COVID-19, Compliance, and Continuity

The ferocity and speed at which the COVID-19 virus has spread across the European continent has tested the resilience of most established, profitable and globally successful corporations, so where does this leave other firms and businesses? As a compliance and risk professional operating in a Firm which significantly buys-in to Risk and Compliance if we were to have tabled a COVID-19 desktop scenario only a matter of months ago during our annual BCP testing it would have very likely been chuckled over and politely dismissed as a little far-reaching.

So here we are and depending where on the Continent businesses are located will depend on how far progressed and developed their business continuity plans may be. Irrespective of this every business is very likely to go through similar initial phases in the plans roll out, these are: -

The core planners, decisionmakers and enablers. Firms must establish very quickly the core business continuity group, who need to be able to mobilise and communicate effectively. It should be comprised of the most senior decision makers and appropriate enablers to ensure difficult questions are presented (no hiding from them) and decisions are enacted upon promptly. This group may comprise of individuals such the MD, CEO, Senior Partner and departments heads, Human Resource, IT, Compliance, Operations.  Most business continuity plans would have had this group defined and established in their plans. The group may be slightly different depending on the contingency and should not be too large. It must be empowered to make decisions and make them quickly. One element about the current crisis is its speed of evolution. Normally BCPs deal with a specific event which has occurred.

Understanding the problem. Whilst many BCP’s would have tested natural disaster scenarios such as fire, flood and other such circumstances which effectively restrict workers access. Not many scenarios would have considered, social distancing (a new but sadly widely utilised term), self-isolation periods, illness, vulnerable persons, social and educational restrictions, public health challenges, global market crashes, unemployment, redundancy, travel restrictions, panic buying and restrictions of basic resources such as hand sanitiser all hitting a business and its client base all at the same time.

It is important that the business continuity “core group” is able to cut through the noise, prioritise action and be prepared to take calculated and measured risk where required.

Two headline planning areas are crucial to the success of business continuity under such unprecedented conditions: -

  1. Communication. The ability to communicate effectively and securely is vital. Phase 1 of most BCPs will heavily test the businesses IT and HR departments. IT will be under immediate pressure to accommodate remote or alternate working arrangements, whilst maintaining the businesses cyber-security frameworks. Working closely with the Core group to understand the business needs and priorities and enabling these as quickly as possible.

The other department heavily worked during this period is the Human Resource Department, who have to reassure staff, deal with individual concerns and needs, whilst at the same time delicately report sensitive information into the Core group such as individuals who may because of a medical condition be vulnerable and need prioritising.

All departments and the Core group therefore need to ensure confidentiality and data protection does not fall by the wayside during this initial phase. It is during this first phase that the core group need to be making decisions quickly and effectively based on information and predictions offered by local government, international news sources, public bodies and industry associations.

Communication albeit likely brief at this stage with the firms regulator body(ies) may also be appropriate to give the regulatory body assurance that the firm is acting appropriately and is still able to service clients in accordance with its regulatory and legal obligations.

At the same time the business needs to be communicating, reassuring and servicing its client base, much like the classic metaphor of the Swan appearing clam, capable and in control above the waterline but working ferociously below it.

  1. Governance. Corporate Governance and operational oversight become the next critical component.  The firm’s systems and controls may need to be adapted to accommodate for remote or alternate working arrangements, particularly if these are likely to be enduring. Business sign-off, payments, risk committees, data protection etc all processes which ensure the firm remains in compliance with its legal and regulatory obligations need careful consideration to ensure that they remain appropriate.

The better firms will reach this level of maturity quicker. They will be able to communicate and begin servicing clients more effectively faster and will be able to take on new lines of business in an assured and appropriate manner given all the support functions are operational and easily accessible to them.