and the Prudential Regulation Authority (PRA), which regulates and supervises the UK’s banks, building societies, credit unions, insurers and major investment firms. These are firms providing important business services as defined by the Financial Conduct Authority (FCA). This additional responsibility is a second step to strengthen the nation’s economic sector following the financial crisis of 2007-2008, stressing the belief of UK authorities that such firms should not just be financially stable but operationally stable as well, able to function not only during financial turbulence but also during natural disasters and similar challenges.
What this means is that, after a severe jolt to ordinary activities, these companies should be able to continue to provide their needed services during the disturbance and return to normal operation as quickly as possible following the disturbance.
This requires a plan that must be submitted to the PRA. This is the kind of work that a company like Infinite Blue, with our BC in the Cloud application, performs by automating business continuity and disaster recovery programs.
The plan must adhere to key rules.
First, the plan must identify impact tolerances for their important business services. This means first of all identifying those services, which, when disrupted, would “cause intolerable levels of harm to any one or more of the firm’s clients or poses a risk to the soundness, stability or resiliency of the UK financial system or financial markets.”
Each affected business needs to provide a map of the relevant assets. This could be the people within the organization who would be relied upon and must be able to report to work and do their jobs; the processes the company provides, from computer and communications technology to warehousing and delivery; its facilities; and the information about all of the above.
With the above information, the PRA is requiring the involved firms to determine how much disruption their important business services can stand. These impact tolerances set a ceiling on the disruption the firm can absorb during a disruptive event. They cover not only what happens at the company, but also functions external to it, such as its third-party supply chain.
Firms are also required to test their ability to stay within the impact tolerances they set through scenario testing, examining how a variety of serious-but-likely possibilities would affect their plan and possibly breach their impact tolerances.
Finally, affected enterprises must establish a communications strategy for reaching both employees and the wide variety of parties outside the organization, so that the firm can act quickly to reduce any damage or impairment caused by operational disruptions. Infinite Blue’s Sendigo solution performs such a function, enabling affected firms to capture contact information for all relevant individuals, then target everyone or specific groups. (It also means faster reaction to developing situations.)
Some larger operations already have in their organizations a person who is responsible for business continuity or disaster recovery. Where that person sits on the organization chart varies — from someone reporting to a plant supervisor to a person with a c-suite title. Those companies may — only may — have an advantage over firms that don’t. However, the sweeping requirements of these new regulations — requiring discharge in barely a month from today — may themselves reveal flaws in the way these key businesses can respond, leaving both firm and the UK financial system at risk. With many pieces to identify, track, and monitor, the possibility of failing to meet these legal and regulatory obligations as reviewed by the FCA is dismayingly substantial.
How, then, to manage all of the above? First and above all, upper management and the boards of the involved companies must commit to providing all of the support a compliance manager needs. Whoever is charged with implementation of these critical tasks must secure that promise from the executive suite. Both parties need to hold each other’s feet to the fire, making meeting the new Bank of England/PRA protocols an organizational mandate. For the officer delegated to implementation, the outline provided by the PRA is clear, and summarized above: establish the program, assess existing compliance against the rules, identify and map the important business services as defined by the FCA, determine the tolerances in the face of anticipated disruption, test all probable scenarios (including those external to the firm), report on tests and implementation, then monitor and report to the regulators.
To build the plan, the compliance officer should conduct an internal inventory. This will involve identifying the processes, people, assets, key resources and vendors to manage. Some of these will be well established for meeting any problems, but there will be weaknesses that must be overcome. Infinite Blue’s BC in the Cloud application captures all of this information and makes it easy to work with and share with key users, whether they’re in the main office, at a remote facility, or working from their smartphone while on vacation.
Maintaining continued adherence to the Bank of England/PRA regulations will be crucial. The company officer accountable for implementation must compile, categorize, and codify the practices necessary to maintain compliance. This includes notifying the PRA and FCA when the firm is unable to maintain compliance.
What might be of assistance to continuity planners at affected firms (and others) are the benchmarks established by the International Organization for Standardization in 2012. Its ISO 22301 laid out the principles for businesses seeking to develop a Business Continuity Management System. Central to the standard is the principle that consistent disaster planning makes possible the most effective response and the quickest possible recovery.
Many of the firms affected by the new regulations find themselves included because they have sometimes been called “too big to fail.” Jon Cunliffe of the PRA reported on this issue in 2016, pointing out that larger banks provided benefits to the financial system of diversification and economies of scale. Instead, he suggested that they focus on resilience through resolution tools and powers, resolvable structures, and loss absorbency.
From its impartial perch, Infinite Blue has watched the events unfolding at the Bank of England, the PRA, and the FCA. Our software and services are wholly congruent with the aims of these regulators, and can provide the assistance that compliance officers at companies providing important business services can rely on. As indicated above, the BC in the Cloud application provides a template for continuity executives to design and build their programs outright. And our Sendigo mass communications software supports these programs by keeping relevant personnel connected, enabling the organization to respond to any threat via Email, SMS, Voice, or Microsoft Teams. Just as essential to compliance is the ability of our products to scale with the organization.
The blueprint for dealing with changing business continuity standards and regulations exists. It only requires the affected firms to take the steps to implement their programs and maintain keen oversight of them.
Reach out for a no-obligation initial conversation.