
Is Testing Testing Enough?

Author: Chris Goodeve-Ballard


Testing your Operational Resilience procedures and your Crisis Management Team is now a regulatory requirement for those in scope of the PRA and FCA rules coming into full effect on 31 March 2025. More importantly, from a business perspective, it is silly not to. This is irrespective of whether you are in scope or out of scope of the aforementioned rules.

 

The PRA and the FCA have explicitly said that testing should include “severe but plausible scenarios”. I have in the last decade or so had the good fortune to travel the world reviewing crisis plans, pandemic plans, business continuity plans and all other plans for when things go horribly wrong. Not a single one of them envisioned a global shutdown for a couple of years – which is effectively what COVID gave us. I’ll be honest, I didn’t take them to task on it either. Nobody really thought the unthinkable and planned for the (almost) unplannable.

 

Since COVID, the question of what you do if the www stops working is now being asked. I have seen Azure (in a desk-based test) being turned off. We are still in the land of common sense though and global thermonuclear is still off the table (despite being possibly more likely – but hey ho!). The fact that firms off their own backs are now asking these questions is only to be welcomed. Effectively, the definition of “severe but plausible” has just moved on a notch or two in the collective consciousness of management.

 

The PRA’s consultation on Critical Third Parties is to be welcomed, although I seriously question how it will be able to insist that a firm with its own space programme provides some of the minutiae of detail required and sanction it if it doesn’t. These firms are often, by their nature, global providers as well as being huge. The failure of one of these firms, however, will have far-reaching consequences – not only with businesses regulated by the PRA and the FCA but also with their entire supply chain (often unregulated).

 

This means testing needs to go way beyond where it has been in recent years. I have no problem with fire evacuation drills being recorded as a “test”. Where I do have a problem is when the firm that has done this has sat back in its metaphorical chair feeling very self-satisfied and ticked the “testing” box. I am not kidding; I have seen this within the last 12 months.

 

Testing, irrespective of your size, should consider the failure of third parties – effectively events outside your control. It should include multiple issues across the business that happen simultaneously; it should take into account the destructive nature of social media commentary; and it should take into account that it might not be just your business affected by the issue. It is no longer sensible to have a Crisis Management Team, carefully named in your BCP, without having deputies nominated for each role. Those deputies need to be trained and tested as much as the senior team. What the Army calls 2nd X1 exercises have incredible value within a business. Crises can happen at any time and you simply do not know who will be available to start making decisions when they need to be made.

 

Effective communication both internally and externally can be tested in exercises and plans drawn up in the cold light of day rather than in the heat of an event. The FCA has recently said that communication is one of the areas they have recognised as having scope for improvement. Don’t be caught out on something that is relatively simple and at least carry out some “pre-thinking”.

 

Testing at a seriously stretching level is not something that can happen overnight. Nobody is ever expected to run a marathon having never done more than run for a bus. In the same way, nobody could be expected to handle the loss of all their data combined with a ransomware attack, the CEO being taken ill and a “Twitter Storm” all on their first exercise. This is something that needs to be done gradually and regularly, building up the complexity and adding in the interdependencies which are hidden when a siloed approach to testing is used. Exercises should become more immersive as time goes on, having probably started as a reasonably gentle desktop walk-through.

 

If an exercise is run properly, participants will leave it feeling that they have learned something useful and more confident in their ability to handle situations. Even at the lowest level of exercise, the business becomes a more resilient operation after it has taken place.

 

Aldbury International is experienced at helping build these cumulative programmes for firms. Take a look at our website and contact us to discuss how we can best help take you to the next stage of resilience.


© 2025 Aldbury International
