On 4 March 2020 the FCA published a statement outlining their expectations as to how firms should respond to the situation we find ourselves in due to the Covid-19 outbreak. In the statement the FCA note that all firms should have contingency plans in place to deal with major events such as this, and that the FCA are in the process of reviewing these plans. As part of these reviews the FCA are particularly looking at how a firm assesses its operational risks and how it continues to serve and support its customers.
At the very heart of their message is the expectation that firms still take “all reasonable steps to meet their regulatory obligations”, specifically:
- Order and transaction entry;
- Recording of telephone lines and other methods of communication; and
- Access to compliance support.
Firms are expected to comply with these obligations and others even when staff are working remotely.
Responsibilities of firms during the current situation
It is understandable that most firms will have prioritised implementing their business continuity and contingency plans in order to protect their businesses and their employees; however, this alone is insufficient. The FCA expect not only that a firm can identify its operational risk, but also that it can:
- Identify its key risks;
- Calculate the potential loss arising from exposures to all risks, key and underlying;
- Continually assess the controls which reduce the risk levels; and
- Ensure any events are captured and recorded, with the subsequent remedial action being documented and further assessed.
As a reminder, operational risk is defined as:
The risk of loss due to inadequate internal processes resulting from failures of people and systems within the business or from external events. Included in this definition are risks associated with legal, documentation, trading, settlement and valuation.
The FCA’s guiding principle is to prevent or reduce harm to consumers and markets. It is therefore imperative that firms focus their attention on the areas they see as most likely to cause harm. Sometimes these areas are obvious and sometimes they are not, but we would recommend that the business’s management assess which controls are weakest under the present circumstances and implement remedial actions to ensure these controls are effectively reducing the operational risks they are associated with. Only by regular monitoring of both the operational controls and the risks can emerging risks and significant issues be identified.
New risks are invariably identified in the monitoring phase of the operational risk cycle. However, in the current environment, where new operational risks are emerging or where relatively low-valued risks have now increased to higher levels, it is important that all risks, however minor, are reconsidered. New risks associated with employees working from home or at back-up sites need to be assessed. The increased likelihood of errors due to the disruption faced by operational staff will have a direct impact on the time taken to resolve such issues.
An area we believe all firms need to be aware of is the increased cyber security risk, with more staff working from home using networks which are less secure than those in the work environment. Management would do well to question the possibility of control breakdowns in which internal or external fraud can manifest itself.
Firms should also familiarise themselves with the FCA’s consultation paper, published in December 2019, which highlights the FCA’s proposed changes to how firms should approach operational resilience and how this will help expose current and new vulnerabilities. The recommended processes include:
- Identifying important business areas;
- Mapping those business areas to people, processes, technology, facilities and information;
- Setting impact tolerances;
- Testing the firm’s ability to remain within those tolerances through stress testing;
- Noting lessons learnt;
- Developing communication plans; and
- Creating a self-assessment document.
There is much discussion around best practice for managing operational risk, including the value of investing in the automation of the various processes associated with that management. Firms that have already gone some way towards that automation are now reaping the benefits in these difficult times. The time saved by automating those previously laborious manual processes has allowed management to refocus their attention on hot spots that were unrecognised until recently, thereby maintaining a service with minimal impact on customers.
Help and advice
If you require any assistance in understanding operational risk and resilience or the implications of Covid-19 on your firm, please do not hesitate to contact us.