Does Coronavirus change regulation? How we can be ready

It’s been a while since our last Think post. And a lot has happened. Working with businesses in multiple sectors on a wide range of issues which were already challenging them, we can see potential further change that the impacts of the Coronavirus can bring to the regulatory and business environment. Here are our thoughts.

Things change – we all know that. As a species we knew it even before the ancient Greek Heraclitus recorded his belief that “the only constant in life is change”.  Change is a critical natural process. Throughout the pre-history and history of the earth it has shaped our planet and moulded our lives.

As a species, so far, humanity has proved to be excellent at adapting to changes. We have, over many millennia, learnt to create tools, systems and methods in an attempt to control our environments and manage the impact of changes as they happen to us, including Coronavirus.

At TCF we think that the Pandemic has a lot to teach us all about managing change across an ecosystem, especially where it challenges our normal ways of working for the longer term. We believe that the regulators will therefore be rethinking how they regulate in a post-Coronavirus world and that they too will inevitably adapt the methods they currently deploy for regulating firms. Now, as with all predicted changes, you can either ignore the suggestions we are offering here or act as if we were correct. That is for you to decide.

In our very recent past, we humans have learnt to collect data and are now analysing it and processing it to predict changes before they arrive so we can exert yet more control over our environment and better manage the impacts of change. The impact of this process is now visible in all our lives: from driving our cars on a smart motorway that is managing our speed and safety, to living in our smart houses that control our temperatures and lock our doors, to using exercise data to control our food intake and health. We are all becoming more and more comfortable with the concept of collecting and analysing data to exert control and manage change in our lives.

Which is probably why something which challenges data collection, analysis and prediction can leave us floundering. Coronavirus does that, as well as challenging us in deeply personal ways and, for some, in life-changing ways. Most of us didn’t see it coming. We are challenged in controlling it and it has fundamentally changed the way we are living our lives. It makes us cry out for certainty. Needless to say, humanity across the globe has rallied and is working very hard to collect new data and to put in place new controls to help understand and manage the change.

Now, as a result of the Pandemic, there are any number of lessons we are all learning and relearning about how to manage change psychologically, physically and socially. We wanted to focus on 5 lessons we are relearning about the management of data and information in relation to managing change, and then explore their implications for the ongoing management of risk and compliance in our business ecosystem.

The five big lessons, as we see them, are as follows.

To be able to effectively manage change we need to be able to:

  1. Collect and process significant amounts of data at speed from multiple sources – in as close to real-time as possible
  2. Easily compare that data across entities – so having universal standards is important
  3. Have in place the resources to make sense of the data and develop effective predictive models – smart people and funding will be required
  4. Co-operate and be transparent when sharing data – cover ups and delays are disastrous for all and slow down essential learning
  5. Properly prepare for future changes based on the outcomes of our models – actually trust our models more and invest appropriately to avert future disaster

So, if we were the regulators right now, looking at how best to regulate complex interconnected ecosystems, we think we’d be looking at the lessons above and applying them to our regulatory practices.

Here are some of the things that we think we might see soon:

  1. The regulators start to require firms to provide a significantly greater volume and diversity of data (both processed and raw) – and not just historic data but potentially even “real-time” data.   
    • This will be necessary to ensure that they can spot “systemic” problems and potential problems as early as possible.  There is evidence from a number of our clients and contacts that this is already occurring.
  2. The regulators impose tighter standards on the way that they want to receive information from firms – providing more specificity and setting universal standards.  
    • This will be a change for them, and they are likely to have to define “what good looks like” more than they are used to doing. There are, though, already examples where the regulators have become pretty specific, e.g. the production of financial data for the PRA (particularly in relation to stress testing) and the FCA’s requirements for reporting complaints data.
    • We believe that more of this type of specificity will be required so that the regulators can swiftly compare like-for-like data across firms. In particular, a greater level of specificity will be required in the “softer”, “qualitative” areas rather than just in relation to the hard “quantitative” numbers.
  3. The regulators “gear up” with more data modellers, data researchers, data analysts and data processing technology.   
    • This will be required to handle and manage the increased demands for data management and to process and analyse the increased volume of data collected. It may also change their style of communication and relationship management.
  4. Currently the regulators use several “early warning systems” such as a firm’s financial returns, complaints data, financial promotions quality, increased market volumes or academic/journalistic concerns to target their attention onto specific companies.  
    • This means some (usually smaller) firms could continue to operate with relatively poor systems and controls in place for many years with no feedback and/or sanction.  However, this emergency has brought home that crises can emanate from somewhere unexpected. So regulators will be under pressure to ensure that they can reach further and gain greater visibility into more firms – even if they need to do it remotely.  
    • This will require more firms to provide more data and specifically more “qualitative” data so that early warning signs do not go undetected and bad practices are spotted and halted before they cause significant challenges.
  5. Finally, we think that the regulators are going to want to see significantly more from a wider spectrum of firms in relation to their plans for managing business continuity.  
    • We believe that the regulators will want to press firms much harder about the plans and resources they have put aside to deal with business continuity issues and will probably want to see more robust modelling of scenarios, greater evidence of “testing the plans” and evidence that resources are available to action the plans.

