COVID-19 and Operational Resilience

Writing a report on COVID-19 in the middle of the pandemic is no easy task; the situation and the information provided by governments changes daily, if not hourly. But it’s important to remember that though the circumstances we find ourselves in are alien to most of us; contagion itself is not a new challenge for business (though of course, this strain of coronavirus is indeed new.) With this in mind, we thought we’d ask risk managers working in some of the world’s largest financial institutions how they have been planning for an event like this and how their operational resilience plans are standing up to the challenge, especially in light of proposed changes from the UK’s FCA and PRA. We’ve also got input from health and safety experts, System Concepts, on what this means for firms going forward; plus views from Geary Sikich, who wrote a book on the subject of contagion: Protecting Your Business in a Pandemic, in 2009. 

Were we ready? 

Scientists have been warning us for years about the potential impact a pandemic like this could have on the world’s fragile, interconnected economic systems – and businesses clearly weren’t blind to the possibility either. In 2015, post-Ebola, Bill Gates did a TED Talk, watched by millions, entitled The Next Outbreak? We’re Not Ready, where he discussed the importance of scenario planning, vaccine research and health worker training. More recently, on February 26, 2020, Deloitte surveyed more than 4,200 US executives, asking them which of three typical risk categories – or a fourth “something else” category – would trigger the next economic downturn. 35% selected the “something else” option. We knew this was coming – even if we didn’t know we knew it. This means risk managers and business continuity teams should have already included some form of pandemic scenario in their planning, though for most, it probably didn’t feel like something that warranted a lot of resources. And now here we are in a world where a third of the global population is in lockdown; where social distancing, self-isolation and remote working are the new normal. 

Firms are still processing what this means for them. One operational risk manager from a large European bank told The Risk Universe that prior to COVID-19, their business continuity/disaster recovery plans only partly covered this type of pandemic. As a result, they confirmed that the bank has identified areas of shortfall as the situation unfolds. Working from home (where possible) has been a key part of their contingency action, but they believe this is only sustainable for approximately two months. Interestingly, a risk manager at a West African-based bank said their plans did not cover this type of pandemic at all, which is surprising, considering the impact of Ebola on the region. The same source said the bank’s contingency measures focused more on IT than any other aspect of the business. Perhaps as a result of this, they had strong infrastructure already in place to work from home, estimating that the business would have 75% functionality during a work-from-home/lockdown scenario, with minimal visits to the office needed. 

Some firms initially chose to approach social distancing recommendations by splitting teams over different locations, rather than have everyone work from home right away. A member of a crisis team at a Netherlands-based investment manager planned to use a combination of splitting/relocating teams, plus remote working. One of the barriers to having all staff immediately work from home in this instance was the rebalancing of the asset allocation process due to take place at the end of the month. “The rebalancing is a very intensive process that requires a lot of coordination between staff members, therefore we split key staff in two groups so that one group could work from the same location.” Even best-laid plans can change in such an evolving situation, though. “At the moment, all staff are working from home and it is [questionable] whether the additional office we prepared for will actually be used,” said the source.

Obviously, some banking functions in the current regulatory climate simply cannot function from home. The FCA has strict guidelines around recording of calls and timely input of orders into the system. This makes it impossible for some individuals to up sticks and work from home. In the US, the Commodity Futures Trading Commission (CFTC) has relaxed rules around traders using recorded phone lines, allowing them to work from home and contact customers more easily as people shift to remote working. CFTC chairman, Heath Tarbert, said the rules would be suspended using “temporary no-action relief.” He said the measures were part of the regulator’s efforts to keep the derivatives markets functioning, “orderly and liquid,” as they are important for hedging risk during this time. Transactions will still need to be recorded in some way and traders will be expected to take notes and document the calls they make.

The European Securities and Markets Authority has announced it expects authorities “not to prioritise their supervisory actions in relation to the new tick-size regime from 26 March, the application date, until 26 June 2020, and to generally apply their risk-based supervisory powers in their day-to-day enforcement of applicable legislation in this area in a proportionate manner.” It has also relaxed MiFID II rules around call recording due to increased levels of remote working, advising firms to look at other ways of record keeping, in a similar vein to the CFTC’s recommendations. 

The FCA has said firms should continue to record calls, “but we accept that some scenarios may emerge where this is not possible. Firms should make us aware if they are unable to meet these requirements. We expect firms to consider what steps they could take to mitigate outstanding risks if they are unable to comply with their obligations to record voice communications. This could include enhanced monitoring, or retrospective review once the situation has been resolved.”  

What this will mean for operational resilience measures in future could prove interesting. Monitoring the use of third parties and identifying business critical systems is one thing, but keeping track of the systems people use from home and ensuring they have appropriate and resilient ways of working available to them outside the office, will be difficult. One provider of cloud-based financial risk management solutions commented that they had seen a 25% reduction in client logins since most firms switched to working from home.

Geary Sikich, a crisis management expert and author of Protecting Your Business in a Pandemic, believes we are likely to experience between 500 and 800 days of crisis as a result of COVID-19, “based on historical analysis of previous pandemics and the time frame that it takes to burn them out.” He stresses the importance of allocating adequate resources to this area of risk management – a fact that is becoming only too clear to firms of all sizes right now. “With today’s businesses focussing on maximising the effectiveness of scarce resources, it may appear frivolous to dedicate time to planning for an unpredictable event such as a pandemic,” he says. “[But] because of the speed with which a pandemic could spread globally, reaction time – i.e. reactive planning – will be almost non-existent…We wouldn’t be in such a precarious situation if we had recognised the over concentration and dependence of a global economy that inherently lacks resilience due to the concentration of resources with little or no alternative solutions.” 

