Be honest – when Coronavirus hit, how many of you immediately reached out for your Business Continuity Plan (BCP) for advice and support on how to deal with a pandemic and protect your business? Anyone? And if you did, are you now feeling like life expects us to plan for the unforeseeable?
Now, we will apologise in advance for the slightly jaundiced view we are about to present of business’s relationship with its BCP. But it is a view we’ve developed over time reviewing out-of-date and unloved BCPs.
Now, to be fair, your view of business continuity planning will most likely be coloured almost entirely by the size of your business. And possibly whether you are a supplier to someone who requires you to maintain continuity of service.
For most small regulated businesses, a Business Continuity Plan (BCP) is most likely a document containing little more than the out-of-hours phone numbers of staff and the IT support. Possibly it includes the phone number for the landlord in case someone needs a new set of keys, the taps in the loos are leaking or the burglar alarm needs turning off. If you are a small FCA-regulated firm, the FCA may never have seen it or asked for it since you applied for authorisation, and quite frankly it would probably take at least 90 minutes for someone to find it. If it still exists, there’s a 95% chance it’s out of date.
For mid-size businesses, a slightly more substantial BCP will most likely have been produced, at one time or another, by the firm’s IT Director. They may have been working out their own anxieties about how the firm might access its data if there was a successful computer hack or a big power outage. They may have been creating it in order to gain an ISO accreditation. To be fair, the document is probably more of an IT Disaster Recovery Plan / pitch for more IT storage capabilities than a full-blown BCP. But it does at least attempt to address some of the possible scenarios they might face. The document may even be “refreshed” by the IT Director every year if there is a semi-efficient compliance team in place. But this is probably a cursory review to see that the back-up IT provision is still coming from the same stated supplier. For most firms it will be of no use to anyone unless there is a power outage or a hacking incident, and it probably hasn’t been tested for at least a couple of years.
For large, closely regulated firms the BCP has become a multi-headed beast and probably a mini-industry in itself, owned and maintained by designated personnel. It will be informed by multiple feeds as diverse as the PRA’s stress tests, the Health & Safety teams, annual audit, the comprehensive IT Disaster Recovery Plan, the risk appetite and strategy, the compliance plan, the facilities plan, the workforce plan and a significant amount of scenario planning which has modelled multiple different crisis states and fed in the findings. It will be regularly reviewed and constantly tested as new potential scenarios are taken into consideration. Some of these will be synonymous with other stress and scenario testing you may need to undertake: terrorist attacks, civil unrest, power disruptions, climate change and now pandemics (see the PRA’s Dear CEO letter here – to insurers, dated 17/06/2020). Phew! But did it actually help firms manage Coronavirus?
To be fair we think a number of firms were able to use some of their previously developed plans to help their staff work remotely. So from that point of view some of the planning has proved useful. Thank you cloud computing and the internet. Score one for BCP.
But here’s the thing – we’re not convinced BCP is focused on the right things. We think that for many of the larger firms BCP (and a number of the risk models that also colour their thinking) is focused on modelling and testing a greater and greater number of possible scenarios, learning lessons and planning for specifics. But is this just a classic case of not seeing the wood for the trees?
As we are all now probably aware, our government carried out a number of exercises to test the UK’s ability to respond to a flu pandemic only a couple of years ago (classic BCP work). But, despite those tests and dry runs, the country seemed relatively ill-prepared to respond to the actual crisis. This was partly because it hadn’t heeded its own advice, but also because the exercises were modelled on a specific type of flu outbreak that didn’t have a number of the key features of coronavirus. In other words – because we hadn’t modelled the exact scenario, we were a bit slow off the mark and somewhat unprepared to respond at speed.
So, this has us asking the question – is BCP actually a bit of a waste of time, given that we are highly unlikely to be prepared for the next specific incident? Is it actually useful to focus on the specifics of multiple potential incidents? Is that really the best way to go about BCP?
Or is the smarter way to think also about what skills and protocols we might need to have in place to help us stand up, at short notice, a classic set of capabilities to help us manage any type of significant incident? We think yes. We also think this would have the advantage of enabling smaller and medium-sized firms to do more effective business continuity planning whilst lessening some of the burden on the big firms.
And yes, before we are harassed by the BCP aficionados – we do think that doing some work to think through possible disruptive scenarios is useful, and that implementing the findings to make a firm more resilient is of course a good thing. However, we also think firms should consider spending as much, if not more, time thinking through how they can stand up, access and/or develop the capabilities that they will need at speed, regardless of the nature of the business continuity challenge.
And the reason why this is so important is that most UK businesses are currently under significant strain and they know that how well they can respond to the challenges currently in front of them will most likely determine whether they survive or perish in a difficult economic climate.
In our view those that are best able to survive the current crisis will have developed and deployed the following Business Continuity Capabilities. Unsurprisingly, these types of capability are often found within military settings where dealing with unknown situations and developing order amidst chaos is very much what they train for.
Our belief is that all firms should look to assess whether or not they are capable of putting these capabilities in place, either on a permanent basis or by accessing them on an as-needed basis. And before everyone simply says “it’s OK, we’ll just access them when we need them” – do remind yourselves of PPE and remember that at times of crisis everyone may be trying to access the same capabilities as you. We therefore suggest that, where possible, you develop at least some of these capabilities in-house or as part of ongoing partnerships. Of course, these capabilities are very useful to businesses in times of non-crisis too.
And the good news for regulated financial services firms is that the FCA says pretty much the same thing about developing capabilities in SYSC 13.8.7.
So, if you are a firm that would like to invest in making sure you have truly effective Business Continuity Capabilities, rather than just a dusty, unloved, untested plan that sits on a remote shelf, then do get in touch to talk about how we can help you.