All of this will mean that regulated firms will need to meet these demands and will be expected to do so.

So, what are we suggesting firms should do to prepare themselves and do a bit of future proofing in relation to their interactions with the regulators?   

Firstly, we are suggesting that firms take this window of opportunity to review their businesses and look at the following issues:

  • The need to provide more and better quality data to regulators at speed. Review the ability of your firm to support the regulators’ desire for more relevant and comprehensive data: the ability to generate, package and potentially share with a regulator key data sets across the whole of your business, not just in relation to complaints and finances. Can you do this comprehensively and at speed? For instance, could you (with less than 24 hours’ warning):
    • Produce and send a remote regulator copies of the policies, procedures, associated records, reports and logs (including training logs) of any one or more of your key business processes?
    • Provide a remote regulator with up to date (possibly real-time) data on the KPIs associated with the control gates in your key business processes?

If you can’t, you may want to take the following steps:

  • Map your key business processes, control gates and associated KPIs and standards – be really clear about all your KPIs and standards.
  • Revisit how you extract and report relevant data on performance against the standards and KPIs. Is there a technology solution you can implement that will speed up extraction and improve reporting?
  • Revisit your document repositories to ensure that all your versions of policies, procedures, logs and reports are easily accessible, up to date and in a format that can be easily shared.
  • The need to be transparent and easily assessed remotely by regulators. Regulators may want to spend less and less time on-site with firms attempting to understand their systems and processes. Review the ability of your firm to design its key systems and processes with remote assessment in mind. The GDPR has ushered in the requirement for firms to design their systems and processes to ensure “Privacy by Design”.
    • We now believe that it is wise to consider ensuring that your systems and processes are “Transparent by Design”, i.e. easy for a regulator to assess end-to-end remotely. Regulators do not like unexplained “black boxes”. Now is a great time to assess your business and ensure it is as transparent as possible to the regulators.
    • Additionally, this new level of transparency will mean that firms need to ensure that they are complying fully with the regulators’ rules and guidance.  Many firms that we work with have never gone back to the base regulations and rule books to check that what they are doing is actually compliant – as a result many are not 100% compliant.  Now is a great time to do an in-depth audit of your current arrangements against the underlying regulations before added transparency shows up the compliance gaps.
  • The need to be properly prepared for the next crisis.  Review the ability of your firm to manage business continuity.  
    • Now is the time to revisit your Business Continuity Plans and see whether they are still fit for purpose.  Now is definitely the time to update them with all that you have learnt from the pandemic.  Our intel suggests that this is an area that the regulators are going to focus on far more in the future.   Check your plans are adequate, updated and properly tested and that all of this is evidenceable.   Check to see if you have allocated appropriate resources to the plans.

The government and regulators will be very keen to ensure that UK businesses are able and prepared to cope with whatever the next crisis might be.

So those are a few of the thoughts we have been having in relation to how this pandemic will impact on the regulators and the regulated.  Hopefully, the topics we’ve touched on here will resonate with you.  If you’d like to discuss any of the above further or would like to discuss how we could help you get better prepared for future regulatory demands then please do get in touch.

May 2020