Changing priorities: health and safety  

As the world scrambles to meet the many challenges presented by doing business in a pandemic, health and safety has become a hot topic and will no doubt be a massive area of investment going forward. So, what kinds of questions are firms asking their H&S advisors? Julie North, principal health and safety consultant at System Concepts, says enquiries have evolved as the situation progresses. “Initially, we had a lot of questions on interpreting health and safety legislation in relation to pandemics and what should be covered in a pandemic plan – so many people appeared to be unprepared for the COVID-19 outbreak. Questions then evolved as the Government produced more and more guidance for individuals and employers. Particularly, how to interpret recommendations from the Government regarding what to do if someone became unwell in the office, cleaning requirements of work areas, self-isolation and, exactly what Public Health England would do following a confirmed case of COVID-19.”

More recently, the focus has shifted to remote working measures and the problems these may create, such as how employers can support home workers from both an ergonomic and mental health perspective; workstation assessments and equipment and even how employees can “remain supported and engaged.” Going forward, firms will need to be ready to facilitate large swathes of employees accessing the network remotely at short notice; something many organisations were simply unprepared for. A risk manager working for a large public-sector organisation informed me that staff are having to take turns to access vital resources on the network as it simply wasn’t prepared for the sheer volume of remote workers due to COVID-19. The source estimated less than 50% of employees were able to access the network at any one time. All organisations will have no choice but to address this issue. “What we think will change is employers’ attitudes to flexible and remote working,” says North. “We will probably see business invest more heavily in technology and support for employees to work in a more agile way.”

Many firms will be worrying about the potential legal repercussions from staff who feel they have not been sufficiently protected whilst at work. However, pandemics are primarily a public health issue. “Work-related health and safety legislation (e.g. the Health and Safety at Work Act, the Management of Health and Safety at Work Regulations and the Control of Substances Hazardous to Health) apply to how organisations plan, manage and conduct their work activities and the resulting risks that employees and others may be exposed to,” explains North. “Work-related health and safety legislation doesn’t apply to risks which employees may face in everyday life or are in general circulation, like crossing roads, using public transport, the common cold or flu.” However, North advises firms to think outside of the immediate and obvious consequences of COVID-19. “It is possible that employees may face indirect risks as a result of pandemics and decisions made by employers, such as ergonomic risks arising from working at home on computers for prolonged periods, or risks arising from lone working in the office due to colleague absences, or at home. It’s important that employers consider the possible mental health risks associated with working in isolation and what support can be given.”

A recent report by claimed Wells Fargo staff working in call centres, complaints departments and retail branches had been categorised as “essential” by senior management, therefore forcing them to attend work during the COVID-19 outbreak. Vice spoke to 11 current or recently departed Wells Fargo employees who “feared they might be exposing themselves and others to the highly contagious virus but felt pressure to go to work.” Wells Fargo is still battling to repair its reputation after the sales fraud scandal in 2016 – brought back into the public consciousness again recently thanks to the Netflix docuseries, Dirty Money. The Vice story highlights the potential reputational damage that could be caused by decisions made during this extremely tense time for businesses. If your firm isn’t seen to prioritise the safety of its staff, what impact might this have, not just on the current workforce, but on future generations?

Operational resilience, post COVID-19

The new FCA and PRA proposals on operational resilience were penned before COVID-19 took centre stage and, as a result, focus largely on third-party/supply-chain risk and systems outages. But these could still become a key issue for firms as the pandemic develops. My source from the Dutch investment management firm said “Clients are requesting regular updates from us…Likewise we have asked our suppliers and outsourcing partners similar detailed questions and are now considering how to keep our finger on the pulse with regards to the situation with suppliers.” 

The consultation papers are now being held open until October 2020 (extended from April.) Originally launched as a reaction to the many IT outages experienced in the industry in recent years, there’s no doubt recent developments will add another layer to people’s interpretation of what operational resilience means. In the FCA’s latest information for firms about the COVID-19 response, under “operational resilience,” it said: “Firms should take all reasonable steps to meet the regulatory obligations which are in place to protect their consumers and maintain market integrity. For example, if a firm has to close a call centre – requiring staff to work from other locations (including their homes) – the firm should establish appropriate systems and controls to ensure it maintains appropriate records, including call recordings if required.”

In a discussion paper on the same topic published in July 2018, the FCA highlighted pandemics as a concern: “FMIs [financial market infrastructures] in particular are encouraged to consider threats such as natural disasters, terrorism, pandemics and cyber-attacks. FMIs are also expected to assess the evolving nature of the operational risks they face on an ongoing basis so they can analyse potential vulnerabilities and implement appropriate defence mechanisms.” 

Nothing exposes our reliance on global outsourcing like a global health crisis. The financial services sector places a huge reliance on international outsourcing of key functions such as call centres. In India, for example, where many banks have operations, a total lockdown is already having a far more devastating impact on people’s lives than in more developed regions of the world; with millions of lives at risk not only from COVID-19, but from starvation due to job losses as a result of the lockdown. For those lucky enough to be working for a bank and able to work outside of the office, the infrastructure for remote working is likely to be inadequate for demand and monitoring could prove extremely challenging.

The pressure COVID-19 is placing on our systems and processes (and indeed people) will inevitably impact security; exposing firms to cyber-attacks, ransomware attacks and many types of fraud – the perpetrators of which lie in waiting for these moments of vulnerability to occur.

COVID-19 is a Grey Swan event of a lifetime, rocking every single industry around the world. For anyone working in a risk management-related role, building a more resilient, outward-looking approach to protecting businesses will be essential if we are to survive the next Grey Swan – or indeed Black Swan – event, whatever that may be. Technology will be a major part of our recovery from this, putting even more emphasis on building systems that are resilient, fit for purpose and ready to spring into action when the unexpected happens. 

Click here to view COVID 19 and Operational Resilience.pdf