We have recently reviewed business continuity planning (BCP) amongst a number of small and medium-sized retail banks, payments institutions and electronic money institutions.
We found that firms often take steps to build resilience to prevent events from occurring. However, anticipating that events will occur and carrying out proper planning and testing will allow firms to be better prepared to respond and recover from events – eg. pre-prepared communication plans.
We also assessed how firms are considering consumer harm and the proactive steps taken to identify and remediate.
Our expectations
We expect firms to proactively identify, test and revise the relevant capabilities (eg. people, processes, systems) which mitigate harm in the event of an incident. If there are areas that could be enhanced, we expect appropriate action to be prioritised, so that firms can deal effectively with incidents and harm is reduced when they do occur. This should be part of the ongoing assessment of systems and controls and is highlighted in the Discussion Paper on Operational Resilience that we published jointly with the PRA. This will help firms to be better prepared to respond and recover when events occur.
What we looked at
We wanted to assess the approach taken by firms to:
- plan for and manage business continuity events
- implement business continuity contingencies including communications
- recover and return to normal service following an event
- identify potential or actual consumer harm and remediate where necessary
What we found
Most firms demonstrated a good understanding of the importance of BCP. There were examples of good practice, such as, governance with clear accountability and real time monitoring to identify events as soon as they occur.
There were, however, some important areas where improvements could be made. In particular, we found examples where firms did not fully understand the link between large-scale change projects and BCP. We also saw examples where firms were assigning the management and oversight of events to staff at too low a level in their organisation.
Examples of good practice and potential areas for enhancement
Planning and preparation
A firms’ approach to effectively plan for and manage events.
Good practice
- Most firms had a documented BCP strategy approved at Board level, with a clearly defined risk appetite. Documenting the appetite for event occurrence and recovery can guide a clear strategy for event management, including the roles and responsibilities of individuals.
- Some firms had real-time monitoring tools allowing frontline staff to track the performance of services, with automated alerts on new events sent to senior management at defined trigger points. Tracking an event in real time enables enhanced event management capabilities.
- All firms used governance forums for approval, challenge and maintenance of policies, plans and frameworks to ensure that the appropriate accountability and responsibility for managing BCP is applied.
- Some firms considered real life scenario testing that goes beyond the basic scenarios of denial of premises access and denial of IT Service. They used real life events and potential events to test their colleagues’ understanding of responsibility, capabilities to adapt and critical decision making.
- Most firms had identified and documented customer critical processes so that if they are affected during an event, they can be prioritised swiftly for action to reduce harm.
Potential areas for enhancement
- Most firms did not adequately consider the link between business continuity and large-scale change projects or routinely revisit plans in anticipation of 'go-live launches'. When implementing significant changes, we strongly encourage firms to plan for unanticipated disruptions so that any response implemented is adequate, swift and reduces harm effectively.
- Most firms had training that covers the requirements for technical staff, but we did not see relevant and tailored training across all firms that covered all colleagues. Training of this nature would raise awareness and understanding of roles and responsibilities, which would enable swift and effective action by staff during an event. It also makes clear what is expected of individuals.
- We encourage firms to consider defining a broad range of test events covering multiple scenarios, so that plans can be tested regularly, improved as necessary and kept current and proportionate to the nature, scale and complexity of the risks inherent in the business model of the firm.
- Some firms did not ensure that BCP is a priority for attention at the highest level of the organisation – eg. Executive Committee and Board. Also, challenge on current capabilities was not encouraged by those responsible for BCP.
Response
A firm’s approach to quickly recognise events, invoke business continuity arrangements and communicate effectively during events.
Good practice
- Some firms had crisis management plans containing detailed pre-drafted and pre-approved communication plans for internal/external stakeholders (including their customers). These covered the specific messages to be used, how they should be issued and in which instances. This enabled fast reaction times when events occurred and was part of preparation work completed.
- Most firms documented several contingencies for their customer critical processes, and where gaps existed there were plans in place to make the necessary improvements.
- Some firms used flexible (internal and external) resource plans to ensure that the firm has the capability to quickly move resources to where they are most needed in an emergency. This means customer harm is reduced and solutions are implemented quickly.
Potential areas for enhancement
- Most firms had not created and developed ‘playbooks’ that cover different potential scenarios with multiple impacts. Firms should consider whether these documents should include guidance on the appropriate communication steps to be taken, the contingencies required to respond and the roles and responsibilities of the individuals managing the event.
- We encourage firms to consider that any response to an incident be managed and driven by appropriate individuals – eg. an individual with appropriate knowledge, experience and seniority. Firms should also consider whether internal or external independent oversight and challenge on the robustness of proposed solutions, and the speed with which they are implemented is required.
- Depending on the nature, scale and complexity of their business, firms should consider whether individuals responsible for implementing the required solutions and fixes should be responsible for verifying that those solutions are adequate and appropriate. Firms should consider whether the verification for these solutions should be carried out by an appropriate impartial group or individual – eg. 2nd Line of Defence Risk, Internal Audit, Third Party opinion.
Recovery
A firm’s approach to returning to ‘normal’ or ‘new normal’ service following an event and how the firm ensures potential or actual consumer harm is identified at the earliest opportunity and remediated swiftly.
Good practice
- All firms used post incident reviews to drive change to policies, frameworks and plans – eg. upgrading communication capabilities and revising contingency assumptions.
- Some firms proactively contacted customers during an event if harm had occurred, eg. not waiting for a customer complaint or complaint MI report. This enabled remediation to be as swift as possible.
Potential areas for enhancement
We encouraged firms to consider the use of management information or other means to proactively identify potential or actual harm and consider what lessons can be learned from an event. We also encouraged those lessons learned to be applied to other key services. This may reduce the likelihood and impact of future events.
Next steps
We encourage all firms to familiarise themselves with the concepts outlined in the recent Discussion Paper on Operational Resilience that we published jointly with the PRA as well as the relevant areas of the FCA Handbook.
We expect firms, on an ongoing basis, to carry out self-assessments of polices, frameworks and plans, considering their own strengths and weaknesses, relative to BCP.
Effective BCP contributes to the ability of firms to absorb shocks caused by disruptive events and can help ensure the continuity of supply of their most important business services. As such, this is highly relevant to achieving the outcome of operational resilience.
The FCA 2019/20 Business Plan sets out specific activities that will be undertaken on the subject of Operational Resilience:
- Deepening our understanding and assessing firms approaches to change management and third-party service provider management;
- Continuing our engagement with other authorities, including the Bank of England and National Cyber Security Centre, to respond to major operational incidents;
- Utilising regulatory tools to test the cyber capabilities of our high-impact firms; and
- Undertaking multi-firm work to better understand the protection measures that firms take against cyber-attacks.
Operational Resilience will remain a key area of focus going forward and we would encourage all firms to consider the above findings, how they may apply to their business and where necessary address deficiencies. We will be engaging with and assessing firms on these issues on an ongoing basis.