United Kingdom | Update | March 2020
The COVID-19 outbreak has been declared a public health emergency of international concern by the World Health Organization, and it is having a significant impact on people’s lives, businesses and the wider economy.
Whilst a significant effort is being made globally to contain the virus, crises such as these can unfold unpredictably. Therefore, as the situation develops, firms across all sectors are having to work rapidly to ensure that their business services can continue to operate, their staff (and places of work) remain safe and their customers remain properly and appropriately served.
Effective and successful management of crises such as these is directly related to how well prepared organisations are to respond, and should be a key operational resilience consideration for firms.
We have set out in this briefing key regulatory issues that boards need to think about in the immediate term as part of effective crisis response planning and to ensure that business as usual activities can carry on.
The FCA has already issued a statement on COVID-19, setting out at a high level its expectations of firms. The key messages from the regulator are:
The COVID-19 outbreak has brought operational resilience into even sharper focus. Before Christmas, both the PRA and the FCA published consultation papers on the issue. The purpose of these papers is to create a shift in the mind-set, from firms prioritising their own commercial interests to considering the vulnerabilities of consumers and the financial system as a whole when making decisions. They are also intended to foster a culture where firms are forward-looking, making decisions today that help prevent operational incidents tomorrow that impact consumers, financial markets and the UK financial system. To do this, the proposals are designed so that firms will be in a position to continue providing business services that are heavily relied on, even in the event of severe operational disruption. Firms should therefore have robust contingency plans in place that take into account high impact but low probability events so they are prepared for the worst.
In December 2019, the PRA published Consultation Paper 30/19: Outsourcing and third party risk management that set out proposals for modernising the regulatory framework on outsourcing and third party risk management. Along with this the PRA also published Consultation Paper 29/19: Operational resilience: impact tolerances for important business services (CP29/19).
One of the key points the PRA makes in CP29/19 is that whilst avoiding disruption to particular systems is a contributing factor to operational resilience, it is ultimately the business service that needs to be resilient. The PRA proposes that firms need to consider the chain of activities that make up the business service, from taking on an obligation to delivery of service, and determine which part of the chain is critical to delivery. Obviously, this varies from business to business and in some cases the chain will be long. The PRA considers that the most critical parts of the service should be operationally resilient, and that firms should accordingly focus their work on the resources necessary to deliver those activities in the chain.
In terms of an internal service such as HR or payroll, the PRA does not expect such services to be identified as business services unless the failure to deliver them would impact on the delivery of outward facing business services which have direct consequences for safety and soundness, financial stability or the appropriate degree of policyholder protection.
In terms of prioritising business services, the PRA has proposed that a business service is important if its disruption could pose a risk to the firm’s safety and soundness or financial stability, or in the case of insurers, the appropriate degree of policyholder protection. It therefore follows that boards and senior management not only have to identify business services within their firm but also assess each service’s relative importance and then conclude an approved impact tolerance. The proposed PRA policy in CP29/19 would introduce a requirement for boards and senior management to approve the impact tolerances that have been set for each of their firm’s important business services.
In December 2019, the FCA also published a consultation focussing on operational resilience, Consultation Paper 19/32: Building operational resilience: impact tolerances for important business services and feedback to DP18/04 (CP19/32). Unsurprisingly, the FCA follows a similar line to that taken by the PRA although in light of their differing statutory objectives the FCA focuses more on consumer protection rather than financial stability. The FCA is proposing that firms:
The deadline for comments on the PRA and FCA consultations is April 3, 2020. The PRA stated in CP29/19 that it intended to publish its final policy in the second half of 2020 (the FCA simply stated ‘next year’).
Notwithstanding the above UK papers, there are also papers from the European Supervisory Authorities that provide some assistance, for example the European Banking Authority’s guidelines on security measures for operational and security risk of payment services under the Payment Services Regulation 2.
A robust crisis response plan and capability is key to minimising the impact the crisis has on a business, its staff and its customers. Firms should have in place crisis management and business continuity plans as part of their operational resilience frameworks that consider a range of scenarios, including a health pandemic, which should help them respond.
Given the various unknowns at this early stage in respect of COVID-19 and how it may impact nationally and internationally, it’s important that firms, if they haven’t done so already:
It is possible that an outbreak such as this could touch on all parts of an organisation. It is therefore important to include relevant stakeholders from across the business – HR, communications, customer services, legal, compliance etc. – headed by an appropriately senior individual to ensure it gets the profile it requires.
Consider the range of scenarios that could occur as a result of the crisis in the short, medium and longer term. These should be plausible, but severe in nature so as to prepare the organisation for what could be a prolonged period of high-stress. Various broad factors can influence this. Take for example, as we have seen in a number of areas of the country already, the impact of school closures, which may seem like a small and trivial matter at first glance. Some things to think about in respect of this example may include, but not be limited to:
As part of scenario planning, it’s important to establish accurate factual information from credible sources. In situations such as these, social media in particular can be awash with inaccurate information or speculation, which may be unhelpful and impair decision-making.
Undertake testing of your crisis response plan using the plausible, but severe scenarios that you have considered. Some of the key components of the response plan include the communication media that you intend to use to keep staff and other stakeholders up to date on your response to the crisis, systems stress testing and effective/safe management of sites from which you operate, be they head offices, operations hubs or branches.
As you conduct the testing, what do the results show you? To what extent does it highlight previously unforeseen weaknesses that need addressing promptly? Which stakeholders need to be involved in addressing these weaknesses and how do you satisfy yourself that once action has been taken, this addresses the weaknesses identified?
All of these factors will serve to enhance your crisis response plan and overall preparedness.
In fast moving and unpredictable circumstances such as these, clear and timely communication to stakeholders is key. Staff, customers and regulators are all important stakeholders to keep updated in respect of an organisation’s planned response in the run up to and throughout the period of crisis response:
We are able to help financial institutions on their operational resilience journeys and can provide support in the following areas:
© Norton Rose Fulbright LLP 2023