A level of business continuity management that just aims to meet regulatory requirements is not enough according to Jan Hanika and Ellen Olsson, specialists in operational risk management at PA Consulting.
In June 2020, Finansinspektionen (FI) published its report, FI supervision 18: Banks’ management of business continuity, which addresses requirements and desired actions in the financial sector with the aim of preventing and reducing the risk of serious business interruptions. Prolonged operational disruptions in IT systems or a reduced ability to conduct business due to unforeseen events such as terrorist attacks or pandemics are some concrete examples of risks. According to FI, the solution to the problem is more robust and integrated continuity management in more business critical functions.
We believe that a level of business continuity management that just aims to meet regulatory requirements is not enough. It is just as much about introducing a proactive culture that promotes continuous improvement.
We see three key factors to ensuring the development of the banks' and the entire financial sector's value-creating business continuity management:
Support from the management is critical
A commitment from management with a clear focus, which emphasises the importance of the work, ensures that resources are available and includes clear and clearly communicated measurable goals, leads to greater opportunities for the organisation to accept the solution. If employees at all levels understand the purpose and goal, it will be easier for them to personally contribute to the end result, at the same time as making their work more meaningful.
Proactive strategy for business continuity plans
It is not enough to reactively deal with the events that occur. You also need to look ahead and plan for what could happen, from the basic starting point of mapping critical activities in the business, including those that are outsourced.
Develop a risk strategy and determine the risk appetite in the organisation
Work with scenario planning that includes assessing the effects on more critical activities and the processes in the business which must be prioritised in the event of serious interruptions.
Identify the scenarios that will not be addressed and the risk the business is therefore prepared to accept.
Develop business continuity plans that include tests for handling serious interruptions with feedback of the results to management.
There is no goal line when it comes to value-creating business continuity management. Circumstances change, and tools, models, routines and working methods must be constantly adapted. By continuously integrating updates in working methods and routines, the organisation can ensure that its business continuity management is always relevant.
In order for the organisation to be able to change quickly in the event of unforeseen events, a corporate culture is required in which risk identification and responses are a natural part of everyday life. Organisations that work proactively to build robust structures to manage operational risks are quicker to identify and minimise damage once incidents occur.
FI flags in its report the need for continued scrutiny, which makes effective business continuity management more relevant than ever. FI's increased focus on business continuity management is sound, but we urge banks and the financial sector in general to see this as an opportunity to go beyond compliance, and develop business continuity management that creates value for the organisation.